diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml index 8736d946702..598b4ae1628 100644 --- a/packages/security_detection_engine/changelog.yml +++ b/packages/security_detection_engine/changelog.yml @@ -1,5 +1,10 @@ # newer versions go on top # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production +- version: 8.19.26-beta.1 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/19733 - version: 8.19.25 changes: - description: Release security rules update diff --git a/packages/security_detection_engine/kibana/security_rule/00546494-5bb0-49d6-9220-5f3b4c12f26a_4.json b/packages/security_detection_engine/kibana/security_rule/00546494-5bb0-49d6-9220-5f3b4c12f26a_4.json deleted file mode 100644 index b6e511dd50c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/00546494-5bb0-49d6-9220-5f3b4c12f26a_4.json +++ /dev/null @@ -1,155 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies unusual destination port network activity originating from a web server process. The rule is designed to detect potential web shell activity or unauthorized communication from a web server process to external systems.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.network*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Uncommon Destination Port Connection by Web Server", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Uncommon Destination Port Connection by Web Server\n\nWeb servers, crucial for hosting applications, typically communicate over standard ports like 80 and 443. Adversaries may exploit web server processes to establish unauthorized connections to unusual ports, potentially indicating web shell activity or data exfiltration. This detection rule identifies such anomalies by monitoring egress connections from web server processes to non-standard ports, excluding common local IP ranges, thus highlighting potential threats.\n\n### Possible investigation steps\n\n- Review the process name and user associated with the alert to determine if the connection attempt was made by a legitimate web server process or user, as specified in the query fields (e.g., process.name or user.name).\n- Examine the destination IP address to assess whether it is known or suspicious, and check if it falls outside the excluded local IP ranges.\n- Investigate the destination port to understand why the connection was attempted on a non-standard port, and determine if this port is associated with any known services or threats.\n- Check historical logs for any previous connection attempts from the same process or user to the same or similar destination IPs and ports to identify patterns or repeated behavior.\n- Analyze any related network traffic or logs to identify additional context or anomalies that may indicate unauthorized activity or data exfiltration.\n- Correlate the alert with other security events or alerts to determine if it is part of a larger attack pattern or campaign.\n\n### False positive analysis\n\n- Routine administrative tasks or maintenance scripts may trigger alerts if they involve web server processes connecting to non-standard ports. To manage this, identify and document these tasks, then create exceptions for the specific processes and ports involved.\n- Internal monitoring or management tools that use non-standard ports for legitimate purposes can cause false positives. Review the tools in use and exclude their known IP addresses and ports from the rule.\n- Development or testing environments often use non-standard ports for web server processes. Ensure these environments are well-documented and consider excluding their IP ranges or specific ports from the rule.\n- Load balancers or reverse proxies might redirect traffic to non-standard ports as part of their normal operation. Verify the configuration of these devices and exclude their IP addresses and ports if necessary.\n- Custom applications running on web servers may require communication over non-standard ports. Work with application owners to understand these requirements and adjust the rule to exclude these specific cases.\n\n### Response and remediation\n\n- Immediately isolate the affected web server from the network to prevent further unauthorized access or data exfiltration.\n- Conduct a thorough review of the web server's logs and processes to identify any unauthorized changes or suspicious activities, focusing on the processes and user accounts mentioned in the detection rule.\n- Terminate any suspicious processes identified during the investigation that are not part of the standard operation of the web server.\n- Change passwords and review permissions for the user accounts associated with the web server processes to ensure they have not been compromised.\n- Restore the web server from a known good backup if any unauthorized changes or malware are detected, ensuring that the backup is free from compromise.\n- Implement network segmentation to limit the web server's access to critical systems and data, reducing the potential impact of future incidents.\n- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected, ensuring comprehensive threat containment and remediation.\n", - "query": "network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and (\n process.name like (\n \"apache\", \"nginx\", \"apache2\", \"httpd\", \"lighttpd\", \"caddy\", \"mongrel_rails\", \"gunicorn\",\n \"uwsgi\", \"openresty\", \"cherokee\", \"h2o\", \"resin\", \"puma\", \"unicorn\", \"traefik\", \"tornado\", \"hypercorn\",\n \"daphne\", \"twistd\", \"yaws\", \"webfsd\", \"httpd.worker\", \"flask\", \"rails\", \"mongrel\", \"php-fpm*\", \"php-cgi\",\n \"php-fcgi\", \"php-cgi.cagefs\", \"catalina.sh\", \"hiawatha\", \"lswsctrl\"\n ) or\n user.name in (\"apache\", \"www-data\", \"httpd\", \"nginx\", \"lighttpd\", \"tomcat\", \"tomcat8\", \"tomcat9\") or\n user.id in (\"33\", \"498\", \"48\") or\n (process.name == \"java\" and process.working_directory like \"/u0?/*\")\n) and\nnetwork.direction == \"egress\" and destination.ip != null and\nnot destination.port in (80, 443, 8080, 8443, 8000, 8888, 3128, 3306, 5432, 8220, 8082) and\nnot cidrmatch(destination.ip, \"127.0.0.0/8\", \"::1\",\"FE80::/10\", \"FF00::/8\", \"10.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\",\n\"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\",\n\"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"224.0.0.0/4\", \"240.0.0.0/4\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "00546494-5bb0-49d6-9220-5f3b4c12f26a", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 - }, - "id": "00546494-5bb0-49d6-9220-5f3b4c12f26a_4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_6.json b/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_6.json deleted file mode 100644 index 52e875cd1a2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_6.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.", - "false_positives": [ - "Google Workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. Suspended user accounts are typically used by administrators to remove access to the user while actions is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Suspended User Account Renewed", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Google Workspace Suspended User Account Renewed\n\nGoogle Workspace manages user identities and access, crucial for organizational security. Adversaries may exploit the renewal of suspended accounts to regain unauthorized access, bypassing security measures. The detection rule identifies such events by monitoring specific administrative actions, helping analysts spot potential misuse and maintain secure access controls.\n\n### Possible investigation steps\n\n- Review the event logs for the specific action `UNSUSPEND_USER` to identify the user account that was renewed and gather details about the timing and context of the action.\n- Check the identity of the administrator or service account that performed the `UNSUSPEND_USER` action to determine if the action was authorized or if there are signs of account compromise.\n- Investigate the history of the suspended user account to understand why it was initially suspended and assess any potential risks associated with its renewal.\n- Examine recent activity logs for the renewed user account to identify any suspicious behavior or unauthorized access attempts following the account's reactivation.\n- Cross-reference the event with other security alerts or incidents to determine if the renewal is part of a broader pattern of suspicious activity within the organization.\n\n### False positive analysis\n\n- Routine administrative actions may trigger the rule when IT staff unsuspend accounts for legitimate reasons, such as resolving a temporary issue. To manage this, create exceptions for known IT personnel or specific administrative actions that are part of regular account maintenance.\n- Automated processes or scripts that unsuspend accounts as part of a workflow can also lead to false positives. Identify and document these processes, then exclude them from triggering alerts by using specific identifiers or tags associated with the automation.\n- User accounts that are temporarily suspended due to policy violations or inactivity and later reinstated can cause false positives. Implement a review process to verify the legitimacy of these reinstatements and adjust the rule to exclude such cases when they are part of a documented policy.\n\n### Response and remediation\n\n- Immediately review the user account activity logs to determine if any unauthorized actions were taken after the account was unsuspended. Focus on sensitive data access and changes to security settings.\n- Temporarily suspend the user account again to prevent further unauthorized access while the investigation is ongoing.\n- Notify the security team and relevant stakeholders about the potential security incident to ensure coordinated response efforts.\n- Conduct a thorough review of the account's permissions and access levels to ensure they align with the user's current role and responsibilities. Adjust as necessary to follow the principle of least privilege.\n- If malicious activity is confirmed, initiate a password reset for the affected account and any other accounts that may have been compromised.\n- Implement additional monitoring on the affected account and similar accounts to detect any further suspicious activity.\n- Review and update security policies and procedures related to account suspension and reactivation to prevent similar incidents in the future.\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER\n", - "references": [ - "https://support.google.com/a/answer/1110339", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "00678712-b2df-11ed-afe9-f661ea17fbcc", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.004", - "name": "Cloud Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 6 - }, - "id": "00678712-b2df-11ed-afe9-f661ea17fbcc_6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_109.json b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_109.json deleted file mode 100644 index f319aba205d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_109.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Dumping Account Hashes via Built-In Commands", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Dumping Account Hashes via Built-In Commands\n\nIn macOS environments, built-in commands like `defaults` and `mkpassdb` can be exploited by adversaries to extract user account hashes, which are crucial for credential access. These hashes, once obtained, can be cracked to reveal passwords or used for lateral movement within a network. The detection rule identifies suspicious process executions involving these commands and specific arguments, signaling potential credential dumping activities.\n\n### Possible investigation steps\n\n- Review the process execution details to confirm the presence of the `defaults` or `mkpassdb` commands with arguments like `ShadowHashData` or `-dump`, as these are indicative of credential dumping attempts.\n- Identify the user account associated with the process execution to determine if the activity aligns with expected behavior for that user or if it appears suspicious.\n- Check the historical activity of the involved user account and the host to identify any patterns or anomalies that could suggest unauthorized access or lateral movement.\n- Investigate any network connections or subsequent processes initiated by the suspicious process to assess potential data exfiltration or further malicious actions.\n- Correlate the event with other security alerts or logs from the same host or user account to build a comprehensive timeline of the activity and assess the scope of the potential compromise.\n\n### False positive analysis\n\n- System administrators or security tools may legitimately use the `defaults` or `mkpassdb` commands for system maintenance or auditing purposes. To manage these, create exceptions for known administrative accounts or tools that regularly execute these commands.\n- Automated scripts or management software might invoke these commands as part of routine operations. Identify and whitelist these scripts or software to prevent unnecessary alerts.\n- Developers or IT personnel might use these commands during testing or development phases. Establish a process to temporarily exclude these activities by setting up time-bound exceptions for specific user accounts or devices.\n- Security assessments or penetration tests could trigger this rule. Coordinate with security teams to schedule and document these activities, allowing for temporary rule adjustments during the testing period.\n\n### Response and remediation\n\n- Immediately isolate the affected macOS system from the network to prevent further lateral movement or data exfiltration.\n- Terminate any suspicious processes identified as using the `defaults` or `mkpassdb` commands with the specified arguments to halt ongoing credential dumping activities.\n- Conduct a thorough review of user accounts on the affected system to identify any unauthorized access or changes, focusing on accounts with elevated privileges.\n- Reset passwords for all potentially compromised accounts, especially those with administrative access, and enforce strong password policies.\n- Analyze system logs and network traffic to identify any additional systems that may have been accessed using the compromised credentials, and apply similar containment measures.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.\n- Implement enhanced monitoring and alerting for similar suspicious activities across the network to detect and respond to future attempts promptly.", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name in (\"defaults\", \"mkpassdb\") and process.args like~ (\"ShadowHashData\", \"-dump\")\n", - "references": [ - "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored", - "https://www.unix.com/man-page/osx/8/mkpassdb/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^9.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 109 - }, - "id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3_109", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05f2b649-dc03-4e9a-8c4e-6762469e8249_1.json b/packages/security_detection_engine/kibana/security_rule/05f2b649-dc03-4e9a-8c4e-6762469e8249_1.json deleted file mode 100644 index 7e86b0c11e7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/05f2b649-dc03-4e9a-8c4e-6762469e8249_1.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a script interpreter (osascript, Node.js, Python) with minimal arguments makes an outbound connection to AWS S3 or CloudFront domains. Threat actors have used S3 buckets for both command and control and data exfiltration. Script interpreters connecting to cloud storage should be investigated for potential malicious activity.", - "from": "now-9m", - "language": "esql", - "license": "Elastic License v2", - "name": "Suspicious AWS S3 Connection via Script Interpreter", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious AWS S3 Connection via Script Interpreter\n\nThis rule flags macOS script interpreters (AppleScript, Node.js, Python) that repeatedly initiate outbound connections to AWS S3 or CloudFront with little or no command context, a common sign of scripted automation rather than normal app traffic. Attackers often use a short Python or Node one-liner to fetch a second-stage payload from an S3 bucket and then poll the same bucket or a CloudFront-backed URL for commands or to upload stolen data.\n\n### Possible investigation steps\n\n- Pivot from the flagged executable to full process ancestry and command-line/script file to determine what code initiated the S3/CloudFront traffic and whether it was launched interactively, by a LaunchAgent/Daemon, or by another app. \n- Identify the specific bucket/distribution and object paths involved using available URL/SNI/HTTP telemetry, then validate ownership and reputation by correlating with cloud account inventory, known-good tooling, and threat intel. \n- Review concurrent endpoint activity from the same process and user such as file downloads to writable/temp locations, new executable creation, permission changes, or immediate execution of newly written payloads. \n- Hunt for follow-on behaviors consistent with C2 or exfiltration including repeated polling intervals, unusually large outbound byte counts, multipart upload patterns, and matching connections from other hosts using the same domain. \n- If suspicious, capture and preserve the script contents and related artifacts (Python/Node packages, AppleScript files, launch plist, cron entries) and isolate the host while blocking the destination domain at egress.\n\n### False positive analysis\n\n- A developer or build/CI workflow runs Python/Node scripts on macOS to fetch artifacts or dependencies from an organization-owned S3 bucket or CloudFront distribution, producing repeated connections during installs, tests, or packaging. \n- A legitimate AppleScript/Python/Node automation (e.g., user logon script, LaunchAgent task, or scheduled job) periodically uploads logs/backups or syncs configuration to S3/CloudFront, resulting in bursty, minimal-argument interpreter network starts that exceed the connection threshold.\n\n### Response and remediation\n\n- Isolate the affected macOS host from the network and immediately block the observed S3/CloudFront domain(s) and resolved IPs at egress while allowing access needed for forensics and management.\n- Acquire and preserve the initiating script and execution context by collecting the interpreter\u2019s on-disk script/one-liner source, parent process details, relevant LaunchAgents/LaunchDaemons plist files, and any newly written binaries or archives associated with the same time window.\n- Eradicate persistence and tooling by removing or disabling the malicious launch plist/cron entries, deleting the identified script and any downloaded payloads, and revoking/quarantining any Python/Node packages or AppleScript components tied to the outbound S3 activity.\n- Reset and revoke credentials exposed on the host by rotating the user\u2019s passwords/tokens, removing any AWS keys found in environment variables/config files (e.g., CLI config, application secrets), and invalidating active sessions associated with the user or host.\n- Recover by reimaging or restoring the endpoint from a known-good baseline if payload execution or system modification is confirmed, then reintroduce it to the network only after validating no recurring connections to the same S3/CloudFront endpoints.\n- Escalate to incident response and cloud security if multiple hosts show the same destination domain or bucket, the script performs uploads or handles sensitive files, or you identify AWS credentials, data staging, or active command polling indicative of C2 or exfiltration.\n", - "query": "FROM logs-endpoint.events.network-*\n| WHERE host.os.type == \"macos\" \n AND event.type == \"start\"\n AND (process.name == \"osascript\" \n OR process.name == \"node\" \n OR process.name LIKE \"python*\")\n AND (destination.domain LIKE \"s3.*.amazonaws.com\" \n OR destination.domain LIKE \"*.s3*.amazonaws.com\" \n OR destination.domain LIKE \"*.cloudfront.net\")\n| STATS Esql.connection_count = COUNT(*) \n BY process.executable, user.name, host.name, destination.domain\n| WHERE Esql.connection_count >= 5\n| KEEP Esql.*, process.executable, user.name, host.name, destination.domain\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.connection_count", - "type": "long" - }, - { - "ecs": true, - "name": "destination.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "05f2b649-dc03-4e9a-8c4e-6762469e8249", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1102", - "name": "Web Service", - "reference": "https://attack.mitre.org/techniques/T1102/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1567", - "name": "Exfiltration Over Web Service", - "reference": "https://attack.mitre.org/techniques/T1567/", - "subtechnique": [ - { - "id": "T1567.002", - "name": "Exfiltration to Cloud Storage", - "reference": "https://attack.mitre.org/techniques/T1567/002/" - } - ] - } - ] - } - ], - "type": "esql", - "version": 1 - }, - "id": "05f2b649-dc03-4e9a-8c4e-6762469e8249_1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/064a2e08-25da-11f0-b1f1-f661ea17fbcd_5.json b/packages/security_detection_engine/kibana/security_rule/064a2e08-25da-11f0-b1f1-f661ea17fbcd_5.json index 2fa1150af20..be299f2dd47 100644 --- a/packages/security_detection_engine/kibana/security_rule/064a2e08-25da-11f0-b1f1-f661ea17fbcd_5.json +++ b/packages/security_detection_engine/kibana/security_rule/064a2e08-25da-11f0-b1f1-f661ea17fbcd_5.json @@ -46,7 +46,7 @@ "related_integrations": [ { "package": "azure", - "version": "^1.0.0" + "version": "^1.4.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_109.json b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_109.json deleted file mode 100644 index ed6a52c63f2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_109.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.", - "false_positives": [ - "Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Drive Ownership Transferred via Google Workspace", - "note": "## Triage and analysis\n\n### Investigating Google Drive Ownership Transferred via Google Workspace\n\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\n\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\n\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\n\n#### Possible investigation steps\n\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security > Reporting > Audit and investigation > Admin log events`.\n- Determine if involved user accounts are active. To view user activity, go to `Directory > Users`.\n- Check if the involved user accounts were recently disabled, then re-enabled.\n- Review involved user accounts for potentially misconfigured permissions or roles.\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\n- If a shared drive, access requirements based on Organizational Units in `Apps > Google Workspace > Drive and Docs > Manage shared drives`.\n- Triage potentially related alerts based on the users involved. To find alerts, go to `Security > Alerts`.\n\n### False positive analysis\n\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n", - "references": [ - "https://support.google.com/a/answer/1247799?hl=en", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.application.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Tactic: Collection", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1074", - "name": "Data Staged", - "reference": "https://attack.mitre.org/techniques/T1074/", - "subtechnique": [ - { - "id": "T1074.002", - "name": "Remote Data Staging", - "reference": "https://attack.mitre.org/techniques/T1074/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 109 - }, - "id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce_109", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe_7.json b/packages/security_detection_engine/kibana/security_rule/0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe_7.json index dc8626f1dba..9b5eea0b3bd 100644 --- a/packages/security_detection_engine/kibana/security_rule/0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe_7.json +++ b/packages/security_detection_engine/kibana/security_rule/0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe_7.json @@ -16,14 +16,14 @@ "package": "endpoint", "version": "^8.2.0" }, - { - "package": "panw", - "version": "^5.0.0" - }, { "package": "fortinet_fortigate", "version": "^1.0.0" }, + { + "package": "panw", + "version": "^5.0.0" + }, { "package": "suricata", "version": "^2.0.0" diff --git a/packages/security_detection_engine/kibana/security_rule/0d3d2254-2b4a-11f0-a019-f661ea17fbcc_11.json b/packages/security_detection_engine/kibana/security_rule/0d3d2254-2b4a-11f0-a019-f661ea17fbcc_11.json index b33946078ab..6d3e4c76aa8 100644 --- a/packages/security_detection_engine/kibana/security_rule/0d3d2254-2b4a-11f0-a019-f661ea17fbcc_11.json +++ b/packages/security_detection_engine/kibana/security_rule/0d3d2254-2b4a-11f0-a019-f661ea17fbcc_11.json @@ -21,6 +21,11 @@ "https://pushsecurity.com/blog/consentfix" ], "related_integrations": [ + { + "integration": "graphactivitylogs", + "package": "azure", + "version": "^1.10.0" + }, { "package": "azure", "version": "^1.0.0" diff --git a/packages/security_detection_engine/kibana/security_rule/0d3d2254-2b4a-11f0-a019-f661ea17fbcc_8.json b/packages/security_detection_engine/kibana/security_rule/0d3d2254-2b4a-11f0-a019-f661ea17fbcc_8.json deleted file mode 100644 index 8f03bc168ba..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0d3d2254-2b4a-11f0-a019-f661ea17fbcc_8.json +++ /dev/null @@ -1,237 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies potential session hijacking or token replay in Microsoft Entra ID. This rule detects cases where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID. This may indicate a successful OAuth phishing attack, session hijacking, or token replay attack, where an adversary has stolen a session cookie or refresh/access token and is impersonating the user from an alternate host or location.", - "false_positives": [ - "This pattern may occur during legitimate device switching or roaming between networks (e.g., corporate to mobile). Developers or power users leveraging multiple environments may also trigger this detection if session persistence spans IP ranges. Still, this behavior is rare and warrants investigation when rapid IP switching and Graph access are involved." - ], - "from": "now-31m", - "interval": "30m", - "language": "esql", - "license": "Elastic License v2", - "name": "Entra ID OAuth User Impersonation to Microsoft Graph", - "note": "## Triage and analysis\n\n### Investigating Entra ID OAuth User Impersonation to Microsoft Graph\n\nIdentifies potential phishing, session hijacking or token replay in Microsoft Entra ID. This rule detects cases where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID and client application. This may indicate a successful OAuth phishing attack, session hijacking, or token replay attack, where an adversary has stolen a session cookie or refresh/access token and is impersonating the user from an alternate host or location.\n\nThis rule uses ESQL aggregations and thus has dynamically generated fields. Correlation of the values in the alert document may need to be\nperformed to the original sign-in and Graph events for further context.\n\n### Possible investigation steps\n\n- This rule relies on an aggregation-based ESQL query, therefore the alert document will contain dynamically generated fields.\n - To pivot into the original events, it is recommended to use the values captured to filter in timeline or discovery for the original sign-in and Graph events.\n- Review the session ID and user ID to identify the user account involved in the suspicious activity.\n- Check the source addresses involved in the sign-in and Graph access to determine if they are known or expected locations for the user.\n - The sign-in source addresses should be two, one for the initial phishing sign-in and the other when exchanging the auth code for a token by the adversary.\n - The Graph API source address should identify the IP address used by the adversary to access Microsoft Graph.\n- Review the user agent strings for the sign-in and Graph access events to identify any anomalies or indicators of compromise.\n- Analyze the Graph permission scopes to identify what resources were accessed and whether they align with the user's expected behavior.\n- Check the timestamp difference between the sign-in and Graph access events to determine if they occurred within a reasonable time frame that would suggest successful phishing to token issuance and then Graph access.\n- Identify the original sign-in event to investigation if conditional access policies were applied, such as requiring multi-factor authentication or blocking access from risky locations. In phishing scenarios, these policies likely were applied as the victim user would have been prompted to authenticate.\n\n### False positive analysis\n- This pattern may occur during legitimate device switching or roaming between networks (e.g., corporate to mobile).\n- Developers or power users leveraging multiple environments may also trigger this detection if session persistence spans IP ranges. Still, this behavior is rare and warrants investigation when rapid IP switching and Graph access are involved.\n\n### Response and remediation\n\n- If confirmed malicious, revoke all refresh/access tokens for the user principal.\n- Block the source IP(s) involved in the Graph access.\n- Notify the user and reset credentials.\n- Review session control policies and conditional access enforcement.\n- Monitor for follow-on activity, such as lateral movement or privilege escalation.\n- Review conditional access policies to ensure they are enforced correctly.\n", - "query": "from logs-azure.signinlogs-*, logs-azure.graphactivitylogs-* metadata _id, _version, _index\n| where\n (event.dataset == \"azure.signinlogs\"\n and source.`as`.organization.name != \"MICROSOFT-CORP-MSN-AS-BLOCK\"\n and azure.signinlogs.properties.session_id is not null)\n or\n (event.dataset == \"azure.graphactivitylogs\"\n and source.`as`.organization.name != \"MICROSOFT-CORP-MSN-AS-BLOCK\"\n and azure.graphactivitylogs.properties.c_sid is not null)\n\n| eval\n Esql.azure_signinlogs_properties_session_id_coalesce = coalesce(azure.signinlogs.properties.session_id, azure.graphactivitylogs.properties.c_sid),\n Esql.azure_signinlogs_properties_user_id_coalesce = coalesce(azure.signinlogs.properties.user_id, azure.graphactivitylogs.properties.user_principal_object_id),\n Esql.azure_signinlogs_properties_app_id_coalesce = coalesce(azure.signinlogs.properties.app_id, azure.graphactivitylogs.properties.app_id),\n Esql.source_ip = source.ip,\n Esql.@timestamp = @timestamp,\n Esql.event_type_case = case(\n event.dataset == \"azure.signinlogs\", \"signin\",\n event.dataset == \"azure.graphactivitylogs\", \"graph\",\n \"other\"\n ),\n Esql.signin_source_asn = case(event.dataset == \"azure.signinlogs\", source.`as`.organization.name, null),\n Esql.graph_source_asn = case(event.dataset == \"azure.graphactivitylogs\", source.`as`.organization.name, null)\n\n| where Esql.azure_signinlogs_properties_app_id_coalesce not in (\n \"4354e225-50c9-4423-9ece-2d5afd904870\", // Augmentation Loop\n \"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe\", // Microsoft Teams Services\n \"ecd6b820-32c2-49b6-98a6-444530e5a77a\", // Microsoft Edge [Community Contributed]\n \"e8be65d6-d430-4289-a665-51bf2a194bda\", // Microsoft 365 App Catalog Services\n \"ab9b8c07-8f02-4f72-87fa-80105867a763\", // OneDrive SyncEngine\n \"394866fc-eedb-4f01-8536-3ff84b16be2a\", // Microsoft People Cards Service\n \"66a88757-258c-4c72-893c-3e8bed4d6899\", // Office 365 Search Service\n \"9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7\", // Bing\n \"d7b530a4-7680-4c23-a8bf-c52c121d2e87\", // Microsoft Edge Enterprise New Tab Page [Community Contributed]\n \"6f7e0f60-9401-4f5b-98e2-cf15bd5fd5e3\", // Microsoft Application Command Service [Community Contributed]\n \"52c2e0b5-c7b6-4d11-a89c-21e42bcec444\", // Graph Files Manager\n \"27922004-5251-4030-b22d-91ecd9a37ea4\", // Outlook Mobile\n \"bb893c22-978d-4cd4-a6f7-bb6cc0d6e6ce\", // Olympus [Community Contributed]\n \"26a7ee05-5602-4d76-a7ba-eae8b7b67941\", // Windows Search\n \"00000007-0000-0000-c000-000000000000\", // Dataverse\n \"6bc3b958-689b-49f5-9006-36d165f30e00\", // Teams CMD Services Artifacts\n \"0ec893e0-5785-4de6-99da-4ed124e5296c\", // Office UWP PWA [Community Contributed]\n \"fc108d3f-543d-4374-bbff-c7c51f651fe5\", // Zoom\n \"01fc33a7-78ba-4d2f-a4b7-768e336e890e\", // MS PIM\n \"7ab7862c-4c57-491e-8a45-d52a7e023983\" // Power Automate / Logic Apps Graph Connector\n ) and Esql.signin_source_asn IS NOT NULL and Esql.graph_source_asn IS NOT NULL\n\n| keep\n Esql.azure_signinlogs_properties_session_id_coalesce,\n Esql.source_ip,\n Esql.@timestamp,\n Esql.event_type_case,\n Esql.azure_signinlogs_properties_user_id_coalesce,\n Esql.azure_signinlogs_properties_app_id_coalesce,\n Esql.signin_source_asn,\n Esql.graph_source_asn,\n source.`as`.organization.name,\n user_agent.original,\n url.original,\n azure.graphactivitylogs.properties.scopes,\n azure.signinlogs.properties.user_principal_name\n\n| stats\n Esql.azure_signinlogs_properties_user_id_coalesce_values = values(Esql.azure_signinlogs_properties_user_id_coalesce),\n Esql.azure_signinlogs_properties_session_id_coalesce_values = values(Esql.azure_signinlogs_properties_session_id_coalesce),\n Esql_priv.azure_signinlogs_properties_user_principal_name_values = values(azure.signinlogs.properties.user_principal_name),\n Esql.source_ip_values = values(Esql.source_ip),\n Esql.source_ip_count_distinct = count_distinct(Esql.source_ip),\n Esql.source_as_organization_name_values = values(source.`as`.organization.name),\n Esql.source_as_organization_name_count_distinct = count_distinct(source.`as`.organization.name),\n Esql.signin_source_asn_values = values(Esql.signin_source_asn),\n Esql.signin_source_asn_count_distinct = count_distinct(Esql.signin_source_asn),\n Esql.graph_source_asn_values = values(Esql.graph_source_asn),\n Esql.graph_source_asn_count_distinct = count_distinct(Esql.graph_source_asn),\n Esql.user_agent_original_values = values(user_agent.original),\n Esql.azure_signinlogs_properties_app_id_coalesce_values = values(Esql.azure_signinlogs_properties_app_id_coalesce),\n Esql.azure_signinlogs_properties_app_id_coalesce_count_distinct = count_distinct(Esql.azure_signinlogs_properties_app_id_coalesce),\n Esql.event_type_case_values = values(Esql.event_type_case),\n Esql.event_type_case_count_distinct = count_distinct(Esql.event_type_case),\n Esql.signin_time_min = min(case(Esql.event_type_case == \"signin\", Esql.@timestamp, null)),\n Esql.graph_time_min = min(case(Esql.event_type_case == \"graph\", Esql.@timestamp, null)),\n Esql.url_original_values = values(url.original),\n Esql.azure_graphactivitylogs_properties_scopes_values = values(azure.graphactivitylogs.properties.scopes),\n Esql.event_count = count()\n by\n Esql.azure_signinlogs_properties_session_id_coalesce,\n Esql.azure_signinlogs_properties_app_id_coalesce,\n Esql.azure_signinlogs_properties_user_id_coalesce\n\n| eval\n Esql.event_signin_to_graph_delay_minutes_date_diff = date_diff(\"minutes\", Esql.signin_time_min, Esql.graph_time_min),\n Esql.event_signin_to_graph_delay_days_date_diff = date_diff(\"days\", Esql.signin_time_min, Esql.graph_time_min)\n\n| where\n Esql.event_type_case_count_distinct > 1 and\n Esql.source_ip_count_distinct > 1 and\n Esql.source_as_organization_name_count_distinct > 1 and\n Esql.azure_signinlogs_properties_app_id_coalesce_count_distinct == 1 and\n Esql.signin_time_min is not null and\n Esql.graph_time_min is not null and\n Esql.event_signin_to_graph_delay_minutes_date_diff > 0 and\n Esql.event_signin_to_graph_delay_days_date_diff == 0 and\n (Esql.signin_source_asn_count_distinct + Esql.graph_source_asn_count_distinct) == Esql.source_as_organization_name_count_distinct\n", - "references": [ - "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/", - "https://github.com/dirkjanm/ROADtools", - "https://attack.mitre.org/techniques/T1078/004/", - "https://pushsecurity.com/blog/consentfix" - ], - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.azure_graphactivitylogs_properties_scopes_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.azure_signinlogs_properties_app_id_coalesce", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.azure_signinlogs_properties_app_id_coalesce_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.azure_signinlogs_properties_app_id_coalesce_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.azure_signinlogs_properties_session_id_coalesce", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.azure_signinlogs_properties_session_id_coalesce_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.azure_signinlogs_properties_user_id_coalesce", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.azure_signinlogs_properties_user_id_coalesce_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.event_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.event_signin_to_graph_delay_days_date_diff", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.event_signin_to_graph_delay_minutes_date_diff", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.event_type_case_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.event_type_case_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.graph_source_asn_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.graph_source_asn_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.graph_time_min", - "type": "date" - }, - { - "ecs": false, - "name": "Esql.signin_source_asn_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.signin_source_asn_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.signin_time_min", - "type": "date" - }, - { - "ecs": false, - "name": "Esql.source_as_organization_name_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.source_as_organization_name_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.source_ip_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.source_ip_values", - "type": "ip" - }, - { - "ecs": false, - "name": "Esql.url_original_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.user_agent_original_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql_priv.azure_signinlogs_properties_user_principal_name_values", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "0d3d2254-2b4a-11f0-a019-f661ea17fbcc", - "setup": "#### Required Microsoft Entra ID Sign-In and Graph Activity Logs\nThis rule requires the Microsoft Entra ID Sign-In Logs and Microsoft Graph Activity Logs integration to be enabled and configured to collect audit and activity logs via Azure Event Hub.\n", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Domain: Identity", - "Domain: API", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Sign-In Logs", - "Data Source: Microsoft Graph", - "Data Source: Microsoft Graph Activity Logs", - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Resources: Investigation Guide", - "Tactic: Defense Evasion", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.004", - "name": "Cloud Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1550", - "name": "Use Alternate Authentication Material", - "reference": "https://attack.mitre.org/techniques/T1550/", - "subtechnique": [ - { - "id": "T1550.001", - "name": "Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1550/001/" - }, - { - "id": "T1550.004", - "name": "Web Session Cookie", - "reference": "https://attack.mitre.org/techniques/T1550/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 8 - }, - "id": "0d3d2254-2b4a-11f0-a019-f661ea17fbcc_8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0_107.json b/packages/security_detection_engine/kibana/security_rule/0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0_107.json index c9462df3642..3e6a6e4e4ea 100644 --- a/packages/security_detection_engine/kibana/security_rule/0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0_107.json +++ b/packages/security_detection_engine/kibana/security_rule/0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0_107.json @@ -43,10 +43,6 @@ "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/" ], "related_integrations": [ - { - "package": "aws", - "version": "^4.0.0" - }, { "integration": "cloudtrail", "package": "aws", diff --git a/packages/security_detection_engine/kibana/security_rule/0f5941c6-3db9-4d2f-91df-06c7c292ba45_1.json b/packages/security_detection_engine/kibana/security_rule/0f5941c6-3db9-4d2f-91df-06c7c292ba45_1.json index dfede6d41c5..e943320f546 100644 --- a/packages/security_detection_engine/kibana/security_rule/0f5941c6-3db9-4d2f-91df-06c7c292ba45_1.json +++ b/packages/security_detection_engine/kibana/security_rule/0f5941c6-3db9-4d2f-91df-06c7c292ba45_1.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_108.json b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_108.json deleted file mode 100644 index 3d9162d1474..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_108.json +++ /dev/null @@ -1,119 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.", - "false_positives": [ - "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment." - ], - "index": [ - "packetbeat-*", - "filebeat-*", - "logs-network_traffic.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Abnormally Large DNS Response", - "note": "## Triage and analysis\n\n### Investigating Abnormally Large DNS Response\n\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps\n\n- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.\n- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False positive analysis\n\n- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes.\n- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.\n\n### Related rules\n\n- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\n- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a restart. This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n", - "query": "(event.dataset: network_traffic.dns or (event.category: (network or network_traffic) and destination.port: 53)) and\n (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000\n", - "references": [ - "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", - "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", - "https://github.com/maxpl0it/CVE-2020-1350-DoS", - "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.bytes", - "type": "long" - }, - { - "ecs": false, - "name": "type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "11013227-0301-4a8c-b150-4db924484475", - "severity": "medium", - "tags": [ - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Impact", - "Resources: Investigation Guide", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1210", - "name": "Exploitation of Remote Services", - "reference": "https://attack.mitre.org/techniques/T1210/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1499", - "name": "Endpoint Denial of Service", - "reference": "https://attack.mitre.org/techniques/T1499/", - "subtechnique": [ - { - "id": "T1499.004", - "name": "Application or System Exploitation", - "reference": "https://attack.mitre.org/techniques/T1499/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 108 - }, - "id": "11013227-0301-4a8c-b150-4db924484475_108", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_112.json b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_112.json new file mode 100644 index 00000000000..abc9d595ec9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_112.json @@ -0,0 +1,153 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.", + "index": [ + "logs-network_traffic.*", + "logs-panw.panos*", + "logs-zeek.*", + "logs-corelight.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Abnormally Large DNS Response", + "note": "## Triage and analysis\n\n### Investigating Abnormally Large DNS Response\n\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n### Possible investigation steps\n\n- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.\n- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n### False positive analysis\n\n- Based on this rule, which looks for a threshold of 65k bytes, activity below this value is expected to be legitimate. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses in observed attacks were all greater than 65k bytes.\n- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.\n- Network security devices such as PAN-OS firewalls, Fortinet, and NetFlow exporters, as well as Zeek/Corelight connection summary records, record `destination.bytes` as the total bytes across an entire session rather than a single DNS response. Long-lived flow or connection records (`event.duration` > 60 seconds) are excluded to reduce this noise. Duration is used rather than packet count because a genuine SigRed TCP exchange completes in seconds and cannot be made to exceed 60 seconds by an attacker continuing to use the connection.\n\n### Related rules\n\n- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\n- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a restart. This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n", + "query": "((event.category:(network or network_traffic) and destination.port:53) \n or network.protocol:\"dns\" \n or data_stream.dataset:(network_traffic.dns or zeek.dns)\n or (event.module:corelight and event.dataset:dns))\n and destination.bytes >= 65000\n and event.type:(\"allowed\" or \"end\" or \"protocol\" or \"start\")\nand not (\n event.duration > 60000000000\n and (\n event.action:(\"flow_terminated\" or \"network_flow\")\n or data_stream.dataset:zeek.connection\n or (event.module:corelight and event.dataset:conn)\n )\n)\n", + "references": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", + "https://github.com/maxpl0it/CVE-2020-1350-DoS", + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" + ], + "related_integrations": [ + { + "package": "panw", + "version": "^5.0.0" + }, + { + "package": "corelight", + "version": "^1.0.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + }, + { + "package": "zeek", + "version": "^5.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "destination.bytes", + "type": "long" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.duration", + "type": "long" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "11013227-0301-4a8c-b150-4db924484475", + "severity": "medium", + "tags": [ + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Impact", + "Resources: Investigation Guide", + "Use Case: Vulnerability", + "Data Source: Corelight", + "Data Source: PAN-OS", + "Data Source: Network Traffic", + "Data Source: Zeek" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1499", + "name": "Endpoint Denial of Service", + "reference": "https://attack.mitre.org/techniques/T1499/", + "subtechnique": [ + { + "id": "T1499.004", + "name": "Application or System Exploitation", + "reference": "https://attack.mitre.org/techniques/T1499/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 112 + }, + "id": "11013227-0301-4a8c-b150-4db924484475_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_219.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_219.json index 2ddd9112540..e5cfaf66ad7 100644 --- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_219.json +++ b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_219.json @@ -32,13 +32,13 @@ "package": "m365_defender", "version": "^3.0.0" }, - { - "package": "crowdstrike", - "version": "^3.0.0" - }, { "package": "sentinel_one_cloud_funnel", "version": "^1.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_211.json b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_211.json index 73be59a15a0..8fc548a032d 100644 --- a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_211.json +++ b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_211.json @@ -27,7 +27,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_210.json b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_210.json index 8e4c37fd4e0..f1e3fe06141 100644 --- a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_210.json +++ b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_210.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/135abb91-dcf4-48aa-b81a-5ad036b67c68_108.json b/packages/security_detection_engine/kibana/security_rule/135abb91-dcf4-48aa-b81a-5ad036b67c68_108.json new file mode 100644 index 00000000000..5d77365e086 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/135abb91-dcf4-48aa-b81a-5ad036b67c68_108.json @@ -0,0 +1,169 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects PAM version discovery activity on Linux systems. PAM version discovery can be an indication of an attacker attempting to backdoor the authentication process through malicious PAM modules.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Pluggable Authentication Module (PAM) Version Discovery", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Pluggable Authentication Module (PAM) Version Discovery\n\nPluggable Authentication Modules (PAM) provide a flexible mechanism for authenticating users on Linux systems. Adversaries may exploit PAM by discovering its version to identify vulnerabilities or backdoor the authentication process with malicious modules. The detection rule identifies suspicious processes querying PAM-related packages, indicating potential reconnaissance or tampering attempts, thus alerting security teams to possible threats.\n\n### Possible investigation steps\n\n- Review the process details to confirm the presence of suspicious activity, focusing on processes with names \"dpkg\", \"dpkg-query\", or \"rpm\" and their arguments \"libpam-modules\" or \"pam\".\n- Check the user account associated with the process to determine if it is a legitimate user or potentially compromised.\n- Investigate the parent process to understand the origin of the command execution and assess if it aligns with normal user behavior.\n- Analyze recent login attempts and authentication logs to identify any unusual patterns or failed attempts that may indicate unauthorized access attempts.\n- Correlate this activity with other alerts or logs from the same host to identify if there are additional indicators of compromise or related suspicious activities.\n\n### False positive analysis\n\n- Routine system updates or package management activities may trigger the rule when legitimate processes like dpkg or rpm query PAM-related packages. To manage this, consider creating exceptions for known maintenance windows or trusted administrative scripts.\n- Automated configuration management tools, such as Ansible or Puppet, might execute commands that match the rule's criteria. Identify these tools and exclude their processes from triggering alerts by specifying their execution context.\n- Security compliance checks or vulnerability assessments often involve querying system packages, including PAM. If these are regularly scheduled and verified, whitelist the associated processes to prevent unnecessary alerts.\n- Developers or system administrators testing PAM configurations might inadvertently trigger the rule. Establish a protocol for notifying the security team of such activities in advance, allowing for temporary exceptions during testing periods.\n- Custom scripts used for system monitoring or auditing may include commands that match the rule. Review these scripts and, if deemed safe, add them to an exclusion list to reduce false positives.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.\n- Terminate any suspicious processes identified by the detection rule, specifically those involving 'dpkg', 'dpkg-query', or 'rpm' with arguments related to PAM.\n- Conduct a thorough review of PAM configuration files and modules on the affected system to identify and remove any unauthorized or malicious modifications.\n- Restore any compromised PAM modules from a known good backup to ensure the integrity of the authentication process.\n- Monitor for any additional suspicious activity on the affected system and related systems, focusing on unusual authentication attempts or process executions.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.\n- Implement enhanced monitoring and logging for PAM-related activities across the network to detect similar threats in the future.", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n event.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\") and ?process.parent.name != null and\n (\n (process.name in (\"dpkg\", \"dpkg-query\") and process.args == \"libpam-modules\") or\n (process.name == \"rpm\" and process.args == \"pam\")\n ) and\nnot (\n ?process.parent.name in (\"dcservice\", \"inspectorssmplugin\") or\n ?process.working_directory in (\"/var/ossec\", \"/opt/msp-agent\") or\n ?process.entry_leader.executable in(\"/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent\", \"/usr/sbin/ScanAssistant\") or\n ?process.parent.executable in (\n \"/opt/CyberCNSAgent/cybercnsagent_linux\", \"/usr/local/manageengine/uems_agent/bin/dcpatchscan\",\n \"/usr/local/manageengine/uems_agent/bin/dcconfig\", \"/usr/share/vicarius/topiad\",\n \"/etc/rc.d/init.d/sshd-chroot\", \"/var/ossec/bin/wazuh-modulesd\",\n \"/usr/lib/venv-salt-minion/bin/python.original\"\n ) or\n (\n process.executable == \"/usr/bin/rpm\" and\n ?process.parent.name == \"systemd\" and\n ?process.env_vars == \"LD_LIBRARY_PATH=/usr/lib/venv-salt-minion/lib\"\n )\n)\n", + "references": [ + "https://www.group-ib.com/blog/pluggable-authentication-module/", + "https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entry_leader.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.env_vars", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "135abb91-dcf4-48aa-b81a-5ad036b67c68", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + }, + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "135abb91-dcf4-48aa-b81a-5ad036b67c68_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_112.json b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_112.json new file mode 100644 index 00000000000..0c280fe2706 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_112.json @@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", + "from": "now-9m", + "index": [ + "logs-network_traffic.*", + "logs-panw.panos*", + "logs-pfsense.log-*", + "logs-zeek.*", + "logs-corelight.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "RPC (Remote Procedure Call) from the Internet", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating RPC (Remote Procedure Call) from the Internet\n\nRPC enables remote management and resource sharing, crucial for system administration. However, when exposed to the Internet, it becomes a target for attackers seeking initial access or backdoor entry. The detection rule identifies suspicious RPC traffic by monitoring TCP port 135 and filtering out internal IP addresses, flagging potential threats from external sources.\n\n### Possible investigation steps\n\n- Review the source IP address of the alert to determine if it is from a known malicious actor or if it has been flagged in previous incidents.\n- Check the destination IP address to confirm it belongs to a critical internal system that should not be exposed to the Internet.\n- Analyze network traffic logs to identify any unusual patterns or volumes of traffic associated with the source IP, focusing on TCP port 135.\n- Investigate any related alerts or logs from the same source IP or destination IP to identify potential patterns or repeated attempts.\n- Assess the potential impact on the affected system by determining if any unauthorized access or changes have occurred.\n- Consult threat intelligence sources to gather additional context on the source IP or any related indicators of compromise.\n\n### False positive analysis\n\n- Internal testing or development environments may generate RPC traffic that appears to originate from external sources. To manage this, add the IP addresses of these environments to the exception list in the detection rule.\n- Legitimate remote management activities by trusted third-party vendors could trigger the rule. Verify the IP addresses of these vendors and include them in the exception list if they are known and authorized.\n- Misconfigured network devices or proxies might route internal RPC traffic through external IP addresses. Review network configurations to ensure proper routing and add any necessary exceptions for known devices.\n- Cloud-based services or applications that use RPC for legitimate purposes might be flagged. Identify these services and adjust the rule to exclude their IP ranges if they are verified as non-threatening.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.\n- Conduct a thorough examination of the system logs and network traffic to identify any unauthorized access or data exfiltration attempts.\n- Apply the latest security patches and updates to the affected system to address any vulnerabilities that may have been exploited.\n- Change all administrative and user credentials on the affected system and any other systems that may have been accessed using the same credentials.\n- Implement network segmentation to limit the exposure of critical systems and services, ensuring that RPC services are not accessible from the Internet.\n- Monitor the network for any signs of re-infection or further suspicious activity, focusing on traffic patterns similar to those identified in the initial alert.\n- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to determine if additional systems are compromised.", + "query": "(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:135 or data_stream.dataset:zeek.dce_rpc) and\n not (event.type: denied or event.action: flow_dropped or event.outcome: failure) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "panw", + "version": "^5.0.0" + }, + { + "package": "pfsense", + "version": "^1.0.0" + }, + { + "package": "corelight", + "version": "^1.0.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + }, + { + "package": "zeek", + "version": "^5.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", + "severity": "high", + "tags": [ + "Tactic: Initial Access", + "Domain: Endpoint", + "Use Case: Threat Detection", + "Data Source: Corelight", + "Data Source: Network Traffic", + "Data Source: PAN-OS", + "Data Source: pfSense", + "Data Source: Zeek", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + }, + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 112 + }, + "id": "143cb236-0956-4f42-a706-814bcaa0cf5a_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_211.json b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_211.json index c45b4297b6e..64bbae15c5a 100644 --- a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_211.json +++ b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_211.json @@ -22,7 +22,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/168b5538-4d54-4269-b4f5-786fa49dd850_1.json b/packages/security_detection_engine/kibana/security_rule/168b5538-4d54-4269-b4f5-786fa49dd850_1.json new file mode 100644 index 00000000000..7879c333ff3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/168b5538-4d54-4269-b4f5-786fa49dd850_1.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an Amazon Bedrock agent is associated with, or updated to use, a knowledge base via the AssociateAgentKnowledgeBase, or UpdateAgentKnowledgeBase API actions. Bedrock agents consume knowledge base (RAG) content as trusted context for the model. By wiring an agent to an externally controlled or third-party knowledge base, or by swapping in an attacker-controlled knowledge base, an adversary can redraw the agent's trust boundary toward an untrusted source. This is a software-supply-chain compromise and an indirect prompt-injection delivery vector: poisoned or adversarial content served from the associated knowledge base is treated as authoritative by the agent. Validate that the associated knowledge base, and any underlying data source, is owned and controlled by your organization.", + "false_positives": [ + "Legitimate platform, ML, or application teams may associate or update knowledge bases on Bedrock agents as part of normal development, onboarding, or RAG pipeline changes. Verify that the actor identity, user agent, and source IP correspond to expected automation or authorized engineers, and that the associated knowledge base is an approved, organization-owned resource. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-6m", + "history_window_start": "now-7d", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.provider", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.flattened.request_parameters", + "aws.cloudtrail.flattened.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Bedrock Third-Party or External Knowledge Base Associated to Agent", + "new_terms_fields": [ + "aws.cloudtrail.user_identity.arn" + ], + "note": "## Triage and analysis\n\n### Investigating AWS Bedrock Third-Party or External Knowledge Base Associated to Agent\n\nAmazon Bedrock agents use knowledge bases to retrieve content that is injected into the model's context as\ntrusted, authoritative information (Retrieval-Augmented Generation). The `AssociateAgentKnowledgeBase`, and \n`UpdateAgentKnowledgeBase` actions change which knowledge base an agent trusts. Because the model consumes this \ncontent as ground truth, redirecting an agent toward an externally controlled or attacker-supplied knowledge base \nis a supply-chain and indirect prompt-injection delivery vector \u2014 distinct from poisoning the content of a knowledge \nbase the agent already trusts.\n\n#### Possible investigation steps\n\n- **Identify the actor and context**\n - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, `user_agent.original`, and `source.ip`.\n - Confirm a related change request exists (RAG pipeline change, agent onboarding, model improvement work).\n- **Validate the association**\n - In `aws.cloudtrail.flattened.request_parameters`, identify the `agentId`, `knowledgeBaseId`, and any third-party\n or external endpoint/configuration referenced.\n - Confirm the knowledge base and its underlying data source are owned by your organization and not an external account.\n- **Assess blast radius**\n - Determine which applications or users invoke the affected agent and what sensitivity of decisions it drives.\n - Check `aws.cloudtrail.flattened.response_elements` for the resulting association state.\n- **Correlate activity**\n - Look for preceding enumeration (`ListAgents`, `ListKnowledgeBases`, `GetAgent`) or creation of new knowledge\n bases and data sources from the same identity.\n\n### False positive analysis\n\n- **Planned RAG changes**: ML/platform teams routinely associate or update knowledge bases. Validate via ticket\n and confirm the resource is an approved, organization-owned knowledge base.\n- **Automation**: IaC or CI/CD pipelines may manage agent\u2013knowledge base associations during deployment.\n\n### Response and remediation\n\n- If unauthorized, dissociate the knowledge base from the agent and restore the approved configuration.\n- Review the associated knowledge base and its data source for attacker-controlled or external content; quarantine if suspect.\n- Audit the actor's recent Bedrock and IAM activity and rotate credentials if compromise is suspected.\n- Restrict `bedrock:AssociateAgentKnowledgeBase`, `bedrock:UpdateAgentKnowledgeBase`, and third-party association\n permissions to a small set of trusted roles.\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"bedrock.amazonaws.com\"\n and event.action: (\n \"AssociateAgentKnowledgeBase\" or\n \"UpdateAgentKnowledgeBase\"\n )\n and event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/agents.html", + "https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "168b5538-4d54-4269-b4f5-786fa49dd850", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: LLM", + "Data Source: Amazon Web Services", + "Data Source: AWS", + "Data Source: AWS CloudTrail", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "168b5538-4d54-4269-b4f5-786fa49dd850_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16acac42-b2f9-4802-9290-d6c30914db6e_8.json b/packages/security_detection_engine/kibana/security_rule/16acac42-b2f9-4802-9290-d6c30914db6e_8.json index e4afe9af977..4f464f81e64 100644 --- a/packages/security_detection_engine/kibana/security_rule/16acac42-b2f9-4802-9290-d6c30914db6e_8.json +++ b/packages/security_detection_engine/kibana/security_rule/16acac42-b2f9-4802-9290-d6c30914db6e_8.json @@ -38,10 +38,6 @@ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html" ], "related_integrations": [ - { - "package": "aws", - "version": "^4.0.0" - }, { "integration": "cloudtrail", "package": "aws", diff --git a/packages/security_detection_engine/kibana/security_rule/1aefed68-eecd-47cc-9044-4a394b60061d_2.json b/packages/security_detection_engine/kibana/security_rule/1aefed68-eecd-47cc-9044-4a394b60061d_2.json index db3ff4991c2..cfa09b12048 100644 --- a/packages/security_detection_engine/kibana/security_rule/1aefed68-eecd-47cc-9044-4a394b60061d_2.json +++ b/packages/security_detection_engine/kibana/security_rule/1aefed68-eecd-47cc-9044-4a394b60061d_2.json @@ -23,10 +23,6 @@ "https://github.com/msanft/CVE-2025-55182" ], "related_integrations": [ - { - "package": "panw", - "version": "^5.0.0" - }, { "package": "cisco_ftd", "version": "^3.0.0" @@ -35,6 +31,10 @@ "package": "fortinet_fortigate", "version": "^1.0.0" }, + { + "package": "panw", + "version": "^5.0.0" + }, { "package": "suricata", "version": "^2.0.0" diff --git a/packages/security_detection_engine/kibana/security_rule/1b1b4236-175f-4863-89f7-7f0d2da0f0e8_1.json b/packages/security_detection_engine/kibana/security_rule/1b1b4236-175f-4863-89f7-7f0d2da0f0e8_1.json new file mode 100644 index 00000000000..ce432df34c8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1b1b4236-175f-4863-89f7-7f0d2da0f0e8_1.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when Microsoft Quick Assist sharing mode is set to FullControl on a Windows host. This grants the remote helper full interactive control of the target device and may indicate IT help desk fraud, unauthorized remote access, or lateral movement preparation.", + "from": "now-9m", + "index": [ + "logs-system.application*", + "logs-windows.forwarded*", + "winlogbeat-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "host.id", + "host.name", + "user.id", + "user.name", + "event.provider", + "event.code", + "winlog.event_id", + "winlog.event_data.param1" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Quick Assist Full Control Sharing Mode Enabled", + "note": "## Triage and analysis\n\n### Investigating Quick Assist Full Control Sharing Mode Enabled\n\nMicrosoft Quick Assist is a built-in remote support tool. When a sharer grants FullControl, the helper can interact with\nthe desktop as if physically present. Adversaries abuse Quick Assist in help desk fraud and social engineering to gain\ninteractive access without deploying separate remote access software.\n\nQuick Assist logs these transitions in the Windows Application log under the Quick Assist provider. A `setsharingmode`\ncommand with sharing mode `FullControl` is written to `winlog.event_data.param1`, often alongside a JSON payload that\nincludes `\"result\":\"true\"` when consent is granted.\n\n#### Possible investigation steps\n\n- Review `winlog.event_data.param1` and any related Quick Assist Application log events around `@timestamp` for\n `beginsharing`, `setsharingmode`, and `endsharing` commands to reconstruct the session timeline.\n- Identify the local user on `host.id` who initiated or approved the session and determine whether Quick Assist use is\n expected for that user, host role, or business unit.\n- Correlate with process telemetry for `QuickAssist.exe` on the same host and timeframe, including parent process,\n command line, and code signature details when available.\n- Check for related alerts on the same `host.id` or `user.id`, such as credential access, defense evasion, or\n additional remote access activity during or shortly after the session.\n- If the host is a server or privileged workstation, determine whether any follow-on actions occurred during the\n FullControl window, such as new logons, service creation, or lateral movement.\n\n### False positive analysis\n\n- IT help desk, managed service providers, and internal support teams legitimately use Quick Assist with FullControl\n during approved troubleshooting. Confirm the session aligns with an open ticket, known support staff, and expected\n host and user pairings before closing as benign.\n- Before creating an exception, anchor it on the minimum confirmed workflow: `host.id`, `user.id`, and recurring\n support patterns. Avoid broad exceptions on the Quick Assist provider alone.\n\n### Response and remediation\n\n- If confirmed malicious, terminate the Quick Assist session, isolate the affected host when feasible, and reset\n credentials for accounts used or exposed during the session.\n- Preserve Application log events containing `winlog.event_data.param1` and related Quick Assist telemetry before\n remediation.\n- Review whether Quick Assist should remain enabled organization-wide or be restricted via policy for high-value hosts.\n- Hunt for additional hosts where the same remote helper pattern or concurrent Quick Assist FullControl sessions\n occurred.", + "query": "host.os.type:windows and winlog.channel:\"Application\" and event.provider:\"Quick Assist\" and event.code:\"0\" and\n winlog.event_data.param1:(*FullControl* and *setsharingmode*)\n", + "references": [ + "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/", + "https://attack.mitre.org/software/S1209/" + ], + "related_integrations": [ + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.channel", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.param1", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1b1b4236-175f-4863-89f7-7f0d2da0f0e8", + "setup": "## Setup\n\nWindows Application event log collection must be enabled via the Elastic Agent System integration to ingest Application log events.\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Lateral Movement", + "Data Source: Windows Application Event Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "1b1b4236-175f-4863-89f7-7f0d2da0f0e8_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c28becc-ec0b-4e6d-81a5-899d00348089_1.json b/packages/security_detection_engine/kibana/security_rule/1c28becc-ec0b-4e6d-81a5-899d00348089_1.json index ec7ae8250b6..db425f60b52 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c28becc-ec0b-4e6d-81a5-899d00348089_1.json +++ b/packages/security_detection_engine/kibana/security_rule/1c28becc-ec0b-4e6d-81a5-899d00348089_1.json @@ -24,10 +24,6 @@ "https://www.kernel.org/doc/html/latest/crypto/userspace-if.html" ], "related_integrations": [ - { - "package": "auditd_manager", - "version": "^1.0.0" - }, { "integration": "auditd", "package": "auditd_manager", diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_212.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_212.json deleted file mode 100644 index b449073d289..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_212.json +++ /dev/null @@ -1,119 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.file-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Web Browser Sensitive File Access", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious Web Browser Sensitive File Access\n\nWeb browsers store sensitive data like cookies and login credentials in specific files. Adversaries exploit this by accessing these files using untrusted or unsigned processes, potentially stealing credentials. The detection rule identifies such unauthorized access on macOS by monitoring file access events, focusing on untrusted processes or scripts, and excluding known safe executables, thus flagging potential credential theft attempts.\n\n### Possible investigation steps\n\n- Review the process executable path and name to determine if it is a known legitimate application or script, focusing on those not signed by trusted entities or identified as osascript.\n- Check the process code signature details to verify if the process is unsigned or untrusted, which could indicate malicious activity.\n- Investigate the user account associated with the process to determine if there is any unusual or unauthorized activity, such as unexpected logins or privilege escalations.\n- Examine the file access event details, including the specific sensitive file accessed (e.g., cookies.sqlite, logins.json), to assess the potential impact on credential security.\n- Correlate the event with other security alerts or logs from the same host or user to identify any patterns or additional suspicious activities that might indicate a broader compromise.\n- Verify if the process executable path matches any known safe paths, such as the excluded path for the Elastic Endpoint, to rule out false positives.\n\n### False positive analysis\n\n- Access by legitimate applications: Some legitimate applications may access browser files for valid reasons, such as backup or synchronization tools. Users can create exceptions for these applications by adding their code signatures to the exclusion list.\n- Developer or testing scripts: Developers might use scripts like osascript for testing purposes, which could trigger the rule. To manage this, users can whitelist specific scripts or processes used in development environments.\n- Security software interactions: Security tools might access browser files as part of their scanning or monitoring activities. Users should verify the legitimacy of these tools and add them to the exclusion list if they are trusted.\n- System maintenance tasks: Automated system maintenance tasks might access browser files. Users can identify these tasks and exclude them if they are part of routine system operations and deemed safe.\n\n### Response and remediation\n\n- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any untrusted or unsigned processes identified in the alert, especially those accessing sensitive browser files.\n- Conduct a thorough review of the affected system's recent activity logs to identify any additional suspicious behavior or potential lateral movement.\n- Change all potentially compromised credentials, focusing on those stored in the affected web browsers, and enforce multi-factor authentication where possible.\n- Restore any altered or deleted sensitive files from a known good backup to ensure data integrity.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.\n- Update endpoint protection and monitoring tools to enhance detection capabilities for similar unauthorized access attempts in the future.", - "query": "file where event.action == \"open\" and host.os.type == \"macos\" and process.executable != null and\n file.name like~ (\"cookies.sqlite\",\n \"key?.db\",\n \"logins.json\",\n \"Cookies\",\n \"Cookies.binarycookies\",\n \"Login Data\") and\n ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name == \"osascript\") and\n not process.code_signature.signing_id == \"org.mozilla.firefox\" and\n not Effective_process.executable like \"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\"\n", - "references": [ - "https://securelist.com/calisto-trojan-for-macos/86543/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^9.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Effective_process.executable", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.exists", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.code_signature.signing_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1539", - "name": "Steal Web Session Cookie", - "reference": "https://attack.mitre.org/techniques/T1539/" - }, - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.003", - "name": "Credentials from Web Browsers", - "reference": "https://attack.mitre.org/techniques/T1555/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 212 - }, - "id": "20457e4f-d1de-4b92-ae69-142e27a4342a_212", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_12.json b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_12.json new file mode 100644 index 00000000000..b547af2773d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_12.json @@ -0,0 +1,157 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the first time a user authorizes a third-party Google OAuth application that requests identity or sign-in scopes. Adversaries may abuse compromised credentials or phishing-linked consent flows to register novel OAuth clients, obtain refresh tokens, and authenticate as valid users while evading password-only detections.", + "false_positives": [ + "Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks." + ], + "from": "now-130m", + "history_window_start": "now-15d", + "index": [ + "logs-google_workspace.token-*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "user.name", + "user.email", + "source.ip", + "user.domain", + "event.action", + "google_workspace.token.app_name", + "google_workspace.token.client.type", + "google_workspace.token.client.id", + "google_workspace.token.scope.value" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", + "new_terms_fields": [ + "google_workspace.token.client.id" + ], + "note": "## Triage and analysis\n\n### Investigating First Time Seen Google Workspace OAuth Login from Third-Party Application\n\nThreat actors may trick users into authorizing adversary-controlled OAuth applications after credential theft, AiTM\nrelay, or spearphishing. A successful `authorize` grant issues tokens the application can reuse to act on behalf of the\nuser. Novel third-party client IDs are a strong signal as malicious consent often appears as a first-time application in the tenant.\n\nThis rule uses `new_terms` to flag the first appearance of a `google_workspace.token.client.id` when\na user grants at least one identity or sign-in scope in `google_workspace.token.scope.value` (for example `openid`,\n`userinfo.email`, `userinfo.profile`, or `OAuthLogin`).\n\n### Possible investigation steps\n\n- Identify the user who authorized the application by reviewing `user.email` or `user.name`, and note `source.ip` and `event.ingested` if present in the alert.\n- Identify the application by reviewing `google_workspace.token.app_name` and `google_workspace.token.client.id`.\n- Review granted scopes in `google_workspace.token.scope.value` to determine whether the app received identity-only access or additional permissions (for example calendar, drive, or mail scopes on the same grant).\n- Determine whether the authorization is expected and authorized:\n - If `source.ip` or timing is unusual for the user, treat the alert as higher priority until proven benign.'\n\n- Search Kibana for related activity:\n - Find prior authorizations for the same client in the org:\n ```\n data_stream.dataset: \"google_workspace.token\" and event.action: \"authorize\" and google_workspace.token.client.id: \"\"\n ```\n - Correlate with sign-in anomalies for the same user:\n ```\n data_stream.dataset: \"google_workspace.login\" and user.email: \"\"\n ```\n - Scope for other OAuth or admin changes from the same `user.email` within the last 48 hours.\n\n### False positive analysis\n\n- Internal development or QA OAuth clients may appear as new `client.id` values during testing; coordinate with engineering teams and exclude known test clients if needed.\n- Some vendors rotate OAuth client IDs during major upgrades, which can look like a new application, confirm with the vendor or IT owner before closing as benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on triage findings.\n- If the authorization is not clearly authorized, revoke the application's access for the affected user under Security > Access and data control > API controls (or remove the user token via admin OAuth reports).\n- If the user account is suspected compromised, reset credentials, revoke active sessions, and review all OAuth grants for that user.\n- Review activity performed with the new token (Drive, Gmail, Calendar, or other services implied by `google_workspace.token.scope.value`).\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566", + "query": "data_stream.dataset: \"google_workspace.token\"\n and event.action: \"authorize\"\n and google_workspace.token.scope.value: (*openid* or *userinfo.email* or *userinfo.profile* or *Login*)\n and google_workspace.token.client.id: *apps.googleusercontent.com\n", + "references": [ + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two", + "https://developers.google.com/apps-script/guides/bound", + "https://developers.google.com/identity/protocols/oauth2" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.token.client.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.token.scope.value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Tactic: Defense Evasion", + "Tactic: Initial Access", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 12 + }, + "id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc_12", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_217.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_217.json new file mode 100644 index 00000000000..f06965e017c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_217.json @@ -0,0 +1,152 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspicious or malicious behavior.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel Module Load via Built-in Utility", + "note": "## Triage and analysis\n\n### Investigating Kernel Module Load via Built-in Utility\n\nThreat actors with root privileges may abuse pre-installed binaries to load loadable kernel modules (LKMs), which are object files that extend the functionality of the kernel. \n\nThreat actors can abuse this utility to load rootkits, granting them full control over the system and the ability to evade security products.\n\nThe detection rule 'Kernel Module Load via Built-in Utility' is designed to identify instances where these binaries are used to load a kernel object file (with a .ko extension) on a Linux system. This activity is uncommon and may indicate suspicious or malicious behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the kernel object file that was loaded.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n- Investigate the kernel ring buffer for any warnings or messages, such as tainted or out-of-tree kernel module loads through `dmesg`.\n- Investigate syslog for any unusual segfaults or other messages. Rootkits may be installed on targets with different architecture as expected, and could potentially cause segmentation faults. \n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - $osquery_6\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Kernel Driver Load - 3e12a439-d002-4944-bc42-171c0dcb9b96\n- Tainted Out-Of-Tree Kernel Module Load - 51a09737-80f7-4551-a3be-dac8ef5d181a\n- Tainted Kernel Module Load - 05cad2fb-200c-407f-b472-02ea8c9e5e4a\n- Attempt to Clear Kernel Ring Buffer - 2724808c-ba5d-48b2-86d2-0002103df753\n- Enumeration of Kernel Modules via Proc - 80084fa9-8677-4453-8680-b891d3c0c778\n- Suspicious Modprobe File Event - 40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\n- Kernel Module Removal - cd66a5af-e34b-4bb0-8931-57d0a043f2ef\n- Enumeration of Kernel Modules - 2d8043ed-5bda-4caf-801c-c1feb7410504\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"executed\", \"process_started\") and (\n (process.name == \"kmod\" and process.args == \"insmod\" and process.args like~ \"*.ko*\") or\n (process.name == \"kmod\" and process.args == \"modprobe\" and not process.args in (\"-r\", \"--remove\")) or\n (process.name == \"insmod\" and process.args like~ \"*.ko*\") or\n (process.name == \"modprobe\" and not process.args in (\"-r\", \"--remove\"))\n) and\nnot (\n ?process.parent.executable like (\"/opt/ds_agent/*\", \"/opt/TrendMicro/vls_agent/*\", \"/opt/intel/oneapi/*\") or\n ?process.working_directory in (\"/opt/vinchin/agent\", \"/var/opt/ds_agent/am\", \"/opt/ds_agent\", \"/var/opt/TrendMicro/vls_agent/am\") or\n ?process.parent.executable in (\n \"/usr/lib/uptrack/ksplice-apply\", \"/opt/commvault/commvault/Base/linux_drv\", \"/opt/cisco/amp/bin/cisco-amp-helper\",\n \"/usr/bin/kcarectl\", \"/usr/share/ksplice/ksplice-apply\", \"/opt/commvault/Base/linux_drv\", \"/usr/sbin/veeamsnap-loader\",\n \"/bin/falcoctl\"\n ) or\n (?process.parent.name like (\"python*\", \"platform-python*\") and ?process.parent.args in (\"--smart-update\", \"--auto-update\")) or\n (\n process.name == \"modprobe\" and process.args == \"-q\" and process.args == \"--\" and process.args in (\"net-pf-10\", \"netdev-\", \"binfmt-464c\")\n ) or\n (\n process.name == \"modprobe\" and process.args == \"-n\" and process.args == \"-v\" and process.args in (\"usb-storage\", \"dccp\", \"squashfs\", \"udf\", \"sctp\", \"cramfs\", \"hfsplus\")\n ) or\n ?process.parent.executable like (\"/sbin/iptables-multi*\", \"/var/ossec/bin/wazuh-modulesd\", \"/usr/sbin/mkinitramfs\", \"/usr/share/initramfs-tools/hooks/lvm2\") or\n ?process.parent.args like \"/usr/share/initramfs-tools/hooks/*\"\n)\n", + "references": [ + "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2339f03c-f53f-40fa-834b-40c5983fc41f", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Threat: Rootkit", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 217 + }, + "id": "2339f03c-f53f-40fa-834b-40c5983fc41f_217", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2449be9d-2fdf-4126-a85b-f05e4058df9f_2.json b/packages/security_detection_engine/kibana/security_rule/2449be9d-2fdf-4126-a85b-f05e4058df9f_2.json new file mode 100644 index 00000000000..0e84d23f8d9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2449be9d-2fdf-4126-a85b-f05e4058df9f_2.json @@ -0,0 +1,70 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the network signature of CVE-2026-41940, a pre-auth root-level authentication bypass in cPanel and WebHost Manager (WHM) caused by a CRLF injection in the session writer. The exploit-inherent shape on the wire is a `GET /` request to a cPanel/WHM admin port (typically TCP/2087, 2086, 2083, 2082, 2095, 2096) carrying an `Authorization: Basic` header whose base64-decoded value contains CRLF-injected session fields, which causes cpsrvd to respond with a 3xx redirect whose `Location` header leaks a `/cpsessNNNNNNNNNN` token granting the attacker a privileged session. This is the network-layer equivalent of the cPanel `access_log` artifact identified by Unfold and watchTowr as the first bulletproof detection for this CVE: a `GET /` recorded with `auth_method=b` (HTTP Basic). Legitimate access to `GET /` on a WHM admin port returns 200 with the login screen and never includes HTTP Basic credentials, so this combination is not produced by normal use.", + "false_positives": [ + "Authorized vulnerability scanners (Nessus, Tenable, Qualys, etc.) running CVE-2026-41940 plugins will reproduce the exploit shape. Validate against scan windows and source IPs of approved scanners before escalating." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.http*", + "logs-zeek.http*" + ], + "language": "lucene", + "license": "Elastic License v2", + "name": "Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940)", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940)\n\nCVE-2026-41940 is a critical (CVSS 9.8) authentication bypass in cPanel & WHM that gives an unauthenticated attacker\na root-privileged session on the host. The exploit chains a CRLF injection in the session writer with an\nencryption-skip triggered by a malformed cookie, then uses how cPanel caches sessions to promote the injected data\ninto a privileged login. Around 1.5M cPanel instances were exposed at disclosure and exploitation has been observed in\nthe wild since 2026-02-23, two months before the patch.\n\nThis rule fires on the Stage 2 request/response shape: a `GET /` to a cPanel admin port that carries an\n`Authorization: Basic` header and receives a 3xx redirect whose `Location` points at a freshly minted\n`/cpsessNNNNNNNNNN` path. Per the watchTowr and Unfold writeups, this is the only request shape that lets the\nexploit retrieve the security token needed for Stage 4 (privileged use of the session).\n\n### Detection logic\n\nThe rule requires all of the following on a single decoded HTTP transaction matched from\n`data_stream.dataset:network_traffic.http` (or `event.category:network_traffic` with `network.protocol:http`):\n\n- `http.request.method:GET` and `url.path:\"/\"` \u2014 request targets the root path exactly. The CRLF vulnerability is only\n reachable on `GET /`; the same payload on other paths does not return the redirect that leaks the token, so the\n match is intentionally exact (a request like `GET /index.html` will not fire).\n- `destination.port:(2087 OR 2086 OR 2083 OR 2082 OR 2095 OR 2096)` \u2014 cPanel/WHM admin and webmail ports. These are\n not in the default Network Packet Capture HTTP port list and must be added explicitly (see Setup).\n- `http.response.status_code:[300 TO 399]` \u2014 a redirect response. Normal `GET /` to WHM returns 200 with the login\n screen; only the exploit produces a 3xx here.\n- `http.request.headers.authorization:Basic*` \u2014 HTTP Basic credentials sent on `GET /`. This is the network-layer\n equivalent of the `auth_method=b` flag the Unfold and watchTowr writeups identify as the first bulletproof artifact\n in cPanel's `access_log`. `GET /` is an unauthenticated endpoint in normal cPanel operation and never legitimately\n carries Basic auth.\n- `http.response.headers.location:/cpsess*` \u2014 the response redirects to a `/cpsess`-prefixed path, leaking the CSRF\n token the attacker needs for Stage 4. This is what makes the exploit succeed and is not produced by any benign flow.\n\n### Possible investigation steps\n\n- Capture the alert evidence. Record `source.ip` (attacker), `destination.ip` (cPanel host), `destination.port`,\n `user_agent.original`, `http.response.status_code`, the exact `http.response.headers.location` value (which contains\n the leaked `cpsess` token), and the captured `http.request.headers.authorization` value.\n- Decode the Authorization header to confirm the CRLF payload. Strip the leading `Basic ` from\n `http.request.headers.authorization` and base64-decode the remainder. A legitimate Basic credential decodes to\n `username:password`; the exploit's payload decodes to a multi-line block delimited by `\\r\\n` containing fields like\n `successful_internal_auth_with_timestamp=`, `tfa_verified=1`, and `hasroot=1`. CRLF bytes in the decoded value\n distinguish exploitation from a misconfigured Basic-auth client.\n- Confirm the destination host runs cPanel/WHM. Identify the installed version and whether the 2026-04-28 emergency\n patch is applied.\n- Pivot on the source IP across the host's `/usr/local/cpanel/logs/access_log`. The exploit-inherent log artifact is a\n request line of the form `\"GET / HTTP/1.1\" 3xx 0 \"-\" \"\" \"b\" \"-\" ` \u2014 `auth_method=b` on `GET /` should never\n occur in normal operation and corresponds 1:1 to the `http.request.headers.authorization:Basic*` clause in this rule.\n- Look for the Stage 4 follow-on from the same source IP: a request to the leaked `cpsess` path\n (`/cpsessNNNNNNNNNN/...`) with `auth_method=s` (session) and HTTP 200, without a preceding successful login\n (form POST `/login`, `/openid_connect/`, or reseller `?session=`). This is the post-exploitation artifact.\n- Identify whether privileged WHM API actions were invoked under the leaked `cpsess` token (account creation, package\n install, file manager writes, terminal API).\n- Review egress from the host for outbound connections initiated after the alert that could indicate web shell or\n implant install.\n\n### False positive analysis\n\n- Legitimate WHM administration never produces `GET /` with HTTP Basic authentication and a 3xx redirect leaking a\n fresh `cpsess` token. This combination is exploit-inherent.\n- Authorized vulnerability scans running CVE-2026-41940 plugins will reproduce the request shape.\n\n### Response and remediation\n\n- Apply the cPanel emergency patch released 2026-04-28 (or the WP Squared equivalent). Verify by checking the\n installed cPanel version against the advisory.\n- If the alert is paired with an `auth_method=s` `cpsess` request (post-exploitation), assume host compromise:\n rotate root credentials, audit `/var/cpanel/sessions/`, look for newly created accounts, scheduled tasks, SSH keys,\n and `authorized_keys` modifications.\n- Restrict access to cPanel admin ports (2087/2086/2083/2082/2095/2096) to known administrator source IPs at the\n perimeter or via host firewall.\n- Block the source IP at the WAF or perimeter if exploitation is confirmed.\n", + "query": "(\n (\n (data_stream.dataset:network_traffic.http OR (event.category:network_traffic AND network.protocol:http)) AND\n http.response.status_code:[300 TO 399] AND\n http.request.headers.authorization:Basic* AND\n http.response.headers.location:\\/cpsess*\n )\n OR\n (\n data_stream.dataset:zeek.http AND\n zeek.http.client_header_names:AUTHORIZATION AND\n zeek.http.server_header_names:LOCATION\n )\n) AND\nhttp.request.method:GET AND\nurl.path:\"/\" AND\ndestination.port:(2087 OR 2086 OR 2083 OR 2082 OR 2095 OR 2096)\n", + "references": [ + "https://www.unfold.ai/blog/cpanel-exploit-cve-2026-41940", + "https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/", + "https://www.picussecurity.com/resource/blog/cve-2026-41940-explained-cpanel-whm-authentication-bypass-hit-1-5m-servers", + "https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026", + "https://nvd.nist.gov/vuln/detail/CVE-2026-41940", + "https://docs.cpanel.net/knowledge-base/cpanel-product/the-cpanel-log-files", + "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers" + ], + "related_integrations": [], + "risk_score": 73, + "rule_id": "2449be9d-2fdf-4126-a85b-f05e4058df9f", + "setup": "## Setup\n\nThis rule supports two data sources:\n\n1. **Network Packet Capture / Packetbeat (preferred):** Requires the Network Packet Capture integration (or legacy\n Packetbeat) with cPanel admin ports added to the HTTP protocol configuration and `send_all_headers` enabled, so that\n `http.request.headers.authorization` and `http.response.headers.location` are populated. cPanel admin ports\n (2087/2086/2083/2082/2095/2096) are not in the default HTTP port list and must be added explicitly.\n2. **Zeek HTTP logs (`zeek.http`):** Zeek records only the names of HTTP request and response headers in\n `zeek.http.client_header_names` and `zeek.http.server_header_names`, not their values. The Zeek branch of this rule\n therefore matches on the presence of `AUTHORIZATION` and `LOCATION` headers on a `GET /` to a cPanel admin port,\n which is a less precise but still exploit-shaped signal. Confirm exploitation by retrieving the raw header values\n from the upstream Zeek sensor or correlated packet capture.\n\n The Zeek branch has non-default sensor prerequisites that must be met or it will never match:\n - **Header-name logging is not enabled by default.** `client_header_names` and `server_header_names` are produced by\n the policy script `policy/protocols/http/header-names.zeek`, which is not loaded by `base/protocols/http` or the\n default `site/local.zeek`. Add `@load policy/protocols/http/header-names.zeek` to the Zeek configuration. Without\n it, neither field is emitted and the Zeek branch cannot fire.\n - **Server header-name logging defaults to off.** Even with the script loaded, `HTTP::log_server_header_names`\n defaults to `F`, so the `server_header_names:LOCATION` condition is unsatisfiable. Set\n `redef HTTP::log_server_header_names = T;` (client header-name logging is on by default).\n - **Non-standard ports are handled by DPD, not a port list.** Zeek ships port-independent HTTP DPD signatures\n (`base/protocols/http/dpd.sig`) that detect HTTP by payload regardless of port, so plaintext `GET /` on cPanel\n admin ports (2086/2082/2095) is parsed into `zeek.http` without registering those ports. The TLS ports\n (2087/2083/2096) are encrypted and yield `zeek.ssl`, not `zeek.http`, unless the sensor sits upstream of TLS\n termination (see decryption note below).\n\ncPanel/WHM exposes paired TLS and plaintext ports: 2087 (WHM HTTPS), 2083 (cPanel HTTPS), and 2096 (Webmail HTTPS)\nrequire decryption visibility (TLS interception, sidecar on the host, or a sensor upstream of TLS termination) for\neither data source to observe HTTP headers. The plaintext counterparts \u2014 2086 (WHM HTTP), 2082 (cPanel HTTP), and 2095\n(Webmail HTTP) \u2014 carry headers in the clear and are observable without decryption. An attacker can exploit the\nvulnerability over either variant, so both sets of ports are included in this rule.\n", + "severity": "high", + "tags": [ + "Domain: Network", + "Domain: Application", + "Domain: Web", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Tactic: Initial Access", + "Data Source: Network Packet Capture", + "Data Source: Network Traffic", + "Data Source: Zeek", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "2449be9d-2fdf-4126-a85b-f05e4058df9f_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_108.json b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_108.json deleted file mode 100644 index 0ee7fa7a136..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_108.json +++ /dev/null @@ -1,124 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM).", - "from": "now-9m", - "index": [ - "auditbeat-*", - "endgame-*", - "logs-auditd_manager.auditd-*", - "logs-crowdstrike.fdr*", - "logs-endpoint.events.process*", - "logs-sentinel_one_cloud_funnel.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Attempt to Clear Kernel Ring Buffer", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Attempt to Clear Kernel Ring Buffer\n\nThe kernel ring buffer logs system messages, crucial for diagnosing issues. Adversaries may clear these logs using the `dmesg -c` command to hide traces of malicious activities, such as installing unauthorized kernel modules. The detection rule identifies this behavior by monitoring the execution of `dmesg` with specific arguments, flagging potential evasion attempts for further investigation.\n\n### Possible investigation steps\n\n- Review the process execution details to confirm the presence of the `dmesg -c` command, focusing on the process name and arguments to ensure the alert is valid.\n- Investigate the user account associated with the execution of the `dmesg -c` command to determine if it is a known and authorized user or potentially compromised.\n- Check for any recent installations or modifications of Linux kernel modules (LKMs) on the host to identify unauthorized changes that may coincide with the log clearing attempt.\n- Examine other system logs and security alerts around the same timeframe to identify any suspicious activities or patterns that may indicate a broader attack or compromise.\n- Assess the host's network activity for any unusual outbound connections or data exfiltration attempts that could suggest further malicious intent.\n\n### False positive analysis\n\n- Routine system maintenance activities may trigger the rule if administrators use the dmesg -c command to clear logs for legitimate purposes. To handle this, create exceptions for known maintenance scripts or processes that regularly execute this command.\n- Automated scripts or monitoring tools that include dmesg -c as part of their log management routine can cause false positives. Identify these scripts and exclude them from the rule by specifying their process IDs or user accounts.\n- Development and testing environments where kernel modules are frequently installed and removed might generate alerts. Consider excluding these environments from the rule or adjusting the risk score to reflect the lower threat level in these contexts.\n- System administrators may use dmesg -c during troubleshooting to clear logs and view new messages. Document these activities and create exceptions for specific user accounts or roles that perform this task regularly.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further malicious activity or lateral movement.\n- Conduct a thorough review of the system to identify any unauthorized kernel modules or other suspicious changes, and remove them if found.\n- Restore the system from a known good backup if unauthorized changes are detected and cannot be easily reversed.\n- Review and update access controls and permissions to ensure that only authorized users have the ability to execute commands like `dmesg -c`.\n- Implement enhanced monitoring and logging for the affected system to detect any future attempts to clear the kernel ring buffer or similar evasion tactics.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Conduct a post-incident review to identify gaps in detection and response, and update security policies and procedures to prevent recurrence.", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"executed\", \"process_started\")\n and process.name == \"dmesg\" and process.args in (\"-c\", \"--clear\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^9.0.0" - }, - { - "package": "auditd_manager", - "version": "^1.18.0" - }, - { - "package": "crowdstrike", - "version": "^1.51.0" - }, - { - "package": "sentinel_one_cloud_funnel", - "version": "^1.9.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "2724808c-ba5d-48b2-86d2-0002103df753", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.002", - "name": "Clear Linux or Mac System Logs", - "reference": "https://attack.mitre.org/techniques/T1070/002/" - } - ] - }, - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 108 - }, - "id": "2724808c-ba5d-48b2-86d2-0002103df753_108", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/29e57265-d358-420a-b1cd-845e8a1fd70d_1.json b/packages/security_detection_engine/kibana/security_rule/29e57265-d358-420a-b1cd-845e8a1fd70d_1.json new file mode 100644 index 00000000000..f4829a80197 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/29e57265-d358-420a-b1cd-845e8a1fd70d_1.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects attempts to abuse Redis CONFIG SET commands to redirect the database save directory to a cron directory on Linux hosts. Attackers issue CONFIG SET dir to a cron path such as /etc/cron.d or /var/spool/cron, set a filename via CONFIG SET dbfilename, write a cron payload via SET, and then call BGSAVE to flush it to disk, establishing persistence for execution of an XMRig cryptominer.", + "from": "now-9m", + "index": [ + "logs-network_traffic.redis*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Redis CONFIG SET Cron Directory Persistence (RedisRaider)", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Redis CONFIG SET Cron Directory Persistence (RedisRaider)\n\nRedis's CONFIG SET command allows runtime reconfiguration of the server, including the working directory (`dir`) and database filename (`dbfilename`). Attackers exploit this to redirect Redis's BGSAVE output into system directories such as `/etc/cron.d` or `/var/spool/cron`, writing attacker-controlled content as a cron job. The RedisRaider campaign used this technique to deploy XMRig cryptominers at scale by mass-scanning IPv4 blocks for unauthenticated Redis instances.\n\nA related variant (not specific to RedisRaider) targets SSH key injection using `CONFIG SET dir /root/.ssh` and `CONFIG SET dbfilename authorized_keys`. Consider a companion rule for that pattern if your Redis instances are internet-exposed.\n\n### Possible investigation steps\n\n- Identify the source IP and determine whether it is an expected Redis client or an external/unknown address. Internet-sourced CONFIG SET to a cron path is almost certainly malicious.\n- Check whether the destination Redis instance requires authentication (`requirepass` or ACL). Unauthenticated instances are the primary target of RedisRaider-style campaigns.\n- Review subsequent Redis commands from the same source IP for `SET` (cron payload write) and `BGSAVE` (flush to disk), which complete the persistence chain.\n- Examine the Redis host for new or modified files under `/etc/cron.d`, `/etc/cron.daily`, `/etc/cron.hourly`, `/var/spool/cron`, or `/var/spool/cron/crontabs` at or after the alert time.\n- Check for XMRig or other cryptominer process execution and unexplained CPU spikes on the host.\n- Review outbound network connections from the Redis host for connections to known mining pools or C2 infrastructure.\n\n### False positive analysis\n\n- `CONFIG SET dir` is a legitimate administrative command used during backup configuration, data migration, or operational changes. Verify whether the directory is a known backup or data path rather than a system directory.\n- Legitimate Redis usage will never set `dir` to `/etc/cron.d`, `/var/spool/cron`, or any other system cron directory. A match on this pattern has an extremely low false positive rate.\n- Automated deployment or configuration management tools (Ansible, Chef, Puppet) may issue CONFIG SET as part of Redis setup \u2014 verify the source IP and timing against known deployment windows.\n\n### Response and remediation\n\n- Immediately check the target cron directories for newly created files written by the Redis process (owner: redis, unusual content).\n- If a cron file was written, delete it and terminate any spawned miner processes before remediating.\n- Require authentication on all Redis instances (`requirepass` or ACL). Unauthenticated Redis exposed to any network is the root cause of this attack class.\n- Restrict `CONFIG SET` permissions using Redis ACLs: `ACL SETUSER -config`.\n- Block inbound access to Redis port 6379 from untrusted networks at the host firewall or perimeter.\n- Consider enabling Redis's protected mode, which rejects connections from non-loopback addresses when no authentication is configured.\n", + "query": "network where data_stream.dataset == \"network_traffic.redis\" and\n network_traffic.redis.query like~ \"*CONFIG SET dir*\" and\n (\n network_traffic.redis.query like~ \"*/etc/cron*\" or\n network_traffic.redis.query like~ \"*/var/spool/cron*\"\n )\n", + "references": [ + "https://securitylabs.datadoghq.com/articles/redisraider-mining-campaign/", + "https://attack.mitre.org/techniques/T1053/003/", + "https://attack.mitre.org/techniques/T1496/" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": false, + "name": "network_traffic.redis.query", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "29e57265-d358-420a-b1cd-845e8a1fd70d", + "setup": "## Setup\n\nThis rule requires the Elastic **network_traffic** integration (Packetbeat via Elastic Agent) with the Redis\nprotocol module enabled.\n\n### Enabling the Redis module\n\nIn the Elastic Agent `network_traffic` integration policy:\n1. Add or confirm **Redis** in the protocols list with `enabled: true`.\n2. Set **ports** to include `6379` (or the custom port your Redis instances listen on).\n3. Deploy the sensor on the Redis host, on a SPAN/mirror port, or on a gateway that receives Redis traffic.\n\n### TLS limitation\n\nThis rule requires unencrypted Redis traffic. Redis uses plaintext by default (port 6379). If TLS is configured,\nPacketbeat cannot inspect the payload without TLS decryption.\n", + "severity": "high", + "tags": [ + "Domain: Network", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Impact", + "Data Source: Network Packet Capture", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1496", + "name": "Resource Hijacking", + "reference": "https://attack.mitre.org/techniques/T1496/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "29e57265-d358-420a-b1cd-845e8a1fd70d_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2a3f38a8-204e-11f0-9c1f-f661ea17fbcd_8.json b/packages/security_detection_engine/kibana/security_rule/2a3f38a8-204e-11f0-9c1f-f661ea17fbcd_8.json index 916f9b1c5e6..044a9dba32f 100644 --- a/packages/security_detection_engine/kibana/security_rule/2a3f38a8-204e-11f0-9c1f-f661ea17fbcd_8.json +++ b/packages/security_detection_engine/kibana/security_rule/2a3f38a8-204e-11f0-9c1f-f661ea17fbcd_8.json @@ -29,8 +29,9 @@ ], "related_integrations": [ { + "integration": "graphactivitylogs", "package": "azure", - "version": "^1.0.0" + "version": "^1.10.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_210.json b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_210.json index 85fbb88ae8e..8bd540dd044 100644 --- a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_210.json +++ b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_210.json @@ -22,7 +22,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/2d7822a5-418c-4cde-a96e-e337d77b67e7_1.json b/packages/security_detection_engine/kibana/security_rule/2d7822a5-418c-4cde-a96e-e337d77b67e7_1.json new file mode 100644 index 00000000000..53d61939a4c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2d7822a5-418c-4cde-a96e-e337d77b67e7_1.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects deletion or modification of AWS Bedrock Automated Reasoning policies via the DeleteAutomatedReasoningPolicy, UpdateAutomatedReasoningPolicy, or UpdateAutomatedReasoningPolicyAnnotations CloudTrail actions. Automated Reasoning policies are a Bedrock safety and validation control that constrains model outputs against formal rules. An adversary who deletes a policy or alters the policy definition or its annotations weakens an enforced output-validation defense, potentially allowing unsafe or non-compliant model responses to pass unchecked. Benign build, test-workflow, and test-case CRUD operations are intentionally excluded as they have no coherent abuse path.", + "false_positives": [ + "Policy administrators, ML platform engineers, or infrastructure-as-code pipelines may legitimately update or remove Automated Reasoning policies during model governance changes, policy tuning, or environment teardown. Verify that the user identity, source IP, and user agent correspond to an approved change and that a corresponding change request exists. Known automation roles can be exempted if they generate recurring noise." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "source.as.number", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.provider", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Bedrock Automated Reasoning Safety Policy Tampering", + "note": "## Triage and analysis\n\n### Investigating AWS Bedrock Automated Reasoning Safety Policy Tampering\n\nAWS Bedrock Automated Reasoning policies enforce formal, rule-based validation of model outputs, acting as a\nsafety control that constrains what a model is permitted to return. Deleting a policy or modifying its\ndefinition or annotations directly weakens this control. Adversaries who have gained access to the Bedrock\ncontrol plane may tamper with these policies to evade output-validation defenses, enabling unsafe, manipulated,\nor non-compliant model behavior. This detection identifies `DeleteAutomatedReasoningPolicy`,\n`UpdateAutomatedReasoningPolicy`, and `UpdateAutomatedReasoningPolicyAnnotations` calls so responders can\nconfirm whether the change was authorized.\n\n#### Possible investigation steps\n\n- **Identify the actor and context**\n - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`,\n `aws.cloudtrail.user_identity.access_key_id`, `source.ip`, and `user_agent.original`.\n - Determine whether the identity normally administers Bedrock safety policies and whether the action aligns\n with an approved change request.\n- **Review the specific action**\n - For `DeleteAutomatedReasoningPolicy`, identify the deleted policy in\n `aws.cloudtrail.flattened.request_parameters` and confirm whether a replacement control exists.\n - For `UpdateAutomatedReasoningPolicy` / `UpdateAutomatedReasoningPolicyAnnotations`, inspect\n `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` to understand what was changed\n and whether the change loosens validation constraints.\n- **Correlate surrounding activity**\n - Look for other Defense Evasion or Bedrock control-plane activity from the same identity in the surrounding\n window (model invocation changes, guardrail modifications, logging changes).\n - Check `cloud.account.id` and `cloud.region` to scope blast radius across the environment.\n\n### False positive analysis\n\n- **Planned policy maintenance**: Governance teams may legitimately tune or retire Automated Reasoning\n policies. Validate against change tickets and standard templates.\n- **Automation**: IaC or CI/CD pipelines may update policies during deployments. Confirm the actor maps to\n known automation infrastructure.\n\n### Response and remediation\n\n- If the change is unauthorized, restore the prior policy definition or recreate the deleted policy from a\n known-good configuration.\n- Revoke or rotate the credentials in `aws.cloudtrail.user_identity.access_key_id` if compromise is suspected.\n- Review all Bedrock control-plane activity from the same identity in the preceding window for further\n defense-impairing actions.\n- Restrict `bedrock:DeleteAutomatedReasoningPolicy` and `bedrock:UpdateAutomatedReasoningPolicy*` permissions\n to a small set of administrative roles and enforce approval workflows.\n", + "query": "data_stream.dataset: \"aws.cloudtrail\" and\n event.provider: \"bedrock.amazonaws.com\" and\n event.action: (\n \"DeleteAutomatedReasoningPolicy\" or\n \"UpdateAutomatedReasoningPolicy\" or\n \"UpdateAutomatedReasoningPolicyAnnotations\"\n ) and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/automated-reasoning.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2d7822a5-418c-4cde-a96e-e337d77b67e7", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: LLM", + "Data Source: AWS", + "Data Source: AWS CloudTrail", + "Data Source: Amazon Web Services", + "Data Source: Amazon Bedrock", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "2d7822a5-418c-4cde-a96e-e337d77b67e7_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e99477f-6099-48a9-ae0e-68801d97079c_1.json b/packages/security_detection_engine/kibana/security_rule/2e99477f-6099-48a9-ae0e-68801d97079c_1.json new file mode 100644 index 00000000000..1d592decef8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2e99477f-6099-48a9-ae0e-68801d97079c_1.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects failed, access-denied attempts to modify or delete resource-based access policies on AWS Bedrock resources via the PutResourcePolicy and DeleteResourcePolicy API calls. Resource-based policies govern which principals (including external accounts) may access Bedrock resources such as agents, knowledge bases, and custom models. A principal that is repeatedly denied when attempting to attach or remove these policies may be a compromised or under-privileged identity probing for the ability to grant external or cross-account access, or to weaken existing access controls. Unlike the companion rule that detects successful changes, this rule surfaces the attempt itself, which is a high-signal indicator of credential boundary-testing even though no change occurred.", + "false_positives": [ + "Access-denied errors can result from benign permission gaps: a newly created role or user whose IAM policy has not yet been provisioned, infrastructure-as-code pipelines running ahead of permission grants, or developers experimenting in non-production accounts. Verify whether the user identity, user agent, and source IP are expected to manage Bedrock resource policies in your environment. Recurring denials from known automation or onboarding workflows can be exempted from the rule." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.provider", + "event.outcome", + "aws.cloudtrail.error_code", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt", + "note": "## Triage and analysis\n\n### Investigating AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt\n\nAWS Bedrock resource-based policies control which principals can access Bedrock resources such as agents,\nknowledge bases, and custom models. An adversary who has compromised a credential may attempt to attach a policy\nthat grants an external principal access for persistence or cross-account access, or delete a policy to break\nexisting access controls. This rule detects `PutResourcePolicy` and `DeleteResourcePolicy` calls that were denied\n(`AccessDenied` / unauthorized), which indicates an identity attempting an action it is not permitted to perform \u2014\na strong signal of boundary-testing by a compromised or under-privileged principal even though the change did not\ntake effect.\n\n#### Possible investigation steps\n\n- **Identify the actor and context**\n - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`,\n `aws.cloudtrail.user_identity.access_key_id`, `user_agent.original`, and `source.ip`.\n - Determine whether this identity has any legitimate reason to manage Bedrock resource policies. A denial for an\n identity that should never touch these APIs is more suspicious than one from an admin with a transient gap.\n- **Assess the attempt**\n - Inspect `aws.cloudtrail.error_code` and `aws.cloudtrail.error_message` to confirm the denial reason.\n - For `PutResourcePolicy`, review `aws.cloudtrail.request_parameters` and\n `aws.cloudtrail.flattened.request_parameters` for the target resource ARN and the attempted policy document.\n Look for `Principal` values referencing external AWS account IDs, `\"*\"`, or unfamiliar roles.\n- **Correlate activity**\n - Look for repeated denials across Bedrock or IAM APIs from the same identity, which can indicate permission\n enumeration or escalation attempts.\n - Check whether the identity later succeeded (e.g., after acquiring new permissions) on the same or related\n resources, and review any IAM changes in the surrounding window.\n\n### False positive analysis\n\n- **Permission gaps**: Newly provisioned roles/users or IaC pipelines running before policy grants are applied may\n generate transient denials. Validate against change tickets and known automation.\n- **Exploration in non-production**: Developers testing in sandbox accounts may hit denials. Confirm the account and\n identity context.\n\n### Response and remediation\n\n- If the attempt is unexpected, treat the identity as potentially compromised: disable or rotate the credentials in\n `aws.cloudtrail.user_identity.access_key_id` and review the actor's recent activity.\n- Review all Bedrock and IAM activity from the same identity in the surrounding time window for successful access\n grants, permission changes, or other persistence attempts.\n- Confirm least-privilege on `bedrock:PutResourcePolicy` and `bedrock:DeleteResourcePolicy`, and alert on both denied\n and successful calls.\n", + "query": "data_stream.dataset: \"aws.cloudtrail\" and\n event.provider: \"bedrock.amazonaws.com\" and\n event.action: (\"PutResourcePolicy\" or \"DeleteResourcePolicy\") and\n event.outcome: \"failure\" and\n aws.cloudtrail.error_code: (\n \"AccessDenied\" or\n \"AccessDeniedException\"\n )\n", + "references": [ + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_PutResourcePolicy.html", + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_DeleteResourcePolicy.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.error_code", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2e99477f-6099-48a9-ae0e-68801d97079c", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Domain: LLM", + "Data Source: AWS", + "Data Source: AWS CloudTrail", + "Data Source: Amazon Web Services", + "Data Source: Amazon Bedrock", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "2e99477f-6099-48a9-ae0e-68801d97079c_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30090d40-cdfd-4750-a281-0125fdf22045_1.json b/packages/security_detection_engine/kibana/security_rule/30090d40-cdfd-4750-a281-0125fdf22045_1.json new file mode 100644 index 00000000000..70754540cd5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/30090d40-cdfd-4750-a281-0125fdf22045_1.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic", + "descambiado" + ], + "description": "Identifies Entra ID user accounts converted from Guest to Member type via an Update user operation. A Guest-to-Member conversion grants the account full directory read access, removes external-identity Conditional Access restrictions, and makes the account indistinguishable from an internal employee. An attacker who compromises a guest account and promotes it to Member type gains persistent tenant access without triggering role assignment alerts.", + "false_positives": [ + "B2B collaboration migrations where external users are intentionally promoted to full membership. Organizational restructuring that converts former contractors to permanent employees in place." + ], + "from": "now-9m", + "index": [ + "logs-azure.auditlogs-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Entra ID Guest Account Promoted to Member", + "note": "## Triage and analysis\n\n### Investigating Entra ID Guest Account Promoted to Member\n\nA Guest-to-Member UserType conversion is a rarely needed, high-impact operation that removes all\nguest account restrictions. In most tenants it occurs fewer than once per month.\n\n#### Possible investigation steps\n\n- Identify the administrator who performed the conversion (`azure.auditlogs.properties.initiated_by`)\n and verify whether the action was authorized.\n- Check when the guest account was originally invited: look for \"Invite external user\" in AuditLogs\n with the same target object ID.\n- Review post-conversion sign-in activity in `azure.signinlogs.*` for the target account -- look for\n directory enumeration patterns (access to Graph API `/users`, `/groups`, `/applications`).\n- Check whether the converting actor's role was recently granted and whether other high-privilege\n operations were performed around the same time.\n\n### False positive analysis\n\n- Planned B2B-to-member migrations coordinated by HR or IT should be documented in change records.\n Confirm via ticket correlation before closing.\n\n### Response and remediation\n\n- Revert the UserType to Guest if unauthorized: Entra ID > Users > Edit properties.\n- Revoke all sessions for the affected account.\n- Review all directory objects the account accessed after the conversion.\n", + "query": "data_stream.dataset: \"azure.auditlogs\" and\nazure.auditlogs.operation_name: \"Update user\" and\nazure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: \"UserType\" and\nazure.auditlogs.properties.target_resources.*.modified_properties.*.old_value: *Guest* and\nazure.auditlogs.properties.target_resources.*.modified_properties.*.new_value: *Member* and\nevent.outcome: (Success or success)\n", + "references": [ + "https://learn.microsoft.com/en-us/entra/external-id/user-properties", + "https://learn.microsoft.com/en-us/entra/identity/users/convert-external-users-internal" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.target_resources.*.modified_properties.*.old_value", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "30090d40-cdfd-4750-a281-0125fdf22045", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "30090d40-cdfd-4750-a281-0125fdf22045_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_111.json b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_111.json new file mode 100644 index 00000000000..04bb2ef0996 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_111.json @@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", + "from": "now-9m", + "index": [ + "logs-network_traffic.*", + "logs-panw.panos*", + "logs-pfsense.log-*", + "logs-zeek.*", + "logs-corelight.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "RPC (Remote Procedure Call) to the Internet", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating RPC (Remote Procedure Call) to the Internet\n\nRPC enables remote management and resource sharing across networks, crucial for system administration. However, when exposed to the Internet, it becomes a target for attackers seeking initial access or backdoor entry. The detection rule identifies suspicious RPC traffic from internal IPs to external networks, flagging potential exploitation attempts by monitoring specific ports and IP ranges.\n\n### Possible investigation steps\n\n- Review the source IP address from the alert to identify the internal system initiating the RPC traffic. Check if this IP belongs to a known or authorized device within the network.\n- Examine the destination IP address to determine if it is a known or suspicious external entity. Use threat intelligence sources to assess if the IP has been associated with malicious activity.\n- Analyze the network traffic logs for the specific event.dataset values (network_traffic.flow or zeek.dce_rpc) to gather more context about the nature and volume of the RPC traffic.\n- Investigate the destination port, specifically port 135, to confirm if the traffic is indeed RPC-related and assess if there are any legitimate reasons for this communication.\n- Check for any recent changes or anomalies in the network configuration or system settings of the source IP that might explain the unexpected RPC traffic.\n- Correlate this alert with other security events or logs to identify any patterns or additional indicators of compromise that might suggest a broader attack campaign.\n\n### False positive analysis\n\n- Internal testing environments may generate RPC traffic to external IPs for legitimate purposes. Identify and document these environments, then create exceptions in the detection rule to prevent unnecessary alerts.\n- Cloud-based services or applications that require RPC communication for integration or management might trigger false positives. Review these services and whitelist their IP addresses if they are verified as non-threatening.\n- VPN or remote access solutions that use RPC for secure connections can be mistaken for suspicious activity. Ensure that the IP ranges of these solutions are excluded from the rule to avoid false alerts.\n- Automated backup or synchronization tools that use RPC to communicate with external servers could be flagged. Verify these tools and add their destination IPs to an exception list if they are part of routine operations.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Conduct a thorough analysis of the affected system to identify any unauthorized changes or installed backdoors, focusing on processes and services related to RPC.\n- Revoke any compromised credentials and enforce a password reset for all accounts that may have been accessed or used during the incident.\n- Apply necessary patches and updates to the affected system and any other systems with similar vulnerabilities to mitigate the risk of exploitation.\n- Monitor network traffic for any signs of lateral movement or additional suspicious activity, particularly focusing on RPC-related traffic.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Implement enhanced logging and monitoring for RPC traffic to detect and respond to similar threats more effectively in the future.", + "query": "(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:135 or data_stream.dataset:zeek.dce_rpc) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "panw", + "version": "^5.0.0" + }, + { + "package": "pfsense", + "version": "^1.0.0" + }, + { + "package": "corelight", + "version": "^1.0.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + }, + { + "package": "zeek", + "version": "^5.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", + "severity": "high", + "tags": [ + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Domain: Endpoint", + "Use Case: Threat Detection", + "Data Source: Corelight", + "Data Source: PAN-OS", + "Data Source: Network Traffic", + "Data Source: pfSense", + "Data Source: Zeek", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.003", + "name": "Distributed Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1021/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 111 + }, + "id": "32923416-763a-4531-bb35-f33b9232ecdb_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/33c27b4e-8ec6-406f-b8e5-345dc024aa97_3.json b/packages/security_detection_engine/kibana/security_rule/33c27b4e-8ec6-406f-b8e5-345dc024aa97_3.json index c087734beb8..7c5ee9b609b 100644 --- a/packages/security_detection_engine/kibana/security_rule/33c27b4e-8ec6-406f-b8e5-345dc024aa97_3.json +++ b/packages/security_detection_engine/kibana/security_rule/33c27b4e-8ec6-406f-b8e5-345dc024aa97_3.json @@ -15,7 +15,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_111.json b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_115.json similarity index 83% rename from packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_111.json rename to packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_115.json index 7ef39323144..b2cc9ed847b 100644 --- a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_111.json +++ b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_115.json @@ -15,6 +15,7 @@ "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.log-*", + "logs-pfsense.log-*", "logs-sonicwall_firewall.log-*", "logs-suricata.*" ], @@ -22,8 +23,12 @@ "license": "Elastic License v2", "name": "Accepted Default Telnet Port Connection", "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Accepted Default Telnet Port Connection\n\nTelnet, a protocol for remote command-line access, is often used in legacy systems. Its lack of encryption makes it vulnerable, allowing attackers to intercept credentials or use it as a backdoor. The detection rule identifies unencrypted Telnet traffic on port 23, flagging connections that bypass typical security measures, thus highlighting potential unauthorized access attempts.\n\n### Possible investigation steps\n\n- Review the network traffic logs to identify the source IP address associated with the Telnet connection on port 23. Determine if the source IP is internal or external to the organization.\n- Check the destination IP address to ascertain if it belongs to a critical system or a legacy device that might still use Telnet for management purposes.\n- Investigate the timeline of the connection event to see if there are any patterns or repeated attempts, which could indicate a persistent threat or automated attack.\n- Analyze any associated user accounts or credentials used during the Telnet session to verify if they are legitimate and authorized for remote access.\n- Correlate the Telnet connection event with other security alerts or logs to identify any related suspicious activities, such as failed login attempts or unusual data transfers.\n- Assess the network segment where the Telnet traffic was detected to determine if it is appropriately segmented and secured against unauthorized access.\n- Consider implementing network security measures, such as disabling Telnet on devices or replacing it with secure alternatives like SSH, to prevent future unauthorized access attempts.\n\n### False positive analysis\n\n- Legacy systems or devices that require Telnet for management may trigger alerts. To manage this, create exceptions for specific IP addresses or subnets known to host these systems.\n- Internal network monitoring tools that use Telnet for legitimate purposes might be flagged. Identify these tools and exclude their traffic from the rule to prevent unnecessary alerts.\n- Lab environments or test networks where Telnet is used for educational or testing purposes can cause false positives. Implement network segmentation and apply exceptions to these environments to reduce noise.\n- Automated scripts or maintenance tasks that utilize Telnet for routine operations may be mistakenly identified. Document these tasks and whitelist their associated traffic patterns to avoid false alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any active Telnet sessions on the affected system to disrupt potential attacker activities.\n- Conduct a thorough review of system logs and network traffic to identify any unauthorized access or data manipulation that may have occurred.\n- Change all credentials that may have been exposed through Telnet traffic, prioritizing those with administrative privileges.\n- Implement network segmentation to restrict Telnet access to only necessary internal systems, ensuring it is not exposed to the internet.\n- Deploy encryption protocols such as SSH to replace Telnet for remote command-line access, enhancing security for remote management.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for additional security measures.", - "query": "(event.dataset:(fortinet_fortigate.log or network_traffic.flow\n or sonicwall_firewall.log or suricata.eve or panw.panos)\n or event.category:(network or network_traffic))\n and event.type:(connection and not end) and not event.action:(\n flow_dropped or flow_denied or denied or deny or\n flow_terminated or timeout or Reject or network_flow)\n and destination.port:23\n", + "query": "(data_stream.dataset:(fortinet_fortigate.log or network_traffic.flow\n or panw.panos or pfsense.log or sonicwall_firewall.log or suricata.eve)\n or event.category:(network or network_traffic))\n and event.type:(connection and not (denied or end))\n and not event.action:(Reject or client-rst or connection-denied or\n connection-end or denied or deny or flow_denied or flow_dropped or\n flow_terminated or network_flow or server-rst or timeout)\n and not (event.action:netflow_flow and not network.packets > 1)\n and not network.application:(stretchoid-scanning or traceroute)\n and destination.port:23\n", "related_integrations": [ + { + "package": "fortinet_fortigate", + "version": "^1.0.0" + }, { "package": "network_traffic", "version": "^1.1.0" @@ -33,7 +38,7 @@ "version": "^5.0.0" }, { - "package": "fortinet_fortigate", + "package": "pfsense", "version": "^1.0.0" }, { @@ -46,6 +51,11 @@ } ], "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, { "ecs": true, "name": "destination.port", @@ -63,13 +73,18 @@ }, { "ecs": true, - "name": "event.dataset", + "name": "event.type", "type": "keyword" }, { "ecs": true, - "name": "event.type", + "name": "network.application", "type": "keyword" + }, + { + "ecs": true, + "name": "network.packets", + "type": "long" } ], "risk_score": 47, @@ -81,8 +96,9 @@ "Tactic: Command and Control", "Tactic: Lateral Movement", "Tactic: Initial Access", - "Data Source: PAN-OS", "Data Source: Fortinet", + "Data Source: PAN-OS", + "Data Source: pfSense", "Data Source: SonicWall", "Data Source: Suricata", "Resources: Investigation Guide" @@ -95,7 +111,13 @@ "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, - "technique": [] + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] }, { "framework": "MITRE ATT&CK", @@ -120,6 +142,11 @@ "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + }, { "id": "T1190", "name": "Exploit Public-Facing Application", @@ -132,8 +159,8 @@ "timeline_title": "Comprehensive Network Timeline", "timestamp_override": "event.ingested", "type": "query", - "version": 111 + "version": 115 }, - "id": "34fde489-94b0-4500-a76f-b8a157cf9269_111", + "id": "34fde489-94b0-4500-a76f-b8a157cf9269_115", "type": "security-rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json b/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json deleted file mode 100644 index d152985482d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.", - "false_positives": [ - "Administrators may add external users to groups to share files and communication with them via the intended recipient be the group they are added to. It is unlikely an external user account would be added to an organization's group where administrators should create a new user account." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "eql", - "license": "Elastic License v2", - "name": "External User Added to Google Workspace Group", - "note": "## Triage and analysis\n\n### Investigating External User Added to Google Workspace Group\n\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles can be manually set for each group, but if not inherit permissions from the top-level organizational unit.\n\nThreat actors may use phishing techniques and container-bound scripts to add external Google accounts to an organization's groups with editorial privileges. As a result, the user account is unable to manually access the organization's resources, settings and files, but will receive anything shared to the group. As a result, confidential information could be leaked or perhaps documents shared with editorial privileges be weaponized for further intrusion.\n\nThis rule identifies when an external user account is added to an organization's groups where the domain name of the target does not match the Google Workspace domain.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `user.email` in the alert\n - The `user.target.email` field contains the user added to the groups\n - The `group.name` field contains the group the target user was added to\n- Identify specific application settings given to the group which may indicate motive for the external user joining a particular group\n- With the user identified, verify administrative privileges are scoped properly to add external users to the group\n - Unauthorized actions may indicate the `user.email` account has been compromised or leveraged to add an external user\n- To identify other users in this group, search for `event.action: \"ADD_GROUP_MEMBER\"`\n - It is important to understand if external users with `@gmail.com` are expected to be added to this group based on historical references\n- Review Gmail logs where emails were sent to and from the `group.name` value\n - This may indicate potential internal spearphishing\n\n### False positive analysis\n- With the user account whom added the new user, verify this action was intentional\n- Verify that the target whom was added to the group is expected to have access to the organization's resources and data\n- If other members have been added to groups that are external, this may indicate historically that this action is expected\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "iam where event.dataset == \"google_workspace.admin\" and event.action == \"ADD_GROUP_MEMBER\" and\n not endsWith(user.target.email, user.target.group.domain)\n", - "references": [ - "https://support.google.com/a/answer/33329", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.target.email", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.target.group.domain", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "38f384e0-aef8-11ed-9a38-f661ea17fbcc", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.004", - "name": "Cloud Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 5 - }, - "id": "38f384e0-aef8-11ed-9a38-f661ea17fbcc_5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_8.json b/packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_8.json index 5521032a2b7..c6900a9f9b7 100644 --- a/packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_8.json +++ b/packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_8.json @@ -35,10 +35,6 @@ "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html" ], "related_integrations": [ - { - "package": "aws", - "version": "^4.0.0" - }, { "integration": "cloudtrail", "package": "aws", diff --git a/packages/security_detection_engine/kibana/security_rule/39ab0f66-efa0-4649-9c9c-8c64682f5fdd_1.json b/packages/security_detection_engine/kibana/security_rule/39ab0f66-efa0-4649-9c9c-8c64682f5fdd_1.json new file mode 100644 index 00000000000..ae1a3f18145 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/39ab0f66-efa0-4649-9c9c-8c64682f5fdd_1.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects attempts to abuse Redis CONFIG SET commands to inject SSH authorized keys on Linux hosts. Attackers targeting unauthenticated Redis instances issue CONFIG SET dir to an SSH directory such as /root/.ssh, set the filename to authorized_keys via CONFIG SET dbfilename, write an attacker-controlled public key via SET, and call BGSAVE to flush it to disk, establishing persistent SSH access as root.", + "from": "now-9m", + "index": [ + "logs-network_traffic.redis*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Redis CONFIG SET SSH Authorized Key Injection", + "note": "## Triage and analysis\n\n### Investigating Potential Redis CONFIG SET SSH Authorized Key Injection\n\nRedis's CONFIG SET command allows runtime reconfiguration of the server, including the working directory (`dir`) and database filename (`dbfilename`). Attackers targeting unauthenticated Redis instances exploit this to redirect BGSAVE output into `/root/.ssh/authorized_keys`, injecting their own SSH public key and establishing persistent root shell access without credentials.\n\nThe full attack chain is:\n1. `CONFIG SET dir /root/.ssh` \u2014 redirects the save path to the SSH directory\n2. `CONFIG SET dbfilename authorized_keys` \u2014 sets the output filename\n3. `SET key \"\n\nssh-rsa ATTACKER_KEY\n\n\"` \u2014 writes the public key with surrounding newlines\n4. `BGSAVE` \u2014 flushes the in-memory dataset (including the injected key) to disk\n\nA related variant targets cron persistence (`CONFIG SET dir /etc/cron.d`) for cryptominer deployment, as used by the RedisRaider campaign.\n\n### Possible investigation steps\n\n- Identify the source IP and determine whether it is an expected Redis client or an external/unknown address. Any external IP issuing CONFIG SET to an SSH directory should be treated as malicious.\n- Check whether the destination Redis instance requires authentication (`requirepass` or ACL). Unauthenticated instances are the prerequisite for this attack.\n- Review subsequent Redis commands from the same source IP for `SET` (key write) and `BGSAVE` (flush to disk), which complete the injection chain.\n- Examine `/root/.ssh/authorized_keys` and other user SSH directories on the Redis host for unexpected or recently modified entries at or after the alert time.\n- Check SSH login events on the Redis host for successful logins from unknown keys or source IPs shortly after the alert.\n- Review outbound connections from the Redis host for lateral movement or C2 activity following a successful key injection.\n\n### False positive analysis\n\n- `CONFIG SET dir` is a legitimate administrative command, but pointing it to any `/.ssh` directory has no legitimate use case. A match on this pattern has an extremely low false positive rate.\n- `CONFIG SET dbfilename authorized_keys` has no legitimate operational use. Any match should be investigated immediately.\n- Automated deployment tooling (Ansible, Chef, Puppet) will never target SSH directories via Redis CONFIG SET \u2014 this combination is exclusively malicious.\n\n### Response and remediation\n\n- Immediately inspect `/root/.ssh/authorized_keys` and all user `~/.ssh/authorized_keys` files on the Redis host for unauthorized entries and remove them.\n- Rotate SSH host keys and audit all active SSH sessions on the affected host.\n- Require authentication on all Redis instances (`requirepass` or ACL). Unauthenticated Redis reachable from any network is the root cause.\n- Restrict `CONFIG SET` permissions using Redis ACLs: `ACL SETUSER -config`.\n- Block inbound access to Redis port 6379 from untrusted networks at the host firewall or perimeter.\n- Consider enabling Redis's protected mode, which rejects connections from non-loopback addresses when no authentication is configured.\n", + "query": "network where data_stream.dataset == \"network_traffic.redis\" and\n (\n (\n network_traffic.redis.query like~ \"*CONFIG SET dir*\" and\n network_traffic.redis.query like~ \"*/.ssh*\"\n ) or\n (\n network_traffic.redis.query like~ \"*CONFIG SET dbfilename*\" and\n network_traffic.redis.query like~ \"*authorized_keys*\"\n )\n )\n", + "references": [ + "https://redis.io/docs/latest/operate/oss_and_stack/management/security/", + "https://attack.mitre.org/techniques/T1098/004/", + "https://attack.mitre.org/techniques/T1190/" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": false, + "name": "network_traffic.redis.query", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "39ab0f66-efa0-4649-9c9c-8c64682f5fdd", + "setup": "## Setup\n\nThis rule requires the Elastic **network_traffic** integration (Packetbeat via Elastic Agent) with the Redis\nprotocol module enabled.\n\n### Enabling the Redis module\n\nIn the Elastic Agent `network_traffic` integration policy:\n1. Add or confirm **Redis** in the protocols list with `enabled: true`.\n2. Set **ports** to include `6379` (or the custom port your Redis instances listen on).\n3. Deploy the sensor on the Redis host, on a SPAN/mirror port, or on a gateway that receives Redis traffic.\n\n### TLS limitation\n\nThis rule requires unencrypted Redis traffic. Redis uses plaintext by default (port 6379). If TLS is configured,\nPacketbeat cannot inspect the payload without TLS decryption.\n", + "severity": "high", + "tags": [ + "Domain: Network", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Initial Access", + "Data Source: Network Packet Capture", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.004", + "name": "SSH Authorized Keys", + "reference": "https://attack.mitre.org/techniques/T1098/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "39ab0f66-efa0-4649-9c9c-8c64682f5fdd_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a01e5c6-ce01-46d7-ac9f-52dc349695fb_3.json b/packages/security_detection_engine/kibana/security_rule/3a01e5c6-ce01-46d7-ac9f-52dc349695fb_3.json index 046d9dddd11..360c5c7f35a 100644 --- a/packages/security_detection_engine/kibana/security_rule/3a01e5c6-ce01-46d7-ac9f-52dc349695fb_3.json +++ b/packages/security_detection_engine/kibana/security_rule/3a01e5c6-ce01-46d7-ac9f-52dc349695fb_3.json @@ -14,7 +14,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_112.json b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_112.json new file mode 100644 index 00000000000..5d1b4c1f264 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_112.json @@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", + "false_positives": [ + "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "auditbeat-*", + "filebeat-*", + "logs-network_traffic.*", + "logs-panw.panos*", + "logs-pfsense.log-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "VNC (Virtual Network Computing) to the Internet", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating VNC (Virtual Network Computing) to the Internet\n\nVNC is a tool that allows remote control of computers, often used by administrators for maintenance. However, when exposed to the internet, it becomes a target for attackers seeking unauthorized access. Adversaries exploit VNC to establish backdoors or gain initial access. The detection rule identifies suspicious VNC traffic by monitoring specific TCP ports and filtering out internal IP addresses, flagging potential threats when VNC is accessed from external networks.\n\n### Possible investigation steps\n\n- Review the source IP address to determine if it belongs to a known internal asset or user, and verify if the access was authorized.\n- Check the destination IP address to confirm if it is an external address and investigate its reputation or any known associations with malicious activity.\n- Analyze the network traffic logs for the specified TCP ports (5800-5810) to identify any unusual patterns or volumes of VNC traffic.\n- Correlate the VNC traffic event with other security events or logs to identify any related suspicious activities or anomalies.\n- Investigate the user account associated with the VNC session to ensure it has not been compromised or misused.\n- Assess the system or application logs on the destination machine for any signs of unauthorized access or changes during the time of the VNC connection.\n\n### False positive analysis\n\n- Internal maintenance activities may trigger the rule if VNC is used for legitimate remote administration. To manage this, create exceptions for known internal IP addresses that frequently use VNC for maintenance.\n- Automated scripts or tools that use VNC for legitimate purposes might be flagged. Identify these tools and whitelist their IP addresses to prevent unnecessary alerts.\n- Testing environments that simulate external access to VNC for security assessments can cause false positives. Exclude IP ranges associated with these environments to avoid confusion.\n- Cloud-based services that use VNC for remote management might be misidentified as threats. Verify these services and add their IP addresses to an exception list if they are trusted.\n- Temporary remote access setups for troubleshooting or support can be mistaken for unauthorized access. Document these instances and apply temporary exceptions to reduce false alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any active VNC sessions that are identified as originating from external networks to cut off potential attacker access.\n- Conduct a thorough review of system logs and network traffic to identify any unauthorized access or data transfer that may have occurred during the VNC exposure.\n- Change all passwords and credentials associated with the affected system and any other systems that may have been accessed using the same credentials.\n- Apply necessary patches and updates to the VNC software and any other vulnerable applications on the affected system to mitigate known vulnerabilities.\n- Implement network segmentation to ensure that VNC services are only accessible from trusted internal networks and not exposed to the internet.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be compromised.", + "query": "(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "panw", + "version": "^5.0.0" + }, + { + "package": "pfsense", + "version": "^1.0.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", + "severity": "medium", + "tags": [ + "Tactic: Command and Control", + "Tactic: Lateral Movement", + "Domain: Endpoint", + "Use Case: Threat Detection", + "Data Source: PAN-OS", + "Data Source: pfSense", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.005", + "name": "VNC", + "reference": "https://attack.mitre.org/techniques/T1021/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 112 + }, + "id": "3ad49c61-7adc-42c1-b788-732eda2f5abf_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3aec394d-ed2a-4f3e-8ed3-4a2adea39f05_1.json b/packages/security_detection_engine/kibana/security_rule/3aec394d-ed2a-4f3e-8ed3-4a2adea39f05_1.json new file mode 100644 index 00000000000..0fc2d5ae5ad --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3aec394d-ed2a-4f3e-8ed3-4a2adea39f05_1.json @@ -0,0 +1,165 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Azure AD Graph (graph.windows.net) requests originating from user-agent strings associated with offensive tooling, scripting libraries, or generic HTTP clients. First-party Microsoft components calling AAD Graph identify with specific user agents such as \"Microsoft Azure Graph Client Library\", \"Microsoft ADO.NET Data Services\", or \"Microsoft.OData.Client\". Anything outside that recognised set is either a developer prototyping against the legacy API or an enumeration tool walking the directory.", + "false_positives": [ + "Developer activity prototyping against AAD Graph from a workstation may match. Validate via the calling `azure.aadgraphactivitylogs.properties.app_id` and the signed-in user; legitimate developer use is rare in production tenants since Microsoft has been steering callers off AAD Graph for years.", + "Authorized red team or penetration test activity using ROADrecon, ROADtools, AADInternalsor similar tooling can match. Add exceptions on the source IP, signed-in user, or app ID after validation." + ], + "from": "now-10m", + "interval": "9m", + "investigation_fields": { + "field_names": [ + "user.id", + "source.ip", + "source.as.organization.name", + "user_agent.original", + "azure.aadgraphactivitylogs.properties.app_id", + "azure.aadgraphactivitylogs.properties.api_version", + "url.path", + "http.response.status_code", + "azure.tenant_id" + ] + }, + "language": "esql", + "license": "Elastic License v2", + "name": "Azure AD Graph Access with Suspicious User-Agent", + "note": "## Triage and analysis\n\n### Investigating Azure AD Graph Access with Suspicious User-Agent\n\nAzure AD Graph (graph.windows.net) is the legacy directory REST API that Microsoft has been retiring for years.\nLegitimate first-party traffic against it is dominated by a small set of recognisable user agents (`Microsoft.OData.Client`,\n`Microsoft Azure Graph Client Library`, `Microsoft ADO.NET Data Services`, the Azure portal with a Chrome user agent,\nand an empty-UA tail from first-party AppIds). Traffic identifying as Python, aiohttp, curl, Go-http-client, or any\nof the `*hound` enumeration families is almost always either a developer prototype or adversary tooling. This rule\nflags any such request even at a single event, because tooling samples for AAD Graph are inherently low-volume in\nnormal tenants.\n\n### Possible investigation steps\n\n- Confirm the matching user agent.\n - `user_agent.original` (e.g., `aiohttp`, `AADInternals`, `curl`, `bav2ropc`).\n- Identify the caller and the calling client.\n - `user.id` for the caller, `azure.aadgraphactivitylogs.properties.app_id` for the OAuth client.\n- Review which directory object types were touched.\n - `url.path` (e.g., `/users`, `/policies`, `/servicePrincipals`).\n- Check the success / failure pattern.\n - `http.response.status_code`. Many 4xx responses suggest permission probing.\n- Cross-reference with the API version.\n - `azure.aadgraphactivitylogs.properties.api_version`. A non-Microsoft UA combined with `1.6-internal` or `1.61-internal` is a stronger signal of offensive tooling.\n- Pivot to sign-in logs (`logs-azure.signinlogs-*`) for the same user / source IP to understand how the token was obtained.\n- Confirm the activity is not attributable to authorized testing (red team engagement, penetration test, internal tooling validation) before treating as malicious.\n\n### Response and remediation\n\n- Revoke refresh tokens and active sessions for the calling user.\n - `POST /v1.0/users/{id}/revokeSignInSessions`.\n- Temporarily disable the user if the alert is high-confidence or you need to halt further activity while investigation continues.\n - `PATCH /v1.0/users/{id}` with body `{\"accountEnabled\": false}`.\n- Check for device registrations created by the user during or around the burst window and remove rogue devices.\n - `GET /v1.0/users/{id}/registeredDevices` and `GET /v1.0/users/{id}/ownedDevices`, then `DELETE /v1.0/devices/{deviceObjectId}`.\n - Do this BEFORE session revocation: device-bound PRTs survive `revokeSignInSessions`.\n- If the calling application has no legitimate AAD Graph dependency, block further use by that app.\n - `PATCH /beta/applications/{id}` with body `{\"authenticationBehaviors\": {\"blockAzureADGraphAccess\": true}}`.\n - This property lives on the Graph beta endpoint, not v1.0.\n- Apply Conditional Access targeting the AAD Graph audience for the affected user population.\n", + "query": "from logs-azure.aadgraphactivitylogs-* metadata _id, _version, _index\n\n| where data_stream.dataset == \"azure.aadgraphactivitylogs\"\n and azure.aadgraphactivitylogs.properties.actor_type == \"User\"\n and user_agent.original is not null\n| eval Esql.ua_lower = to_lower(user_agent.original)\n| where Esql.ua_lower like \"*fasthttp*\"\n or Esql.ua_lower like \"*aiohttp*\"\n or Esql.ua_lower like \"*hound*\"\n or Esql.ua_lower like \"*aadinternals*\"\n or Esql.ua_lower like \"*go-http-client*\"\n or Esql.ua_lower like \"python*\"\n or Esql.ua_lower like \"*curl/*\"\n or Esql.ua_lower like \"*okhttp*\"\n or Esql.ua_lower like \"*axios*\"\n or Esql.ua_lower like \"*node-fetch*\"\n or Esql.ua_lower like \"*go-resty*\"\n or Esql.ua_lower like \"*bav2ropc*\"\n or Esql.ua_lower like \"*undici*\"\n| keep\n _id,\n _version,\n _index,\n @timestamp,\n user.id,\n source.ip,\n source.as.organization.name,\n user_agent.original,\n azure.aadgraphactivitylogs.properties.app_id,\n azure.aadgraphactivitylogs.properties.api_version,\n url.path,\n http.response.status_code,\n azure.tenant_id,\n Esql.ua_lower\n", + "references": [ + "https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview", + "https://github.com/dirkjanm/ROADtools", + "https://www.sophos.com/en-us/research/tampering-with-conditional-access-policies-using-azure-ad-graph-api", + "https://github.com/gerenios/aadinternals" + ], + "related_integrations": [], + "required_fields": [ + { + "ecs": true, + "name": "@timestamp", + "type": "date" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": false, + "name": "_version", + "type": "long" + }, + { + "ecs": false, + "name": "azure.aadgraphactivitylogs.properties.api_version", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.aadgraphactivitylogs.properties.app_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.tenant_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "http.response.status_code", + "type": "long" + }, + { + "ecs": true, + "name": "source.as.organization.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "url.path", + "type": "wildcard" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.original", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3aec394d-ed2a-4f3e-8ed3-4a2adea39f05", + "setup": "#### Azure AD Graph Activity Logs\nRequires Azure AD Graph Activity Logs ingested into `logs-azure.aadgraphactivitylogs-*` via the Elastic Azure\nintegration (Azure Event Hub). Enable the `AzureADGraphActivityLogs` diagnostic-settings category on Entra ID.\n", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Azure AD Graph", + "Data Source: Azure AD Graph Activity Logs", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.003", + "name": "Cloud Groups", + "reference": "https://attack.mitre.org/techniques/T1069/003/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.004", + "name": "Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1087/004/" + } + ] + }, + { + "id": "T1526", + "name": "Cloud Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1526/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "3aec394d-ed2a-4f3e-8ed3-4a2adea39f05_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3aff6ab1-18bd-427e-9d4c-c5732110c261_6.json b/packages/security_detection_engine/kibana/security_rule/3aff6ab1-18bd-427e-9d4c-c5732110c261_6.json new file mode 100644 index 00000000000..6a3b0e35a65 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3aff6ab1-18bd-427e-9d4c-c5732110c261_6.json @@ -0,0 +1,152 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the modification and reading of kernel features through built-in commands. Attackers may collect information, disable or weaken Linux kernel protections. For example, an attacker may modify ASLR protection by disabling kernel.randomize_va_space, allow ptrace by setting kernel.yama.ptrace_scope to 0, or disable the NMI watchdog by setting kernel.nmi_watchdog to 0. These changes may be used to impair defenses and evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*", + "logs-crowdstrike.fdr*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Kernel Feature Activity", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious Kernel Feature Activity\n\nKernel features in Linux systems are critical for maintaining security and stability. They control various system behaviors, such as memory randomization and process tracing. Adversaries may exploit these features to weaken defenses, for instance, by disabling address space layout randomization (ASLR) or enabling unrestricted process tracing. The detection rule identifies suspicious activities by monitoring command executions that modify or read kernel settings, focusing on unusual patterns or contexts that suggest malicious intent.\n\n### Possible investigation steps\n\n- Review the process command line to identify which specific kernel feature was accessed or modified, focusing on entries like kernel.randomize_va_space or kernel.yama.ptrace_scope.\n- Examine the parent process executable and name to determine the context in which the suspicious command was executed, checking for unusual or unauthorized parent processes.\n- Investigate the user account associated with the process execution to assess whether the activity aligns with expected behavior for that user.\n- Check for any recent changes in the /etc/sysctl.conf or /etc/sysctl.d/ directories that might indicate unauthorized modifications to kernel settings.\n- Analyze the system's process execution history to identify any patterns or sequences of commands that suggest a broader attack or compromise.\n- Correlate the alert with other security events or logs to determine if this activity is part of a larger attack campaign or isolated incident.\n\n### False positive analysis\n\n- System administrators or automated scripts may frequently modify kernel settings for legitimate purposes such as performance tuning or system maintenance. To handle these, identify and whitelist known administrative scripts or processes that regularly perform these actions.\n- Security tools or monitoring solutions might execute commands that read kernel settings as part of their normal operation. Review and exclude these tools from triggering alerts by adding them to an exception list based on their process names or command patterns.\n- Developers and testers might disable certain kernel features temporarily during debugging or testing phases. Coordinate with development teams to document these activities and exclude them from detection by specifying the relevant process names or command lines.\n- Some system management tools may use commands like sysctl to apply configuration changes across multiple systems. If these tools are verified as non-threatening, exclude their specific command patterns or parent processes from triggering the rule.\n- Regular system updates or configuration management processes might involve reading or modifying kernel settings. Identify these processes and add them to an exception list to prevent unnecessary alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary.\n- Review and revert any unauthorized changes to kernel settings, such as ASLR, ptrace scope, or NMI watchdog, to their secure defaults using sysctl or by editing configuration files.\n- Conduct a thorough examination of the system for signs of compromise, including checking for unauthorized access, unusual processes, or modifications to critical files.\n- Restore the system from a known good backup if the integrity of the system is compromised and cannot be reliably remediated.\n- Implement additional monitoring and logging for kernel feature modifications to detect similar activities in the future, ensuring alerts are configured for immediate response.\n- Escalate the incident to the security operations center (SOC) or relevant security team for further investigation and correlation with other potential threats across the network.\n- Review and update security policies and configurations to prevent unauthorized kernel modifications, including enforcing stricter access controls and auditing procedures.\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"ProcessRollup2\") and\nprocess.command_line : (\n \"*/etc/sysctl.conf*\", \"*/etc/sysctl.d/*\", \"*/proc/sys/kernel/nmi_watchdog*\",\n \"*/proc/sys/vm/nr_hugepages*\", \"*/proc/sys/kernel/yama/ptrace_scope*\",\n \"*/proc/sys/kernel/randomize_va_space*\", \"*/proc/sys/vm/drop_caches*\",\n \"*/proc/sys/kernel/sysrq*\", \"*grsecurity*\", \"*exec-shield*\",\n \"*kernel.randomize_va_space*\", \"*kernel.yama.ptrace_scope*\",\n \"*kernel.nmi_watchdog*\", \"*vm.nr_hugepages*\", \"*vm.drop_caches*\",\n \"*kernel.sysrq*\"\n) and\n?process.parent.executable != null and \n(\n (process.name == \"tee\" and process.args like \"-*a*\") or // also detects --append\n (process.name == \"cat\" and not process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")) or\n (process.name == \"grep\" and process.args_count == 3 and not process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")) or\n (process.name == \"sysctl\" and process.args like (\"*-w*\", \"*--write*\", \"*=*\")) or\n (process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and process.args == \"-c\" and process.args : \"*echo *\")\n) and\nnot (\n process.parent.executable in (\n \"/opt/novell/groupwise/agents/bin/gwia\", \"/opt/novell/groupwise/agents/bin/gwmta\", \"/opt/novell/groupwise/agents/bin/gwpoa\",\n \"/opt/illumio_ven/system/etc/init.d/illumio-firewall\", \"/usr/bin/oracle-database-preinstall-19c-verify\", \"/usr/bin/make\",\n \"/usr/local/qualys/cloud-agent/bin/qualys-scan-util\"\n ) or\n process.parent.executable like \"/tmp/CVU_19_resource*/checkmemlock.sh\" or\n process.parent.args == \"/usr/share/mysql/mysql-systemd-start\" or\n process.parent.command_line like \"*ansible*\" or\n (process.parent.name in (\"crond\", \"cron\") and process.command_line like \"*drop_caches*\") or\n (process.parent.name == \"python.original\" and process.parent.args == \"/usr/lib/venv-salt-minion/bin/salt-minion\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3aff6ab1-18bd-427e-9d4c-c5732110c261", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Data Source: Crowdstrike" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/" + }, + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + }, + { + "id": "T1562.006", + "name": "Indicator Blocking", + "reference": "https://attack.mitre.org/techniques/T1562/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "3aff6ab1-18bd-427e-9d4c-c5732110c261_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3c82bf84-5941-495b-ac41-0302f28e1a90_3.json b/packages/security_detection_engine/kibana/security_rule/3c82bf84-5941-495b-ac41-0302f28e1a90_3.json index 0e5a44b6358..28f5b02a354 100644 --- a/packages/security_detection_engine/kibana/security_rule/3c82bf84-5941-495b-ac41-0302f28e1a90_3.json +++ b/packages/security_detection_engine/kibana/security_rule/3c82bf84-5941-495b-ac41-0302f28e1a90_3.json @@ -18,7 +18,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/3d086f43-5382-493d-a018-bce165c88f9f_1.json b/packages/security_detection_engine/kibana/security_rule/3d086f43-5382-493d-a018-bce165c88f9f_1.json new file mode 100644 index 00000000000..a7c751d09d2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3d086f43-5382-493d-a018-bce165c88f9f_1.json @@ -0,0 +1,164 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker requests the Device Registration Service from a source autonomous system number (ASN) associated with VPN, residential proxy, or hosting egress commonly observed in OAuth phishing and adversary-in-the-middle device registration flows. This pattern can indicate device join or primary refresh token acquisition staged from attacker-controlled infrastructure after a user completes authentication.", + "false_positives": [ + "Users enrolling or joining devices while on corporate VPNs, consumer VPNs, or cloud egress that map to the listed ASNs may match. Legitimate mobile device management or bulk provisioning that uses the broker against Device Registration Service from the same networks can also trigger alerts. Baseline `source.as.organization.name` and successful broker-to-DRS sign-ins before tuning exclusions for approved ASNs or user groups." + ], + "from": "now-9m", + "index": [ + "logs-azure.signinlogs-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "source.as.number", + "source.as.organization.name", + "source.geo.country_name", + "event.outcome", + "azure.signinlogs.properties.user_principal_name", + "azure.signinlogs.properties.session_id", + "azure.signinlogs.properties.app_display_name", + "azure.signinlogs.properties.app_id", + "azure.signinlogs.properties.resource_display_name", + "azure.signinlogs.properties.resource_id", + "azure.signinlogs.properties.authentication_protocol", + "azure.tenant_id" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN", + "note": "## Triage and analysis\n\n### Investigating Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN\n\nReview `azure.signinlogs.properties.user_principal_name`, `azure.signinlogs.properties.app_display_name`,\n`azure.signinlogs.properties.resource_display_name`, `azure.signinlogs.properties.session_id`, `source.ip`,\n`source.as.number`, `source.as.organization.name`, and `user_agent.original`.\n\nConfirm whether the user intentionally registered or joined a device and whether the source ASN is expected for your\nenrollment or remote-access programs.\n\n### Possible investigation steps\n\n- Correlate `azure.signinlogs.properties.session_id` with other sign-ins for the same user, especially multi-IP OAuth\n flows or follow-on primary refresh token usage.\n- Review Entra ID audit logs for device registration activity around the same timestamp.\n- Compare `source.as.organization.name` against approved VPN, MDM, and automation egress in your environment.\n- Hunt for additional users signing in from the same ASN with the same application pair in a short window.\n\n### False positive analysis\n\n- Corporate or consumer VPN exit nodes that use ASNs in the rule list are a common source of benign matches during\n standard Windows or mobile device join.\n- Cloud hosting or ISP NAT pools may intermittently map to listed ASNs without indicating compromise.\n\n### Response and remediation\n\n- If malicious, revoke refresh tokens for the user, disable suspicious registered devices, and reset credentials per\n policy.\n- Review conditional access for the Microsoft Authentication Broker and device registration requirements.\n- Escalate per incident procedures when paired with identity protection alerts or impossible travel.\n", + "query": "data_stream.dataset:\"azure.signinlogs\" and event.action:\"Sign-in activity\" and\nsource.as.number:(\n 399629 or 14061 or 136787 or 9009 or 45102 or 215540 or 29802 or 62240 or 204957 or 395092 or 393406 or 400940 or\n 59711 or 132203\n) and\nazure.signinlogs.properties.app_display_name:\"Microsoft Authentication Broker\" and\nazure.signinlogs.properties.resource_display_name:\"Device Registration Service\"\n", + "references": [ + "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/", + "https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.signinlogs.properties.app_display_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.resource_display_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.as.number", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "3d086f43-5382-493d-a018-bce165c88f9f", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Sign-In Logs", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.005", + "name": "Device Registration", + "reference": "https://attack.mitre.org/techniques/T1098/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "3d086f43-5382-493d-a018-bce165c88f9f_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3d2e8c90-5be7-4a57-9de4-58be75af933f_1.json b/packages/security_detection_engine/kibana/security_rule/3d2e8c90-5be7-4a57-9de4-58be75af933f_1.json new file mode 100644 index 00000000000..e30efdcb486 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3d2e8c90-5be7-4a57-9de4-58be75af933f_1.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies failed, access-denied attempts to enable account-level access to an Amazon Bedrock foundation model, either by granting a foundation-model entitlement, submitting a use case for model access, or creating a foundation-model agreement (accepting the EULA). These account-level \"model access\" actions unlock a foundation model so that it can subsequently be invoked. A principal that is repeatedly denied when attempting these actions may be a compromised or under-privileged identity probing for the ability to unlock expensive models (LLMjacking) or to establish a durable ability to invoke models. Unlike the companion rule that detects successful model-access grants, this rule surfaces the attempt itself, which is a high-signal indicator of credential boundary-testing even though access was not granted.", + "false_positives": [ + "Access-denied errors can result from benign permission gaps: a newly created role or user whose IAM policy has not yet been provisioned, automation pipelines running ahead of permission grants, or ML teams experimenting in non-production accounts during onboarding. Verify that the principal, source IP, and user agent are expected before escalating. Recurring denials from known onboarding or provisioning workflows can be exempted for specific users or roles." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "aws.cloudtrail.error_code", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Bedrock Unauthorized Foundation Model Access Attempt", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS Bedrock Unauthorized Foundation Model Access Attempt\n\nAmazon Bedrock exposes account-level \"model access\" controls that determine which foundation models a principal is allowed to invoke. Granting an entitlement (`PutFoundationModelEntitlement`), submitting a use case for model access (`PutUseCaseForModelAccess`), or creating a foundation-model agreement (`CreateFoundationModelAgreement`, which accepts the model EULA) all unlock a model for subsequent `InvokeModel`/`InvokeModelWithResponseStream` calls.\n\nThis rule detects Bedrock control-plane calls that enable model access at the account level but were denied (`AccessDenied` / unauthorized). A denial indicates an identity attempting an action it is not permitted to perform, which is a strong signal of boundary-testing by a compromised or under-privileged principal even though no model access was granted.\n\n### Possible investigation steps\n\n- Identify the principal by reviewing `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`, and determine whether the identity has any legitimate reason to manage Bedrock model access. A denial for an identity that should never touch these APIs is more suspicious than one from an admin with a transient permission gap.\n- Inspect `aws.cloudtrail.error_code` and `aws.cloudtrail.error_message` to confirm the denial reason, and review `event.action` to determine which model-access action was attempted.\n- Verify the `source.ip` and `user_agent.original` of the request. An unexpected IP, geolocation, or automation user agent is suspicious.\n- Confirm the `cloud.account.id` and `cloud.region` are expected for Bedrock usage in your environment.\n- Correlate with recent activity from the same principal, such as new access key creation, IAM permission changes, or repeated denials across Bedrock/IAM APIs, which can indicate permission enumeration or escalation attempts.\n- Determine whether the identity later succeeded on the same or related actions (e.g., after acquiring new permissions), and check for subsequent `InvokeModel`/`InvokeModelWithResponseStream` activity.\n\n### False positive analysis\n\n- Newly provisioned roles/users or infrastructure-as-code pipelines running before model-access permissions are applied may generate transient denials. Validate against change-management records and known provisioning workflows.\n- ML teams exploring model adoption in sandbox accounts may hit denials; confirm the account and identity context.\n\n### Response and remediation\n\n- If the attempt is unexpected, treat the identity as potentially compromised: disable or rotate the credentials (`aws.cloudtrail.user_identity.access_key_id`) and review the actor's recent activity.\n- Review all Bedrock and IAM activity from the same identity in the surrounding window for successful access grants, permission changes, or other persistence attempts.\n- Review and constrain IAM permissions so that only approved principals can call Bedrock model-access APIs, and alert on both denied and successful calls.\n- Implement preventative guardrails (SCPs, IAM conditions) to limit which principals and models can be enabled.\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"bedrock.amazonaws.com\"\n and event.action: (\n \"PutFoundationModelEntitlement\" or\n \"PutUseCaseForModelAccess\" or\n \"CreateFoundationModelAgreement\"\n )\n and event.outcome: \"failure\"\n and aws.cloudtrail.error_code: (\n \"AccessDenied\" or\n \"AccessDeniedException\"\n )\n", + "references": [ + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_PutFoundationModelEntitlement.html", + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_PutUseCaseForModelAccess.html", + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_CreateFoundationModelAgreement.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.error_code", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3d2e8c90-5be7-4a57-9de4-58be75af933f", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Domain: LLM", + "Data Source: AWS", + "Data Source: AWS CloudTrail", + "Data Source: Amazon Web Services", + "Data Source: Amazon Bedrock", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "3d2e8c90-5be7-4a57-9de4-58be75af933f_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4027f24e-b02f-4605-872f-7bafd8fe1b33_1.json b/packages/security_detection_engine/kibana/security_rule/4027f24e-b02f-4605-872f-7bafd8fe1b33_1.json new file mode 100644 index 00000000000..95e57ab8e21 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4027f24e-b02f-4605-872f-7bafd8fe1b33_1.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies PowerShell script block content associated with an Antimalware Scan Interface (AMSI) bypass that hooks the RPC runtime marshaling stub NdrClientCall3 (or NdrClientCall2) in rpcrt4.dll. Unlike bypasses that patch AmsiScanBuffer or set amsiInitFailed, this technique operates at the RPC layer used by AMSI to delegate scan requests to the antivirus provider, tampering with the request before it reaches the engine and leaving AMSI itself unmodified. The loader allocates an executable trampoline and marshals a delegate to the native stub; these primitives appear in PowerShell Script Block Logging before the hook takes effect.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "host.id", + "host.name", + "user.id", + "user.name", + "user.domain", + "process.pid", + "powershell.file.script_block_text", + "powershell.file.script_block_id", + "powershell.sequence", + "powershell.total", + "file.path" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential AMSI Bypass via RPC Runtime Hooking", + "note": "## Triage and analysis\n\n### Investigating Potential AMSI Bypass via RPC Runtime Hooking\n\nThe Antimalware Scan Interface (AMSI) delegates scan requests to the registered antivirus provider over RPC. By hooking\nthe RPC runtime marshaling stub `NdrClientCall3`/`NdrClientCall2` in `rpcrt4.dll`, an adversary can tamper with these\nrequests so that malicious content is reported as clean, without modifying `amsi.dll` or patching `AmsiScanBuffer`.\nThis makes the bypass harder to catch via AMSI buffer or memory-write telemetry; the most reliable host artifact is the\nloader's own PowerShell script content, captured by Script Block Logging.\n\n#### Possible investigation steps\n\n- Review `powershell.file.script_block_text` for references to `NdrClientCall3`/`NdrClientCall2`, resolution of\n functions in `rpcrt4.dll`, allocation of executable (`PAGE_EXECUTE_READWRITE`) memory, and delegate marshaling via\n `GetDelegateForFunctionPointer`.\n- PowerShell logs each statement as a separate event; pivot on `host.id` and the PowerShell process id to reconstruct\n the full loader sequence and confirm intent.\n- Identify how PowerShell was launched (interactive, encoded command, remote session) and review the parent process\n tree for download or staging activity.\n- Correlate with Elastic Defend endpoint telemetry on the same host around the same time. Note that this RPC-layer hook\n may not surface as a memory modification of `rpcrt4.dll`, which is expected for this technique.\n- Hunt for the same script content, user, or host pattern across the environment.\n\n### False positive analysis\n\n- Security research, detection engineering, and red-team development that legitimately references the RPC runtime\n marshaling functions or allocates executable memory from PowerShell can match. Validate the user, host, parent\n process, and surrounding script blocks against authorized testing before closing as benign, and add exceptions for\n known testing identities or hosts.\n\n### Response and remediation\n\n- Isolate the host if the activity is confirmed malicious and review for follow-on payload execution that the bypass\n was intended to conceal.\n- Terminate the offending PowerShell session and preserve the Script Block Logging events for analysis.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, or WDAC.\n- Reset credentials for accounts active on the host during the session if follow-on activity is observed.\n\n### Limitations\n\nThis rule detects the technique only when it is delivered as logged PowerShell script-block text. In-memory delivery, a\nPowerShell v2 downgrade, or implementing the hook outside PowerShell (compiled binary) can evade Script Block Logging\nand therefore this rule. For customers running Elastic Defend, prefer the companion Endpoint Rule which detects the\nVirtualProtect call targeting rpcrt4.dll!NdrClientCall* directly via API telemetry and is not dependent on Script\nBlock Logging.", + "query": "event.code: \"4104\" and host.os.type: \"windows\" and\n powershell.file.script_block_text : (\n \"NdrClientCall\" or\n \"NdrClientCall2\" or\n \"NdrClientCall3\"\n ) and\n powershell.file.script_block_text : (\n \"GetProcAddress\" or\n \"GetDelegateForFunctionPointer\" or\n \"VirtualProtect\"\n )\n", + "references": [ + "https://github.com/andreisss/Ghosting-AMSI" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "4027f24e-b02f-4605-872f-7bafd8fe1b33", + "setup": "## Setup\n\nPowerShell Script Block Logging must be enabled to generate the events used by this rule (event ID 4104). The\n`Microsoft-Windows-PowerShell/Operational` channel must be collected by the Windows integration or Winlogbeat.\n\nSetup instructions: https://ela.st/powershell-logging-setup", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "4027f24e-b02f-4605-872f-7bafd8fe1b33_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42b5e06d-b297-4286-a004-ae0da92c5b81_1.json b/packages/security_detection_engine/kibana/security_rule/42b5e06d-b297-4286-a004-ae0da92c5b81_1.json new file mode 100644 index 00000000000..1c8d6c5cae0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/42b5e06d-b297-4286-a004-ae0da92c5b81_1.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects creation, modification, or deletion of AWS Bedrock Provisioned Model Throughput via the CreateProvisionedModelThroughput, UpdateProvisionedModelThroughput, and DeleteProvisionedModelThroughput APIs. Provisioned Throughput reserves dedicated, billed model capacity for Amazon Bedrock. An adversary who scales this capacity up can drive large, unauthorized cost (cloud resource/bill hijacking), while deleting reserved throughput can cause denial of service to production workloads that depend on that committed capacity. These control-plane changes should be validated against approved capacity-planning and change-management processes.", + "false_positives": [ + "Provisioned Throughput changes may be performed by platform, ML, or FinOps teams as part of capacity planning, scaling for production demand, or cost optimization. Infrastructure-as-code pipelines and automation roles may also create, update, or delete provisioned throughput during deployments. Verify that the user identity, user agent, and source IP correspond to known administrators or automation and that a corresponding change request exists. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.provider", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Bedrock Provisioned Model Throughput Tampering", + "note": "## Triage and analysis\n\n### Investigating AWS Bedrock Provisioned Model Throughput Tampering\n\nAmazon Bedrock Provisioned Throughput reserves dedicated, billed model capacity for foundation models.\nBecause this capacity is committed and metered, adversaries can abuse it in two ways: scaling capacity up to\nincur large, unauthorized cloud spend (resource/bill hijacking), or deleting reserved throughput to deny\nservice to production workloads that rely on committed capacity. This rule identifies\n`CreateProvisionedModelThroughput`, `UpdateProvisionedModelThroughput`, and `DeleteProvisionedModelThroughput`\ncalls so responders can confirm whether the change was authorized.\n\n#### Possible investigation steps\n\n- **Identify the actor and context**\n - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`,\n `aws.cloudtrail.user_identity.access_key_id`, `user_agent.original`, and `source.ip`.\n - Determine whether the identity is an approved administrator, ML/platform engineer, or automation role.\n - Confirm a corresponding change request or capacity-planning ticket exists.\n- **Validate the request details**\n - Inspect `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` for the model ID,\n commitment duration, and requested model units. Unusually large model-unit counts or long commitment\n terms on a Create/Update may indicate cost-driven abuse.\n - For `DeleteProvisionedModelThroughput`, identify which provisioned model was removed and whether any\n production workload depended on it.\n- **Correlate activity**\n - Review other Bedrock control-plane actions (e.g., model invocation logging changes, guardrail changes)\n and IAM/STS activity from the same identity around the same time.\n - Check `cloud.account.id` and `cloud.region` for whether the activity occurred in an expected account/region.\n\n### False positive analysis\n\n- **Capacity planning**: Platform, ML, or FinOps teams may legitimately create, update, or delete provisioned\n throughput. Validate against change tickets and standard capacity-management procedures.\n- **Automation**: IaC or deployment pipelines may manage provisioned throughput on bootstrap or teardown.\n Confirm the source IP and ARN match expected automation infrastructure.\n\n### Response and remediation\n\n- If unauthorized, immediately disable the offending access key or role and revert the change (delete\n unauthorized provisioned throughput, or recreate deleted reserved capacity required by production).\n- Review billing and Cost Explorer for unexpected Bedrock provisioned-throughput charges.\n- Audit the actor's recent activity and rotate credentials if compromise is suspected.\n- Restrict `bedrock:CreateProvisionedModelThroughput`, `bedrock:UpdateProvisionedModelThroughput`, and\n `bedrock:DeleteProvisionedModelThroughput` to a small set of administrative roles and enforce approval\n workflows and budget alarms.\n\n### Additional information\n\n- **[Amazon Bedrock Provisioned Throughput](https://docs.aws.amazon.com/bedrock/latest/userguide/prov-throughput.html)**\n", + "query": "data_stream.dataset: \"aws.cloudtrail\" and\n event.provider: \"bedrock.amazonaws.com\" and\n event.action: (\n \"CreateProvisionedModelThroughput\" or\n \"UpdateProvisionedModelThroughput\" or\n \"DeleteProvisionedModelThroughput\"\n ) and\n event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/prov-throughput.html", + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_CreateProvisionedModelThroughput.html", + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_DeleteProvisionedModelThroughput.html", + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_UpdateProvisionedModelThroughput.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "42b5e06d-b297-4286-a004-ae0da92c5b81", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: LLM", + "Data Source: AWS", + "Data Source: AWS CloudTrail", + "Data Source: Amazon Web Services", + "Data Source: Amazon Bedrock", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1496", + "name": "Resource Hijacking", + "reference": "https://attack.mitre.org/techniques/T1496/", + "subtechnique": [ + { + "id": "T1496.004", + "name": "Cloud Service Hijacking", + "reference": "https://attack.mitre.org/techniques/T1496/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "42b5e06d-b297-4286-a004-ae0da92c5b81_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42c97e6e-60c3-11f0-832a-f661ea17fbcd_4.json b/packages/security_detection_engine/kibana/security_rule/42c97e6e-60c3-11f0-832a-f661ea17fbcd_4.json index b60f85e4483..251f3bf35c6 100644 --- a/packages/security_detection_engine/kibana/security_rule/42c97e6e-60c3-11f0-832a-f661ea17fbcd_4.json +++ b/packages/security_detection_engine/kibana/security_rule/42c97e6e-60c3-11f0-832a-f661ea17fbcd_4.json @@ -23,8 +23,9 @@ ], "related_integrations": [ { + "integration": "graphactivitylogs", "package": "azure", - "version": "^1.0.0" + "version": "^1.10.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_115.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_115.json new file mode 100644 index 00000000000..c751db4d61d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_115.json @@ -0,0 +1,169 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux User Added to Privileged Group", + "note": "## Triage and analysis\n\n### Investigating Linux User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was successfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"executed\", \"process_started\") and\nprocess.executable != null and process.args in (\n \"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\"\n) and\n(\n process.name in (\"usermod\", \"adduser\") or\n (process.name == \"gpasswd\" and process.args in (\"-a\", \"--add\", \"-M\", \"--members\"))\n) and\nnot (\n ?process.parent.executable like (\n \"/usr/lib/google/guest_agent/core_plugin\", \"/usr/libexec/platform-python*\", \"/usr/lib/google/guest_agent/GuestAgentCorePlugin/core_plugin\",\n \"/usr/bin/google_guest_agent\"\n ) or\n (\n ?process.entry_leader.executable == \"/usr/lib/venv-salt-minion/bin/python.original\" and\n ?process.entry_leader.args == \"/usr/lib/venv-salt-minion/bin/salt-minion\"\n )\n)\n", + "references": [ + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entry_leader.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entry_leader.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.007", + "name": "Additional Local or Domain Groups", + "reference": "https://attack.mitre.org/techniques/T1098/007/" + } + ] + }, + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.007", + "name": "Additional Local or Domain Groups", + "reference": "https://attack.mitre.org/techniques/T1098/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 115 + }, + "id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b_115", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/44b8d933-8fed-485d-a0af-bd97d0093439_1.json b/packages/security_detection_engine/kibana/security_rule/44b8d933-8fed-485d-a0af-bd97d0093439_1.json new file mode 100644 index 00000000000..459c8277f0c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/44b8d933-8fed-485d-a0af-bd97d0093439_1.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies two or more distinct DHCP servers sending an OFFER or ACK for the same transaction ID (xid) within a short window, indicating a rogue DHCP server racing the legitimate one to win the client's handshake. This is the rogue-DHCP / adversary-in-the-middle precondition (T1557.003) and is operating-system agnostic, since it keys only on server behavior observed on the wire. Winning the race lets an attacker intercept traffic via a hostile gateway/DNS, bypass a VPN (TunnelVision), or deliver a malformed response that exploits the client's DHCP parser for code execution.", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Multiple DHCP Servers Responding to the Same Transaction", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Multiple DHCP Servers Responding to the Same Transaction\n\nDHCP is plaintext UDP and fully visible to any sensor on the broadcast segment. A rogue server (or an injected response\non the victim's L2 broadcast domain) that answers a transaction the legitimate server already owns is the defining\nprecondition for DHCP-based adversary-in-the-middle and for malformed-option client exploits. This rule flags exactly\nthat: two or more distinct server source IPs producing an OFFER/ACK for one transaction ID inside the same 30-second\nwindow, and is operating-system agnostic, since it keys only on server behavior observed on the wire.\n\n### Possible investigation steps\n\n- Identify the server source IPs in `Esql.values_server_ips` and `Esql.values_server_identifiers`. Determine which is\n the sanctioned DHCP server and which is unexpected.\n- Locate the rogue server on the segment (switch CAM/ARP tables, port, VLAN). It is on the same broadcast domain as the\n victim by definition.\n- Inspect the rogue OFFER/ACK options for an oversized or malformed payload (the overflow trigger) and for hostile\n configuration such as an attacker-controlled default gateway (option 3), DNS server (option 6), WPAD/proxy\n auto-config (option 252), or classless static routes (option 121, TunnelVision-style VPN bypass).\n- Identify the client(s) acquiring leases on the segment (any OS, including Windows, Linux, macOS, iOS, IoT) and review their\n endpoint telemetry for DHCP client service crashes, unexpected route/DNS/gateway changes, or follow-on code execution.\n Where the target OS and DHCP client are known, check whether they are unpatched for the relevant CVE (e.g.\n CVE-2026-44815 on Windows, CVE-2018-5732 on ISC dhclient).\n\n### False positive analysis\n\n- DHCP failover pairs (Microsoft or ISC) are designed so that, for a given transaction, only one peer answers; two\n peers answering the same xid within 30 seconds is not normal failover behavior. If a known active-active or\n load-balancing architecture genuinely does this, add its server IPs to an exception.\n- DHCP relay agents forward responses but the relayed source is the relay, and a single server still owns each\n transaction. Anycast/VIP DHCP designs that present multiple real backend IPs on the wire are rare and would be a known\n architectural fact, which can be excepted by those IPs.\n\n### Response and remediation\n\n- Remove the rogue DHCP server from the segment, then patch the affected client DHCP stacks (e.g. June 2026 Patch\n Tuesday for CVE-2026-44815 on Windows, or the fixed ISC dhclient for CVE-2018-5732 on Linux/Unix).\n- Enable DHCP snooping on managed switches and restrict DHCP server responses to authorized server ports/MACs as a\n compensating control, which protects clients of every OS and also mitigates TunnelVision-style route injection.\n", + "query": "from logs-network_traffic.dhcpv4-*, packetbeat-*\n| eval\n message_type = TO_LOWER(COALESCE(network_traffic.dhcpv4.option.message_type, dhcpv4.option.message_type)),\n Esql.transaction_id = COALESCE(network_traffic.dhcpv4.transaction_id, dhcpv4.transaction_id),\n server_identifier = COALESCE(network_traffic.dhcpv4.option.server_identifier, dhcpv4.option.server_identifier)\n| where message_type in (\"offer\", \"ack\") and Esql.transaction_id is not null and source.ip is not null\n| eval Esql.time_window = DATE_TRUNC(30 seconds, @timestamp)\n| stats\n Esql.count_distinct_servers = COUNT_DISTINCT(source.ip),\n Esql.values_server_ips = VALUES(source.ip),\n Esql.values_server_identifiers = VALUES(server_identifier),\n Esql.count_replies = COUNT(*)\n by Esql.time_window, Esql.transaction_id\n| where Esql.count_distinct_servers >= 2\n| keep Esql.transaction_id, Esql.time_window, Esql.count_distinct_servers, Esql.values_server_ips, Esql.values_server_identifiers, Esql.count_replies\n", + "references": [ + "https://nvd.nist.gov/vuln/detail/CVE-2026-44815", + "https://nvd.nist.gov/vuln/detail/CVE-2024-3661", + "https://www.leviathansecurity.com/blog/tunnelvision", + "https://nvd.nist.gov/vuln/detail/CVE-2018-5732", + "https://msrc.microsoft.com/update-guide" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "risk_score": 73, + "rule_id": "44b8d933-8fed-485d-a0af-bd97d0093439", + "setup": "## Setup\n\nThis rule requires the Elastic network_traffic (Packetbeat) integration capturing DHCP (UDP 67/68) on the broadcast\nsegment where clients acquire/renew leases, either Packetbeat running on the segment or a SPAN/mirror feeding it. A\nsensor not on the same L2 broadcast domain (or not behind the relevant DHCP relay) will not observe competing OFFER/ACK\npackets.\n\nZeek is intentionally not supported: the zeek.dhcp data stream does not expose a transaction ID and aggregates a full\nDORA exchange into one record, so the per-transaction server-count comparison cannot be expressed on it.\n", + "severity": "high", + "tags": [ + "Domain: Network", + "Domain: Endpoint", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Use Case: Network Security Monitoring", + "Tactic: Credential Access", + "Tactic: Execution", + "Data Source: Network Traffic", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1557", + "name": "Adversary-in-the-Middle", + "reference": "https://attack.mitre.org/techniques/T1557/", + "subtechnique": [ + { + "id": "T1557.003", + "name": "DHCP Spoofing", + "reference": "https://attack.mitre.org/techniques/T1557/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "44b8d933-8fed-485d-a0af-bd97d0093439_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/472b4944-d810-43cf-83dc-7d080ae1b8dd_6.json b/packages/security_detection_engine/kibana/security_rule/472b4944-d810-43cf-83dc-7d080ae1b8dd_6.json index 1eebe3f2a15..e75248bb6a4 100644 --- a/packages/security_detection_engine/kibana/security_rule/472b4944-d810-43cf-83dc-7d080ae1b8dd_6.json +++ b/packages/security_detection_engine/kibana/security_rule/472b4944-d810-43cf-83dc-7d080ae1b8dd_6.json @@ -18,22 +18,10 @@ "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack" ], "related_integrations": [ - { - "package": "aws", - "version": "^4.0.0" - }, { "package": "gcp", "version": "^2.0.0" }, - { - "package": "azure", - "version": "^1.0.0" - }, - { - "package": "kubernetes", - "version": "^1.4.1" - }, { "integration": "cloudtrail", "package": "aws", @@ -43,6 +31,10 @@ "integration": "platformlogs", "package": "azure", "version": "^1.0.0" + }, + { + "package": "kubernetes", + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_112.json b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_112.json new file mode 100644 index 00000000000..8da28cf47a2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_112.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had been previously blocked before by a user with admin privileges.", + "false_positives": [ + "Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace.admin-*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "source.ip", + "user.name", + "user.email", + "event.action", + "google_workspace.admin.org_unit.name", + "google_workspace.admin.setting.name", + "google_workspace.admin.old_value", + "google_workspace.admin.new_value" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Application Removed from Blocklist in Google Workspace", + "note": "## Triage and analysis\n\n### Investigating Application Removed from Blocklist in Google Workspace\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\n\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\n\n### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Review `google_workspace.admin.old_value` and `google_workspace.admin.new_value` to confirm the app moved from blocked to allowed and note the affected organizational unit (`google_workspace.admin.org_unit.name`).\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security > Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- After identifying the involved user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace apps > Apps list`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "data_stream.dataset:\"google_workspace.admin\" and\n event.action:\"CHANGE_APPLICATION_SETTING\" and\n google_workspace.admin.application.name:\"Google Workspace Marketplace\" and\n google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\n", + "references": [ + "https://support.google.com/a/answer/6328701?hl=en#", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.application.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.old_value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "495e5f2e-2480-11ed-bea8-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Resources: Investigation Guide", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain or Tenant Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/" + }, + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 112 + }, + "id": "495e5f2e-2480-11ed-bea8-f661ea17fbce_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/498e4094-60e7-11f0-8847-f661ea17fbcd_8.json b/packages/security_detection_engine/kibana/security_rule/498e4094-60e7-11f0-8847-f661ea17fbcd_8.json index 9ef91761cb7..70ddd0f35b2 100644 --- a/packages/security_detection_engine/kibana/security_rule/498e4094-60e7-11f0-8847-f661ea17fbcd_8.json +++ b/packages/security_detection_engine/kibana/security_rule/498e4094-60e7-11f0-8847-f661ea17fbcd_8.json @@ -381,6 +381,11 @@ "name": "client.as.organization.name", "type": "keyword" }, + { + "ecs": false, + "name": "client.as.organization.name.text", + "type": "text" + }, { "ecs": true, "name": "client.bytes", @@ -506,6 +511,11 @@ "name": "client.user.full_name", "type": "keyword" }, + { + "ecs": false, + "name": "client.user.full_name.text", + "type": "text" + }, { "ecs": true, "name": "client.user.group.domain", @@ -536,6 +546,11 @@ "name": "client.user.name", "type": "keyword" }, + { + "ecs": false, + "name": "client.user.name.text", + "type": "text" + }, { "ecs": true, "name": "client.user.roles", @@ -886,6 +901,11 @@ "name": "source.as.organization.name", "type": "keyword" }, + { + "ecs": false, + "name": "source.as.organization.name.text", + "type": "text" + }, { "ecs": true, "name": "source.bytes", @@ -1011,6 +1031,11 @@ "name": "source.user.full_name", "type": "keyword" }, + { + "ecs": false, + "name": "source.user.full_name.text", + "type": "text" + }, { "ecs": true, "name": "source.user.group.domain", @@ -1041,6 +1066,11 @@ "name": "source.user.name", "type": "keyword" }, + { + "ecs": false, + "name": "source.user.name.text", + "type": "text" + }, { "ecs": true, "name": "source.user.roles", diff --git a/packages/security_detection_engine/kibana/security_rule/4b1ee53e-3fdc-11f0-8c24-f661ea17fbcd_4.json b/packages/security_detection_engine/kibana/security_rule/4b1ee53e-3fdc-11f0-8c24-f661ea17fbcd_4.json index e18059e1f4f..71fc9f3f662 100644 --- a/packages/security_detection_engine/kibana/security_rule/4b1ee53e-3fdc-11f0-8c24-f661ea17fbcd_4.json +++ b/packages/security_detection_engine/kibana/security_rule/4b1ee53e-3fdc-11f0-8c24-f661ea17fbcd_4.json @@ -43,7 +43,7 @@ "related_integrations": [ { "package": "azure", - "version": "^1.0.0" + "version": "^1.4.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/4b77d382-b78e-4aae-85a0-8841b80e4fc4_6.json b/packages/security_detection_engine/kibana/security_rule/4b77d382-b78e-4aae-85a0-8841b80e4fc4_6.json index fc71849fd75..eec3416d18c 100644 --- a/packages/security_detection_engine/kibana/security_rule/4b77d382-b78e-4aae-85a0-8841b80e4fc4_6.json +++ b/packages/security_detection_engine/kibana/security_rule/4b77d382-b78e-4aae-85a0-8841b80e4fc4_6.json @@ -19,7 +19,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/4df91789-7859-4bc4-9c5a-6b56bfa81a8b_1.json b/packages/security_detection_engine/kibana/security_rule/4df91789-7859-4bc4-9c5a-6b56bfa81a8b_1.json index 2ff9c3bb073..6b5c3b98a99 100644 --- a/packages/security_detection_engine/kibana/security_rule/4df91789-7859-4bc4-9c5a-6b56bfa81a8b_1.json +++ b/packages/security_detection_engine/kibana/security_rule/4df91789-7859-4bc4-9c5a-6b56bfa81a8b_1.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/4e2dcdf4-f012-4b67-980b-1551b7149305_1.json b/packages/security_detection_engine/kibana/security_rule/4e2dcdf4-f012-4b67-980b-1551b7149305_1.json new file mode 100644 index 00000000000..93accff2e09 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4e2dcdf4-f012-4b67-980b-1551b7149305_1.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies AWS Bedrock Agent creation performed directly by an IAM user or the root account. Bedrock Agents are autonomous AI systems that execute multi-step tasks, invoke Lambda action groups to call external APIs, and query knowledge bases. Adversaries with access to an AWS account can create rogue agents configured to exfiltrate data via action group Lambda functions, pivot to other services, or act as a persistent AI-driven command-and-control channel. This rule is scoped to IAMUser and Root identity types \u2014 AssumedRole sessions (which represent automated CI/CD pipelines and SSO-federated engineers) are excluded to avoid global false positives from legitimate deployment automation that varies widely across customer environments.", + "false_positives": [ + "Developers or administrators creating Bedrock agents interactively using personal IAM user credentials. This is the intended detection surface \u2014 validate the identity against known developer accounts and confirm the agent configuration (instruction, action groups, model) matches a known project." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Bedrock Agent Created by IAM User or Root", + "note": "## Triage and analysis\n\n### Investigating AWS Bedrock Agent Created by IAM User or Root\n\nAWS Bedrock Agents can autonomously perform complex tasks by combining foundation models with action groups\n(Lambda functions) and knowledge bases. A rogue agent could serve as a persistent AI-driven foothold, executing\nattacker-controlled instructions via inference requests.\n\n#### Possible investigation steps\n\n- **Identity**: `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type`. This rule fires only\n for IAMUser or Root \u2014 both are direct human credentials, not automated pipeline roles. Confirm the user is\n known and authorized to create agents.\n\n- **Agent configuration** in `aws.cloudtrail.request_parameters`:\n - `agentName` \u2014 does the name match known internal projects?\n - `foundationModel` \u2014 which model was selected? Expensive models (Claude Opus-class) indicate higher cost risk.\n - `instruction` \u2014 the system prompt. Adversarial, minimal, or exfiltration-oriented instructions are a red flag.\n - `actionGroupExecutor.lambda` \u2014 Lambda ARN presence means the agent can invoke external code.\n\n- **Cross-account indicators**: Lambda ARNs in action groups belonging to a different account than\n `cloud.account.id` indicate external code execution capability.\n\n- **Follow-on activity**: Look for `PrepareAgent`, `CreateAgentAlias`, `CreateAgentActionGroup`, or\n `AssociateAgentKnowledgeBase` from the same identity within the next hour.\n\n### False positive analysis\n- Developers creating agents interactively with personal IAM user credentials. Confirm the agent is for a known\n project and the IAM user is authorized. Production agent deployment should use IAM roles \u2014 personal key use\n is itself a misconfiguration worth noting.\n\n### Response and remediation\n- Delete the unauthorized agent using `DeleteAgent`.\n- Review and remove associated action groups and aliases.\n- Audit Lambda functions referenced in action group executors for malicious code.\n- Restrict `bedrock:CreateAgent` to specific deployment roles via IAM policy or SCP.\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"bedrock.amazonaws.com\"\n and event.action: \"CreateAgent\"\n and event.outcome: \"success\"\n and aws.cloudtrail.user_identity.type: (\"IAMUser\" or \"Root\")\n", + "references": [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/agents.html", + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_CreateAgent.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4e2dcdf4-f012-4b67-980b-1551b7149305", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Domain: LLM", + "Data Source: AWS", + "Data Source: AWS CloudTrail", + "Data Source: Amazon Web Services", + "Data Source: Amazon Bedrock", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "4e2dcdf4-f012-4b67-980b-1551b7149305_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5202697c-313b-4bf0-9029-73fe78cd4b6d_1.json b/packages/security_detection_engine/kibana/security_rule/5202697c-313b-4bf0-9029-73fe78cd4b6d_1.json index 46b1d2d0b50..14682737d4d 100644 --- a/packages/security_detection_engine/kibana/security_rule/5202697c-313b-4bf0-9029-73fe78cd4b6d_1.json +++ b/packages/security_detection_engine/kibana/security_rule/5202697c-313b-4bf0-9029-73fe78cd4b6d_1.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_120.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_120.json new file mode 100644 index 00000000000..f0b5643e4eb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_120.json @@ -0,0 +1,160 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Deprecated - Linux Restricted Shell Breakout via Linux Binary(s)", + "note": "## Triage and analysis\n\n### Investigating Deprecated - Linux Restricted Shell Breakout via Linux Binary(s)\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.executable != null and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\" and not process.parent.executable == \"/usr/bin/log4j-cve-2021-44228-hotpatch\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and\n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and\n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n\n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not\n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\" and\n not process.parent.executable == \"/bin/busybox\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", + "references": [ + "https://gtfobins.github.io/gtfobins/apt/", + "https://gtfobins.github.io/gtfobins/apt-get/", + "https://gtfobins.github.io/gtfobins/nawk/", + "https://gtfobins.github.io/gtfobins/mawk/", + "https://gtfobins.github.io/gtfobins/awk/", + "https://gtfobins.github.io/gtfobins/gawk/", + "https://gtfobins.github.io/gtfobins/busybox/", + "https://gtfobins.github.io/gtfobins/c89/", + "https://gtfobins.github.io/gtfobins/c99/", + "https://gtfobins.github.io/gtfobins/cpulimit/", + "https://gtfobins.github.io/gtfobins/crash/", + "https://gtfobins.github.io/gtfobins/env/", + "https://gtfobins.github.io/gtfobins/expect/", + "https://gtfobins.github.io/gtfobins/find/", + "https://gtfobins.github.io/gtfobins/flock/", + "https://gtfobins.github.io/gtfobins/gcc/", + "https://gtfobins.github.io/gtfobins/mysql/", + "https://gtfobins.github.io/gtfobins/nice/", + "https://gtfobins.github.io/gtfobins/ssh/", + "https://gtfobins.github.io/gtfobins/vi/", + "https://gtfobins.github.io/gtfobins/vim/", + "https://gtfobins.github.io/gtfobins/capsh/", + "https://gtfobins.github.io/gtfobins/byebug/", + "https://gtfobins.github.io/gtfobins/git/", + "https://gtfobins.github.io/gtfobins/ftp/", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to \u201cManage \u2192 Policies\u201d, and edit one or more of your Elastic Defend integration policies.\n- Select the\u201d Policy settings\u201d tab, then scroll down to the \u201cLinux event collection\u201d section near the bottom.\n- Check the box for \u201cProcess events\u201d, and turn on the \u201cInclude session data\u201d toggle.\n- If you want to include file and network alerts in Session View, check the boxes for \u201cNetwork and File events\u201d.\n- If you want to enable terminal output capture, turn on the \u201cCapture terminal output\u201d toggle.\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 120 + }, + "id": "52376a86-ee86-4967-97ae-1a05f55816f0_120", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/53bb8f53-3550-4805-b6bd-728ded8d5564_1.json b/packages/security_detection_engine/kibana/security_rule/53bb8f53-3550-4805-b6bd-728ded8d5564_1.json new file mode 100644 index 00000000000..d486ffe9557 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/53bb8f53-3550-4805-b6bd-728ded8d5564_1.json @@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or update of an AWS Lambda function URL configured with an authentication type of NONE, which exposes the function to unauthenticated invocation directly from the public internet. Adversaries can use a public function URL to establish a durable, internet-reachable entry point for command and control, data egress, or on-demand execution of attacker-controlled code, bypassing the need for valid AWS credentials to invoke the function. Function URLs with public access should be rare and deliberate, so this configuration warrants review.", + "false_positives": [ + "Some public-facing applications, webhooks, and lightweight APIs legitimately use Lambda function URLs with no authentication and enforce access control elsewhere. Verify the function, the principal in `aws.cloudtrail.user_identity.arn`, and the intended exposure with the owning team. Known public endpoints can be excluded after validation." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "interval": "5m", + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.user_identity.session_context.session_issuer.arn", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "AWS Lambda Function URL Created with Public Access", + "note": "## Triage and analysis\n\n### Investigating AWS Lambda Function URL Created with Public Access\n\nA Lambda function URL is a dedicated HTTPS endpoint for a function. When configured with `authType=NONE`, anyone on the internet can invoke the function without AWS authentication. Adversaries use this to create a public, persistent entry point for command and control, data exfiltration, or running attacker-controlled code without needing AWS credentials.\n\nThis rule detects successful `CreateFunctionUrlConfig` and `UpdateFunctionUrlConfig` calls where the auth type is set to NONE.\n\n### Possible investigation steps\n\n- Identify the actor in `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type`, and review `source.ip` and `user_agent.original` to determine how the change was made.\n- Inspect `aws.cloudtrail.request_parameters` for the `functionName` and the auth type, and review `aws.cloudtrail.response_elements` for the resulting `functionUrl`.\n- Determine whether the function is intended to be public and whether the owning team requested an unauthenticated endpoint.\n- Review the function's code, execution role, and recent changes (`UpdateFunctionCode`, `UpdateFunctionConfiguration`, `AddPermission`) for signs of tampering.\n- Correlate with other activity by the same principal, and check the function's invocation and access logs for traffic from unexpected sources after the URL was exposed.\n\n### False positive analysis\n\n- Public webhooks, simple APIs, and front-end integrations sometimes use unauthenticated function URLs intentionally. Confirm the exposure is approved and exclude known public endpoints on `functionName` or `aws.cloudtrail.user_identity.arn` after validation.\n\n### Response and remediation\n\n- If the exposure is unauthorized, change the function URL auth type to `AWS_IAM` or delete the function URL configuration, and review the function code and execution role for compromise.\n- Examine invocation logs for unauthenticated requests received while the URL was public and assess potential impact.\n- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `lambda:CreateFunctionUrlConfig` and `lambda:UpdateFunctionUrlConfig` to trusted roles.\n\n### Additional information\n\n- [Lambda function URLs](https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html)\n- [Security and auth model for Lambda function URLs](https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html)\n", + "query": "any where data_stream.dataset == \"aws.cloudtrail\"\n and event.provider == \"lambda.amazonaws.com\"\n and event.outcome == \"success\"\n and (event.action : \"CreateFunctionUrlConfig*\" or event.action : \"UpdateFunctionUrlConfig*\")\n and stringContains(aws.cloudtrail.request_parameters, \"authType=NONE\")\n", + "references": [ + "https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html", + "https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "53bb8f53-3550-4805-b6bd-728ded8d5564", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Lambda", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1578", + "name": "Modify Cloud Compute Infrastructure", + "reference": "https://attack.mitre.org/techniques/T1578/", + "subtechnique": [ + { + "id": "T1578.005", + "name": "Modify Cloud Compute Configurations", + "reference": "https://attack.mitre.org/techniques/T1578/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "53bb8f53-3550-4805-b6bd-728ded8d5564_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5619545b-9738-408c-bdb5-a2807e19133e_1.json b/packages/security_detection_engine/kibana/security_rule/5619545b-9738-408c-bdb5-a2807e19133e_1.json new file mode 100644 index 00000000000..694bc83eed2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5619545b-9738-408c-bdb5-a2807e19133e_1.json @@ -0,0 +1,144 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of an AWS Lambda event source mapping, which connects an event source such as an Amazon SQS queue, an Amazon Kinesis or DynamoDB stream, an Amazon MSK or self-managed Apache Kafka topic, or an Amazon MQ broker to a Lambda function so the function is automatically invoked when new records arrive. Adversaries with \"lambda:CreateEventSourceMapping\" permissions can abuse this to establish stealthy, event-driven persistence and execution, or to continuously siphon records from a stream or queue into attacker-controlled function code. Because the function then runs on its own whenever the source produces events, this grants durable execution without any further interactive activity by the adversary.", + "false_positives": [ + "Application teams and infrastructure-as-code pipelines routinely create event source mappings to wire data pipelines, queue consumers, and stream processors to Lambda functions. Verify whether the principal in `aws.cloudtrail.user_identity.arn`, the function, and the event source are expected for the workload. Known deployment roles and automation can be excluded after validation." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "interval": "5m", + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.user_identity.session_context.session_issuer.arn", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Lambda Event Source Mapping Creation", + "note": "## Triage and analysis\n\n### Investigating AWS Lambda Event Source Mapping Creation\n\nAWS Lambda event source mappings poll an event source (Amazon SQS, Kinesis or DynamoDB streams, Amazon MSK or self-managed Kafka, or Amazon MQ) and invoke a target function as records arrive. Creating a mapping is a low-frequency, high-impact configuration change: it can establish event-driven persistence and execution, or quietly relay sensitive records from a stream or queue into attacker-controlled code.\n\nThis rule detects successful `CreateEventSourceMapping` calls. Investigate whether the principal, the target function, and the event source are expected for the environment.\n\n#### Possible investigation steps\n\n- Identify the actor in `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type`, and review `source.ip` and `user_agent.original` to determine whether the call came from the console, CLI, SDK, or automation.\n- Inspect `aws.cloudtrail.request_parameters` for the `functionName`/`functionArn` and the `eventSourceArn` to identify the target function and the source queue, stream, topic, or broker.\n- Determine whether the target function and the event source belong to the same application and account, and whether the function code, role, and recent changes are trusted (correlate with `CreateFunction`, `UpdateFunctionCode`, and `AddPermission`).\n- Review whether the event source contains sensitive data (for example a DynamoDB stream or SQS queue carrying business records) that the mapping could be used to exfiltrate.\n- Pivot on the same principal and access key for other recent Lambda, IAM, or data-plane activity.\n\n### False positive analysis\n\n- Event source mappings are a normal building block of serverless data pipelines and queue/stream consumers. Mappings created by approved deployment roles, CI/CD pipelines, or application teams are expected. Tune on `aws.cloudtrail.user_identity.arn`, `user_agent.original`, or known automation roles after validation.\n\n### Response and remediation\n\n- If the mapping is unauthorized, disable or delete it (`DeleteEventSourceMapping`) and review the target function's code, configuration, and execution role.\n- Determine whether records were processed by the function while the mapping was active and assess potential data exposure.\n- Rotate or restrict credentials for the principal that created the mapping if compromise is suspected, and constrain `lambda:CreateEventSourceMapping` to a small set of trusted roles.\n\n### Additional information\n\n- [AWS Lambda event source mappings](https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html)\n- [CreateEventSourceMapping API](https://docs.aws.amazon.com/lambda/latest/api/API_CreateEventSourceMapping.html)\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"lambda.amazonaws.com\"\n and event.action: CreateEventSourceMapping*\n and event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html", + "https://docs.aws.amazon.com/lambda/latest/api/API_CreateEventSourceMapping.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "5619545b-9738-408c-bdb5-a2807e19133e", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS CloudTrail", + "Data Source: AWS Lambda", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1648", + "name": "Serverless Execution", + "reference": "https://attack.mitre.org/techniques/T1648/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1578", + "name": "Modify Cloud Compute Infrastructure", + "reference": "https://attack.mitre.org/techniques/T1578/", + "subtechnique": [ + { + "id": "T1578.005", + "name": "Modify Cloud Compute Configurations", + "reference": "https://attack.mitre.org/techniques/T1578/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "5619545b-9738-408c-bdb5-a2807e19133e_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56312ef5-656c-4bf7-ad9a-affed052b102_1.json b/packages/security_detection_engine/kibana/security_rule/56312ef5-656c-4bf7-ad9a-affed052b102_1.json new file mode 100644 index 00000000000..0deaa9a53e9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/56312ef5-656c-4bf7-ad9a-affed052b102_1.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "alert_suppression": { + "duration": { + "unit": "m", + "value": 60 + }, + "group_by": [ + "aws.cloudtrail.user_identity.arn", + "cloud.account.id" + ], + "missing_fields_strategy": "suppress" + }, + "author": [ + "Elastic" + ], + "description": "Identifies an AWS principal performing a high volume of Amazon Bedrock inference API calls against a single model within a short window. Membership inference attacks require hundreds to thousands of statistically similar queries whose prompts and responses are intentionally content-benign, making guardrail- and content-based rules ineffective. This rule detects the high-frequency single-model probing pattern that precedes membership inference and related exfiltration via the inference API. It is a behavioral / volumetric precursor: it does not observe model confidence scores and a fixed call-count threshold only catches the loud variant, so paced, low-and-slow, or credential-distributed probing will evade it. Definitive membership inference detection requires ML anomaly analysis over per-entity inference-rate and response-distribution baselines.", + "false_positives": [ + "Automated agents, chat applications, retrieval-augmented generation services, evaluation pipelines, and load tests routinely generate high Bedrock inference volume against one model and will exceed any fixed threshold. Validate the principal, user agent, source IP, and application context before treating the activity as malicious, and tune the threshold to the deployment." + ], + "from": "now-60m", + "interval": "10m", + "investigation_fields": { + "field_names": [ + "aws.cloudtrail.user_identity.arn", + "cloud.account.id", + "Esql.model_id", + "Esql.inference_call_count" + ] + }, + "language": "esql", + "license": "Elastic License v2", + "name": "AWS Bedrock High-Frequency Single-Model Inference API Probing", + "note": "## Triage and analysis\n\n### Investigating AWS Bedrock High-Frequency Single-Model Inference API Probing\n\nMembership inference compares many samples against a model to infer whether\nspecific records were present in training data. Because prompts and responses often appear benign, the\nactionable signal is frequently statistical: unusually high inference rates concentrated on one model from\na single principal. AWS CloudTrail records the core Bedrock runtime operations (`InvokeModel`,\n`InvokeModelWithResponseStream`, `Converse`, `ConverseStream`) as management events, which are logged by\ndefault, so this probing phase is observable at the API layer even when Bedrock model invocation logging is\ndisabled. CloudTrail does not capture the prompt body, so this rule is purely volumetric.\n\nThis rule is tuned to the loud case. Treat it as corroborating signal alongside other Bedrock alerts, not\nas conclusive membership inference detection.\n\n#### Possible investigation steps\n\n- Identify the principal in `aws.cloudtrail.user_identity.arn` and the targeted model in the extracted\n `Esql.model_id`.\n- Determine whether the call volume exceeds the principal's historical baseline for the same model.\n- Review companion Bedrock invocation logs, if enabled, for short prompts, repeated inputs, or low-variance\n responses that may indicate membership testing.\n- Inspect `source.ip`, `user_agent.original`, and recent IAM activity for signs of compromised credentials\n or unexpected automation.\n- Correlate with bulk output-extraction or guardrail alerts that may indicate a broader inference abuse\n campaign.\n\n### Response and remediation\n\n- Apply Bedrock service quotas and IAM least privilege for inference APIs while investigating.\n- Enable model invocation logging for content-level review if not already configured.\n- If abuse is confirmed, rotate access keys or disable the compromised principal.\n\n### Additional information\n\n- For further details on how Amazon Bedrock integrates with AWS CloudTrail to log control plane and data plane runtime operations, see the [AWS Bedrock User Guide on CloudTrail Logging](https://docs.aws.amazon.com/bedrock/latest/userguide/logging-using-cloudtrail.html).\n- To explore the adversarial tactics, techniques, and case studies surrounding machine learning model data leakage, consult the [MITRE ATLAS Exfiltration via Inferences (AML.T0024)](https://atlas.mitre.org/techniques/AML.T0024) documentation.\n\n", + "query": "from logs-aws.cloudtrail-*\n \n// Bedrock runtime inference APIs (CloudTrail management events, logged by default) used to probe at scale\n| where\n event.provider == \"bedrock.amazonaws.com\"\n and event.action in (\n \"InvokeModel\",\n \"Converse\",\n \"ConverseStream\",\n \"InvokeModelWithResponseStream\"\n )\n and event.outcome == \"success\"\n and aws.cloudtrail.user_identity.arn IS NOT NULL\n and aws.cloudtrail.request_parameters IS NOT NULL\n \n| grok aws.cloudtrail.request_parameters \"\"\"modelId=(?[^,}\\]]+)\"\"\"\n| where Esql.model_id IS NOT NULL\n \n// preserve the grouping keys plus the ECS context fields collected via VALUES() below\n| keep\n aws.cloudtrail.user_identity.arn,\n cloud.account.id,\n Esql.model_id,\n event.action,\n source.ip,\n user_agent.original,\n aws.cloudtrail.user_identity.type,\n aws.cloudtrail.user_identity.access_key_id,\n cloud.region,\n source.as.organization.name\n \n// aggregate per principal + account + model, capturing analyst context with VALUES()\n| stats\n Esql.inference_call_count = count(*),\n Esql.event_action_values = VALUES(event.action),\n Esql.source_ip_values = VALUES(source.ip),\n Esql.user_agent_original_values = VALUES(user_agent.original),\n Esql.aws_cloudtrail_user_identity_type_values = VALUES(aws.cloudtrail.user_identity.type),\n Esql.aws_cloudtrail_user_identity_access_key_id_values = VALUES(aws.cloudtrail.user_identity.access_key_id),\n Esql.cloud_region_values = VALUES(cloud.region),\n Esql.source_as_organization_name_values = VALUES(source.as.organization.name)\n by\n aws.cloudtrail.user_identity.arn,\n cloud.account.id,\n Esql.model_id\n \n| where Esql.inference_call_count >= 500\n \n| keep\n aws.cloudtrail.user_identity.arn,\n cloud.account.id,\n Esql.model_id,\n Esql.inference_call_count,\n Esql.event_action_values,\n Esql.source_ip_values,\n Esql.user_agent_original_values,\n Esql.aws_cloudtrail_user_identity_type_values,\n Esql.aws_cloudtrail_user_identity_access_key_id_values,\n Esql.cloud_region_values,\n Esql.source_as_organization_name_values\n \n| sort Esql.inference_call_count desc\n", + "references": [ + "https://atlas.mitre.org/techniques/AML.T0024", + "https://atlas.mitre.org/techniques/AML.T0024.000", + "https://docs.aws.amazon.com/bedrock/latest/userguide/logging-using-cloudtrail.html", + "https://www.elastic.co/security-labs/elastic-advances-llm-security" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.arn", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.account.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "56312ef5-656c-4bf7-ad9a-affed052b102", + "setup": "## Setup\n\nThis rule requires AWS CloudTrail management events for Amazon Bedrock and ingestion via the AWS\nintegration (`aws.cloudtrail` data stream). The core Bedrock runtime operations are logged as management\nevents by default; no Bedrock model invocation logging is required.\n\n", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: LLM", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS CloudTrail", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Mitre Atlas: T0024", + "Mitre Atlas: T0024.000", + "Resources: Investigation Guide" + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "56312ef5-656c-4bf7-ad9a-affed052b102_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_112.json b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_112.json new file mode 100644 index 00000000000..7a38a878da0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_112.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", + "false_positives": [ + "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "auditbeat-*", + "filebeat-*", + "logs-network_traffic.*", + "logs-panw.panos*", + "logs-pfsense.log-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "VNC (Virtual Network Computing) from the Internet", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating VNC (Virtual Network Computing) from the Internet\n\nVNC allows remote control of systems, facilitating maintenance and resource sharing. However, when exposed to the Internet, it becomes a target for attackers seeking unauthorized access. Adversaries exploit VNC for initial access or as a backdoor. The detection rule identifies suspicious VNC traffic by monitoring specific TCP ports and filtering out trusted IP ranges, flagging potential threats for further investigation.\n\n### Possible investigation steps\n\n- Review the source IP address of the alert to determine if it is from an untrusted or suspicious location, as the rule filters out known trusted IP ranges.\n- Check the destination IP address to confirm it belongs to an internal network (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) and verify if the system is authorized to receive VNC traffic.\n- Analyze the network traffic logs for the specified TCP ports (5800-5810) to identify any unusual patterns or repeated access attempts that could indicate malicious activity.\n- Investigate the context of the event by correlating it with other security alerts or logs to determine if there are signs of a broader attack or compromise.\n- Assess the risk and impact of the potential threat by evaluating the criticality of the affected system and any sensitive data it may contain.\n\n### False positive analysis\n\n- Internal testing or maintenance activities may trigger the rule if VNC is used for legitimate purposes within a controlled environment. To manage this, create exceptions for known internal IP addresses that frequently use VNC for authorized tasks.\n- Automated systems or scripts that utilize VNC for routine operations might be flagged. Identify these systems and exclude their IP addresses from the rule to prevent unnecessary alerts.\n- Remote workers using VPNs that route traffic through public IPs could be mistakenly identified as threats. Ensure that VPN IP ranges are included in the trusted IP list to avoid false positives.\n- Misconfigured network devices that inadvertently expose VNC ports to the Internet can cause alerts. Regularly audit network configurations to ensure VNC ports are not exposed and adjust the rule to exclude known safe configurations.\n- Third-party service providers accessing systems via VNC for support purposes might be flagged. Establish a list of trusted IPs for these providers and update the rule to exclude them from detection.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any active VNC sessions originating from untrusted IP addresses to cut off potential attacker access.\n- Conduct a thorough review of system logs and network traffic to identify any unauthorized changes or data access that may have occurred during the VNC session.\n- Reset credentials for any accounts that were accessed or could have been compromised during the unauthorized VNC session.\n- Apply security patches and updates to the VNC software and any other potentially vulnerable applications on the affected system.\n- Implement network segmentation to ensure that VNC services are only accessible from trusted internal networks and not exposed to the Internet.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected.", + "query": "(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "panw", + "version": "^5.0.0" + }, + { + "package": "pfsense", + "version": "^1.0.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", + "severity": "high", + "tags": [ + "Tactic: Command and Control", + "Tactic: Initial Access", + "Domain: Endpoint", + "Use Case: Threat Detection", + "Data Source: PAN-OS", + "Data Source: pfSense", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + }, + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 112 + }, + "id": "5700cb81-df44-46aa-a5d7-337798f53eb8_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_112.json b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_112.json new file mode 100644 index 00000000000..9c33f28640c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_112.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects use of the systemsetup command to enable remote SSH Login.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote SSH Login Enabled via systemsetup Command", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Remote SSH Login Enabled via systemsetup Command\n\nThe `systemsetup` command in macOS is a utility that allows administrators to configure system settings, including enabling remote SSH login, which facilitates remote management and access. Adversaries may exploit this to gain unauthorized access and move laterally within a network. The detection rule identifies suspicious use of `systemsetup` to enable SSH, excluding legitimate administrative tools, by monitoring process execution patterns and arguments.\n\n### Possible investigation steps\n\n- Review the process execution details to confirm the use of the systemsetup command with the arguments \"-setremotelogin\" and \"on\" to ensure the alert is not a false positive.\n- Check the parent process of the systemsetup command to identify if it was executed by a known administrative tool or script, excluding /usr/local/jamf/bin/jamf as per the rule.\n- Investigate the user account associated with the process execution to determine if it is a legitimate administrator or a potentially compromised account.\n- Examine recent login events and SSH access logs on the host to identify any unauthorized access attempts or successful logins following the enabling of remote SSH login.\n- Correlate this event with other security alerts or logs from the same host or network segment to identify potential lateral movement or further malicious activity.\n\n### False positive analysis\n\n- Legitimate administrative tools like Jamf may trigger this rule when enabling SSH for authorized management purposes. To handle this, ensure that the process parent executable path for Jamf is correctly excluded in the detection rule.\n- Automated scripts used for system configuration and maintenance might enable SSH as part of their routine operations. Review these scripts and, if verified as safe, add their parent process paths to the exclusion list.\n- IT support activities that require temporary SSH access for troubleshooting can also cause false positives. Document these activities and consider scheduling them during known maintenance windows to reduce alerts.\n- Security software or management tools that periodically check or modify system settings could inadvertently trigger this rule. Identify these tools and exclude their specific process paths if they are confirmed to be non-threatening.\n\n### Response and remediation\n\n- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or lateral movement.\n- Terminate any suspicious or unauthorized SSH sessions that are currently active on the affected system.\n- Review and revoke any unauthorized SSH keys or credentials that may have been added to the system.\n- Conduct a thorough examination of the system logs to identify any additional unauthorized activities or changes made by the adversary.\n- Restore the system to a known good state from a backup taken before the unauthorized SSH access was enabled, if possible.\n- Implement network segmentation to limit SSH access to only trusted administrative systems and users.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems have been compromised.", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n(\n (\n process.name == \"systemsetup\" and\n process.args like~ \"-setremotelogin\" and\n process.args like~ \"on\"\n ) or\n (\n process.name == \"launchctl\" and\n process.args in (\"load\", \"bootstrap\") and\n (\n process.command_line like~ \"*/System/Library/LaunchDaemons/ssh.plist*\" or\n process.command_line like~ \"*com.openssh.sshd*\"\n )\n )\n) and\nprocess.parent.executable != null and\nnot process.parent.executable like (\"/usr/local/jamf/bin/jamf\", \"/usr/libexec/xpcproxy\", \"/usr/bin/sudo\")\n", + "references": [ + "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", + "https://ss64.com/osx/systemsetup.html", + "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_112.json b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_112.json new file mode 100644 index 00000000000..6b454df21fa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_112.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "alert_suppression": { + "duration": { + "unit": "m", + "value": 130 + }, + "group_by": [ + "user.email", + "source.ip" + ], + "missing_fields_strategy": "suppress" + }, + "author": [ + "Elastic" + ], + "description": "Detects when a Google Workspace user disables 2-step verification (2SV) on their account. An adversary with access to a compromised account may remove 2SV to eliminate the second authentication factor, leaving password-only access and making future sign-ins easier to abuse, relay, or maintain without triggering MFA challenges.", + "false_positives": [ + "Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time." + ], + "from": "now-190m", + "index": [ + "filebeat-*", + "logs-google_workspace.login-*", + "logs-google_workspace.user_accounts-*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "user.name", + "user.email", + "source.ip", + "event.action" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace 2SV Policy Disabled By User", + "note": "## Triage and analysis\n\n### Investigating Google Workspace 2SV Policy Disabled By User\n\nThreat actors who compromise a Google Workspace account may disable 2-step verification (2SV) on that account to remove\nthe second authentication factor. With 2SV turned off, the account falls back to password-only authentication, which can\nsupport session abuse, AiTM credential relay, and sustained access without MFA challenges on future sign-ins. This is\nespecially concerning for administrators, executives, and users with access to sensitive mail, data, or admin functions.\n\nIn AiTM and session-hijacking scenarios, an attacker with an active session may disable 2SV before the legitimate user\nnotices, making it easier to re-enter the account later using stolen credentials alone.\n\nThis rule identifies when a user disables 2SV on their account via the `2sv_disable` event. The event appears in\nboth the `google_workspace.login` and `google_workspace.user_accounts` data streams; alert suppression groups by\n`user.email` and `source.ip` within the rule lookback to avoid duplicate alerts when both streams are ingested.\n\n### Possible investigation steps\n\n- Identify the user account that disabled 2SV by reviewing `user.email` or `user.name`, and note the `source.ip` and `event.ingested` timestamps.\n- Determine the account's privilege and data access \u2014 prioritize triage if the user is an administrator, holds delegated admin roles, or has access to sensitive resources.\n- Determine whether the disable is expected or unauthorized:\n - Validate with the user or their manager whether they intentionally turned off 2SV (for example, device replacement).\n - If the `source.ip`, geolocation, or timing is unusual for the user, treat the alert as higher priority until proven benign.\n- Search Kibana for precursor and follow-on account changes for the same `user.email` in the hours before and after the alert:\n - `password_edit`, `recovery_email_edit`, `recovery_phone_edit` in `google_workspace.login` or `google_workspace.user_accounts`\n - `login_success`, `login_failure`, `suspicious_login`, and `login_challenge` in `google_workspace.login`\n - OAuth activity in `google_workspace.token` if token abuse is suspected\n- Review `google_workspace.login.challenge_method` on recent sign-ins to determine whether MFA was used, bypassed, or relayed before 2SV was disabled.\n\n### False positive analysis\n\n- Legitimate users may disable 2SV temporarily, but this weakens the account \u2014 confirm the change was authorized even when the actor appears benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on triage findings.\n- If the disable is not clearly authorized, re-enable 2SV on the affected account, reset the password, and revoke active sessions while the investigation proceeds.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 190 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h) for Filebeat and 3 hours for the Fleet Integration `login` datastream. Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "data_stream.dataset:(\"google_workspace.login\" or \"google_workspace.user_accounts\") and event.action:\"2sv_disable\"\n", + "references": [ + "https://support.google.com/a/answer/9176657?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5e161522-2545-11ed-ac47-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 112 + }, + "id": "5e161522-2545-11ed-ac47-f661ea17fbce_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_109.json b/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_109.json new file mode 100644 index 00000000000..baea0360dea --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_109.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies synchronous command execution on a virtual machine (VM) or virtual machine scale set (VMSS) in Azure via the action-based Run Command (\"runCommand/action\"). A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run on the VM via the Run Command feature, which execute as System (Windows) or root (Linux). Other roles, such as certain Administrator roles, may be able to execute commands on a VM as well.", + "false_positives": [ + "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-azure.activitylogs-*", + "filebeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Compute VM Command Executed", + "new_terms_fields": [ + "azure.activitylogs.identity.authorization.evidence.principal_id", + "azure.resource.name", + "source.as.number" + ], + "note": "## Triage and analysis\n\n### Investigating Azure Compute VM Command Executed\n\nAzure Virtual Machines (VMs) allow users to run applications and services in the cloud. While roles like Virtual Machine Contributor can manage VMs, they typically can't access them directly. However, commands can be executed remotely via PowerShell, running as System. Adversaries may exploit this to execute unauthorized commands. The detection rule monitors Azure activity logs for command execution events, flagging successful operations to identify potential misuse.\n\n### Possible investigation steps\n\n- Review the Azure activity logs to identify the specific user or service principal that initiated the command execution event, focusing on the operation_name values \"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and \"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION\".\n- Identify the VM in question via the `azure.resource.name` field. This can aid with pivoting into endpoint analysis of the commands executed.\n- Check the event.outcome field to confirm the success of the command execution and gather details about the command executed.\n- Investigate the role and permissions of the user or service principal involved to determine if they have legitimate reasons to execute commands on the VM.\n- Analyze the context of the command execution, including the time and frequency of the events, to identify any unusual patterns or anomalies.\n- Correlate the command execution event with other logs or alerts from the same time period to identify any related suspicious activities or potential lateral movement.\n- If unauthorized access is suspected, review the VM's security settings and access controls to identify and mitigate any vulnerabilities or misconfigurations.\n\n### False positive analysis\n\n- Routine maintenance tasks executed by IT administrators can trigger the rule. To manage this, create exceptions for known maintenance scripts or scheduled tasks that are regularly executed.\n- Automated deployment processes that use PowerShell scripts to configure or update VMs may be flagged. Identify these processes and exclude them from the rule to prevent unnecessary alerts.\n- Security tools or monitoring solutions that perform regular checks on VMs might execute commands that are benign. Whitelist these tools by identifying their specific command patterns and excluding them from detection.\n- Development and testing environments often involve frequent command executions for testing purposes. Consider excluding these environments from the rule or setting up a separate monitoring policy with adjusted thresholds.\n- Ensure that any exclusion or exception is documented and reviewed periodically to maintain security posture and adapt to any changes in the environment or processes.\n\n### Response and remediation\n\n- Immediately isolate the affected virtual machine from the network to prevent further unauthorized command execution and potential lateral movement.\n- Review the Azure activity logs to identify the source of the command execution and determine if it was authorized or part of a larger attack pattern.\n- Revoke any unnecessary permissions from users or roles that have the ability to execute commands on virtual machines, focusing on those with Virtual Machine Contributor roles.\n- Conduct a thorough investigation of the executed commands to assess any changes or impacts on the system, and restore the VM to a known good state if necessary.\n- Implement additional monitoring and alerting for similar command execution activities, ensuring that any future unauthorized attempts are detected promptly.\n- Escalate the incident to the security operations team for further analysis and to determine if additional systems or data may have been compromised.\n- Review and update access control policies and role assignments to ensure that only necessary permissions are granted, reducing the risk of similar incidents in the future.\n", + "query": "data_stream.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:(\n \"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" or\n \"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION\"\n ) and event.outcome:(Success or success) and\n azure.activitylogs.identity.authorization.evidence.principal_id: * and\n source.as.number: * and\n azure.resource.name: *\n", + "references": [ + "https://adsecurity.org/?p=4277", + "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor", + "https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/", + "https://hackingthe.cloud/azure/run-command-abuse/", + "https://learn.microsoft.com/en-us/azure/virtual-machines/windows/run-command-managed" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.identity.authorization.evidence.principal_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.resource.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.as.number", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "60884af6-f553-4a6c-af13-300047455491", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Endpoint", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1651", + "name": "Cloud Administration Command", + "reference": "https://attack.mitre.org/techniques/T1651/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 109 + }, + "id": "60884af6-f553-4a6c-af13-300047455491_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6148b9f5-5b12-4704-9ef7-f4b4c5dd9bb5_2.json b/packages/security_detection_engine/kibana/security_rule/6148b9f5-5b12-4704-9ef7-f4b4c5dd9bb5_2.json new file mode 100644 index 00000000000..49202b91603 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6148b9f5-5b12-4704-9ef7-f4b4c5dd9bb5_2.json @@ -0,0 +1,156 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious command executions via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence.", + "false_positives": [ + "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Command Execution via Web Server", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious Command Execution via Web Server\n\nThis alert fires when a Linux web server launches a shell to run commands that look like exploitation activity, such as discovery, credential access, payload decoding, or reverse shell setup. That matters because web servers rarely need to spawn shell commands, so this behavior often signals command injection, a dropped web shell, or attacker persistence. A common pattern is an app exploit causing php-fpm or nginx to run `sh -c 'id; cat /etc/passwd; curl ... | bash'` from `/tmp`.\n\n### Possible investigation steps\n\n- Review the full process ancestry and execution context to determine what application component invoked the shell, which service account ran it, what working directory and environment it used, and whether the command aligns with any documented application behavior.\n- Correlate the execution time with web server access, error, and application logs to identify the triggering request, including source IP, requested URI, parameters, headers, authenticated user or session, and any indications of command injection or direct web shell access.\n- Inspect recently created or modified files in the web root and writable locations such as upload, cache, temp, and shared-memory directories for dropped scripts, encoded payloads, cron changes, SSH key additions, or other persistence artifacts tied to the command.\n- Scope for follow-on activity by pivoting on the source IP, command fragments, spawned children, outbound connections, and similar executions on other web servers to determine whether exploitation was successful, repeated, or part of a broader campaign.\n- If the activity is unauthorized or cannot be explained, isolate the host, preserve relevant volatile and disk evidence, rotate secrets accessible to the web service, and remediate the vulnerable application or remove any discovered web shell before restoring service.\n\n### False positive analysis\n\n- A legitimate web administration or diagnostics function may invoke `sh -c` to run commands such as `id`, `whoami`, `hostname`, or read OS metadata for status pages; verify the command matches documented application behavior and correlate it to an authorized request in web or application logs.\n- A normal application workflow may use the web server to unpack user uploads or stage temporary content under `/tmp`, `/var/tmp`, or `/dev/shm` during import, conversion, or update operations; verify the execution aligns with a known user action or scheduled maintenance window and that the created files are expected temporary artifacts owned by the service account.\n\n### Response and remediation\n\n- Isolate the affected web server from the network or remove it from the load balancer immediately, preserve a forensic snapshot if possible, and block the attacker-controlled IPs, domains, and downloaded payload locations observed in the command chain.\n- Hunt for and remove persistence by deleting web shells and dropped scripts in the document root, uploads, `/tmp`, `/var/tmp`, and `/dev/shm`, and by cleaning unauthorized cron entries, systemd services, startup scripts, SSH `authorized_keys`, and any attacker-created local accounts.\n- Reset trust on the host by rotating application secrets, database passwords, API tokens, cloud credentials, and SSH keys that were present or reachable from the web server, and invalidate active sessions tied to the compromised application.\n- Rebuild or reimage the server from a known-good source, patch the exploited web application or server component, restore only validated content and configurations, and verify no unauthorized binaries, modified packages, or backdoored application files remain before returning it to service.\n- Escalate to incident response immediately if the shell command opened a reverse shell, downloaded or piped a payload into an interpreter, accessed sensitive files such as `/etc/shadow`, `.ssh`, or cloud credential stores, or if similar activity is found on additional hosts.\n- Harden the environment by removing unnecessary shell execution from the application, disabling write and execute permissions in web-accessible upload and temp paths, enforcing least privilege for the web service account, enabling WAF or virtual patching for the exploited weakness, and increasing monitoring on web roots and startup locations.\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n process.parent.name in (\n \"nginx\", \"apache2\", \"httpd\", \"caddy\", \"mongrel_rails\", \"uwsgi\", \"daphne\", \"httpd.worker\", \"flask\",\n \"php-cgi\", \"php-fcgi\", \"php-cgi.cagefs\", \"lswsctrl\", \"varnishd\", \"uvicorn\", \"waitress-serve\", \"starman\",\n \"frankenphp\", \"zabbix_server\", \"asterisk\", \"sw-engine-fpm\"\n ) or\n process.parent.name like (\"php-fpm*\", \"gunicorn*\", \"*.cgi\", \"*.fcgi\") or\n (\n process.parent.name like \"ruby*\" and\n process.parent.command_line like~ (\"*puma*\", \"*rails*\", \"*passenger*\")\n ) or\n (\n process.parent.name like \"python*\" and\n process.parent.command_line like~ (\n \"*hypercorn*\", \"*flask*\", \"*uvicorn*\", \"*django*\", \"*app.py*\", \"*server.py*\", \"*wsgi.py*\", \"*asgi.py*\"\n )\n ) or\n (process.parent.name like \"perl*\" and process.parent.command_line like~ \"*plackup*\") or\n (\n process.parent.name == \"java\" and (\n process.parent.args like~ (\n /* Tomcat */\n \"org.apache.catalina.startup.Bootstrap\", \"-Dcatalina.base=*\",\n\n /* Jetty */\n \"org.eclipse.jetty.start.Main\", \"-Djetty.home=*\",\n\n /* WildFly / JBoss */\n \"org.jboss.modules.Main\", \"-Djboss.home.dir=*\",\n\n /* WebLogic */\n \"weblogic.Server\", \"-Dweblogic.Name=*\", \"*weblogic-launcher.jar*\",\n\n /* WebSphere traditional + Liberty */\n \"com.ibm.ws.runtime.WsServer\", \"com.ibm.ws.kernel.boot.cmdline.Bootstrap\",\n\n /* GlassFish */\n \"com.sun.enterprise.glassfish.bootstrap.ASMain\",\n\n /* Resin */\n \"com.caucho.server.resin.Resin\",\n\n /* Spring Boot */\n \"org.springframework.boot.loader.*\",\n\n /* Quarkus */\n \"*quarkus-run.jar*\", \"io.quarkus.runner.GeneratedMain\",\n\n /* Micronaut */\n \"io.micronaut.runtime.Micronaut\",\n\n /* Dropwizard */\n \"io.dropwizard.cli.ServerCommand\",\n\n /* Play */\n \"play.core.server.ProdServerStart\",\n\n /* Helidon */\n \"io.helidon.microprofile.server.Main\", \"io.helidon.webserver*\",\n\n /* Vert.x */\n \"io.vertx.core.Launcher\",\n\n /* Keycloak */\n \"org.keycloak*\",\n\n /* Apereo CAS */\n \"org.apereo.cas*\",\n\n /* Elasticsearch */\n \"org.elasticsearch.bootstrap.Elasticsearch\",\n\n /* Atlassian / Gerrit */\n \"com.atlassian.jira.startup.Launcher\", \"*BitbucketServerLauncher*\", \"com.google.gerrit.pgm.Daemon\",\n\n /* Solr */\n \"*-Dsolr.solr.home=*\",\n\n /* Jenkins */\n \"*jenkins.war*\"\n ) or\n ?process.working_directory like \"/u0?/*\"\n )\n )\n) and\nprocess.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"mksh\", \"busybox\") and\nprocess.args in (\"-c\", \"-cl\", \"-lc\") and (\n process.command_line like~ (\n\n /* Suspicious Paths */\n \"* /tmp/* \", \"* /var/tmp/* \", \"* /dev/shm/*\", \"* /run/*\", \"* /var/run/*\",\n\n /* Encoding, Decoding & Piping */\n \"*|sh\", \"*| sh *\", \"*| sh \", \"*|bash*\", \"*| bash*\", \"*|zsh*\", \"*| zsh*\", \"*|dash*\", \"*| dash*\",\n \"*|python*\", \"*| python*\", \"*|php*\", \"*| php*\", \"*|perl*\", \"*| perl*\", \"*|ruby*\", \"*| ruby*\",\n \"*|node*\", \"*| node*\", \"*|lua*\", \"*| lua*\", \"*|busybox*\", \"*| busybox*\", \"*|*base64 -d*\", \"*|*base64 --decode*\",\n \"*|*base64 --decode*\", \"*|*openssl base64 -d*\", \"*xxd *\", \"*| openssl*enc * -d *\", \"*b64decode -r*\",\n\n /* Interpreter Execution */\n \"*python -c*\", \"*python3 -c*\", \"*php -r*\", \"*perl -e*\", \"*ruby -e*\", \"*lua -e*\", \"*node -e *\",\n\n /* Reverse Shells */\n \"*netcat *\", \"* nc *\", \"*ncat *\", \"*/dev/tcp*\", \"*/dev/udp/*\", \"*socat *\", \"*openssl*s_client *\", \"*stty*raw*-echo*\",\n \"*mkfifo /tmp/*\", \n\n /* File Access */\n \"*>*/etc/cron*\", \"*crontab*\", \"*/etc/ssh*\", \"*/home/*/.ssh/*\", \"*/root/.ssh*\", \"*~/.ssh/*\", \"*/etc/shadow*\",\n \"*/etc/passwd*\", \"*/etc/master.passwd*\",\n\n /* Enumeration & Discovery */\n \"*/etc/hosts*\", \"*/etc/resolv.conf*\", \"*/etc/hostname*\", \"*/etc/issue*\", \"*/etc/os-release*\", \"*lsb_release*\",\n \"*/proc/*/environ*\", \"*sudo -l*\", \"*/proc/*/cgroup*\", \"*dockerenv*\", \"*/proc/*/mountinfo*\", \"*printenv*\",\n \"*cat*.env *\", \"*getcap*\", \"*capsh*\", \"*find / *\", \"*netstat *\",\n\n /* AWS Credentials */\n \"*aws_access_key_id*\", \"*aws_secret_access_key*\", \"*aws_session_token*\", \"*accesskeyid*\", \"*secretaccesskey*\",\n \"*.aws/credentials*\", \"*/.aws/config*\",\n\n /* Azure Credentials */\n \"*AZURE_CLIENT_ID*\", \"*AZURE_TENANT_ID*\", \"*AZURE_CLIENT_SECRET*\", \"*AZURE_FEDERATED_TOKEN_FILE*\",\n \"*IDENTITY_ENDPOINT*\", \"*IDENTITY_HEADER*\", \"*MSI_ENDPOINT*\", \"*MSI_SECRET*\", \"*/.azure/*\",\n \"*/run/secrets/azure/*\",\n\n /* GCP Credentials */\n \"*/.config/gcloud/*\", \"*application_default_credentials.json*\", \"*type: service_account*\",\n \"*client_email*\", \"*private_key_id*\", \"*/run/secrets/google/*\", \"*GOOGLE_APPLICATION_CREDENTIALS*\",\n\n /* Misc. Cloud */\n \"*/.docker/config.json*\", \"*/.npmrc*\", \"*/secrets/kubernetes.io/serviceaccount/*\",\n\n /* Helpers */\n \"*timeout *sh -c *\", \"*env *sh *-c*\", \"*exec -a*\",\n\n /* Miscellaneous */\n \"*chattr *\", \"*busybox *\", \"*#!*\", \"*chmod +x *\", \"*chmod 777*\", \"*chpasswd*\",\n \"**\", \"*kworker*\",\n \n /* Decompression */\n \"*gzip -*d *\", \"*bzip2 -*d *\", \"*xz -*d *\", \"*tar -*x*\",\n \n /* Path Traversal */\n \"*../../../*etc/*\", \"*/.../*\", \"*../../../*home/*/*\", \"*../../../*root/*\",\n\n /* File Upload/Download */\n \"*pastebin.com*\", \"*transfer.sh*\", \"*bashupload.com*\",\n\n /* Enumeration & Discovery */\n \"* id *\", \"* whoami *\", \"* hostname *\"\n ) or\n /* Keep this to not miss FNs due to spacing */\n process.args in (\"id\", \"whoami\", \"hostname\")\n) and\nnot (\n (\n process.parent.name == \"nginx\" and\n process.args like (\"chmod 777 /etc/resty-*\", \"resty*\")\n ) or\n (\n process.parent.name == \"apache2\" and (\n process.command_line in (\n \"sh -c /usr/local/bin/php -r 'echo phpversion();'\", \"sh -c -- /usr/local/bin/php -r 'echo phpversion();'\",\n \"sh -c /usr/bin/php -r 'echo phpversion();'\",\n \"sh -c /usr/bin/lsb_release -a 2>/dev/null\"\n ) or\n process.args like (\n \"\"\"bash -c \"( /home/*/apps/richdocumentscode/collabora/Collabora_Online.AppImage*\"\"\",\n \"chmod 777 /etc/cobra/uploads/mysql*\", \"stat*\"\n ) or\n process.command_line like (\n \"*/usr/bin/crontab*phpupdatecrontab.txt\", \"*mysqldump*/var/www/html/*/writable/uploads/backup/mysql*\",\n \"sh -c chmod 777 -R /opt/data/www/php_upload/*/temp\"\n )\n )\n ) or\n (\n process.parent.name like \"php-fpm*\" and (\n process.command_line in (\n \"sh -c /usr/bin/php -r 'echo phpversion();'\", \"sh -c -- /usr/bin/php -r 'echo phpversion();'\",\n \"sh -c php -r 'print_r(phpversion());'\", \"sh -c chattr -i -a /usr/local/virtualizor/license2.php\",\n \"sh -c source /etc/os-release 2>/dev/null && echo $ID $ID_LIKE\",\n \"sh -c php -r \\\"echo date('T');\\\"\",\n \"sh -c php -r \\\"echo PHP_VERSION;\\\"\"\n ) or\n process.command_line like (\n \"*var_export*extension_loaded*\", \"*/tmp/tmp_resize*\", \"*/v1/objects/hosts/*_Infoterminal*\", \"*python -m json.tool*\",\n \"sh -c timeout 3600 ssh -o ControlMaster=auto -o ControlPath=/var/www/html/storage/app/ssh/mux/*\"\n ) or\n process.args like (\"ps*|*grep*\", \"ffmpeg*\")\n )\n ) or\n (\n process.parent.name == \"php-cgi\" and (\n process.command_line like (\n \"sh -c nohup php /home/*/public_html/lockindex.php index.php >/dev/null 2>&1 &\",\n \"sh -c nohup php /home/*/public_html/wp-content/* >> /dev/null 2>&1 &\",\n \"sh -c nohup php /home/*/public_html/wp-includes/* >> /dev/null 2>&1 &\",\n \"sh -c nohup php /home/*/public_html/*/wp-content/* >> /dev/null 2>&1 &\",\n \"*-ef|grep*\"\n ) or\n process.args like \"ps*| grep*\"\n )\n ) or\n (\n process.command_line == \"/bin/sh -c echo | openssl s_client -connect localhost:61617 2>/dev/null | openssl x509 -noout -enddate\" and\n process.parent.name == \"gunicorn\"\n ) or\n (\n process.parent.executable == \"/usr/local/bin/gunicorn\" and\n process.command_line == \"/bin/sh -c echo 'Q' | openssl s_client -connect localhost:61617 2>/dev/null | openssl x509 -noout -enddate\"\n ) or\n (\n process.parent.executable == \"/opt/bitnami/apache/bin/httpd\" and\n process.command_line == \"sh -c /opt/bitnami/php/bin/php -r 'echo phpversion();'\"\n ) or\n (\n process.parent.executable like \"/var/lib/containers/storage/overlay/*/merged/usr/local/sbin/php-fpm\" and\n process.command_line == \"sh -c /usr/local/bin/php -r 'echo phpversion();'\"\n ) or\n (\n process.parent.executable like \"/var/lib/docker/overlay2/*/merged/usr/sbin/uwsgi\" and\n process.command_line == \"/bin/sh -c { touch /run/uwsgi-logrotate }\"\n ) or\n (process.parent.name like \"python*\" and process.parent.command_line like \"*hive_server.py*\") or\n (process.parent.name == \"sw-engine-fpm\" and process.command_line like (\"*/opt/psa/admin/bin/*\", \"*/usr/local/psa/admin/*\")) or\n (process.parent.name == \"httpd\" and process.command_line like (\"*/datastore/htdocs/control-states/compass*\", \"*/dev/shm/netmon-log*\")) or\n (process.parent.name == \"asterisk\" and process.args like \"/bin/chmod 777 */gravacoes/*.WAV\") or\n (process.parent.name == \"nginx\" and process.command_line like \"sh -c gcc -print-multiarch 2>/dev/null > /tmp/lua_*\") or\n (process.parent.name == \"varnishd\" and process.args like \"exec gcc*\") or\n (process.parent.name == \"zabbix_server\" and process.command_line like \"*/usr/sbin/sendmail*\") or\n (process.parent.executable == \"/opt/morpheus/embedded/java/jre/bin/java\" and process.command_line like \"*morpheus-local*\") or\n (\n process.parent.name == \"ruby\" and\n process.command_line in (\n \"sh -c echo \\\"^d\\\" | openssl s_client -connect 127.0.0.1:443 2>&1\",\n \"sh -c cat /etc/hosts.allow 2>/dev/null\"\n )\n ) or\n (process.parent.name == \"java\" and process.args like \"chmod 777 *.csv\") or\n process.command_line == \"sh -c node -v || nodejs -v\" or\n process.working_directory like (\"/var/lib/puppet/rack/puppetmasterd\", \"/u01/app/*/sysman/emd\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6148b9f5-5b12-4704-9ef7-f4b4c5dd9bb5", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Initial Access", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "6148b9f5-5b12-4704-9ef7-f4b4c5dd9bb5_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/632906c6-ba8f-44c0-8386-ec0bbc8518bf_1.json b/packages/security_detection_engine/kibana/security_rule/632906c6-ba8f-44c0-8386-ec0bbc8518bf_1.json deleted file mode 100644 index b8056f7a1e7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/632906c6-ba8f-44c0-8386-ec0bbc8518bf_1.json +++ /dev/null @@ -1,158 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies when a SharePoint or OneDrive site sharing policy is changed to weaken security controls. The SharingPolicyChanged event fires for many routine policy modifications, but this rule targets specific high-risk transitions where sharing restrictions are relaxed. This includes enabling guest sharing, enabling anonymous link sharing, making a site public, or enabling guest user access. Adversaries who compromise administrative accounts may weaken sharing policies to exfiltrate data to external accounts or create persistent external access paths.", - "false_positives": [ - "Administrators legitimately enabling external sharing for a new collaboration site or project.", - "Organizational policy changes that intentionally broaden sharing capabilities across sites.", - "Migration or onboarding projects that temporarily require external sharing to be enabled." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "logs-o365.audit-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "M365 SharePoint Site Sharing Policy Weakened", - "note": "## Triage and Analysis\n\n### Investigating M365 SharePoint Site Sharing Policy Weakened\n\nThis rule detects when SharePoint or OneDrive sharing policies are modified to weaken security controls. The `SharingPolicyChanged` event captures modifications to site-level sharing settings stored in `ModifiedProperties`, where the setting name is a dynamic field key and `OldValue`/`NewValue` track the transition. This rule targets specific transitions that represent a security posture degradation. Note that Microsoft uses inconsistent keyword value formats across settings, some use `True`/`False` while others use `Enabled`/`Disabled`.\n\n#### Possible Investigation Steps\n\n- Identify the user who performed the change via `user.id` and determine if they have a legitimate administrative role.\n- Check if the acting user is a service principal (e.g., `ServiceOperator`, `app@sharepoint`) or a human account. Service principal changes may indicate automated processes or compromised application credentials.\n- Review which specific setting was changed by examining the `o365.audit.ModifiedProperties.*` fields:\n - ShareWithGuests: Guest/external sharing was enabled on the site. External users can now be invited to access content.\n - ShareUsingAnonymousLinks: Anonymous \"Anyone\" link sharing was enabled. Content can now be shared via unauthenticated links.\n - IsPublic: The site or group was changed from private to public visibility.\n - AllowGuestUser: Guest user access was enabled for the site.\n - AllowFederatedUsers: Federated (external organization) user access was enabled.\n - AllowTeamsConsumer: Teams personal account (consumer) user access was enabled.\n- Identify the affected site via `o365.audit.ObjectId` (the site URL) and assess the sensitivity of its content.\n- Review Azure AD / Entra ID sign-in logs for the acting account to check for authentication anomalies (unusual location, device code flow, new device).\n- Look for subsequent sharing activity on the same site \u2014 `SharingSet`, `AnonymousLinkCreated`, `SharingInvitationCreated`, or file download events shortly after the policy change.\n- Determine if the change was part of a planned change request or occurred outside of normal change windows.\n\n### False Positive Analysis\n\n- IT administrators enabling external sharing for legitimate collaboration needs. Correlate with change management tickets or Slack/Teams messages.\n- Automated provisioning scripts that configure sharing settings during site creation. These typically use service principal accounts with predictable patterns.\n- Microsoft service operations (`ServiceOperator`) may modify settings as part of tenant-level policy propagation.\n\n### Response and Remediation\n\n- If the change is unauthorized, immediately revert the sharing policy to its previous restrictive state.\n- Revoke sessions and reset credentials for the compromised account.\n- Review what content was accessed or shared after the policy change using `FileAccessed`, `FileDownloaded`, and sharing audit events.\n- Audit all sites for similar unauthorized sharing policy changes.\n- Implement Conditional Access policies to restrict administrative actions to trusted networks and compliant devices.\n- Enable Privileged Identity Management (PIM) for SharePoint administrator roles to enforce just-in-time access.\n", - "query": "event.dataset: \"o365.audit\" and event.provider: (\"SharePoint\" or \"OneDrive\") and\n event.action: \"SharingPolicyChanged\" and event.outcome: \"success\" and\n (\n (o365.audit.ModifiedProperties.ShareWithGuests.NewValue: (true or \"Enabled\") and\n o365.audit.ModifiedProperties.ShareWithGuests.OldValue: (false or \"Disabled\"))\n or\n (o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.NewValue: (true or \"Enabled\") and\n o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.OldValue: (false or \"Disabled\"))\n or\n (o365.audit.ModifiedProperties.IsPublic.NewValue: (true or \"Enabled\") and\n o365.audit.ModifiedProperties.IsPublic.OldValue: (false or \"Disabled\"))\n or\n (o365.audit.ModifiedProperties.AllowGuestUser.NewValue: (true or \"Enabled\") and\n o365.audit.ModifiedProperties.AllowGuestUser.OldValue: (false or \"Disabled\"))\n or\n (o365.audit.ModifiedProperties.AllowFederatedUsers.NewValue: (true or \"Enabled\") and\n o365.audit.ModifiedProperties.AllowFederatedUsers.OldValue: (false or \"Disabled\"))\n or\n (o365.audit.ModifiedProperties.AllowTeamsConsumer.NewValue: (true or \"Enabled\") and\n o365.audit.ModifiedProperties.AllowTeamsConsumer.OldValue: (false or \"Disabled\"))\n )\n", - "references": [ - "https://learn.microsoft.com/en-us/purview/audit-log-activities#site-administration-activities", - "https://learn.microsoft.com/en-us/purview/audit-log-sharing", - "https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.ModifiedProperties.AllowFederatedUsers.NewValue", - "type": "unknown" - }, - { - "ecs": false, - "name": "o365.audit.ModifiedProperties.AllowFederatedUsers.OldValue", - "type": "unknown" - }, - { - "ecs": false, - "name": "o365.audit.ModifiedProperties.AllowGuestUser.NewValue", - "type": "unknown" - }, - { - "ecs": false, - "name": "o365.audit.ModifiedProperties.AllowGuestUser.OldValue", - "type": "unknown" - }, - { - "ecs": false, - "name": "o365.audit.ModifiedProperties.AllowTeamsConsumer.NewValue", - "type": "unknown" - }, - { - "ecs": false, - "name": "o365.audit.ModifiedProperties.AllowTeamsConsumer.OldValue", - "type": "unknown" - }, - { - "ecs": false, - "name": "o365.audit.ModifiedProperties.IsPublic.NewValue", - "type": "unknown" - }, - { - "ecs": false, - "name": "o365.audit.ModifiedProperties.IsPublic.OldValue", - "type": "unknown" - }, - { - "ecs": false, - "name": "o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.NewValue", - "type": "unknown" - }, - { - "ecs": false, - "name": "o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.OldValue", - "type": "unknown" - }, - { - "ecs": false, - "name": "o365.audit.ModifiedProperties.ShareWithGuests.NewValue", - "type": "unknown" - }, - { - "ecs": false, - "name": "o365.audit.ModifiedProperties.ShareWithGuests.OldValue", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "632906c6-ba8f-44c0-8386-ec0bbc8518bf", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Domain: SaaS", - "Data Source: Microsoft 365", - "Data Source: Microsoft 365 Audit Logs", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 - }, - "id": "632906c6-ba8f-44c0-8386-ec0bbc8518bf_1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_12.json b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_12.json index 1995e63cd7b..f73e98b1899 100644 --- a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_12.json +++ b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_12.json @@ -21,7 +21,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_12.json b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_12.json index c03ac0c2ebf..84332fe9c67 100644 --- a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_12.json +++ b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_12.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_13.json b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_13.json index a4a7fa0121d..f2ba7789adb 100644 --- a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_13.json +++ b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_13.json @@ -25,7 +25,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/65f28c4d-cfc8-4847-9cca-f2fb1e319151_1.json b/packages/security_detection_engine/kibana/security_rule/65f28c4d-cfc8-4847-9cca-f2fb1e319151_1.json deleted file mode 100644 index 90c16d00804..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/65f28c4d-cfc8-4847-9cca-f2fb1e319151_1.json +++ /dev/null @@ -1,167 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule leverages the \"new_terms\" rule type to detect unusual command executions originating from web server processes on Linux systems. Attackers may exploit web servers to maintain persistence on a compromised system, often resulting in atypical command executions. As command execution from web server parent processes is common, the \"new_terms\" rule type approach helps to identify deviations from normal behavior.", - "from": "now-9m", - "history_window_start": "now-14d", - "index": [ - "logs-endpoint.events.process*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Unusual Web Server Command Execution", - "new_terms_fields": [ - "process.command_line" - ], - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Web Server Command Execution\n\nThis rule detects shells invoked by web server processes on Linux to run one-off commands, surfacing command lines the server has never executed before. Attackers exploit vulnerable apps or dropped webshells to launch bash -c from web roots, e.g., download a payload with wget/curl into /opt or /tmp, chmod +x and execute it, or open a reverse shell (nc -e sh) to implant services or cron-like tasks and persist under the web server account.\n\n### Possible investigation steps\n\n- Reconstruct the process tree around the event to identify the shell payload and parent service, determine if it chains downloads, reverse shells, or archive extraction, and hash/snapshot any referenced files.\n- Pivot to web server access and error logs at the timestamp to identify the request path, client IP, user agent, and HTTP verb that triggered execution, noting anomalies like POST uploads, long query strings, or 500s.\n- List and diff newly created or recently modified files under common web roots and application directories around the event time, looking for webshells, chmod+x artifacts, .php/.jsp backdoors, or systemd/cron writes by the same user.\n- Correlate with network telemetry to see if the web tier opened outbound connections or listeners (nc, bash -i, curl/wget), and capture any active sockets and destinations for rapid containment.\n- Validate whether the command matches expected maintenance tasks for the application (e.g., wkhtmltopdf or image processing), and if not, isolate the process and host while scoping for the same pattern across other servers and preserving volatile evidence.\n\n### False positive analysis\n\n- A legitimate web-admin workflow (plugin/module install, content import, or cache warmup) spawns sh -c from an apache/nginx parent in /var/www to run tar/chmod/chown steps, producing a command line the host has not previously executed under www-data.\n- A recently deployed application feature performs server-side document or image processing and rotates logs by calling sh -c from a framework parent (flask/rails/php) with a working directory in /opt or /usr/share/nginx, making the specific shell invocation a new term for this server.\n\n### Response and remediation\n\n- Quarantine the affected web server by removing it from the load balancer, stopping apache/nginx/httpd, and killing the spawned shell (e.g., bash -c) while capturing /proc//cmdline and /proc//environ, lsof, and active sockets for evidence.\n- Block outbound egress from the web server account and immediately deny destinations contacted by curl/wget or reverse shells (nc, bash -i to /dev/tcp), and rotate exposed API keys or credentials referenced in the command line.\n- Eradicate persistence by deleting newly dropped or modified files under /var/www, /usr/share/nginx, /srv/http, /opt, or /home/*/public_html (webshells, .php backdoors), removing downloaded binaries from /tmp or /opt, and cleaning cron/systemd units created by www-data/nginx.\n- Recover by restoring web content and application code from known-good backups or images, verifying file ownership and permissions, and restarting the service with monitored command allowlists and file integrity checks.\n- Escalate to full incident response and forensic imaging if any reverse shell artifacts (nc -e sh, bash -i >& /dev/tcp/*), privileged writes (/etc/systemd/system/*.service, /var/spool/cron/*), or sudo execution by the web server user are observed.\n- Harden by disabling risky exec paths (PHP exec/system/shell_exec and unsafe plugins), enforcing noexec,nodev,nosuid mounts on web roots, applying SELinux/AppArmor confinement to web processes, narrowing outbound egress, and deploying WAF/mod_security rules for upload and RCE vectors.\n", - "query": "event.category:process and host.os.type:linux and event.type:start and event.action:exec and (\n process.parent.name:(\n \"apache\" or \"nginx\" or \"apache2\" or \"httpd\" or \"lighttpd\" or \"caddy\" or \"mongrel_rails\" or \"haproxy\" or\n \"gunicorn\" or \"uwsgi\" or \"openresty\" or \"cherokee\" or \"h2o\" or \"resin\" or \"puma\" or \"unicorn\" or \"traefik\" or \"uvicorn\" or\n \"tornado\" or \"hypercorn\" or \"daphne\" or \"twistd\" or \"yaws\" or \"webfsd\" or \"httpd.worker\" or \"flask\" or \"rails\" or \"mongrel\" or\n php* or ruby* or perl* or python* or \"node\" or \"java\"\n ) or\n user.name:(\"apache\" or \"www-data\" or \"httpd\" or \"nginx\" or \"lighttpd\" or \"tomcat\" or \"tomcat8\" or \"tomcat9\") or\n user.id:(\"33\" or \"498\" or \"48\" or \"54321\")\n) and process.working_directory:(\n /var/www/* or\n /usr/share/nginx/* or\n /srv/www/* or\n /srv/http/* or\n */webapps/* or\n /home/*/public_html/* or\n /home/*/www/* or\n /opt/* or\n /u0*/*\n) and\nprocess.command_line:* and process.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) and process.args:\"-c\" and\nnot (\n (process.parent.name:java and not process.parent.executable:/u0*/*) or\n (process.parent.name:python* and process.parent.executable:(/bin/python* or /usr/bin/python* or /usr/local/bin/python* or /tmp/*python* or /opt/oracle.ahf/python/*)) or\n (process.parent.name:ruby* and process.parent.executable:(/bin/ruby* or /usr/bin/ruby* or /usr/local/bin/ruby* or /tmp/*ruby* or /bin/ruby or /usr/bin/ruby or /usr/local/bin/ruby)) or\n (process.parent.name:perl* and process.parent.executable:(/bin/perl* or /usr/bin/perl* or /usr/local/bin/perl* or /tmp/*perl* or /bin/perl or /usr/bin/perl or /usr/local/bin/perl)) or\n (process.parent.name:php* and process.parent.executable:(/bin/php* or /usr/bin/php* or /usr/local/bin/php* or /tmp/*php* or /bin/php or /usr/bin/php or /usr/local/bin/php)) or\n (process.parent.name:node and process.parent.executable:(/home/*/.vscode-server/* or /users/*/.vscode-server/* or /bin/node or /usr/bin/node or /usr/local/bin/node or /opt/plesk/node/*/bin/node)) or\n process.working_directory:(/u0*/*/sysman/emd or /u0*/app/oracle/product/*/dbhome_* or /u0*/app/oracle/product/*/db_* or /var/www/*edoc*) or\n process.parent.executable:/tmp/* or\n process.args:/usr/local/bin/wkhtmltopdf*\n)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "65f28c4d-cfc8-4847-9cca-f2fb1e319151", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "Domain: Web", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 1 - }, - "id": "65f28c4d-cfc8-4847-9cca-f2fb1e319151_1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/65f28c4d-cfc8-4847-9cca-f2fb1e319151_5.json b/packages/security_detection_engine/kibana/security_rule/65f28c4d-cfc8-4847-9cca-f2fb1e319151_5.json new file mode 100644 index 00000000000..d23d0783ce3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/65f28c4d-cfc8-4847-9cca-f2fb1e319151_5.json @@ -0,0 +1,184 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule leverages the \"new_terms\" rule type to detect unusual command executions originating from web server processes on Linux systems. Attackers may exploit web servers to maintain persistence on a compromised system, often resulting in atypical command executions. As command execution from web server parent processes is common, the \"new_terms\" rule type approach helps to identify deviations from normal behavior.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.process*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Unusual Command Execution via Web Server", + "new_terms_fields": [ + "process.command_line", + "host.id", + "process.parent.executable" + ], + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Command Execution via Web Server\n\nThis rule detects shells invoked by web server processes on Linux to run one-off commands, surfacing command lines the server has never executed before. Attackers exploit vulnerable apps or dropped webshells to launch bash -c from web roots, e.g., download a payload with wget/curl into /opt or /tmp, chmod +x and execute it, or open a reverse shell (nc -e sh) to implant services or cron-like tasks and persist under the web server account.\n\n### Possible investigation steps\n\n- Reconstruct the process tree around the event to identify the shell payload and parent service, determine if it chains downloads, reverse shells, or archive extraction, and hash/snapshot any referenced files.\n- Pivot to web server access and error logs at the timestamp to identify the request path, client IP, user agent, and HTTP verb that triggered execution, noting anomalies like POST uploads, long query strings, or 500s.\n- List and diff newly created or recently modified files under common web roots and application directories around the event time, looking for webshells, chmod+x artifacts, .php/.jsp backdoors, or systemd/cron writes by the same user.\n- Correlate with network telemetry to see if the web tier opened outbound connections or listeners (nc, bash -i, curl/wget), and capture any active sockets and destinations for rapid containment.\n- Validate whether the command matches expected maintenance tasks for the application (e.g., wkhtmltopdf or image processing), and if not, isolate the process and host while scoping for the same pattern across other servers and preserving volatile evidence.\n\n### False positive analysis\n\n- A legitimate web-admin workflow (plugin/module install, content import, or cache warmup) spawns sh -c from an apache/nginx parent in /var/www to run tar/chmod/chown steps, producing a command line the host has not previously executed under www-data.\n- A recently deployed application feature performs server-side document or image processing and rotates logs by calling sh -c from a framework parent (flask/rails/php) with a working directory in /opt or /usr/share/nginx, making the specific shell invocation a new term for this server.\n\n### Response and remediation\n\n- Quarantine the affected web server by removing it from the load balancer, stopping apache/nginx/httpd, and killing the spawned shell (e.g., bash -c) while capturing /proc//cmdline and /proc//environ, lsof, and active sockets for evidence.\n- Block outbound egress from the web server account and immediately deny destinations contacted by curl/wget or reverse shells (nc, bash -i to /dev/tcp), and rotate exposed API keys or credentials referenced in the command line.\n- Eradicate persistence by deleting newly dropped or modified files under /var/www, /usr/share/nginx, /srv/http, /opt, or /home/*/public_html (webshells, .php backdoors), removing downloaded binaries from /tmp or /opt, and cleaning cron/systemd units created by www-data/nginx.\n- Recover by restoring web content and application code from known-good backups or images, verifying file ownership and permissions, and restarting the service with monitored command allowlists and file integrity checks.\n- Escalate to full incident response and forensic imaging if any reverse shell artifacts (nc -e sh, bash -i >& /dev/tcp/*), privileged writes (/etc/systemd/system/*.service, /var/spool/cron/*), or sudo execution by the web server user are observed.\n- Harden by disabling risky exec paths (PHP exec/system/shell_exec and unsafe plugins), enforcing noexec,nodev,nosuid mounts on web roots, applying SELinux/AppArmor confinement to web processes, narrowing outbound egress, and deploying WAF/mod_security rules for upload and RCE vectors.\n", + "query": "event.category:process and host.os.type:linux and event.type:start and event.action:exec and (\n process.parent.name:(\n apache2 or asterisk or caddy or daphne or flask or frankenphp or httpd or httpd.worker or\n lswsctrl or mongrel_rails or nginx or php-cgi or php-cgi.cagefs or php-fcgi or starman or\n sw-engine-fpm or uvicorn or uwsgi or varnishd or waitress-serve or zabbix_server or *.cgi\n or *.fcgi or gunicorn* or php-fpm*\n ) or\n process.parent.name:ruby* and process.parent.command_line:(*passenger* or *puma* or *rails*) or\n process.parent.name:python* and process.parent.command_line:(\n *app.py* or *asgi.py* or *django* or *flask* or *hypercorn* or *server.py* or *uvicorn* or *wsgi.py*\n ) or\n process.parent.name:perl* and process.parent.command_line:*plackup* or\n process.parent.name:java and process.parent.args:(\n com.atlassian.jira.startup.Launcher or com.caucho.server.resin.Resin or com.google.gerrit.pgm.Daemon or\n com.ibm.ws.kernel.boot.cmdline.Bootstrap or com.ibm.ws.runtime.WsServer or\n com.sun.enterprise.glassfish.bootstrap.ASMain or io.dropwizard.cli.ServerCommand or\n io.helidon.microprofile.server.Main or io.micronaut.runtime.Micronaut or io.quarkus.runner.GeneratedMain or\n io.vertx.core.Launcher or org.apache.catalina.startup.Bootstrap or org.eclipse.jetty.start.Main or\n org.elasticsearch.bootstrap.Elasticsearch or org.jboss.modules.Main or play.core.server.ProdServerStart or\n weblogic.Server or *-Dsolr.solr.home=* or *BitbucketServerLauncher* or *jenkins.war* or *quarkus-run.jar* or\n *weblogic-launcher.jar* or -Dcatalina.base=* or -Djboss.home.dir=* or -Djetty.home=* or -Dweblogic.Name=* or\n io.helidon.webserver* or org.apereo.cas* or org.keycloak* or org.springframework.boot.loader.*\n )\n) and\nprocess.command_line:* and\nprocess.name:(bash or busybox or csh or dash or fish or ksh or mksh or sh or tcsh or zsh) and\nprocess.args:(-c or -cl or -lc) and\nnot (\n process.parent.name:java and not process.parent.executable:/u0*/* or\n process.working_directory:(/u0*/*/sysman/emd or /u0*/app/oracle/product/*/db_* or /u0*/app/oracle/product/*/dbhome_* or /var/www/*edoc*) or\n process.args:(/usr/bin/rsvg-convert* or /usr/local/bin/wkhtmltopdf*) or\n process.command_line:*/opt/sc/bin/showvulns* or\n (process.parent.name:nginx and process.name:busybox and process.args:gcc*/tmp/lua_*) or\n (process.parent.name:apache2 and process.args:\\\"/usr/bin/7za*) or\n (process.parent.name:zabbix_server and process.command_line:*fping*) or\n (process.parent.name:php-fpm* and (process.command_line:*/usr/bin/pdftotext* or process.args:clamdscan*))\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "65f28c4d-cfc8-4847-9cca-f2fb1e319151", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "Domain: Web", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 5 + }, + "id": "65f28c4d-cfc8-4847-9cca-f2fb1e319151_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_209.json b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_209.json index d15335f52fc..a8951eac95f 100644 --- a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_209.json +++ b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_209.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/6756ee27-9152-479b-9b73-54b5bbda301c_6.json b/packages/security_detection_engine/kibana/security_rule/6756ee27-9152-479b-9b73-54b5bbda301c_6.json deleted file mode 100644 index 49745544f91..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6756ee27-9152-479b-9b73-54b5bbda301c_6.json +++ /dev/null @@ -1,139 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource. Attackers may inject WebDAV paths in files or features opened by a victim user to leak their NTLM credentials via forced authentication.", - "from": "now-3660s", - "language": "esql", - "license": "Elastic License v2", - "name": "Rare Connection to WebDAV Target", - "note": "## Triage and analysis\n\n### Investigating Rare Connection to WebDAV Target\n\n### Possible investigation steps\n\n- Examine the reputation of the destination domain or IP address.\n- Verify if the target user opened any attachments or clicked links pointing to the same target within seconds from the alert timestamp.\n- Correlate the findings with other security logs and alerts to identify any patterns or additional indicators of compromise related to the potential relay attack.\n\n### False positive analysis\n\n- User accessing legit WebDAV resources.\n\n### Response and remediation\n\n- Conduct a password reset for the target account that may have been compromised or are at risk, ensuring the use of strong, unique passwords.\n- Verify whether other users were targeted but did not open the lure..\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.\n- Conduct a post-incident review to identify any gaps in security controls and update policies or procedures to prevent recurrence, ensuring lessons learned are applied to improve overall security posture.", - "query": "from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*, logs-windows.*, winlogbeat-*, logs-crowdstrike.fdr*, logs-m365_defender.event-* METADATA _id, _version, _index\n| where\n @timestamp > now() - 8 hours and\n event.category == \"process\" and\n event.type == \"start\" and\n process.name == \"rundll32.exe\" and\n process.command_line like \"*DavSetCookie*\"\n| keep host.id, process.command_line, user.name, user.id\n// extract domain or IP address from process cmdline\n| grok process.command_line \"\"\"(?((http|https)://[a-zA-Z0-9-\\.]{1,}\\.[a-zA-Z]{2,3}[@\\/]+)|(\\b(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\b)[@\\/]+)\"\"\"\n// remove sub domains from URL\n| eval Esql.server_webdav_server = REPLACE(Esql.server_webdav_server, \"\"\"((http|https)://[a-zA-Z0-9-]{1,}\\.)\"\"\", \"\")\n| eval Esql.server_webdav_server = REPLACE(Esql.server_webdav_server, \"/\", \"\")\n| where\n Esql.server_webdav_server is not null and\n not Esql.server_webdav_server in (\"www.google.com\", \"www.elastic.co\", \"sharepoint.com\", \"live.net\", \"google.com\", \"SHAREPOINT.COM\", \"github.com\") and\n // excludes private IP ranges\n not Esql.server_webdav_server rlike \"\"\"(10\\.(\\d{1,3}\\.){2}\\d{1,3}|172\\.(1[6-9]|2\\d|3[0-1])\\.(\\d{1,3}\\.)\\d{1,3}|192\\.168\\.(\\d{1,3}\\.)\\d{1,3})\"\"\"\n| stats\n Esql.event_count = count(*),\n Esql.host_id_count_distinct = count_distinct(host.id),\n Esql.host_id_values = values(host.id),\n Esql.user_name_values = values(user.name)\n by Esql.server_webdav_server\n| where\n Esql.host_id_count_distinct == 1 and Esql.event_count <= 3\n| eval host.id = MV_MIN(Esql.host_id_values), user.name = MV_MIN(Esql.user_name_values), destination.domain = MV_MIN(Esql.server_webdav_server)\n| KEEP host.id, user.name, destination.domain, Esql.*\n", - "references": [ - "https://attack.mitre.org/techniques/T1187/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "system", - "version": "^2.0.0" - }, - { - "package": "windows", - "version": "^3.0.0" - }, - { - "package": "m365_defender", - "version": "^3.0.0" - }, - { - "package": "crowdstrike", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.event_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.host_id_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.host_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.server_webdav_server", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.user_name_values", - "type": "keyword" - }, - { - "ecs": true, - "name": "destination.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6756ee27-9152-479b-9b73-54b5bbda301c", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Crowdstrike", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1187", - "name": "Forced Authentication", - "reference": "https://attack.mitre.org/techniques/T1187/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.011", - "name": "Rundll32", - "reference": "https://attack.mitre.org/techniques/T1218/011/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 6 - }, - "id": "6756ee27-9152-479b-9b73-54b5bbda301c_6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_212.json b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_212.json new file mode 100644 index 00000000000..7afa9fce3ab --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_212.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Assigning an administrative role to a user or group grants elevated privileges within Google Workspace, including access to the Google Admin console and the ability to manage domain resources and applications. Adversaries may assign administrator roles to an existing account or a newly created account/group to establish persistence, facilitate privilege escalation, and enable follow-on actions across the tenant. In particular, users with Super Admin privileges can bypass single sign-on (SSO) if it is enabled in Google Workspace.", + "false_positives": [ + "Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace.admin-*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "source.ip", + "user.name", + "user.email", + "event.action", + "google_workspace.admin.role.name", + "user.target.name", + "user.target.email" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Admin Role Assigned to a User or Group", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Assigned to a User or Group\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. Because these roles can\ngrant broad administrative control over identity, devices, and security settings, role assignments should follow the\nprinciple of least privilege (PoLP) and be carefully controlled. Threat actors may assign high-privilege roles (for\nexample, Super Admin or other *_ADMIN_ROLE roles) to establish persistence, expand access, and perform follow-on actions\nsuch as creating OAuth tokens, modifying security controls, changing mail routing, or altering SSO settings. Unexpected\nadmin privileges can also lead to operational impact if changes are made unintentionally.\n\nThis rule identifies when a Google Workspace administrative role is assigned to a user or a group.\n\n### Possible investigation steps\n\n- Identify the initiating (actor) account that performed the change by reviewing `user.email` or `user.name`, and note the `source.ip` and `event.ingested` timestamps.\n- Identify the target principal that received the role assignment:\n - For assignments, review `user.target.email` and `user.target.name`.\n - For group assignments, determine which users are members of that group at the time of assignment.\n- Identify the role assigned by reviewing `google_workspace.admin.role.name`.\n- Determine whether the assignment is expected and authorized:\n - Validate there is an approved change request/ticket and that the actor account is authorized to grant this level of access.\n - If the role is high privilege (for example, Super Admin), treat as urgent until proven benign.\n- Scope for additional role assignments by searching for `event.action: ASSIGN_ROLE` over an expanded time window and filtering on:\n - The same `user.email` (actor) to find other role changes performed by the same account.\n - The same `google_workspace.admin.role.name` to identify other principals granted the role.\n - The same target (`user.target.email`) to identify multiple roles granted to the same principal.\n- Evaluate whether the target user (or group members) performed suspicious activity after receiving the role:\n - Review the last 48 hours of admin/audit events for security control changes, user or group changes, and Gmail configuration changes.\n - If available, correlate with sign-in events for unusual geolocation, impossible travel, unfamiliar devices, or sign-ins from the `source.ip`.\n- Determine whether the target user account was recently created by searching for `event.action: CREATE_USER` and filtering for `user.target.email`.\n\n### False positive analysis\n\n- Verify the role assignment aligns with approved administrative duties, an authorized change window, and the organization\u2019s access governance process.\n- Confirm the initiating admin account is legitimate and not performing role assignments from unusual IPs, devices, or locations.\n- For group assignments, verify the group is intended for administrative delegation and validate recent membership changes that could expand who effectively received the privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on triage findings.\n- If the assignment is not clearly authorized, remove the role assignment from the user/group and/or place the target account(s) under administrative restriction while the investigation proceeds.\n- For suspected compromise of the initiating admin account:\n - Reset credentials, revoke active sessions, enforce MFA re-enrollment, and review delegation/OAuth grants for persistence.\n - Validate recovery email/phone settings and account security posture.\n- Review the permissions assigned to the implicated user/group to ensure PoLP is being followed, and consider replacing broad roles with narrower delegated roles where feasible.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "data_stream.dataset:\"google_workspace.admin\" and event.action:\"ASSIGN_ROLE\"\n and google_workspace.admin.role.name : *_ADMIN_ROLE\n", + "references": [ + "https://support.google.com/a/answer/172176?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.role.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 212 + }, + "id": "68994a6c-c7ba-4e82-b476-26a26877adf6_212", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_13.json b/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_13.json index 30fc8f0a22b..46cefd7b2d0 100644 --- a/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_13.json +++ b/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_13.json @@ -38,10 +38,6 @@ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html" ], "related_integrations": [ - { - "package": "aws", - "version": "^4.0.0" - }, { "integration": "cloudtrail", "package": "aws", diff --git a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_211.json b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_211.json new file mode 100644 index 00000000000..91bc57b175c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_211.json @@ -0,0 +1,126 @@ +{ + "attributes": { + "alert_suppression": { + "duration": { + "unit": "m", + "value": 130 + }, + "group_by": [ + "user.email", + "google_workspace.admin.role.name", + "source.ip" + ], + "missing_fields_strategy": "suppress" + }, + "author": [ + "Elastic" + ], + "description": "Detects when a custom admin role or its privileges are modified in Google Workspace. Adversaries may add or expand privileges on an existing role to elevate access for assigned users or groups without creating a new role or directly assigning a well-known admin role. Because privilege changes take effect for all principals assigned the role, modifying role permissions can silently expand access across multiple accounts.", + "false_positives": [ + "Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "source.ip", + "user.name", + "user.email", + "event.action", + "google_workspace.admin.role.name", + "google_workspace.admin.privilege.name" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Role Modified", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Role Modified\n\nGoogle Workspace allows administrators to modify custom admin roles by adding, removing, or updating privileges across\nservices such as Users, Groups, Gmail, Drive, and Security. Threat actors may expand privileges on an existing role to\nestablish persistence or escalate access for accounts already assigned that role, without triggering role assignment\nalerts. Selecting a privilege category in the Admin console (for example, Organization Units) can add multiple related\nprivilege groups in a single action, each logged as a separate `ADD_PRIVILEGE` event.\n\nThis rule identifies when a Google Workspace role is modified via `ADD_PRIVILEGE` or `UPDATE_ROLE` events. Alert\nsuppression groups alerts by `user.email`, `google_workspace.admin.role.name`, and `source.ip` within a 130-minute window\n(matching the rule lookback) so analysts receive one alert per role modification session instead of one alert per privilege.\n\n### Possible investigation steps\n\n- Identify the initiating (actor) account that modified the role by reviewing `user.email` or `user.name`, and note the `source.ip` and `event.ingested` timestamps.\n- Identify the role modified by reviewing `google_workspace.admin.role.name`.\n- Identify the privilege changed by reviewing `google_workspace.admin.privilege.name`. Because suppression may group multiple events, search for all related changes in the same session (see Kibana steps below).\n- Determine whether the modification is expected and authorized:\n - Validate there is an approved change request/ticket and that the actor account is authorized to modify admin roles.\n - If the actor account or source IP is unusual, treat the alert as higher priority until proven benign.\n- Review role permissions in the Google Admin console:\n - Navigate to Account > Admin roles.\n - Locate the role name from `google_workspace.admin.role.name` and select it to open the role details.\n - Review the Privileges tab to confirm which permissions were added or removed and whether they align with the organization's delegation model.\n - Review the Admins tab to identify which users or groups currently hold the role and will inherit the modified privileges.\n- Search Kibana for all privileges changed in the session:\n - In Discover (or the alert investigation workflow), search Google Workspace admin logs with a time range centered on the alert timestamp (\u00b15 minutes).\n - Use the following KQL example, replacing `` with the value from `google_workspace.admin.role.name`:\n ```\n data_stream.dataset: \"google_workspace.admin\" and event.action: (\"ADD_PRIVILEGE\" or \"UPDATE_ROLE\") and google_workspace.admin.role.name: \"\"\n ```\n - Optionally filter on the actor with `user.email` to isolate changes from the same administrator.\n - Review all `google_workspace.admin.privilege.name` values returned to understand the full scope of the modification.\n- Search Kibana for principals recently assigned the role to determine blast radius:\n - Use the following KQL example:\n ```\n data_stream.dataset: \"google_workspace.admin\" and event.action: \"ASSIGN_ROLE\" and google_workspace.admin.role.name: \"\"\n ```\n - Review `user.target.email` and `user.target.name` for user/group assignments.\n- Scope for related activity by searching for the same `user.email` (actor) performing other IAM or security actions such as `ASSIGN_ROLE`, `CREATE_ROLE`, `CREATE_USER`, or security policy changes within the last 48 hours.\n- Evaluate whether principals assigned the modified role performed suspicious activity after the change:\n - Review admin/audit events for security control changes, user or group changes, and Gmail configuration changes.\n\n### False positive analysis\n\n- Verify the role modification aligns with approved administrative duties, an authorized change window, and the organization's access governance process.\n- Confirm the initiating admin account is legitimate and not modifying roles from unusual IPs, devices, or locations.\n- Selecting a privilege category in the Admin console can add multiple related privileges in one action; alert suppression should consolidate these into a single alert.\n- Compare the modified role's privileges against the stated business need; overly broad privileges warrant closer review even if the change was authorized.\n\n### Response and remediation\n\n- Initiate the incident response process based on triage findings.\n- If the modification is not clearly authorized, revert the role privileges to their prior state and/or remove the role assignment from affected users or groups while the investigation proceeds.\n- For suspected compromise of the initiating admin account:\n - Reset credentials, revoke active sessions, enforce MFA re-enrollment, and review delegation/OAuth grants for persistence.\n - Validate recovery email/phone settings and account security posture.\n- Review whether principals assigned the modified role require the new privileges, and replace broad custom roles with narrower delegated roles where feasible.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "data_stream.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n", + "references": [ + "https://support.google.com/a/answer/2406043?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Persistence", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 211 + }, + "id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5_211", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_12.json b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_12.json index 469a621cc33..38add73e714 100644 --- a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_12.json +++ b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_12.json @@ -24,7 +24,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/74f45152-9aee-11ef-b0a5-f661ea17fbcd_9.json b/packages/security_detection_engine/kibana/security_rule/74f45152-9aee-11ef-b0a5-f661ea17fbcd_9.json index 2c8cd703ba5..12156ae2962 100644 --- a/packages/security_detection_engine/kibana/security_rule/74f45152-9aee-11ef-b0a5-f661ea17fbcd_9.json +++ b/packages/security_detection_engine/kibana/security_rule/74f45152-9aee-11ef-b0a5-f661ea17fbcd_9.json @@ -33,10 +33,6 @@ "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/" ], "related_integrations": [ - { - "package": "aws", - "version": "^4.0.0" - }, { "integration": "cloudtrail", "package": "aws", diff --git a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_210.json b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_210.json index 43185561225..2b790722414 100644 --- a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_210.json +++ b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_210.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/7811b5f7-9e07-4999-87aa-a950365cd327_1.json b/packages/security_detection_engine/kibana/security_rule/7811b5f7-9e07-4999-87aa-a950365cd327_1.json new file mode 100644 index 00000000000..a192cfff40d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7811b5f7-9e07-4999-87aa-a950365cd327_1.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects control-plane mutations to AWS Bedrock knowledge bases and their backing RAG data sources via CloudTrail. An adversary with access to Bedrock Agent APIs can poison the corpus that RAG-enabled models treat as authoritative by ingesting attacker-controlled documents (IngestKnowledgeBaseDocuments, StartIngestionJob), deleting legitimate documents (DeleteKnowledgeBaseDocuments), or repointing/altering the data source itself (CreateDataSource, UpdateDataSource, DeleteDataSource, UpdateKnowledgeBase). Because downstream applications and users trust model answers grounded in this stored data, tampering with the corpus is a stored data manipulation that can drive misinformation, fraud, or manipulated decisions at inference time. This is a New Terms rule that looks for the first time a given identity ARN performs one of these knowledge base or data source mutations within the history window.", + "false_positives": [ + "Legitimate knowledge base maintenance, content onboarding, and scheduled re-ingestion performed by data engineering teams, MLOps automation, or infrastructure-as-code pipelines will generate these events. Validate the calling identity, user agent, and source IP against known automation and approved operators. If a known maintenance workflow is causing noise, it can be exempted from this rule." + ], + "from": "now-6m", + "history_window_start": "now-7d", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.provider", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Bedrock Knowledge Base or RAG Data Source Tampering", + "new_terms_fields": [ + "cloud.account.id" + ], + "note": "## Triage and analysis\n\n### Investigating AWS Bedrock Knowledge Base or RAG Data Source Tampering\n\nAWS Bedrock knowledge bases provide Retrieval-Augmented Generation (RAG) by grounding model responses in a stored\ncorpus that is synchronized from a configured data source. Because RAG-enabled applications present these grounded\nanswers as authoritative, an adversary who can ingest, delete, or repoint the underlying corpus can poison the answers\nreturned to downstream users and systems. This rule detects control-plane changes to knowledge bases and data sources\nthat could enable such corpus poisoning.\n\n#### Possible investigation steps\n\n- **Identify the actor and context**\n - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and\n `aws.cloudtrail.user_identity.access_key_id`.\n - Examine `source.ip`, `user_agent.original`, and `aws.cloudtrail.user_identity.invoked_by` to determine whether the\n change came from an approved operator, automation, or an unexpected origin.\n - Confirm a related change request exists (content update, data source migration, scheduled ingestion).\n- **Validate the specific action**\n - Inspect `event.action` and `aws.cloudtrail.flattened.request_parameters` to identify the knowledge base, data\n source, and any S3 bucket / ingestion configuration referenced.\n - For `CreateDataSource` / `UpdateDataSource`, verify the data source location (e.g., S3 bucket) is org-owned and not\n attacker-controlled.\n - For `IngestKnowledgeBaseDocuments` / `StartIngestionJob`, review what content was ingested and from where.\n - For `DeleteKnowledgeBaseDocuments` / `DeleteDataSource`, determine whether legitimate content was removed.\n- **Correlate activity**\n - Look for prior enumeration of Bedrock resources or anomalous IAM/STS activity from the same identity.\n - Review `cloud.account.id` and `cloud.region` to confirm the change occurred where expected.\n\n### False positive analysis\n\n- **Planned content maintenance**: Routine ingestion, document updates, and re-syncs by data teams or MLOps automation\n are expected. Validate against change tickets and known automation roles.\n- **Infrastructure-as-code**: Pipelines may create or update data sources during deployments. Confirm the source IP and\n ARN match expected automation.\n\n### Response and remediation\n\n- If unauthorized, suspend or disable the implicated knowledge base and data source to prevent further poisoned\n retrieval, and revert the corpus to a known-good state.\n- Disable or rotate the credentials identified in `aws.cloudtrail.user_identity.access_key_id` if compromise is\n suspected.\n- Audit recent ingestion jobs and document changes, and validate the integrity of the data source location.\n- Restrict Bedrock Agent knowledge base and data source mutation permissions to a small set of trusted roles.\n", + "query": "data_stream.dataset: \"aws.cloudtrail\" and\n event.provider: \"bedrock.amazonaws.com\" and\n event.action: (\n \"IngestKnowledgeBaseDocuments\" or\n \"DeleteKnowledgeBaseDocuments\" or\n \"UpdateKnowledgeBase\" or\n \"CreateDataSource\" or\n \"UpdateDataSource\" or\n \"DeleteDataSource\" or\n \"StartIngestionJob\" or\n \"DeleteKnowledgeBase\"\n ) and\n event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_Operations_Agents_for_Amazon_Bedrock.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7811b5f7-9e07-4999-87aa-a950365cd327", + "setup": "## Setup\n\nThis rule requires the AWS CloudTrail integration. The data source and knowledge base configuration actions are management \nevents (captured by default), but the direct document operations (`IngestKnowledgeBaseDocuments`, `DeleteKnowledgeBaseDocuments`) \nare Bedrock CloudTrail **data events** that are off by default. Without Bedrock data-event logging enabled on the trail, this rule \nprovides only **partial coverage** \u2014 it will see config changes but not direct document ingestion/deletion, the primary poisoning \nvector. Enable Bedrock data-event logging for full coverage.\n", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: LLM", + "Data Source: AWS", + "Data Source: AWS CloudTrail", + "Data Source: Amazon Web Services", + "Data Source: Amazon Bedrock", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1565", + "name": "Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/", + "subtechnique": [ + { + "id": "T1565.001", + "name": "Stored Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "7811b5f7-9e07-4999-87aa-a950365cd327_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_211.json b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_211.json new file mode 100644 index 00000000000..ccde8ea7e05 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_211.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an administrator adds a Google Workspace Marketplace application to the domain. Adversaries with administrative access may register a malicious OAuth application to establish long-lived API access to mail, drive, and other Workspace data, maintaining persistence and enabling collection without relying on a single user password alone.", + "false_positives": [ + "Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace.admin-*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "user.name", + "user.email", + "user.domain", + "event.action", + "google_workspace.admin.application.name", + "google_workspace.admin.application.enabled" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Application Added to Google Workspace Domain", + "note": "## Triage and analysis\n\n### Investigating Application Added to Google Workspace Domain\n\nGoogle Workspace Marketplace applications can request OAuth scopes to read or modify tenant data. When an administrator\nadds an application at the domain level, users may be able to install or authorize it broadly, creating a durable\nthird-party access path. Threat actors with admin rights may add an adversary-controlled app to maintain API-based\npersistence and access sensitive resources at scale.\n\nThis rule identifies when an administrator adds a Marketplace application via the `ADD_APPLICATION` event in the\n`google_workspace.admin` data stream.\n\n### Possible investigation steps\n\n- Identify the initiating (actor) administrator by reviewing `user.email` or `user.name`, and note `@timestamp`.\n- Identify the application added by reviewing `google_workspace.admin.application.name` and related application metadata in the raw event.\n- Determine whether the change is expected and authorized:\n - Validate there is an approved change request or vendor onboarding record for the application.\n - If the actor account is unusual, treat the alert as higher priority until proven benign.\n- Review Marketplace apps in the Google Admin console:\n - Navigate to Apps > Google Workspace Marketplace apps.\n - Confirm whether the application is allowed domain-wide or for specific organizational units, and review requested API scopes against least-privilege expectations.\n- Search Kibana for related admin and OAuth activity:\n - Find other Marketplace changes by the same actor:\n ```\n data_stream.dataset: \"google_workspace.admin\" and user.email: \"\" and event.action: (\"ADD_APPLICATION\" or \"REMOVE_APPLICATION\")\n ```\n - After the add, review OAuth authorizations that may indicate users or admins granting access to the app:\n ```\n data_stream.dataset: \"google_workspace.token\" and event.action: \"authorize\"\n ```\n - Scope for other security-weakening admin actions from the same `user.email` within the last 48 hours, such as Marketplace restriction changes, blocklist removals, or role assignments.\n\n### False positive analysis\n\n- Verify the application is an approved business tool with documented vendor risk review and scope justification.\n- New application rollouts during migrations or acquisitions can trigger this rule, validate timing against change windows.\n\n### Response and remediation\n\n- Initiate the incident response process based on triage findings.\n- If the add is not clearly authorized, remove or block the application under Google Workspace Marketplace apps while the investigation proceeds.\n- Revoke OAuth tokens for the application client if users have already authorized it (`Security` > Access and data control > API controls, or user token review in admin reports).\n- If the initiating admin account is suspected compromised, reset credentials, revoke active sessions, and review delegated admin roles assigned to that account.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated administrator to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "data_stream.dataset:google_workspace.admin and event.action:ADD_APPLICATION\n", + "references": [ + "https://support.google.com/a/answer/6328701?hl=en#", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.001", + "name": "Additional Cloud Credentials", + "reference": "https://attack.mitre.org/techniques/T1098/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 211 + }, + "id": "785a404b-75aa-4ffd-8be5-3334a5a544dd_211", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78c6559d-47a7-4f30-91fe-7e2e983206c2_3.json b/packages/security_detection_engine/kibana/security_rule/78c6559d-47a7-4f30-91fe-7e2e983206c2_3.json index aecd253489f..9180d2002b8 100644 --- a/packages/security_detection_engine/kibana/security_rule/78c6559d-47a7-4f30-91fe-7e2e983206c2_3.json +++ b/packages/security_detection_engine/kibana/security_rule/78c6559d-47a7-4f30-91fe-7e2e983206c2_3.json @@ -25,7 +25,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_112.json b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_112.json new file mode 100644 index 00000000000..6c02e8a29f2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_112.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.", + "false_positives": [ + "Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace.admin-*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "source.ip", + "user.name", + "user.email", + "event.action", + "google_workspace.admin.org_unit.name", + "google_workspace.admin.setting.name", + "google_workspace.admin.old_value", + "google_workspace.admin.new_value" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Bitlocker Setting Disabled", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Bitlocker Setting Disabled\n\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\n\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\n\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\n\n### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Review `google_workspace.admin.org_unit.name`, `google_workspace.admin.setting.name`, and `google_workspace.admin.old_value` / `new_value` to confirm BitLocker was disabled and for which OU.\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\n- Review Admin and Device logs, filtering on the user email identified from the alert.\n- Confirm the policy change under `Devices` (Windows device management) or the relevant Chrome/Windows endpoint settings area for the affected OU.\n\n### False positive analysis\n\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "data_stream.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\"\n and google_workspace.admin.new_value:\"Disabled\" and google_workspace.admin.setting.name:BitLocker*\n", + "references": [ + "https://support.google.com/a/answer/9176657?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7caa8e60-2df0-11ed-b814-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain or Tenant Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/" + }, + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 112 + }, + "id": "7caa8e60-2df0-11ed-b814-f661ea17fbce_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7e2abdb3-c7b0-4e11-ba2f-6657602800a1_1.json b/packages/security_detection_engine/kibana/security_rule/7e2abdb3-c7b0-4e11-ba2f-6657602800a1_1.json new file mode 100644 index 00000000000..2517715f3fc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7e2abdb3-c7b0-4e11-ba2f-6657602800a1_1.json @@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Microsoft 365 user completing an OAuth device code grant (\"Cmsi:Cmsi\") from a non-compliant device for the first time within the rule's historical window, regardless of the requesting application or target resource. Device code phishing kits complete the full login (password and MFA) at the genuine Microsoft endpoint and harvest the resulting token by polling, so MFA does not stop them. Because the victim authorizes the flow in their own browser, the grant is frequently completed on a personal or attacker-controlled device that is not enrolled or compliant with the organization's device policies. A user appearing with this device code flow on a non-compliant device for the first time in the lookback window is a strong early indicator of device code phishing, and removing the application and target constraints catches grants against any first-party application, not just the Microsoft Authentication Broker.", + "false_positives": [ + "A user legitimately using the device code flow for the first time on a personal or otherwise non-compliant device, such as a smart TV, kiosk, IoT device, conference room device, or a personal laptop for a CLI or headless developer workflow. Review the source ASN, geolocation, application, and the user's device posture to confirm whether the activity is expected before escalating." + ], + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-o365.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "M365 Identity Device Code Grant by an Unusual User (Non-Compliant Device)", + "new_terms_fields": [ + "o365.audit.UserId" + ], + "note": "## Triage and analysis\n\n### Investigating M365 Identity Device Code Grant by an Unusual User (Non-Compliant Device)\n\nThis rule detects a user completing an OAuth device code grant (`Cmsi:Cmsi`) from a device reported as non-compliant in the Microsoft 365 unified audit log for the first time within the rule's historical window (defined by the new terms history setting), independent of the requesting application or target resource. A match means the user has not been seen in this flow during the lookback window, not necessarily that it has never happened. Device code phishing kits (for example Kali365, Storm-2372 tradecraft) drive the device code flow against the genuine Microsoft endpoint and poll the token endpoint in the background, so the victim satisfies MFA while the attacker harvests a fully MFA-satisfied token, typically completed from a personal or attacker-controlled device that is not enrolled or compliant.\n\n### Possible investigation steps\n\n- Review `o365.audit.UserId` to identify the impacted account and confirm whether the user expected to perform a device code sign-in.\n- Examine `o365.audit.DeviceProperties` to understand the device posture (compliance, management state, OS, browser) and whether the device is recognized for this user.\n- Confirm `o365.audit.ApplicationId` and `o365.audit.Target.ID` to identify the application and resource the grant was for. Authentication Broker (`29d9ed98-a469-4536-ade2-f981bc1d605e`) and developer tooling (Azure CLI, PowerShell) are commonly abused.\n- Inspect `source.as.number`, `source.as.organization.name`, `source.ip`, and `source.geo.*` and compare with the user's normal sign-in origins. Hosting, VPN, or datacenter providers are unusual for interactive user authentication.\n- Examine `user_agent.original` for automation or headless-browser patterns.\n- Pivot to `azure.signinlogs` for the corresponding `deviceCode` sign-in, conditional access decisions, and any concurrent non-interactive token-issuance legs from a different ASN (the kit's polling backend).\n- Pivot to `azure.graphactivitylogs` for follow-up Graph activity (`/me` recon, mailbox or file enumeration).\n- Check `azure.auditlogs` for subsequent device registration events on the user, which device code phishing kits use to establish Primary Refresh Token persistence.\n\n### False positive analysis\n\n- A legitimate first-time device code sign-in on a personal or non-compliant device.\n- Provisioning of input-constrained devices (smart TVs, kiosks, IoT, conference room devices).\n- CLI or headless developer workflows using the device code flow on an unmanaged device.\n- If a user or device combination is confirmed benign and recurring, suppress it via a rule exception rather than broadening the query.\n\n### Response and remediation\n\n- Contact the user to confirm whether they initiated the device code sign-in or may have entered a code presented on a phishing page.\n- If unauthorized, revoke all refresh tokens for the user and reset credentials to invalidate the harvested token.\n- Review and remove any unauthorized device registrations to cut off Primary Refresh Token persistence.\n- Review recent Microsoft Graph, Exchange, SharePoint, and Teams activity for the user for signs of recon or exfiltration.\n- Restrict device code authentication to only the users and applications that require it, and require compliant or hybrid-joined devices, via Conditional Access policies.\n- Educate users on device code phishing and the risk of entering codes presented by unsolicited documents or messages.\n", + "query": "event.dataset: \"o365.audit\"\n and o365.audit.ExtendedProperties.RequestType: \"Cmsi:Cmsi\"\n and o365.audit.Actor.Type: (0 or 2 or 3 or 5 or 10)\n and o365.audit.DeviceProperties.Value: \"False\"\n", + "references": [ + "https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/", + "https://arcticwolf.com/resources/blog/kali365-expands-into-aws-microsoft-okta-xerox-max-messenger/", + "https://www.ic3.gov/PSA/2026/PSA260521", + "https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/", + "https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Actor.Type", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.DeviceProperties.Value", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.ExtendedProperties.RequestType", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7e2abdb3-c7b0-4e11-ba2f-6657602800a1", + "setup": "#### Required Microsoft 365 Audit Logs\nThis rule requires the Microsoft 365 integration with unified audit logs (Azure AD / Entra sign-in events surfaced in the Microsoft 365 audit log) enabled and shipping to Elastic.\n", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: SaaS", + "Domain: Identity", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + }, + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "7e2abdb3-c7b0-4e11-ba2f-6657602800a1_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b_2.json b/packages/security_detection_engine/kibana/security_rule/7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b_2.json index 2150064af44..d5007a84242 100644 --- a/packages/security_detection_engine/kibana/security_rule/7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b_2.json +++ b/packages/security_detection_engine/kibana/security_rule/7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b_2.json @@ -19,7 +19,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/7efca3ad-a348-43b2-b544-c93a78a0ef92_108.json b/packages/security_detection_engine/kibana/security_rule/7efca3ad-a348-43b2-b544-c93a78a0ef92_108.json new file mode 100644 index 00000000000..0e353a77fe4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7efca3ad-a348-43b2-b544-c93a78a0ef92_108.json @@ -0,0 +1,150 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects sensitive security file access via common utilities on Linux systems. Adversaries may attempt to read from sensitive files using common utilities to gather information about the system and its security configuration.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Security File Access via Common Utilities", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Security File Access via Common Utilities\n\nIn Linux environments, common utilities like `cat`, `grep`, and `less` are essential for file manipulation and viewing. Adversaries exploit these tools to access sensitive security files, aiming to gather system and security configuration data. The detection rule identifies suspicious use of these utilities by monitoring process execution patterns and arguments, flagging attempts to access critical security files, thus helping to thwart potential reconnaissance activities.\n\n### Possible investigation steps\n\n- Review the process execution details to identify the specific utility used (e.g., cat, grep, less) and the exact file path accessed, as indicated by the process.name and process.args fields.\n- Check the user account associated with the process execution to determine if the access was performed by a legitimate user or a potentially compromised account.\n- Investigate the timing and frequency of the access attempt to assess whether it aligns with normal user behavior or indicates suspicious activity.\n- Correlate the alert with other security events or logs from the same host to identify any preceding or subsequent suspicious activities, such as unauthorized logins or privilege escalation attempts.\n- Examine the host's recent changes or updates to security configurations or user permissions that might explain the access attempt.\n- If possible, contact the user or system owner to verify whether the access was intentional and authorized, providing additional context for the investigation.\n\n### False positive analysis\n\n- System administrators or automated scripts may frequently access security files for legitimate maintenance or configuration purposes. To handle this, create exceptions for known administrative accounts or specific scripts that regularly perform these actions.\n- Security monitoring tools or compliance checks might trigger the rule when scanning security files. Identify these tools and exclude their processes from the rule to prevent unnecessary alerts.\n- Backup processes that involve copying or reading security files can be mistaken for suspicious activity. Exclude backup software processes or scheduled tasks that are known to perform these operations.\n- Developers or DevOps personnel accessing configuration files for application deployment or troubleshooting might trigger the rule. Establish a list of trusted users or roles and exclude their access patterns from detection.\n- Regular system updates or package management operations may involve accessing security-related files. Recognize these update processes and exclude them to avoid false positives during routine maintenance.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any suspicious processes identified by the detection rule to halt potential reconnaissance activities.\n- Conduct a thorough review of the accessed files to determine if any sensitive information was exposed or altered.\n- Change credentials and access tokens for any compromised accounts, especially those related to AWS, GCP, or Azure, to prevent unauthorized access.\n- Implement stricter access controls and permissions on sensitive security files to limit exposure to only necessary users and processes.\n- Escalate the incident to the security operations team for further investigation and to assess the potential impact on the broader network.\n- Enhance monitoring and logging for similar activities to improve detection and response times for future incidents.", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\") and\nprocess.name in (\"cat\", \"less\", \"more\", \"strings\", \"find\", \"xargs\") and\nprocess.parent.executable != null and \nprocess.args like (\n \"/etc/security/*\", \"/etc/pam.d/*\", \"/etc/login.defs\", \"/lib/security/*\", \"/lib64/security/*\",\n \"/usr/lib/security/*\", \"/usr/lib64/security/*\", \"/usr/lib/x86_64-linux-gnu/security/*\",\n \"/home/*/.aws/credentials\", \"/home/*/.aws/config\", \"/home/*/.config/gcloud/*credentials.json\",\n \"/home/*/.config/gcloud/configurations/config_default\", \"/home/*/.azure/accessTokens.json\",\n \"/home/*/.azure/azureProfile.json\"\n) and not (\n process.parent.name in (\"wazuh-modulesd\", \"lynis\") or\n process.command_line in (\"cat /etc/login.defs\" , \"cat /home/asterisk/.aws/credentials\") or\n ?process.parent.command_line in (\n \"/bin/sh /usr/sbin/lynis audit system --cronjob\",\n \"/usr/bin/find -L /etc/security/limits.conf /etc/security/limits.d -type f -exec /usr/bin/cat {} ;\",\n \"/usr/bin/find /etc/security/limits.conf /etc/security/limits.d -type f -exec /usr/bin/cat {} ;\"\n ) or\n ?process.parent.args in (\"/opt/imperva/ragent/bin/get_sys_resources.sh\", \"/usr/sbin/lynis\", \"./terra_linux.sh\") or\n process.args == \"/usr/bin/coreutils\" or\n (process.parent.name == \"pwsh\" and process.parent.command_line like \"*Evaluate-STIG*\") or\n ?process.parent.executable like (\n \"/usr/sap/audit_scripts/auto_audit_gral.sh\", \"/opt/saltstack/salt/bin/python3*\", \"/opt/puppetlabs/puppet/bin/ruby\"\n ) or\n ?process.entry_leader.executable like (\n \"/usr/sbin/ScanAssistant\", \"/opt/Tanium/TaniumClient/TaniumClient\", \"/tmp/CVU_*resource/exectask\", \"/opt/nessus/sbin/nessus-service\"\n )\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.entry_leader.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7efca3ad-a348-43b2-b544-c93a78a0ef92", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1083", + "name": "File and Directory Discovery", + "reference": "https://attack.mitre.org/techniques/T1083/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.001", + "name": "Credentials In Files", + "reference": "https://attack.mitre.org/techniques/T1552/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "7efca3ad-a348-43b2-b544-c93a78a0ef92_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/80aa6cca-b343-457b-877e-5877cd71a1f8_1.json b/packages/security_detection_engine/kibana/security_rule/80aa6cca-b343-457b-877e-5877cd71a1f8_1.json new file mode 100644 index 00000000000..10993df9209 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/80aa6cca-b343-457b-877e-5877cd71a1f8_1.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "alert_suppression": { + "duration": { + "unit": "m", + "value": 5 + }, + "group_by": [ + "user.id", + "azure.tenant_id" + ], + "missing_fields_strategy": "suppress" + }, + "author": [ + "Elastic" + ], + "description": "Detects an Azure AD Graph (graph.windows.net) burst from a user-agent identifying as \"aiohttp\" (the default HTTP library used by ROADrecon's \"gather\" command) where a single calling identity issues many requests in a short window. ROADrecon walks every interesting directory object type via aiohttp, producing a large volume of requests from one user / source IP / UA triple. The combination of \"aiohttp\" UA with a burst threshold is a structural ROADrecon signature; legitimate first-party Microsoft components do not identify as aiohttp.", + "false_positives": [ + "Developer activity using aiohttp against AAD Graph for prototyping. Rare in production tenants and typically low-volume; the burst threshold limits exposure.", + "Authorized red team activity exercising ROADrecon. Document the engagement window and add exceptions on the source IP or calling user." + ], + "from": "now-9m", + "investigation_fields": { + "field_names": [ + "user.id", + "azure.tenant_id" + ] + }, + "language": "esql", + "license": "Elastic License v2", + "name": "Azure AD Graph Potential Enumeration (ROADrecon)", + "note": "## Triage and analysis\n\n### Investigating Azure AD Graph Potential Enumeration (ROADrecon)\n\nThis is an ES|QL aggregation rule. Alert documents contain summarized fields per burst window: the calling identity, the tenant, and a one-minute bucket. The alert itself is the signal that something resembling ROADrecon's `gather` walk happened against AAD Graph; the actual investigation happens against the raw `logs-azure.aadgraphactivitylogs-*` events for the same identity and window.\n\n### Possible investigation steps\n\n- Confirm the burst by filtering raw AAD Graph activity for the alerting user, tenant, and time window.\n - Filter `logs-azure.aadgraphactivitylogs-*` on the alerting user, tenant, and burst window.\n - ROADrecon's full `gather` walks ~16 directory collections; five or more in a single minute is the structural fingerprint.\n- Tool fingerprint: aiohttp UA plus the hardcoded internal API version.\n - `user_agent.original` contains `aiohttp`.\n - `api_version = 1.61-internal` (hardcoded in `gather.py`, returns internal-only fields like `strongAuthenticationDetail`).\n - No first-party Microsoft component identifies as aiohttp or pins `1.61-internal`.\n- Calling client + auth method: the typical device-code-flow ROADrecon entrypoint.\n - ROADrecon is usually pointed at the Azure CLI client (`04b07795-\u2026`) via the `-c` flag.\n - Uses a public-client auth method (no client secret or certificate).\n- HTTP shape distinguishes enumeration from operator follow-on.\n - `gather` reads only, so GETs dominate.\n - A 403/404 tail indicates the identity probing endpoints it lacks permission for.\n - PATCH / POST / DELETE in the same burst means the operator did more than enumerate.\n- Source posture: residential ISP, generic VPS, or anonymising-network egress raises triage priority.\n- Pivot to sign-in logs (`logs-azure.signinlogs-*`) via the sign-in correlation ID on each AAD Graph event to land on the originating token-mint.\n- Pivot to audit logs (`logs-azure.auditlogs-*`) for any directory writes by the same user near the burst that suggest persistence or modification activity.\n- Confirm the activity is not attributable to authorized testing before treating as malicious.\n - Check for red team engagement, penetration test, or internal tooling validation.\n - Validate against the engagement window and the operator's known source range.\n\n### Response and remediation\n\n- Enumerate device registrations created by the user during or around the burst window.\n - `GET /v1.0/users/{id}/registeredDevices` and `GET /v1.0/users/{id}/ownedDevices`.\n - De-register anything not attributable to a known endpoint via `DELETE /v1.0/devices/{deviceObjectId}`.\n - Do this BEFORE session revocation: device-bound PRTs survive `revokeSignInSessions`.\n- Revoke refresh tokens and active sessions for the calling user.\n - `POST /v1.0/users/{id}/revokeSignInSessions`.\n- Temporarily disable the user if the alert is high-confidence or you need to halt further activity while investigation continues.\n - `PATCH /v1.0/users/{id}` with body `{\"accountEnabled\": false}`.\n- Audit OAuth grants and app role assignments the user holds; revoke anything minted from a kit-egress or otherwise suspicious source.\n - `GET /v1.0/oauth2PermissionGrants?$filter=principalId eq '{id}'`, revoke via `DELETE /v1.0/oauth2PermissionGrants/{grantId}`.\n - `GET /v1.0/users/{id}/appRoleAssignments`, revoke via `DELETE /v1.0/servicePrincipals/{spId}/appRoleAssignedTo/{assignmentId}`.\n- Reset the user's password and audit authentication methods added during the window.\n - `GET /v1.0/users/{id}/authentication/methods` to list.\n - Remove anything unexpected via the method-type-specific endpoint.\n- Audit directory writes by the user near the burst and roll back unauthorized changes.\n - Query `logs-azure.auditlogs-*` for `Register device`, `Update user`, `User registered security info`, role assignment activity by the same user in the window.\n- If the calling application has no legitimate AAD Graph dependency, block further use by that app.\n - `PATCH /beta/applications/{id}` with body `{\"authenticationBehaviors\": {\"blockAzureADGraphAccess\": true}}`.\n - This property lives on the Graph beta endpoint, not v1.0.\n", + "query": "from logs-azure.aadgraphactivitylogs-* metadata _id, _version, _index\n\n| where data_stream.dataset == \"azure.aadgraphactivitylogs\"\n and to_lower(user_agent.original) like \"*aiohttp*\"\n\n| eval Esql.target_endpoints = case(\n url.path like \"*/eligibleRoleAssignments*\", \"eligibleRoleAssignments\",\n url.path like \"*/roleAssignments*\", \"roleAssignments\",\n url.path like \"*/users*\", \"users\",\n url.path like \"*/groups*\", \"groups\",\n url.path like \"*/servicePrincipals*\", \"servicePrincipals\",\n url.path like \"*/applications*\", \"applications\",\n url.path like \"*/devices*\", \"devices\",\n url.path like \"*/directoryRoles*\", \"directoryRoles\",\n url.path like \"*/roleDefinitions*\", \"roleDefinitions\",\n url.path like \"*/administrativeUnits*\", \"administrativeUnits\",\n url.path like \"*/contacts*\", \"contacts\",\n url.path like \"*/oauth2PermissionGrants*\", \"oauth2PermissionGrants\",\n url.path like \"*/authorizationPolicy*\", \"authorizationPolicy\",\n url.path like \"*/settings*\", \"settings\",\n url.path like \"*/policies*\", \"policies\",\n url.path like \"*/tenantDetails*\", \"tenantDetails\",\n \"other\"\n )\n| where Esql.target_endpoints != \"other\"\n\n| eval Esql.time_window = date_trunc(1 minutes, @timestamp)\n\n| stats\n Esql.request_count = count(*),\n Esql.distinct_endpoints = count_distinct(Esql.target_endpoints),\n Esql.api_versions = values(azure.aadgraphactivitylogs.properties.api_version),\n Esql.app_ids = values(azure.aadgraphactivitylogs.properties.app_id),\n Esql.user_agent = values(user_agent.original),\n Esql.http_methods = values(http.request.method),\n Esql.status_codes = values(http.response.status_code),\n Esql.source_ips = values(source.ip),\n Esql.source_asn_orgs = values(source.`as`.organization.name),\n Esql.source_countries = values(source.geo.country_name),\n Esql.actor_types = values(azure.aadgraphactivitylogs.properties.actor_type),\n Esql.client_auth_methods = values(azure.aadgraphactivitylogs.properties.client_auth_method),\n Esql.session_ids = values(azure.aadgraphactivitylogs.properties.session_id),\n Esql.sign_in_activity_ids = values(azure.aadgraphactivitylogs.properties.sign_in_activity_id),\n Esql.scopes = values(azure.aadgraphactivitylogs.properties.scopes),\n Esql.first_seen = min(@timestamp),\n Esql.last_seen = max(@timestamp)\n by\n user.id,\n azure.tenant_id,\n Esql.time_window\n\n| where Esql.distinct_endpoints >= 5\n\n| keep\n user.id,\n azure.tenant_id,\n Esql.*\n", + "references": [ + "https://github.com/dirkjanm/ROADtools", + "https://github.com/dirkjanm/ROADtools/blob/master/roadrecon/roadtools/roadrecon/gather.py", + "https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview" + ], + "related_integrations": [], + "required_fields": [ + { + "ecs": false, + "name": "azure.tenant_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "80aa6cca-b343-457b-877e-5877cd71a1f8", + "setup": "#### Azure AD Graph Activity Logs\nRequires Azure AD Graph Activity Logs ingested into `logs-azure.aadgraphactivitylogs-*` via the Elastic Azure integration. Enable the `AzureADGraphActivityLogs` diagnostic-settings category on Entra ID.\n", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Azure AD Graph", + "Data Source: Azure AD Graph Activity Logs", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.003", + "name": "Cloud Groups", + "reference": "https://attack.mitre.org/techniques/T1069/003/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.004", + "name": "Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1087/004/" + } + ] + }, + { + "id": "T1526", + "name": "Cloud Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1526/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "80aa6cca-b343-457b-877e-5877cd71a1f8_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/80d7f4ef-c3b6-4466-80f4-805bdd10507d_1.json b/packages/security_detection_engine/kibana/security_rule/80d7f4ef-c3b6-4466-80f4-805bdd10507d_1.json new file mode 100644 index 00000000000..a1a9f01f69f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/80d7f4ef-c3b6-4466-80f4-805bdd10507d_1.json @@ -0,0 +1,157 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a recently dropped or modified javaw.exe process started from a user-writable path to run a JAR or Java classpath application, followed by a DNS lookup. Adversaries may drop Java payloads into user directories and execute them immediately to establish command and control while evading application control focused on native Windows binaries.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "host.id", + "user.id", + "process.entity_id", + "process.executable", + "process.parent.executable" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "Java Dropped and Executed With DNS Lookup", + "note": "## Triage and analysis\n\n### Investigating Java Dropped and Executed With DNS Lookup\n\nThis rule correlates a recently created or modified `javaw.exe` launch from `Users`, `ProgramData`, or `Windows\\Temp` with an immediate\nDNS lookup from the same process. Attackers often drop JAR-based payloads to user-writable locations and invoke them\nwith `-jar` or `-cp`/`-classpath` to blend in with legitimate Java usage while reaching out to command and control\ninfrastructure.\n\n#### Possible investigation steps\n\n- Review `process.executable`, `process.command_line`, and `process.args` to identify the JAR or classpath target and\n whether the path is user-writable or unexpected for the host role.\n- Inspect `process.Ext.relative_file_creation_time` and `process.Ext.relative_file_name_modify_time` to confirm the\n binary or payload was staged immediately before execution.\n- Examine the parent process tree for download, archive extraction, or script activity that may have dropped the JAR\n or `javaw.exe`.\n- Pivot on the DNS event for `dns.question.name`, `dns.resolved_ip`, and any follow-on connection attempts from the\n same `process.entity_id`.\n- Check code signature details for `javaw.exe` and any referenced JAR files when file telemetry is available.\n- Hunt for the same JAR hash, command line, or queried domain on other hosts.\n\n### False positive analysis\n\n- Developer workflows, local Java applications, and enterprise tools may run freshly updated JARs from user profiles or\n `ProgramData`. Validate the JAR path, signer, parent process, and queried domain against known software before\n closing as benign.\n- Some installers or updaters drop a private JRE under `ProgramData` and launch JAR utilities during setup. Confirm the\n activity aligns with a known deployment or update window.\n\n### Response and remediation\n\n- Isolate the host if the JAR, domain, or parent activity appears malicious.\n- Quarantine the dropped JAR, related Java runtime files, and any staging artifacts identified in the process tree.\n- Block malicious domains or IPs at DNS and network enforcement points.\n- Reset credentials for accounts active on the host during the suspicious session if follow-on activity is observed.", + "query": "sequence by process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500) and\n (process.name : \"javaw.exe\" or process.pe.original_file_name == \"javaw.exe\") and process.executable : (\"?:\\\\Users\\\\*\", \"?:\\\\ProgramData\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\") and user.id != \"S-1-5-18\" and\n (\n (process.args_count == 3 and process.args : \"-jar\") or\n (process.args_count == 4 and process.args : (\"-cp\", \"-classpath\") and process.command_line : \" *.* \")\n )]\n [network where host.os.type == \"windows\" and event.action: \"lookup_requested\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.relative_file_creation_time", + "type": "unknown" + }, + { + "ecs": false, + "name": "process.Ext.relative_file_name_modify_time", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "80d7f4ef-c3b6-4466-80f4-805bdd10507d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + }, + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "80d7f4ef-c3b6-4466-80f4-805bdd10507d_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1db198-da6f-4500-b985-7fe2457300af_6.json b/packages/security_detection_engine/kibana/security_rule/8a1db198-da6f-4500-b985-7fe2457300af_6.json index 1fa5942c2fd..9a7f6fc6d87 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a1db198-da6f-4500-b985-7fe2457300af_6.json +++ b/packages/security_detection_engine/kibana/security_rule/8a1db198-da6f-4500-b985-7fe2457300af_6.json @@ -21,7 +21,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_10.json b/packages/security_detection_engine/kibana/security_rule/8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_10.json deleted file mode 100644 index ab74b25bb66..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_10.json +++ /dev/null @@ -1,173 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects potential command execution from a web server parent process on a Linux host. Adversaries may attempt to execute commands from a web server parent process to blend in with normal web server activity and evade detection. This behavior is commonly observed in web shell attacks where adversaries exploit web server vulnerabilities to execute arbitrary commands on the host. The detection rule identifies unusual command execution from web server parent processes, which may indicate a compromised host or an ongoing attack. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.", - "from": "now-61m", - "interval": "1h", - "language": "esql", - "license": "Elastic License v2", - "name": "Unusual Command Execution from Web Server Parent", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Command Execution from Web Server Parent\n\nWeb servers, such as Apache or Nginx, are crucial for hosting web applications, often running on Linux systems. Adversaries exploit vulnerabilities in these servers to execute arbitrary commands, typically through web shells, blending malicious activity with legitimate server processes. The detection rule identifies suspicious command executions originating from web server processes, focusing on unusual patterns and contexts, such as unexpected working directories or command structures, to flag potential compromises.\n\n### Possible investigation steps\n\n- Review the process.command_line field to understand the specific command executed and assess its legitimacy or potential malicious intent.\n- Examine the process.working_directory to determine if the command was executed from an unusual or suspicious directory, which could indicate a compromise.\n- Check the process.parent.executable and process.parent.name fields to identify the parent process and verify if it is a known web server or related service that could be exploited.\n- Investigate the user.name and user.id fields to confirm if the command was executed by a legitimate user or service account, or if it was potentially executed by an unauthorized user.\n- Correlate the @timestamp with other logs and events to identify any related activities or anomalies occurring around the same time, which could provide additional context or evidence of an attack.\n- Assess the agent.id to determine if the alert is isolated to a single host or if similar activities are observed across multiple hosts, indicating a broader issue.\n\n### False positive analysis\n\n- Web development or testing environments may frequently execute commands from web server processes. To handle this, exclude specific working directories like /var/www/dev or /var/www/test from the rule.\n- Automated scripts or cron jobs running under web server user accounts can trigger alerts. Identify these scripts and add exceptions for their specific command lines or user IDs.\n- Legitimate administrative tasks performed by web server administrators might appear suspicious. Document these tasks and exclude their associated command lines or parent executables.\n- Continuous integration or deployment processes that involve web server interactions can be mistaken for threats. Exclude known CI/CD tool command lines or working directories from the rule.\n- Monitoring or logging tools that interact with web server processes may generate false positives. Identify these tools and exclude their specific process names or parent executables.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further malicious activity and lateral movement within the network. This can be done by removing the host from the network or applying network segmentation.\n\n- Terminate any suspicious processes identified by the detection rule, especially those originating from web server parent processes executing shell commands. Use process IDs and command lines from the alert to target specific processes.\n\n- Conduct a thorough review of the web server logs and application logs to identify any unauthorized access or modifications. Look for patterns that match the command execution detected and any other anomalies.\n\n- Patch the web server and any associated applications to address known vulnerabilities that may have been exploited. Ensure that all software is up to date with the latest security patches.\n\n- Restore the affected system from a known good backup if any unauthorized changes or persistent threats are detected. Ensure that the backup is free from compromise before restoration.\n\n- Implement additional monitoring and alerting for similar activities, focusing on unusual command executions and web server behavior. Enhance logging and alerting to capture more detailed information about process executions and network connections.\n\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the attack is part of a larger campaign. Provide them with all relevant data and findings from the initial containment and remediation steps.\n", - "query": "from logs-endpoint.events.process-* metadata _id, _index, _version\n| mv_expand event.action\n| where\n host.os.type == \"linux\" and\n event.type == \"start\" and\n event.action == \"exec\" and (\n (\n process.parent.name in (\n \"apache\", \"nginx\", \"apache2\", \"httpd\", \"lighttpd\", \"caddy\", \"mongrel_rails\", \"gunicorn\",\n \"uwsgi\", \"openresty\", \"cherokee\", \"h2o\", \"resin\", \"puma\", \"unicorn\", \"traefik\", \"tornado\", \"hypercorn\",\n \"daphne\", \"twistd\", \"yaws\", \"webfsd\", \"httpd.worker\", \"flask\", \"rails\", \"mongrel\", \"php-cgi\",\n \"php-fcgi\", \"php-cgi.cagefs\", \"catalina.sh\", \"hiawatha\", \"lswsctrl\"\n ) or\n process.parent.name like \"php-fpm*\" or\n user.name in (\"apache\", \"www-data\", \"httpd\", \"nginx\", \"lighttpd\", \"tomcat\", \"tomcat8\", \"tomcat9\") or\n user.id in (\"33\", \"498\", \"48\") or\n (process.parent.name == \"java\" and process.parent.working_directory like \"/u0?/*\") or\n process.parent.working_directory like \"/var/www/*\"\n )\n ) and\n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and\n process.command_line like \"* -c *\" and not (\n process.working_directory like \"/home/*\" or\n process.working_directory == \"/\" or\n process.working_directory like \"/vscode/vscode-server/*\" or\n process.parent.executable like \"/vscode/vscode-server/*\" or\n process.parent.executable == \"/usr/bin/xfce4-terminal\"\n )\n\n| keep\n @timestamp,\n _id,\n _index,\n _version,\n host.os.type,\n event.type,\n event.action,\n process.parent.name,\n user.name,\n user.id,\n process.working_directory,\n process.parent.working_directory,\n process.name,\n process.executable,\n process.command_line,\n process.parent.executable,\n agent.id,\n host.name,\n event.dataset,\n data_stream.namespace\n\n| stats\n Esql.event_count = count(),\n Esql.agent_id_count_distinct = count_distinct(agent.id),\n Esql.host_name_values = values(host.name),\n Esql.agent_id_values = values(agent.id),\n Esql.event_dataset_values = values(event.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace)\n\n by process.command_line, process.working_directory, process.parent.executable\n\n| where\n Esql.agent_id_count_distinct == 1 and\n Esql.event_count < 5\n| sort Esql.event_count asc\n\n// Extract unique values to ECS fields for alerts exclusion\n| eval agent.id = mv_min(Esql.agent_id_values),\n host.name = mv_min(Esql.host_name_values)\n\n| keep agent.id, host.name, process.command_line, process.working_directory, process.parent.executable, Esql.*\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.agent_id_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.agent_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.data_stream_namespace_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.event_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.event_dataset_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.host_name_values", - "type": "keyword" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 10 - }, - "id": "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_10", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_111.json b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_111.json new file mode 100644 index 00000000000..c050bc736e8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_111.json @@ -0,0 +1,157 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", + "false_positives": [ + "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." + ], + "from": "now-9m", + "index": [ + "logs-network_traffic.*", + "logs-panw.panos*", + "logs-pfsense.log-*", + "logs-zeek.*", + "logs-corelight.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "RDP (Remote Desktop Protocol) from the Internet", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating RDP (Remote Desktop Protocol) from the Internet\n\nRDP allows administrators to remotely manage systems, but exposing it to the internet poses security risks. Adversaries exploit RDP for unauthorized access, often using it as an entry point for attacks. The detection rule identifies suspicious RDP traffic by monitoring TCP connections on port 3389 from external IPs, flagging potential threats for further investigation.\n\n### Possible investigation steps\n\n- Review the source IP address flagged in the alert to determine if it is known or associated with any previous malicious activity. Check threat intelligence sources for any reported malicious behavior.\n- Analyze the destination IP address to confirm it belongs to your internal network (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) and identify the specific system targeted by the RDP connection.\n- Examine network logs for any unusual or unexpected RDP traffic patterns from the source IP, such as repeated connection attempts or connections at odd hours, which may indicate brute force attempts or unauthorized access.\n- Check for any recent changes or updates to firewall rules or security policies that might have inadvertently exposed RDP to the internet.\n- Investigate the user accounts involved in the RDP session to ensure they are legitimate and have not been compromised. Look for any signs of unauthorized access or privilege escalation.\n- Correlate the RDP traffic with other security events or alerts to identify any potential lateral movement or further malicious activity within the network.\n\n### False positive analysis\n\n- Internal testing or maintenance activities may trigger the rule if RDP is temporarily exposed to the internet. To manage this, create exceptions for known internal IP addresses or scheduled maintenance windows.\n- Legitimate third-party vendors or partners accessing systems via RDP for support purposes can be mistaken for threats. Establish a list of trusted external IP addresses and exclude them from the rule.\n- Misconfigured network devices or security tools might inadvertently expose RDP to the internet, leading to false positives. Regularly audit network configurations and update the rule to exclude known benign sources.\n- Cloud-based services or remote work solutions that use RDP over the internet can be flagged. Identify and whitelist these services' IP ranges to prevent unnecessary alerts.\n\n### Response and remediation\n\n- Immediately block the external IP address identified in the alert from accessing the network to prevent further unauthorized RDP connections.\n- Isolate the affected system from the network to contain any potential compromise and prevent lateral movement by the threat actor.\n- Conduct a thorough review of the affected system for signs of compromise, such as unauthorized user accounts, changes in system configurations, or the presence of malware.\n- Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.\n- Apply security patches and updates to the affected system and any other systems with RDP enabled to mitigate known vulnerabilities.\n- Implement network segmentation to restrict RDP access to only trusted internal IP addresses and consider using a VPN for secure remote access.\n- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.", + "query": "(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:3389 or data_stream.dataset:zeek.rdp) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "panw", + "version": "^5.0.0" + }, + { + "package": "pfsense", + "version": "^1.0.0" + }, + { + "package": "corelight", + "version": "^1.0.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + }, + { + "package": "zeek", + "version": "^5.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", + "severity": "medium", + "tags": [ + "Tactic: Command and Control", + "Tactic: Lateral Movement", + "Tactic: Initial Access", + "Domain: Endpoint", + "Use Case: Threat Detection", + "Data Source: Corelight", + "Data Source: PAN-OS", + "Data Source: Network Traffic", + "Data Source: pfSense", + "Data Source: Zeek", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + }, + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", + "timeline_title": "Comprehensive Network Timeline", + "timestamp_override": "event.ingested", + "type": "query", + "version": 111 + }, + "id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cbc7793-9ce4-4b7d-9c20-a30afbde2a05_1.json b/packages/security_detection_engine/kibana/security_rule/8cbc7793-9ce4-4b7d-9c20-a30afbde2a05_1.json new file mode 100644 index 00000000000..2e7aba7b62f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8cbc7793-9ce4-4b7d-9c20-a30afbde2a05_1.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects an unusually high ratio of 4xx HTTP responses from Azure AD Graph (graph.windows.net) per calling identity in a short window. Post-identity compromise leading to recon often leaves a tail of 403s and 404s as tooling walks endpoints it does not have permission for, asks for object IDs it does not have, or uses an OAuth client that has been pulled off the AAD Graph allow-list. Surges or an unexpected ratio of 4xx responses concentrated on a single (user and ASN) pair are characteristic of automated tooling rather than human or first-party traffic.", + "false_positives": [ + "Legitimate first-party clients occasionally hit 4xx responses as part of conditional access flows, transient permission changes, or stale token retries. Tune the threshold for your tenant baseline.", + "Authorized red team activity. Document and add exceptions on the user, app ID, or source IP.", + "Legacy tooling may still be using AAD Graph. Validate and add exceptions on the calling app ID after review." + ], + "from": "now-8h", + "interval": "1h", + "investigation_fields": { + "field_names": [ + "user.id", + "user_agent.original" + ] + }, + "language": "esql", + "license": "Elastic License v2", + "name": "Azure AD Graph High 4xx Error Ratio from User", + "note": "## Triage and analysis\n\n### Investigating Azure AD Graph High 4xx Error Ratio from User\n\nA high 4xx rate on AAD Graph from a single calling identity is consistent with automated permission probing,\nrecon against endpoints the caller is not authorized for, or a token whose client has been blocked from AAD\nGraph. The pattern is structurally distinct from sparse 4xx in first-party traffic.\n\n### Possible investigation steps\n\n- Confirm the surge volume and ratio.\n - Review `Esql.error_rate` (4xx as a fraction of total) and `Esql.total_calls` to assess the magnitude.\n- Identify the caller and calling client.\n - `user.id` for the calling identity, `source.ip` for the egress, and `Esql.app_ids` (from `azure.aadgraphactivitylogs.properties.app_id`) for the OAuth client.\n- Review which endpoints produced the errors.\n - `Esql.sample_paths` captures the distinct `url.path` values that 4xx'd.\n- Correlate with successful calls from the same user / source to understand what reached AAD Graph.\n- Pivot to sign-in logs (`logs-azure.signinlogs-*`) for the same user / source for token-mint context.\n- Confirm the activity is not attributable to authorized testing (red team engagement, penetration test, internal tooling validation) before treating as malicious.\n\n### Response and remediation\n\n- Revoke refresh tokens and active sessions for the calling user if the surge indicates unauthorized recon.\n - `POST /v1.0/users/{id}/revokeSignInSessions`.\n- Temporarily disable the user if the alert is high-confidence or you need to halt activity while investigation continues.\n - `PATCH /v1.0/users/{id}` with body `{\"accountEnabled\": false}`.\n- If the calling application has no legitimate AAD Graph dependency, block further use by that app.\n - `PATCH /beta/applications/{id}` with body `{\"authenticationBehaviors\": {\"blockAzureADGraphAccess\": true}}`.\n - This property lives on the Graph beta endpoint, not v1.0.\n- Apply Conditional Access targeting the AAD Graph audience for the affected user population.\n", + "query": "from logs-azure.aadgraphactivitylogs-* metadata _id, _version, _index\n\n| where data_stream.dataset == \"azure.aadgraphactivitylogs\"\n| eval Esql.is_4xx = case(\n http.response.status_code >= 400 and\n http.response.status_code < 500, 1, 0\n )\n| eval Esql.time_window = date_trunc(2 minutes, @timestamp)\n| stats\n Esql.total_calls = count(*),\n Esql.azure_tenants = values(azure.tenant_id),\n Esql.errors = sum(Esql.is_4xx),\n Esql.url_path_count = count_distinct(url.path),\n Esql.api_versions = values(azure.aadgraphactivitylogs.properties.api_version),\n Esql.app_ids = values(azure.aadgraphactivitylogs.properties.app_id),\n Esql.source_ips = values(source.ip),\n Esql.source_asn_name = values(source.as.organization.name),\n Esql.user_agents = values(user_agent.original),\n Esql.first_seen = min(@timestamp),\n Esql.last_seen = max(@timestamp)\n by\n user.id,\n source.as.number,\n Esql.time_window\n| eval Esql.error_rate = round(Esql.errors * 1.0 / Esql.total_calls, 2)\n| where \n Esql.total_calls > 20 and Esql.errors >= 10 and\n Esql.error_rate >= 0.4 and Esql.url_path_count >= 15\n| keep\n user.id,\n source.as.number,\n Esql.*\n", + "references": [ + "https://github.com/dirkjanm/ROADtools", + "https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview", + "https://aadinternals.com/" + ], + "related_integrations": [], + "required_fields": [ + { + "ecs": true, + "name": "source.as.number", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8cbc7793-9ce4-4b7d-9c20-a30afbde2a05", + "setup": "#### Azure AD Graph Activity Logs\nRequires Azure AD Graph Activity Logs ingested into `logs-azure.aadgraphactivitylogs-*` via the Elastic Azure\nintegration. Enable the `AzureADGraphActivityLogs` diagnostic-settings category on Entra ID.\n", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Azure AD Graph", + "Data Source: Azure AD Graph Activity Logs", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.004", + "name": "Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1087/004/" + } + ] + }, + { + "id": "T1526", + "name": "Cloud Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1526/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "8cbc7793-9ce4-4b7d-9c20-a30afbde2a05_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8e66c55f-8db6-4e3e-bf4f-3a3e242bdf66_1.json b/packages/security_detection_engine/kibana/security_rule/8e66c55f-8db6-4e3e-bf4f-3a3e242bdf66_1.json index d4bd2357192..2feb7440cf1 100644 --- a/packages/security_detection_engine/kibana/security_rule/8e66c55f-8db6-4e3e-bf4f-3a3e242bdf66_1.json +++ b/packages/security_detection_engine/kibana/security_rule/8e66c55f-8db6-4e3e-bf4f-3a3e242bdf66_1.json @@ -15,8 +15,9 @@ "query": "from logs-azure.graphactivitylogs-* metadata _id, _version, _index\n\n// Graph calls via delegated user tokens (any status, any method)\n| where event.dataset == \"azure.graphactivitylogs\"\n and azure.graphactivitylogs.properties.c_idtyp == \"user\"\n and azure.graphactivitylogs.properties.client_auth_method == 0\n\n// high-value recon endpoints by url.path\n| eval Esql.is_role_enum = case(\n url.path like \"*roleManagement/directory*\"\n or url.path like \"*memberOf/microsoft.graph.directoryRole*\"\n or url.path like \"*transitiveRoleAssignments*\",\n true,\n false\n )\n| eval Esql.is_cross_tenant_enum = case(\n url.path like \"*tenantRelationships*\"\n or url.path like \"*getResourceTenants*\",\n true,\n false\n )\n| eval Esql.is_mailbox_recon = case(\n url.path like \"*mailboxSettings*\"\n or url.path like \"*mailFolders*\"\n or url.path like \"*messages*\"\n or url.path like \"*inbox*\",\n true,\n false\n )\n| eval Esql.is_contact_harvest = case(\n url.path like \"*contacts*\"\n or url.path like \"*contactFolders*\",\n true,\n false\n )\n| eval Esql.is_org_recon = case(\n url.path like \"*subscribedSkus*\"\n or url.path like \"*appRoleAssign*\"\n or (\n url.path like \"*/organization*\"\n and not url.path like \"*branding*\"\n and not url.path like \"*localizations*\"\n ),\n true,\n false\n )\n\n// Combine: is this request hitting a high-value endpoint?\n| eval Esql.is_high_value = case(\n Esql.is_role_enum or Esql.is_cross_tenant_enum or Esql.is_mailbox_recon\n or Esql.is_contact_harvest or Esql.is_org_recon,\n true,\n false\n )\n| where Esql.is_high_value == true\n\n// Classify each hit into a recon category\n| eval Esql.recon_category = case(\n Esql.is_role_enum, \"role_discovery\",\n Esql.is_cross_tenant_enum, \"cross_tenant_recon\",\n Esql.is_mailbox_recon, \"mailbox_recon\",\n Esql.is_contact_harvest, \"contact_harvesting\",\n Esql.is_org_recon, \"org_and_licensing_recon\",\n \"other\"\n )\n\n// Flag failed requests (recon that errored is still recon)\n| eval Esql.is_failed_request = case(\n http.response.status_code >= 400, true, false\n )\n\n// Aggregate per user + session + source IP\n| stats\n Esql.total_high_value_calls = count(*),\n Esql.distinct_categories = count_distinct(Esql.recon_category),\n Esql.distinct_paths = count_distinct(url.path),\n Esql.failed_calls = sum(case(Esql.is_failed_request, 1, 0)),\n Esql.categories = values(Esql.recon_category),\n Esql.sample_paths = values(url.path),\n Esql.http_methods = values(http.request.method),\n Esql.status_codes = values(http.response.status_code),\n Esql.first_seen = min(@timestamp),\n Esql.last_seen = max(@timestamp),\n Esql.user_agents = values(user_agent.original),\n Esql.app_ids = values(azure.graphactivitylogs.properties.app_id)\n by\n azure.graphactivitylogs.properties.user_principal_object_id,\n source.ip,\n source.`as`.organization.name,\n source.`as`.number,\n azure.graphactivitylogs.properties.c_sid,\n azure.tenant_id\n\n// Threshold: 3+ distinct recon categories \n| where Esql.distinct_categories >= 4 and Esql.total_high_value_calls >= 20\n\n// Burst duration in seconds\n| eval Esql.burst_duration_seconds = date_diff(\"seconds\", Esql.first_seen, Esql.last_seen)\n| where Esql.burst_duration_seconds <= 60\n\n| keep\n azure.graphactivitylogs.properties.user_principal_object_id,\n azure.graphactivitylogs.properties.c_sid,\n azure.tenant_id,\n source.ip,\n source.`as`.organization.name,\n source.`as`.number,\n Esql.*\n", "related_integrations": [ { + "integration": "graphactivitylogs", "package": "azure", - "version": "^1.0.0" + "version": "^1.10.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/8efcd3da-103b-4a65-8ab2-6a3a9df7ba8b_1.json b/packages/security_detection_engine/kibana/security_rule/8efcd3da-103b-4a65-8ab2-6a3a9df7ba8b_1.json new file mode 100644 index 00000000000..1a10daec440 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8efcd3da-103b-4a65-8ab2-6a3a9df7ba8b_1.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic", + "descambiado" + ], + "description": "Identifies modifications to OAuth application redirect URIs (ReplyUrls) in Entra ID. Adding an attacker-controlled redirect URI to an existing trusted application allows interception of OAuth authorization codes when users authenticate through that application's normal login flow, enabling token theft without requiring a new application registration or consent event.", + "false_positives": [ + "Developers adding localhost redirect URIs for local development environments. CI/CD pipelines updating production redirect URIs during deployment. Application owners adding redirect URIs for new platform support." + ], + "from": "now-9m", + "index": [ + "logs-azure.auditlogs-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Entra ID OAuth Application Redirect URI Modified", + "note": "## Triage and analysis\n\n### Investigating Entra ID OAuth Application Redirect URI Modified\n\nA redirect URI addition to an existing trusted application does not generate a consent event and does\nnot require registering a new application -- both of which are commonly monitored. The modified\napplication retains all existing user consents.\n\n#### Possible investigation steps\n\n- Identify the actor who modified the application (`azure.auditlogs.properties.initiated_by`) and\n verify whether the change was authorized by the application owner or a change management ticket.\n- Review the specific URIs added by comparing `modifiedProperties.oldValue` and `newValue` for the\n `ReplyUrls` field in the audit event's `target_resources`.\n- Geolocate and WHOIS the domain of any newly added URI -- hosting providers, recently registered\n domains, or URL shorteners are strong indicators of compromise.\n- Check whether the actor recently became an owner of this application: look for\n \"Add owner to application\" events in AuditLogs for the same application object ID.\n- Review the application's Graph API permissions -- applications with Mail, Files, or directory\n scopes are the highest-value targets for redirect URI hijacking.\n\n### False positive analysis\n\n- Localhost and loopback URIs (`http://localhost:*`, `http://127.0.0.1:*`) added by developers are\n expected in non-production applications. Verify the application's sensitivity before closing.\n- CI/CD-driven URI updates typically originate from service principal actors, not human users.\n\n### Response and remediation\n\n- Remove the unauthorized redirect URI via Entra ID > App registrations > Authentication.\n- Revoke all tokens issued to the application since the modification timestamp.\n- Review sign-in logs for the application for any sign-ins from unexpected sources after the change.\n- If the URI was externally controlled, treat as a full OAuth token compromise for all users of\n the application and initiate token revocation and user notification.\n", + "query": "data_stream.dataset: \"azure.auditlogs\" and\nazure.auditlogs.operation_name: \"Update application\" and\nevent.outcome: (\"Success\" or \"success\") and\nazure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: \"AppAddress\"\n", + "references": [ + "https://learn.microsoft.com/en-us/entra/identity-platform/reply-url", + "https://www.microsoft.com/en-us/security/blog/2026/03/02/oauth-redirection-abuse-enables-phishing-malware-delivery/" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8efcd3da-103b-4a65-8ab2-6a3a9df7ba8b", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "8efcd3da-103b-4a65-8ab2-6a3a9df7ba8b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f985da6-66e8-4838-a63e-21636eb9adc5_1.json b/packages/security_detection_engine/kibana/security_rule/8f985da6-66e8-4838-a63e-21636eb9adc5_1.json new file mode 100644 index 00000000000..6de430d7639 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8f985da6-66e8-4838-a63e-21636eb9adc5_1.json @@ -0,0 +1,133 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a change to an AWS Lambda function resource policy that grants invoke permissions to an AWS account principal. Using AddPermission, an adversary can authorize a principal in another account to call a function, creating a cross-account backdoor for execution or for relaying data to attacker-controlled infrastructure without modifying the function's code. This rule excludes public grants (principal set to \"*\"), which are covered by a separate rule, and grants to AWS service principals, which are common for legitimate event triggers.", + "false_positives": [ + "Cross-account invoke permissions are used for legitimate multi-account architectures and partner integrations. Verify the granted account in `aws.cloudtrail.request_parameters`, the function, and the `principal` value in `aws.cloudtrail.request_parameters` against approved cross-account access. Known partner or internal account ids can be excluded after validation. This rule cannot distinguish a grant to the function's own account from an external account, so same-account resource-policy grants (uncommon, since same-account invocation normally uses IAM identity-based policies) will also alert." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.user_identity.session_context.session_issuer.arn", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "AWS Lambda Function Policy Updated to Allow Cross-Account Invocation", + "note": "## Triage and analysis\n\n### Investigating AWS Lambda Function Policy Updated to Allow Cross-Account Invocation\n\nAWS Lambda resource policies control which principals may invoke a function. `AddPermission` granting `lambda:InvokeFunction` to a principal in another AWS account creates a cross-account invocation path. Adversaries use this to maintain execution access or to relay function output to infrastructure they control, without changing the function code that defenders typically scrutinize.\n\nThis rule detects grants of invoke permission to a specific external account, excluding public grants (handled by the related public-invocation rule) and AWS service principals used for normal event triggers.\n\n### Possible investigation steps\n\n- Inspect `aws.cloudtrail.request_parameters` for the `functionName`, the `action` granted, and the `principal` account id receiving access; confirm whether that account is known and trusted.\n- Identify the actor in `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type`, and review `source.ip` and `user_agent.original` to understand how the change was made.\n- Determine whether the function processes or has access to sensitive data that the external account could now reach.\n- Correlate with other activity by the same principal, including function code or configuration changes and additional policy modifications.\n- Verify whether the cross-account grant aligns with an approved integration or change request.\n\n### False positive analysis\n\n- Multi-account architectures and partner integrations legitimately grant cross-account invoke permissions. Confirm the grant is approved and exclude known trusted account ids or service roles on `aws.cloudtrail.user_identity.arn` after validation.\n\n### Response and remediation\n\n- If the grant is unauthorized, remove the statement from the function's resource policy (`RemovePermission`) and review the function's code, configuration, and execution role.\n- Determine whether the external account invoked the function while the grant was in place and assess data exposure.\n- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `lambda:AddPermission` to a small set of trusted roles.\n\n### Additional information\n\n- [Lambda resource-based policies](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html)\n- [AddPermission API](https://docs.aws.amazon.com/lambda/latest/api/API_AddPermission.html)\n", + "query": "any where data_stream.dataset == \"aws.cloudtrail\"\n and event.provider == \"lambda.amazonaws.com\"\n and event.outcome == \"success\"\n and event.action : \"AddPermission*\"\n and stringContains(aws.cloudtrail.request_parameters, \"lambda:InvokeFunction\")\n and not stringContains(aws.cloudtrail.request_parameters, \"principal=\\\\*\")\n and not stringContains(aws.cloudtrail.request_parameters, \".amazonaws.com\")\n", + "references": [ + "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html", + "https://docs.aws.amazon.com/lambda/latest/api/API_AddPermission.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "8f985da6-66e8-4838-a63e-21636eb9adc5", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Lambda", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1578", + "name": "Modify Cloud Compute Infrastructure", + "reference": "https://attack.mitre.org/techniques/T1578/", + "subtechnique": [ + { + "id": "T1578.005", + "name": "Modify Cloud Compute Configurations", + "reference": "https://attack.mitre.org/techniques/T1578/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "8f985da6-66e8-4838-a63e-21636eb9adc5_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93120a05-caf5-47f6-a305-e8abee463fb9_1.json b/packages/security_detection_engine/kibana/security_rule/93120a05-caf5-47f6-a305-e8abee463fb9_1.json index 570a822d49e..2ad6579c702 100644 --- a/packages/security_detection_engine/kibana/security_rule/93120a05-caf5-47f6-a305-e8abee463fb9_1.json +++ b/packages/security_detection_engine/kibana/security_rule/93120a05-caf5-47f6-a305-e8abee463fb9_1.json @@ -21,7 +21,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_211.json b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_211.json new file mode 100644 index 00000000000..e5044d79716 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_211.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom administrative role is deleted in Google Workspace. Adversaries may delete a custom admin role to disrupt delegated administration, remove security team access, or hinder incident response. Deleting a role removes the privileges it granted from all assigned users and groups, which can cause operational impact or blind spots during an active investigation.", + "false_positives": [ + "Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace.admin-*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "source.ip", + "user.name", + "user.email", + "event.action", + "google_workspace.admin.role.name" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Admin Role Deletion", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Deletion\n\nGoogle Workspace allows administrators to create custom admin roles with granular privileges across services such as\nUsers, Groups, Gmail, Drive, and Security. Deleting a custom role removes it from the tenant and revokes the associated\nprivileges for all users and groups that held the role. Threat actors may delete roles to disrupt security operations,\nremove delegated admin access, or cover tracks after privilege escalation. Because the role no longer exists in the\nAdmin console after deletion, determining who was assigned the role and what privileges it contained requires reviewing\nhistorical audit logs.\n\nThis rule identifies when a custom administrative role is deleted in the Google Admin console.\n\n### Possible investigation steps\n\n- Identify the initiating (actor) account that deleted the role by reviewing `user.email` or `user.name`, and note the `source.ip` and `event.ingested` timestamps.\n- Identify the role deleted by reviewing `google_workspace.admin.role.name`.\n- Determine whether the deletion is expected and authorized:\n - Validate there is an approved change request/ticket and that the actor account is authorized to delete custom admin roles.\n - If the actor account or source IP is unusual, treat the alert as higher priority until proven benign.\n- Confirm the role is deleted in the Google Admin console:\n - Navigate to Account > Admin roles.\n - Search for the role name from `google_workspace.admin.role.name` and confirm it no longer appears in the role list.\n- Search Kibana for principals previously assigned the role to determine blast radius:\n - In Discover (or the alert investigation workflow), search Google Workspace admin logs with a time range before the deletion timestamp.\n - Use the following KQL example, replacing `` with the value from `google_workspace.admin.role.name`:\n ```\n data_stream.dataset: \"google_workspace.admin\" and event.action: \"ASSIGN_ROLE\" and google_workspace.admin.role.name: \"\"\n ```\n - Review `user.target.email` and `user.target.name` for user/group assignments.\n - Search for `event.action: \"UNASSIGN_ROLE\"` with the same role name to identify recent removals before deletion.\n- Search Kibana for privileges the deleted role contained:\n - Use the following KQL example to review any privileges that were granted to the role before deletion:\n ```\n data_stream.dataset: \"google_workspace.admin\" and event.action: \"ADD_PRIVILEGE\" and google_workspace.admin.role.name: \"\"\n ```\n - Review `google_workspace.admin.privilege.name` values to understand what access was removed from assigned principals.\n- Scope for related role activity by searching for the same `user.email` (actor) performing other IAM actions such as `DELETE_ROLE`, `ADD_PRIVILEGE`, `ASSIGN_ROLE`, or security policy changes within the last 48 hours.\n- Evaluate whether the deletion coincides with other suspicious activity:\n - Review admin/audit events around the deletion time for security control changes, additional role deletions, or attempts to modify Super Admin assignments.\n\n### False positive analysis\n\n- Verify the role deletion aligns with approved administrative duties, an authorized change window, and the organization's access governance process.\n- Confirm the initiating admin account is legitimate and not deleting roles from unusual IPs, devices, or locations.\n- Validate whether the role was deprecated or consolidated into another role as part of planned IAM cleanup.\n\n### Response and remediation\n\n- Initiate the incident response process based on triage findings.\n- If the deletion is not clearly authorized, recreate the role with equivalent privileges and reassign affected users or groups while the investigation proceeds.\n- Identify affected users and groups from historical `ASSIGN_ROLE` events and confirm they retain necessary administrative access through other roles.\n- For suspected compromise of the initiating admin account:\n - Reset credentials, revoke active sessions, enforce MFA re-enrollment, and review delegation/OAuth grants for persistence.\n - Validate recovery email/phone settings and account security posture.\n- Review whether the deleted role contained security-relevant privileges (for example, audit log access or security settings management) that could impair detection or response if removed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "data_stream.dataset:google_workspace.admin and event.action:DELETE_ROLE\n", + "references": [ + "https://support.google.com/a/answer/2406043?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Tactic: Impact", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain or Tenant Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 211 + }, + "id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf_211", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_111.json b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_111.json new file mode 100644 index 00000000000..9b62e9873c5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_111.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a Gmail routing, mail-forwarding, or custom mail-host setting is created or modified in Google Workspace. Adversaries with administrative access can add Routing rules (also deliver to / change envelope recipient), recipient address map forwarding, or mail hosts and outbound gateways to copy or redirect sensitive email for collection.", + "false_positives": [ + "Administrators may create or change Gmail routing, dual-delivery, address maps, or mail hosts for migrations, journaling, spam handling, or partner integrations." + ], + "from": "now-20m", + "index": [ + "logs-google_workspace.admin-*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "source.ip", + "user.name", + "user.email", + "event.action", + "google_workspace.admin.org_unit.name", + "google_workspace.admin.setting.name", + "google_workspace.admin.setting.metadata.rule.type", + "google_workspace.admin.USER_DEFINED_SETTING_NAME" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Gmail Routing or Forwarding Rule Created or Modified", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Gmail Routing or Forwarding Rule Created or Modified\n\nGmail administrators can change where mail is delivered using several Admin console areas under Apps > Google Workspace > Gmail:\n\n- Routing \u2014 specialized rules (modify message, change route, also deliver to, change envelope recipient). Audit: `UNIFIED_MAIL_ROUTING` or `MESSAGE_SECURITY_RULE` (legacy); `google_workspace.admin.setting.metadata.rule.type` may repeat the legacy type on `RuleState` rows.\n- Email forwarding using recipient address map \u2014 rewrite or forward by address mapping. Audit: `ALIAS_TABLE`.\n- Hosts / Outbound gateway \u2014 custom SMTP routes. Audit: `EMAIL_ROUTE`.\n\nGoogle may emit multiple admin audit events per single save (legacy `CREATE_GMAIL_SETTING`, new `CREATE_APPLICATION_SETTING`, rule body, and rule enabled state). Expect duplicate documents at the same `@timestamp`; correlate on `user.name`, `google_workspace.admin.USER_DEFINED_SETTING_NAME` (rule id), and `event.id`.\n\n### Possible investigation steps\n\n- Identify the administrator (`user.name`, `user.email`) and confirm the change was authorized.\n- In Admin console, review the rule matching `google_workspace.admin.USER_DEFINED_SETTING_NAME`:\n - Routing (`UNIFIED_MAIL_ROUTING`, `MESSAGE_SECURITY_RULE`): Apps > Gmail > Routing\n - Recipient address map (`ALIAS_TABLE`): Apps > Gmail > Default routing > Email forwarding using recipient address map\n - Mail hosts / outbound gateway (`EMAIL_ROUTE`): Apps > Gmail > Hosts\n- Map the alert to the admin area using `google_workspace.admin.setting.name` and `google_workspace.admin.setting.metadata.rule.type`\n- Review whether the rule adds also deliver to, change envelope recipient, or routes to an external mail host or domain.\n- Review related `event.action` values for the same administrator in the last 48 hours.\n- If licensed for Gmail log events (BigQuery / Enterprise Plus), use Reporting > Audit and investigation > Gmail log events to confirm messages were delivered per the rule (`message_info.flattened_destinations`, `triggered_rule_info`).\n- Submit suspicious URLs or attachments from affected mail to reputational services as needed.\n\n### False positive analysis\n\n- Legitimate mail migrations, journaling, compliance archiving, and internal dual-delivery are common.\n- Tune with exceptions for known administrator accounts, rule ids (`USER_DEFINED_SETTING_NAME`), or approved external domains.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule uses `timestamp_override = event.ingested` and is configured to run every 10 minutes with a lookback of 20 minutes, aligned with the integration's default Admin poll interval (`interval`: 15m) and lag time (`lag_time`: 3m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/docs/reference/integrations/google_workspace", + "query": "data_stream.dataset:\"google_workspace.admin\" and event.action:(\n \"CREATE_GMAIL_SETTING\" or \"CHANGE_GMAIL_SETTING\"\n or \"CREATE_APPLICATION_SETTING\" or \"CHANGE_APPLICATION_SETTING\"\n)\nand (\n google_workspace.admin.setting.name:(\n \"UNIFIED_MAIL_ROUTING\"\n or \"ALIAS_TABLE\"\n or \"EMAIL_ROUTE\"\n or \"MESSAGE_SECURITY_RULE\"\n )\n or google_workspace.admin.setting.metadata.rule.type:(\n \"UNIFIED_MAIL_ROUTING\"\n or \"ALIAS_TABLE\"\n or \"EMAIL_ROUTE\"\n )\n)\n", + "references": [ + "https://support.google.com/a/answer/2685650?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.metadata.rule.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9510add4-3392-11ed-bd01-f661ea17fbce", + "setup": "The Google Workspace Fleet integration with the Admin data stream (`logs-google_workspace.admin-*`) is required for this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Tactic: Collection", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.003", + "name": "Email Forwarding Rule", + "reference": "https://attack.mitre.org/techniques/T1114/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 111 + }, + "id": "9510add4-3392-11ed-bd01-f661ea17fbce_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97266eb4-b8c3-4e3e-9417-7d0ace6b3dfe_1.json b/packages/security_detection_engine/kibana/security_rule/97266eb4-b8c3-4e3e-9417-7d0ace6b3dfe_1.json new file mode 100644 index 00000000000..b53c0c1357b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97266eb4-b8c3-4e3e-9417-7d0ace6b3dfe_1.json @@ -0,0 +1,145 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a connection to the Azure Serial Console of a virtual machine (VM) by an identity and source network combination that has not been observed recently. The Serial Console provides text-based console access to a VM through the boot diagnostics serial port, independent of the VM's network state. Because it does not traverse the VM's network interface, a Serial Console session bypasses Network Security Groups (NSGs), Just-in-Time (JIT) access policies, and other network controls. An adversary with a privileged Azure RBAC role (for example Virtual Machine Contributor) and boot diagnostics enabled on the target can use the Serial Console to obtain an interactive session as SYSTEM (Windows) or root (Linux).", + "false_positives": [ + "System or platform administrators may legitimately use the Serial Console to troubleshoot a VM that is unreachable over the network (boot failures, misconfigured firewall/NSG, lost SSH/RDP access). The first connection per identity and source ASN will alert; baseline expected break-glass principals and their corporate/VPN networks and exclude them if verified as authorized." + ], + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-azure.activitylogs-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "event.outcome", + "azure.activitylogs.operation_name", + "azure.activitylogs.identity.authorization.evidence.principal_id", + "azure.activitylogs.identity.authorization.evidence.principal_type", + "azure.activitylogs.identity.claims_initiated_by_user.name", + "azure.resource.id", + "azure.resource.name", + "source.ip", + "source.as.number", + "source.as.organization.name", + "source.geo.country_name", + "azure.subscription_id", + "azure.activitylogs.tenant_id" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure VM Serial Console Connection with Unusual User and ASN", + "new_terms_fields": [ + "azure.activitylogs.identity.authorization.evidence.principal_id", + "source.as.number" + ], + "note": "## Triage and analysis\n\n### Investigating Azure VM Serial Console Connection with Unusual User and ASN\n\nThe Azure Serial Console gives text-based console access to a VM over the boot diagnostics serial port. It works even\nwhen the VM has no inbound network connectivity, so a session bypasses NSGs, JIT, and other network controls. This rule\nflags successful `MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION` operations where the combination of acting\nprincipal and source ASN has not been seen in the history window.\n\nThis rule uses a new terms approach keyed on the acting principal and source ASN, so it surfaces a\nknown identity connecting from an unusual network as well as any new identity using the Serial Console.\n\n### Triage checklist\n\n- Identify the caller via `azure.activitylogs.identity.authorization.evidence.principal_id` and\n `azure.activitylogs.identity.authorization.evidence.principal_type` (User vs ServicePrincipal). Service principal\n Serial Console access is unusual and warrants scrutiny.\n- Review `source.as.organization.name`, `source.as.number`, and `source.geo.country_name` - is the network a known\n corporate/VPN ASN or an unexpected hosting/residential provider?\n- Was the connect preceded by reconnaissance, role assignment changes, or Run Command / extension activity on the same VM?\n- Were there preceding failed Serial Console connect attempts (`event.outcome:failure`) suggesting access probing?\n- Does the target VM normally require Serial Console access, or is it a production system that should be reachable over\n the network?\n\n### Possible investigation steps\n\n- Review `azure.resource.id` to identify the VM and confirm boot diagnostics is enabled.\n- Correlate with Entra ID sign-in logs for the caller and review MFA / conditional access posture.\n- Pivot on the VM for endpoint telemetry around the connect timestamp (interactive shell, new local accounts, credential\n access) since Serial Console sessions execute as SYSTEM/root.\n- Review the principal's RBAC role assignments on the subscription, resource group, and VM.\n\n### Response and remediation\n\n- If unauthorized, terminate the session, rotate credentials reachable from the VM, and review RBAC on the affected scope.\n- Consider disabling the subscription-level Serial Console where it is not operationally required.\n- Isolate the VM and collect endpoint and activity log artifacts per incident procedures.\n", + "query": "data_stream.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\"MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION\" and\n event.outcome:(\"success\" or \"Success\") and\n azure.activitylogs.identity.authorization.evidence.principal_id:* and\n source.as.number:*\n", + "references": [ + "https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview", + "https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors", + "https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.identity.authorization.evidence.principal_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.as.number", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "97266eb4-b8c3-4e3e-9417-7d0ace6b3dfe", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.008", + "name": "Direct Cloud VM Connections", + "reference": "https://attack.mitre.org/techniques/T1021/008/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "97266eb4-b8c3-4e3e-9417-7d0ace6b3dfe_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/976b2391-413f-4a94-acb4-7911f3803346_10.json b/packages/security_detection_engine/kibana/security_rule/976b2391-413f-4a94-acb4-7911f3803346_10.json deleted file mode 100644 index 8465c45d3c7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/976b2391-413f-4a94-acb4-7911f3803346_10.json +++ /dev/null @@ -1,188 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects unusual processes spawned from a web server parent process by identifying low frequency counts of process spawning activity. Unusual process spawning activity may indicate an attacker attempting to establish persistence, execute malicious commands, or establish command and control channels on the host system. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.", - "from": "now-61m", - "interval": "1h", - "language": "esql", - "license": "Elastic License v2", - "name": "Unusual Process Spawned from Web Server Parent", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Process Spawned from Web Server Parent\n\nWeb servers like Apache, Nginx, and others are crucial for hosting applications and services. Adversaries exploit these servers by spawning unauthorized processes to maintain persistence or execute malicious commands. The detection rule identifies anomalies by monitoring low-frequency process spawns from web server parents, focusing on unusual user IDs, directories, and process counts, which may indicate potential threats.\n\n### Possible investigation steps\n\n- Review the process.executable and process.command_line fields to understand the nature of the process that was spawned and assess if it aligns with expected behavior for the web server environment.\n- Examine the process.working_directory to determine if the directory is a legitimate location for web server operations or if it appears suspicious, such as being outside typical web server directories.\n- Check the user.name and user.id fields to verify if the process was executed by a legitimate web server user or if it was initiated by an unexpected or unauthorized user account.\n- Investigate the process.parent.executable to confirm whether the parent process is a known and trusted web server executable or if it has been tampered with or replaced.\n- Correlate the event with other logs or alerts from the same agent.id to identify any additional suspicious activities or patterns that may indicate a broader compromise.\n- Assess the host.os.type to ensure the alert pertains to a Linux system, as specified in the query, and verify if there are any known vulnerabilities or misconfigurations on the host that could have been exploited.\n\n### False positive analysis\n\n- Processes related to legitimate web server maintenance tasks may trigger alerts. Review scheduled tasks or cron jobs that align with the alert timing and consider excluding these specific processes if they are verified as non-threatening.\n- Development environments often spawn processes that mimic attack patterns. Identify and exclude processes originating from known development directories or executed by development user accounts.\n- Automated scripts or monitoring tools running under web server user accounts can be mistaken for malicious activity. Verify these scripts and add exceptions for their specific process names or working directories.\n- Frequent updates or deployments in web applications can lead to unusual process spawns. Document these activities and exclude related processes if they consistently match the alert criteria during known update windows.\n- Custom web server modules or plugins may execute processes that appear suspicious. Validate these modules and exclude their associated processes if they are part of normal operations.\n\n### Response and remediation\n\n- Immediately isolate the affected host from the network to prevent further malicious activity and potential lateral movement.\n- Terminate any suspicious processes identified by the alert that are not part of legitimate web server operations.\n- Conduct a thorough review of the process command lines and executables flagged by the alert to identify any malicious scripts or binaries. Remove or quarantine these files as necessary.\n- Check for unauthorized changes in web server configurations or files within the working directories flagged by the alert. Restore any altered files from a known good backup.\n- Review user accounts and permissions associated with the web server processes to ensure no unauthorized accounts or privilege escalations have occurred. Reset passwords and revoke unnecessary access.\n- Monitor network traffic from the affected host for any signs of command and control communication, and block any identified malicious IP addresses or domains.\n- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.\n", - "query": "from logs-endpoint.events.process-* metadata _id, _index, _version\n| mv_expand event.action\n| where\n host.os.type == \"linux\" and\n event.type == \"start\" and\n event.action == \"exec\" and (\n (\n process.parent.name in (\n \"apache\", \"nginx\", \"apache2\", \"httpd\", \"lighttpd\", \"caddy\", \"mongrel_rails\", \"gunicorn\",\n \"uwsgi\", \"openresty\", \"cherokee\", \"h2o\", \"resin\", \"puma\", \"unicorn\", \"traefik\", \"tornado\", \"hypercorn\",\n \"daphne\", \"twistd\", \"yaws\", \"webfsd\", \"httpd.worker\", \"flask\", \"rails\", \"mongrel\", \"php-cgi\",\n \"php-fcgi\", \"php-cgi.cagefs\", \"catalina.sh\", \"hiawatha\", \"lswsctrl\"\n ) or\n process.parent.name like \"php-fpm*\" or\n user.name in (\"apache\", \"www-data\", \"httpd\", \"nginx\", \"lighttpd\", \"tomcat\", \"tomcat8\", \"tomcat9\") or\n user.id in (\"33\", \"498\", \"48\") or\n (process.parent.name == \"java\" and process.parent.working_directory like \"/u0?/*\") or\n process.parent.working_directory like \"/var/www/*\"\n )\n ) and (\n process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\", \"openssl\", \"busybox\",\n \"nc\", \"ncat\", \"netcat\", \"nc.openbsd\", \"nc.traditional\", \"nohup\", \"setsid\", \"mkfifo\", \"mknod\",\n \"node\", \"socket\"\n ) or\n process.name like \"python*\" or\n process.name like \"php*\" or\n process.name like \"perl\" or\n process.name like \"ruby*\" or\n process.name like \"lua*\" or\n process.executable like \"/tmp/*\" or\n process.executable like \"/var/tmp/*\" or\n process.executable like \"/dev/shm/*\" or\n process.executable like \"/var/log/*\" or\n process.executable like \"/sys/*\" or\n process.executable like \"/media/*\" or\n process.executable like \"/proc/*\" or\n process.executable like \"/var/backups/*\" or\n process.executable like \"/var/mail/*\" or\n process.executable like \"/var/spool/*\" or\n process.executable like \"/var/www/*\" or\n process.executable like \"./*\" or\n process.name like \".*\"\n ) and \n not (\n process.working_directory like \"/home/*\" or\n process.working_directory == \"/\" or\n process.working_directory like \"/var/www/*.ch\" or\n process.parent.executable like \"/vscode/vscode-server/*\"\n )\n\n| keep\n @timestamp,\n _id,\n _index,\n _version,\n host.os.type,\n event.type,\n event.action,\n process.parent.name,\n user.name,\n user.id,\n process.working_directory,\n process.parent.working_directory,\n process.name,\n process.executable,\n process.command_line,\n process.parent.executable,\n agent.id,\n host.name,\n event.dataset,\n data_stream.namespace\n\n| stats\n Esql.event_count = count(),\n Esql.agent_id_count_distinct = count_distinct(agent.id),\n Esql.host_name_values = values(host.name),\n Esql.agent_id_values = values(agent.id),\n Esql.event_dataset_values = values(event.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace)\n\n by process.executable, process.working_directory, process.parent.executable\n\n| where\n Esql.agent_id_count_distinct == 1 and\n Esql.event_count < 5\n| sort Esql.event_count asc\n\n// Extract unique values to ECS fields for alerts exclusion\n| eval agent.id = mv_min(Esql.agent_id_values),\n host.name = mv_min(Esql.host_name_values)\n\n| keep agent.id, host.name, process.executable, process.working_directory, process.parent.executable, Esql.*\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.agent_id_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.agent_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.data_stream_namespace_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.event_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.event_dataset_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.host_name_values", - "type": "keyword" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "976b2391-413f-4a94-acb4-7911f3803346", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - }, - { - "id": "T1059.006", - "name": "Python", - "reference": "https://attack.mitre.org/techniques/T1059/006/" - }, - { - "id": "T1059.007", - "name": "JavaScript", - "reference": "https://attack.mitre.org/techniques/T1059/007/" - }, - { - "id": "T1059.011", - "name": "Lua", - "reference": "https://attack.mitre.org/techniques/T1059/011/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 10 - }, - "id": "976b2391-413f-4a94-acb4-7911f3803346_10", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_10.json b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_10.json new file mode 100644 index 00000000000..40e5f6d3074 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_10.json @@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an anonymous user views, copies, or downloads a private key or credential file from Google Drive via an anyone-with-the-link share. Adversaries who obtain or create open Drive links can harvest encryption keys and secrets stored in user drives, then use those materials to decrypt data, authenticate to services, or expand access beyond the initial compromise.", + "false_positives": [ + "A user may generate a shared access link to encryption key files to share with others. It is unlikely that the intended recipient is an external or anonymous user." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace.drive-*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "source.user.id", + "event.action", + "file.name", + "google_workspace.drive.file.type", + "google_workspace.drive.file.owner.email" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Drive Encryption Key(s) Accessed from Anonymous User\n\nThreat actors and opportunistic scanners frequently abuse Google Drive links set to \"Anyone with the link\" to access\nsensitive files without authenticating. Private keys, keystores, and token files stored in user drives are high-value\ntargets. Possession of these files can enable decryption of protected data, signing or impersonation, and lateral\nmovement into systems that trust the exposed material.\n\nThis rule uses EQL to detect `view`, `copy`, or `download` activity in `google_workspace.drive` where\n`google_workspace.drive.visibility` is `people_with_link`, `source.user.email` is empty (anonymous access), and\n`file.extension` matches common key or credential file types.\n\n### Possible investigation steps\n\n- Identify the file accessed by reviewing `file.name` and `google_workspace.drive.file.type`, and note `event.action` (`view`, `copy`, or `download`) and `event.ingested`.\n- Identify the file owner by reviewing `google_workspace.drive.file.owner.email` and determine whether that user should store key material in Drive.\n- Review `source.user.id` and any available IP or user-agent context in the raw event to characterize the anonymous accessor.\n- Confirm sharing posture in Google Drive:\n - Open the file in Drive as an administrator or the owner and review Share settings.\n - Verify whether access is \"Anyone with the link\" and whether the link was intentionally published or may have been exposed after account compromise.\n- Search Kibana for related Drive activity for the same file or owner:\n ```\n data_stream.dataset: \"google_workspace.drive\" and google_workspace.drive.file.owner.email: \"\" and file.name: \"\"\n ```\n - Look for earlier `change_user_access`, `change_document_visibility`, or `rename` events that may indicate when the link was opened.\n - Search for other key-like files owned by the same user with `people_with_link` visibility.\n- Determine blast radius \u2014 identify which systems, applications, or cloud resources the key protects (VPN, TLS, code signing, service accounts, encrypted archives).\n- Contact the file owner and security stakeholders to confirm whether anonymous access was expected (for example, a documented external audit). Treat unexpected access as high priority.\n\n### False positive analysis\n\n- Legitimate use of link-based sharing for key files is rare; validate business justification before closing as benign.\n- Automated scanners or DLP tools may touch public links \u2014 correlate with known security tooling and owner intent.\n\n### Response and remediation\n\n- Initiate the incident response process based on triage findings.\n- Revoke the open link or restrict sharing to specific users; move key material out of broadly link-shared locations.\n- If access is unauthorized, rotate or replace the exposed keys and review dependent systems for abuse.\n- Review the file owner's account for signs of compromise (unusual logins, OAuth grants, or mass sharing changes).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "file where data_stream.dataset == \"google_workspace.drive\" and event.action : (\"copy\", \"view\", \"download\") and\n google_workspace.drive.visibility: \"people_with_link\" and source.user.email == \"\" and\n file.extension: (\n \"token\",\"assig\", \"pssc\", \"keystore\", \"pub\", \"pgp.asc\", \"ps1xml\", \"pem\", \"gpg.sig\", \"der\", \"key\",\n \"p7r\", \"p12\", \"asc\", \"jks\", \"p7b\", \"signature\", \"gpg\", \"pgp.sig\", \"sst\", \"pgp\", \"gpgz\", \"pfx\", \"crt\",\n \"p8\", \"sig\", \"pkcs7\", \"jceks\", \"pkcs8\", \"psc1\", \"p7c\", \"csr\", \"cer\", \"spc\", \"ps2xml\")\n", + "references": [ + "https://support.google.com/drive/answer/2494822", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.drive.visibility", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.email", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "980b70a0-c820-11ed-8799-f661ea17fbcc", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Credential Access", + "Tactic: Collection", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.004", + "name": "Private Keys", + "reference": "https://attack.mitre.org/techniques/T1552/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 10 + }, + "id": "980b70a0-c820-11ed-8799-f661ea17fbcc_10", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a1ba0ac-aa6f-4c0d-8c80-b7f6ea2efa36_1.json b/packages/security_detection_engine/kibana/security_rule/9a1ba0ac-aa6f-4c0d-8c80-b7f6ea2efa36_1.json new file mode 100644 index 00000000000..be85cf7bc23 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9a1ba0ac-aa6f-4c0d-8c80-b7f6ea2efa36_1.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects exploitation attempts targeting CVE-2025-49844 (RediShell), a CVSS 10.0 use-after-free vulnerability in the Redis Lua interpreter. An authenticated attacker sends an EVAL command containing a Lua script that calls string.rep() to create memory pressure and collectgarbage('collect') to force garbage collection, exploiting a use-after-free in the Lua parser to achieve remote code execution.", + "from": "now-9m", + "index": [ + "logs-network_traffic.redis*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Redis Lua Use-After-Free RCE Attempt (CVE-2025-49844 / RediShell)", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Redis Lua Use-After-Free RCE Attempt (CVE-2025-49844 / RediShell)\n\nCVE-2025-49844 is a use-after-free in the Redis Lua interpreter. An authenticated attacker sends an EVAL command whose Lua script calls `string.rep()` to create memory pressure, then `collectgarbage('collect')` to force GC, triggering the use-after-free to achieve RCE. This rule matches on the `network_traffic.redis.query` field populated by the network_traffic (Packetbeat) Redis protocol module.\n\n### Possible investigation steps\n\n- Identify the source IP and determine whether it is a known trusted host or an internet address. Internet-exposed Redis (port 6379) with this pattern is almost certainly malicious.\n- Confirm the destination Redis version. If unpatched (6.2.x branch: < 6.2.20; 7.2.x branch: < 7.2.11; 7.4.x branch: < 7.4.6; 8.0.x branch: < 8.0.4; 8.2.x branch: < 8.2.2), treat the alert as a high-confidence exploitation attempt.\n- Review surrounding Redis commands (AUTH, CONFIG, SLAVEOF, DEBUG) from the same source IP for evidence of post-exploitation configuration tampering.\n- Examine the destination host for evidence of reverse-shell establishment: outbound connections from the Redis process, new listening ports, or child process spawning (bash -i, nc, /dev/tcp patterns).\n- Pivot to endpoint telemetry on the Redis host for process execution anomalies at or after the alert time.\n\n### False positive analysis\n\n- `string.rep()` and `collectgarbage('collect')` are valid Lua functions individually. Their deliberate combination inside a Redis EVAL is almost exclusively associated with CVE-2025-49844 or explicit security testing.\n- Authorized penetration testing and vulnerability scanning against the CVE will trigger this rule. Validate against known scanner IPs and scheduled assessment windows before escalating.\n\n### Response and remediation\n\n- Immediately patch affected Redis instances: 6.2.x >= 6.2.20, 7.2.x >= 7.2.11, 7.4.x >= 7.4.6, 8.0.x >= 8.0.4, 8.2.x >= 8.2.2.\n- Restrict Redis network access to trusted hosts only. Redis should never be directly reachable from the internet.\n- Require authentication (`requirepass` or ACL) and rotate credentials if exploitation is suspected.\n- If Lua scripting is not required, restrict EVAL via ACLs (`ACL SETUSER -eval`).\n- If successful exploitation is suspected, isolate the host, collect artifacts, and rotate all credentials stored in or accessible via Redis.\n", + "query": "network where data_stream.dataset == \"network_traffic.redis\" and\n network_traffic.redis.query like~ \"*EVAL*\" and\n network_traffic.redis.query like~ \"*string.rep*\" and\n network_traffic.redis.query like~ \"*collectgarbage*\"\n", + "references": [ + "https://nvd.nist.gov/vuln/detail/CVE-2025-49844", + "https://redis.io/blog/redis-security-advisory-cve-2025-49844", + "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "https://www.wiz.io/blog/pwn2own-berlin-2025-redis-cve-2025-49844" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": false, + "name": "network_traffic.redis.query", + "type": "keyword" + } + ], + "risk_score": 99, + "rule_id": "9a1ba0ac-aa6f-4c0d-8c80-b7f6ea2efa36", + "setup": "## Setup\n\nThis rule requires the Elastic **network_traffic** integration (Packetbeat via Elastic Agent) with the Redis\nprotocol module enabled. The rule matches on the `network_traffic.redis.query` field (keyword \u2014 human-readable command text) populated\nfor every Redis transaction; the raw wire bytes are available in `network_traffic.redis.request` (text) if\ndeeper inspection is needed.\n\n### Enabling the Redis module\n\nIn the Elastic Agent `network_traffic` integration policy:\n1. Add or confirm **Redis** in the protocols list with `enabled: true`.\n2. Set **ports** to include `6379` (or the custom port your Redis instances listen on).\n3. Deploy the sensor on the Redis host, on a SPAN/mirror port, or on a gateway that receives Redis traffic.\n\n### TLS limitation \u2014 this rule only covers unencrypted Redis\n\nRedis uses a plaintext protocol by default (port 6379, no TLS). Packetbeat can inspect the full request payload\non unencrypted connections, which is the configuration used by the vast majority of internet-exposed instances\n(8,500+ vulnerable instances identified as of October 2025 were all unencrypted).\n\nIf TLS is configured for Redis (`tls-port`, `tls-cert-file`, and `tls-key-file` in redis.conf), Packetbeat cannot\ninspect the payload without TLS decryption. For TLS-protected Redis deployments, supplement this rule with\nendpoint detection (process command-line arguments, system call monitoring) on the Redis host itself.\n\n", + "severity": "critical", + "tags": [ + "Domain: Network", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Network Packet Capture", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.011", + "name": "Lua", + "reference": "https://attack.mitre.org/techniques/T1059/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "9a1ba0ac-aa6f-4c0d-8c80-b7f6ea2efa36_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a17f2e5f-de52-49e8-9d86-ccfe91cd54d4_1.json b/packages/security_detection_engine/kibana/security_rule/a17f2e5f-de52-49e8-9d86-ccfe91cd54d4_1.json new file mode 100644 index 00000000000..2711cc1f93e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a17f2e5f-de52-49e8-9d86-ccfe91cd54d4_1.json @@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an AWS principal using long-term IAM user credentials (AKIA* access key) enumerates available Bedrock foundation models and then invokes a model within the same 15-minute window. Most legitimate Bedrock workloads run under IAM roles with short-lived credentials; the combination of model enumeration followed by direct model invocation from a long-term IAM user key is unusual in production environments and consistent with an adversary using stolen credentials to discover and exploit available AI model capabilities. This pattern is associated with LLMjacking attacks where threat actors abuse compromised cloud credentials to run high-volume or high-cost model inference at the account owner's expense.", + "false_positives": [ + "First-time Bedrock onboarding by a developer using long-term IAM user credentials. Verify the requesting identity is a known engineer, the use case description is legitimate, and the model invocation follows expected application behavior. Consider migrating Bedrock workloads to IAM roles to eliminate this pattern." + ], + "from": "now-30m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.provider", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", + "aws.cloudtrail.additionalEventData.inputTokens", + "aws.cloudtrail.additionalEventData.outputTokens" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key", + "note": "## Triage and analysis\n\n### Investigating AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key\n\nThis rule fires when the same long-term IAM user access key (AKIA*) calls `ListFoundationModels` and then\ninvokes a model within 15 minutes. This sequence \u2014 enumerate available models, then immediately use one \u2014 is\nconsistent with LLMjacking: an adversary using stolen IAM user credentials to discover and abuse available\nAI model capabilities at the account owner's expense.\n\nLong-term access keys (`AKIA*` prefix) belong to IAM users, not roles. Legitimate Bedrock workloads in\nproduction almost always run under IAM roles with short-lived credentials. A long-term key performing both\nmodel discovery and invocation is unusual and warrants investigation.\n\n### Possible investigation steps\n\n- **Identify the key and owner**: Review `aws.cloudtrail.user_identity.arn` and\n `aws.cloudtrail.user_identity.access_key_id`. Determine who owns the key and whether it is authorized for\n Bedrock usage.\n- **Check for credential exposure**: Search for the access key in source code, CI/CD logs, and secret scanning\n alerts. A key used from an unexpected source IP is a strong indicator of compromise.\n- **Examine the invocation**: Review `aws.cloudtrail.request_parameters` on the `InvokeModel` event to identify\n which model was invoked. Cross-reference with Bedrock invocation logs for prompt and response content.\n- **Correlate source IP and user agent**: Confirm `source.ip` and `user_agent.original` match the key owner's\n expected environment. Residential IPs, VPNs, or unexpected tools are suspicious.\n- **Look for volume**: Check whether this is the first invocation or part of a burst of `InvokeModel` calls.\n High-volume invocations following enumeration are a strong LLMjacking signal.\n\n### False positive analysis\n\n- **Developer testing**: Engineers using long-term IAM user keys for local Bedrock development may trigger this\n rule when they first explore available models. Validate against a known developer identity and source IP.\n Encourage migration to IAM roles for all Bedrock workloads.\n\n### Response and remediation\n\n- Immediately disable or rotate the access key if compromise is suspected.\n- Review all Bedrock invocations made by the key before and after this event.\n- Check whether the same key accessed other AWS services (S3, EC2, Secrets Manager).\n- Enforce IAM roles for all Bedrock workloads and restrict long-term key usage via SCP.\n", + "query": "sequence by aws.cloudtrail.user_identity.access_key_id with maxspan=15m\n [any where data_stream.dataset == \"aws.cloudtrail\"\n and event.provider == \"bedrock.amazonaws.com\"\n and event.action == \"ListFoundationModels\"\n and event.outcome == \"success\"\n and aws.cloudtrail.user_identity.access_key_id like \"AKIA*\"]\n [any where data_stream.dataset == \"aws.cloudtrail\"\n and event.provider == \"bedrock.amazonaws.com\"\n and event.action : (\"InvokeModel\", \"InvokeModelWithResponseStream\", \"Converse\", \"ConverseStream\")\n and event.outcome == \"success\"]\n", + "references": [ + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_ListFoundationModels.html", + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_InvokeModel.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.access_key_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a17f2e5f-de52-49e8-9d86-ccfe91cd54d4", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Domain: LLM", + "Data Source: Amazon Web Services", + "Data Source: AWS", + "Data Source: AWS CloudTrail", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Discovery", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1526", + "name": "Cloud Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1526/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "a17f2e5f-de52-49e8-9d86-ccfe91cd54d4_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890_3.json b/packages/security_detection_engine/kibana/security_rule/a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890_3.json index 284ed716fb3..40b7968b931 100644 --- a/packages/security_detection_engine/kibana/security_rule/a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890_3.json +++ b/packages/security_detection_engine/kibana/security_rule/a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890_3.json @@ -44,7 +44,7 @@ "related_integrations": [ { "package": "azure", - "version": "^1.0.0" + "version": "^1.4.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_113.json b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_113.json new file mode 100644 index 00000000000..5441125d373 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_113.json @@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.", + "false_positives": [ + "Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "logs-google_workspace.admin-*" + ], + "investigation_fields": { + "field_names": [ + "source.ip", + "user.name", + "user.email", + "event.action", + "google_workspace.admin.org_unit.name", + "google_workspace.admin.setting.name", + "google_workspace.admin.old_value", + "google_workspace.admin.new_value" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Restrictions for Marketplace Modified to Allow Any App\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\n\n### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Confirm `google_workspace.admin.new_value` is `ALLOW_ALL` and review `google_workspace.admin.old_value` for the prior restriction.\n- In the admin console, verify the change under `Apps > Google Workspace Marketplace apps` (global allowlist access setting).\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Google Workspace administrators may intentionally enable allow-all marketplace access based on organizational needs.\n - Follow up with the administrator who made the change to ensure this was intended.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "data_stream.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\"\n and google_workspace.event.type:\"APPLICATION_SETTINGS\" and google_workspace.admin.application.name:\"Google Workspace Marketplace\"\n and google_workspace.admin.setting.name:\"Apps Access Setting Allowlist access\" and google_workspace.admin.new_value:\"ALLOW_ALL\"\n", + "references": [ + "https://support.google.com/a/answer/6089179?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.application.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.event.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a2795334-2499-11ed-9e1a-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain or Tenant Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/" + }, + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 113 + }, + "id": "a2795334-2499-11ed-9e1a-f661ea17fbce_113", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2951930-dd35-438c-b10e-1bbdc5881cb4_2.json b/packages/security_detection_engine/kibana/security_rule/a2951930-dd35-438c-b10e-1bbdc5881cb4_2.json index aef36bf11d9..1a77e1505bf 100644 --- a/packages/security_detection_engine/kibana/security_rule/a2951930-dd35-438c-b10e-1bbdc5881cb4_2.json +++ b/packages/security_detection_engine/kibana/security_rule/a2951930-dd35-438c-b10e-1bbdc5881cb4_2.json @@ -18,7 +18,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/a4c8e901-2b7f-4d6e-9a3c-8e1f0d5b6c2a_1.json b/packages/security_detection_engine/kibana/security_rule/a4c8e901-2b7f-4d6e-9a3c-8e1f0d5b6c2a_1.json index df8ac79552f..cf846f8074b 100644 --- a/packages/security_detection_engine/kibana/security_rule/a4c8e901-2b7f-4d6e-9a3c-8e1f0d5b6c2a_1.json +++ b/packages/security_detection_engine/kibana/security_rule/a4c8e901-2b7f-4d6e-9a3c-8e1f0d5b6c2a_1.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/a643e6b8-ba2a-45f1-8d71-d265bfe2ae43_1.json b/packages/security_detection_engine/kibana/security_rule/a643e6b8-ba2a-45f1-8d71-d265bfe2ae43_1.json index 6a9442aa879..8aba21d6c5c 100644 --- a/packages/security_detection_engine/kibana/security_rule/a643e6b8-ba2a-45f1-8d71-d265bfe2ae43_1.json +++ b/packages/security_detection_engine/kibana/security_rule/a643e6b8-ba2a-45f1-8d71-d265bfe2ae43_1.json @@ -24,7 +24,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/a6d4e070-b9b9-4294-b028-d9e21ad47413_4.json b/packages/security_detection_engine/kibana/security_rule/a6d4e070-b9b9-4294-b028-d9e21ad47413_4.json index b0bccfd13b8..f55da12a3a9 100644 --- a/packages/security_detection_engine/kibana/security_rule/a6d4e070-b9b9-4294-b028-d9e21ad47413_4.json +++ b/packages/security_detection_engine/kibana/security_rule/a6d4e070-b9b9-4294-b028-d9e21ad47413_4.json @@ -24,6 +24,10 @@ { "package": "azure", "version": "^1.0.0" + }, + { + "package": "azure", + "version": "^1.4.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd_4.json b/packages/security_detection_engine/kibana/security_rule/a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd_4.json index 43c8f17806e..90ac802acec 100644 --- a/packages/security_detection_engine/kibana/security_rule/a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd_4.json +++ b/packages/security_detection_engine/kibana/security_rule/a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd_4.json @@ -23,10 +23,6 @@ "https://gtfobins.github.io/" ], "related_integrations": [ - { - "package": "aws", - "version": "^4.0.0" - }, { "package": "endpoint", "version": "^8.2.0" diff --git a/packages/security_detection_engine/kibana/security_rule/a953f6d5-01cd-4f4c-94dc-207e34965cac_1.json b/packages/security_detection_engine/kibana/security_rule/a953f6d5-01cd-4f4c-94dc-207e34965cac_1.json new file mode 100644 index 00000000000..1a37bb81fd0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a953f6d5-01cd-4f4c-94dc-207e34965cac_1.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects modification of deployed Amazon Bedrock agents and their action groups, collaborators, or aliases via the Bedrock Agent control plane. Adversaries with access to an AWS account can tamper with an existing, trusted agent by altering its instructions (UpdateAgent), adding or changing action groups that wire the agent to Lambda functions or APIs (CreateAgentActionGroup, UpdateAgentActionGroup), attaching or modifying collaborators (AssociateAgentCollaborator, UpdateAgentCollaborator), or repointing an alias to a tampered version (CreateAgentAlias, UpdateAgentAlias). A PrepareAgent call is required to make a tampered configuration live. By implanting malicious behavior into an agent that legitimate users continue to invoke, an attacker can maintain durable access through a trusted component. Creation of brand-new agents (CreateAgent) is intentionally excluded as lower-signal activity.", + "false_positives": [ + "Bedrock agent and action group changes are common during legitimate development, prompt tuning, and CI/CD deployments. Verify whether the user identity, user agent, and/or source IP should be modifying agents in your environment, and confirm a corresponding change request exists. Automation roles (IaC pipelines, deployment tooling) may routinely call these APIs and can be exempted from the rule if they generate false positives." + ], + "from": "now-6m", + "history_window_start": "now-7d", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.user_identity.invoked_by", + "event.action", + "event.provider", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Bedrock Agent or Action Group Manipulation", + "new_terms_fields": [ + "aws.cloudtrail.user_identity.arn" + ], + "note": "## Triage and analysis\n\n### Investigating AWS Bedrock Agent or Action Group Manipulation\n\nAmazon Bedrock agents orchestrate foundation models with developer-defined instructions and action groups that connect\nthe agent to Lambda functions or APIs. Because end users and applications repeatedly invoke deployed agents, an attacker\nwho modifies an existing agent's instructions, action groups, collaborators, or alias can implant durable malicious\nbehavior into a trusted component without deploying any new infrastructure. The `PrepareAgent` call makes a tampered\nconfiguration live, and updating an alias repoints traffic to the tampered version.\n\nThis rule identifies changes to existing Bedrock agents while intentionally excluding `CreateAgent`, which represents\nnet-new resource creation rather than tampering with established, trusted agents.\n\n#### Possible investigation steps\n\n- **Identify the actor and context**\n - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and\n `aws.cloudtrail.user_identity.access_key_id` to determine who made the change.\n - Inspect `source.ip`, `user_agent.original`, and `aws.cloudtrail.user_identity.invoked_by` to establish whether the\n change came from an interactive session, automation, or an unfamiliar location.\n - Confirm whether a corresponding change request or deployment exists for the affected agent.\n- **Examine the change**\n - Review `aws.cloudtrail.request_parameters` and `aws.cloudtrail.flattened.request_parameters` for the targeted agent\n ID, action group definition, Lambda ARN, collaborator, or alias routing configuration.\n - For `UpdateAgent`, inspect the modified instruction text for prompt-injection or data-exfiltration intent.\n - For action group changes, validate the referenced Lambda function or API schema ownership and intent.\n - For alias changes, confirm which agent version the alias now points to.\n- **Correlate activity**\n - Look for a `PrepareAgent` call following configuration changes, which indicates the tampered config was made live.\n - Search for surrounding IAM, Lambda, or STS activity from the same identity that could indicate broader compromise.\n\n### False positive analysis\n\n- **Planned development and tuning**: Legitimate developers regularly update agent instructions and action groups.\n Validate against change tickets and known engineering activity.\n- **Automation**: IaC pipelines and deployment tooling may call these APIs on every release. Exempt known automation\n roles if they cause recurring false positives.\n\n### Response and remediation\n\n- If the change is unauthorized, revert the agent, action group, collaborator, and alias to a known-good version and\n re-run `PrepareAgent` to restore trusted behavior.\n- Disable or rotate the credentials identified in `aws.cloudtrail.user_identity.access_key_id` if compromise is\n suspected.\n- Review the affected agent's action group Lambda functions and APIs for malicious code or data flows.\n- Restrict `bedrock:UpdateAgent`, `bedrock:*AgentActionGroup`, `bedrock:*AgentCollaborator`, `bedrock:*AgentAlias`, and\n `bedrock:PrepareAgent` permissions to a small set of administrative roles.\n", + "query": "data_stream.dataset: \"aws.cloudtrail\" and\n event.provider: \"bedrock.amazonaws.com\" and\n event.action: (\n \"UpdateAgent\" or\n \"CreateAgentActionGroup\" or\n \"UpdateAgentActionGroup\" or\n \"AssociateAgentCollaborator\" or\n \"UpdateAgentCollaborator\" or\n \"CreateAgentAlias\" or\n \"UpdateAgentAlias\" or\n \"PrepareAgent\"\n ) and\n event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_UpdateAgent.html", + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_CreateAgentActionGroup.html", + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_PrepareAgent.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a953f6d5-01cd-4f4c-94dc-207e34965cac", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: LLM", + "Data Source: AWS", + "Data Source: AWS CloudTrail", + "Data Source: Amazon Web Services", + "Data Source: Amazon Bedrock", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "a953f6d5-01cd-4f4c-94dc-207e34965cac_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_211.json b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_211.json new file mode 100644 index 00000000000..20fb0677f2b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_211.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "alert_suppression": { + "duration": { + "unit": "m", + "value": 130 + }, + "group_by": [ + "user.email", + "google_workspace.admin.org_unit.name", + "source.ip" + ], + "missing_fields_strategy": "suppress" + }, + "author": [ + "Elastic" + ], + "description": "Detects when a Google Workspace administrator modifies organization password policy settings. Adversaries with administrative access may weaken password requirements, such as disabling strong password enforcement, allowing password reuse, or reducing minimum length, to increase the success of password spraying and credential stuffing against tenant accounts and to sustain access after initial compromise.", + "false_positives": [ + "Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace.admin-*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "user.name", + "user.email", + "source.ip", + "event.action", + "google_workspace.admin.setting.name", + "google_workspace.admin.org_unit.name", + "google_workspace.admin.old_value", + "google_workspace.admin.new_value" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Password Policy Modified", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Password Policy Modified\n\nThreat actors with Google Workspace administrative access may modify tenant password policies to weaken authentication\ncontrols across an organizational unit or domain. Relaxing password complexity, reuse, or rotation requirements increases\nthe likelihood of successful password spraying, credential stuffing, and reuse of passwords exposed in third-party\nbreaches. Because policy changes apply to all users in scope, a single modification can materially expand the attack\nsurface for the entire unit.\n\nSaving changes in the Admin console can update multiple password settings at once. Google logs each setting change as a\nseparate `CHANGE_APPLICATION_SETTING` or `CREATE_APPLICATION_SETTING` event (for example, minimum length, maximum\nlength, reset frequency, strong password enforcement, and password reuse). Alert suppression groups by `user.email`,\n`google_workspace.admin.org_unit.name`, and `source.ip` within the rule lookback so analysts receive one alert per\npassword policy modification session instead of one alert per setting.\n\n### Possible investigation steps\n\n- Identify the initiating (actor) administrator by reviewing `user.email` or `user.name`, and note the `source.ip` and `event.ingested` timestamps.\n- Identify the setting changed in the alert by reviewing `google_workspace.admin.setting.name`.\n- Review `google_workspace.admin.old_value` and `google_workspace.admin.new_value` to determine whether the change weakened policy. Examples of high-risk changes include:\n - `Password Management - Enforce strong password` set to disabled\n - `Password Management - Enable password reuse` set to enabled\n - `Password Management - Minimum password length` reduced\n - `Password Management - Password reset frequency` increased (less frequent rotation)\n- Identify the scope of impact by reviewing `google_workspace.admin.org_unit.name` and determining which users inherit the updated policy.\n- Determine whether the modification is expected and authorized:\n - If the actor account or `source.ip` is unusual, treat the alert as higher priority until proven benign.\n- Search Kibana for all password settings changed in the session:\n - In Discover (or the alert investigation workflow), search Google Workspace admin logs with a time range centered on the alert timestamp (\u00b15 minutes).\n - Use the following KQL example, replacing `` and `` as needed:\n ```\n data_stream.dataset: \"google_workspace.admin\" and event.action: (\"CHANGE_APPLICATION_SETTING\" or \"CREATE_APPLICATION_SETTING\") and user.email: \"\" and google_workspace.admin.setting.name: Password Management - *\n ```\n - Optionally filter on `google_workspace.admin.org_unit.name: \"\"` to isolate changes for the same organizational unit.\n - Review all `google_workspace.admin.setting.name`, `google_workspace.admin.old_value`, and `google_workspace.admin.new_value` fields returned to understand the full scope of the modification.\n- Scope for related activity by searching for the same `user.email` performing other security-weakening admin actions within the last 48 hours, such as MFA enforcement changes, SSO/SAML modifications, or role assignments.\n\n### False positive analysis\n\n- Verify the password policy change aligns with an approved change window, compliance exception, or migration activity.\n- Policy hardening can also generate alerts for this rule \u2014 use `old_value` and `new_value` to distinguish benign hardening from weakening changes.\n\n### Response and remediation\n\n- Initiate the incident response process based on triage findings.\n- If the modification is not clearly authorized, restore password policy settings to their prior values for the affected organizational unit while the investigation proceeds.\n- If the initiating admin account is suspected compromised, reset credentials, revoke active sessions, and review delegated admin roles assigned to that account.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\n- Review the permissions assigned to the implicated administrator to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators might observe lag times ranging from several minutes to 3 days between the event occurrence time and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "data_stream.dataset:google_workspace.admin and\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n google_workspace.admin.setting.name:(\n \"Password Management - Enforce strong password\" or\n \"Password Management - Password reset frequency\" or\n \"Password Management - Enable password reuse\" or\n \"Password Management - Enforce password policy at next login\" or\n \"Password Management - Minimum password length\" or\n \"Password Management - Maximum password length\"\n )\n", + "references": [ + "https://support.google.com/a/answer/7061566", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", + "setup": "The Google Workspace Fleet integration, the Filebeat module, or data that's similarly structured is required for this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain or Tenant Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 211 + }, + "id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_211", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_111.json b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_111.json new file mode 100644 index 00000000000..6eb9bd8512c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_111.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", + "false_positives": [ + "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "auditbeat-*", + "filebeat-*", + "logs-network_traffic.*", + "logs-panw.*", + "logs-pfsense.log-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "IPSEC NAT Traversal Port Activity", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating IPSEC NAT Traversal Port Activity\n\nIPSEC NAT Traversal facilitates secure VPN communication across NAT devices by encapsulating IPSEC packets in UDP, typically using port 4500. While essential for legitimate encrypted traffic, adversaries exploit this to mask malicious activities, bypassing network defenses. The detection rule identifies unusual UDP traffic on port 4500, flagging potential misuse for further investigation.\n\n### Possible investigation steps\n\n- Review the source and destination IP addresses associated with the UDP traffic on port 4500 to determine if they are known or expected within your network environment.\n- Analyze the volume and frequency of the detected traffic to assess whether it aligns with typical IPSEC NAT Traversal usage or if it appears anomalous.\n- Check for any associated network traffic events in the same timeframe that might indicate a pattern of suspicious activity, such as unusual data transfer volumes or connections to known malicious IP addresses.\n- Investigate the endpoint or device generating the traffic to verify if it is authorized to use IPSEC NAT Traversal and if it has any history of security incidents or vulnerabilities.\n- Correlate the detected activity with any recent changes in network configurations or security policies that might explain the traffic pattern.\n- Consult threat intelligence sources to determine if the destination IP address or domain has been associated with known threat actors or command and control infrastructure.\n\n### False positive analysis\n\n- Legitimate VPN traffic using IPSEC NAT Traversal can trigger alerts. Regularly review and whitelist known IP addresses or subnets associated with authorized VPN connections to reduce false positives.\n- Network devices or services that rely on IPSEC for secure communication may generate expected traffic on port 4500. Identify and document these devices, then create exceptions in the detection rule to prevent unnecessary alerts.\n- Automated backup or synchronization services that use IPSEC for secure data transfer might be flagged. Monitor these services and exclude their traffic patterns if they are verified as non-threatening.\n- Some enterprise applications may use IPSEC NAT Traversal for secure communication. Conduct an inventory of such applications and adjust the rule to exclude their traffic after confirming their legitimacy.\n- Regularly update the list of known safe IP addresses and services to ensure that new legitimate sources of IPSEC NAT Traversal traffic are promptly excluded from triggering alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further potential malicious activity and lateral movement.\n- Conduct a thorough analysis of the isolated system to identify any signs of compromise, such as unauthorized access or data exfiltration, focusing on logs and network traffic related to UDP port 4500.\n- Block all suspicious IP addresses associated with the detected traffic on port 4500 at the network perimeter to prevent further communication with potential threat actors.\n- Review and update firewall and intrusion detection/prevention system (IDS/IPS) rules to ensure they effectively block unauthorized IPSEC NAT Traversal traffic, particularly on UDP port 4500.\n- Restore the affected system from a known good backup if any signs of compromise are confirmed, ensuring that all security patches and updates are applied before reconnecting to the network.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Implement enhanced monitoring and logging for UDP traffic on port 4500 to detect and respond to any future suspicious activity promptly.", + "query": "(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500\n", + "related_integrations": [ + { + "package": "panw", + "version": "^5.0.0" + }, + { + "package": "pfsense", + "version": "^1.0.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", + "severity": "low", + "tags": [ + "Tactic: Command and Control", + "Domain: Endpoint", + "Use Case: Threat Detection", + "Data Source: PAN-OS", + "Data Source: pfSense", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1095", + "name": "Non-Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1095/" + }, + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + }, + { + "id": "T1573", + "name": "Encrypted Channel", + "reference": "https://attack.mitre.org/techniques/T1573/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 111 + }, + "id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa04377a-19b5-4940-952f-aad173790d23_1.json b/packages/security_detection_engine/kibana/security_rule/aa04377a-19b5-4940-952f-aad173790d23_1.json new file mode 100644 index 00000000000..0b54eb0f327 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aa04377a-19b5-4940-952f-aad173790d23_1.json @@ -0,0 +1,196 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Correlates a successful Entra ID device-code sign-in to the legacy Azure AD Graph audience (00000002-0000-0000-c000-000000000000) from an unmanaged device with directory enumeration against graph.windows.net by the same user within a short window. Device-code phishing is the dominant OAuth phishing variant against Microsoft tenants: the adversary initiates the flow, relays the user-facing code to the victim, and on redemption walks away with an access or refresh token bound to the targeted resource without ever handling the user's password or MFA factor. When the redeemed audience is AAD Graph and the redeeming device is unmanaged, the follow-on Graph traffic is the compromised cloud account being used by the attacker, not by the user. This rule fires when that token is immediately turned around against the directory under the same identity to read user, group, service principal, application, role assignment, directory object, policy, OAuth permission grant, or tenant detail collections.", + "false_positives": [ + "Authorized red team or audit activity (ROADrecon, ROADtools, AADInternals, roadtx). Document the engagement window and add exceptions on the calling user.", + "A developer or operator legitimately running first-party tooling under the device-code flow that then enumerates directory objects during onboarding or troubleshooting. Validate the calling app and source IP and exclude as appropriate." + ], + "from": "now-9m", + "index": [ + "logs-azure.signinlogs-*", + "logs-azure.aadgraphactivitylogs-*" + ], + "investigation_fields": { + "field_names": [ + "user.id", + "azure.tenant_id", + "azure.signinlogs.properties.user_principal_name", + "azure.signinlogs.properties.app_id", + "azure.signinlogs.properties.app_display_name", + "azure.signinlogs.properties.resource_id", + "azure.signinlogs.properties.authentication_protocol", + "azure.signinlogs.properties.device_detail.is_managed", + "azure.aadgraphactivitylogs.properties.app_id", + "azure.aadgraphactivitylogs.properties.api_version", + "url.path", + "user_agent.original", + "source.ip", + "source.as.organization.name", + "source.geo.country_name" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration", + "note": "## Triage and analysis\n\n### Investigating Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration\n\nDevice-code phishing redeems an OAuth access token directly into the adversary's hands without\never touching the victim's password or MFA factor. When the redemption targets the legacy AAD\nGraph audience from an unmanaged device, the resulting token is overwhelmingly used to drive\ndirectory recon under the compromised identity. ROADrecon / ROADtools, AADInternals\n(`Get-AADIntTenantDetails`, `Get-AADIntUsers`), and manual `roadtx` flows all match this shape.\n\n### Possible investigation steps\n\n- Confirm the sign-in shape.\n - `azure.signinlogs.properties.authentication_protocol` is `deviceCode`.\n - `azure.signinlogs.properties.resource_id` is `00000002-0000-0000-c000-000000000000` (legacy AAD Graph audience).\n - `azure.signinlogs.properties.device_detail.is_managed` is `false`.\n- Identify the calling client used to drive the device-code grant.\n - `azure.signinlogs.properties.app_id`, `azure.signinlogs.properties.app_display_name`.\n - FOCI / pre-consented Microsoft clients (Teams, Office, Azure CLI, Azure PowerShell) are the canonical ride-along clients for device-code phishing because they bypass app consent.\n- Review source posture for the redemption and the Graph follow-on independently.\n - `source.ip`, `source.as.organization.name`, `source.geo.country_name`. Residential / VPS / anonymising-network egress raises priority.\n - A code redeemed from one IP and Graph driven from another is a strong adversary-in-the-middle signal: the user clicked, the attacker is now driving the session.\n- Review what was queried on the Graph side.\n - `url.path` on the second event. `applicationRefs`, `eligibleRoleAssignments`, and `directoryObjects` casts (`$/Microsoft.DirectoryServices.ServicePrincipal`) are the textbook ROADrecon signature; `tenantDetails` from an `AADInternals` user-agent is the AADInternals signature.\n- Check the API version on the Graph call.\n - `azure.aadgraphactivitylogs.properties.api_version`. `1.61-internal` is a strong tooling indicator and returns data the public surface withholds (Conditional Access policies, MFA configuration on user objects).\n- Pivot to surrounding sign-ins for the same user. Other device-code redemptions to Microsoft Graph, Azure Resource Manager, or Exchange in the same window suggest the attacker is multi-homing the token harvest.\n- Confirm the activity is not attributable to authorized testing before treating as malicious.\n\n### Response and remediation\n\n- Revoke refresh tokens and active sessions for the compromised user.\n - `POST /v1.0/users/{id}/revokeSignInSessions`.\n- Temporarily disable the user if the alert is high-confidence or you need to halt further activity while investigation continues.\n - `PATCH /v1.0/users/{id}` with body `{\"accountEnabled\": false}`.\n- Check for device registrations created by the user during or around the burst window and remove rogue devices.\n - `GET /v1.0/users/{id}/registeredDevices` and `GET /v1.0/users/{id}/ownedDevices`, then `DELETE /v1.0/devices/{deviceObjectId}`.\n - Do this BEFORE session revocation: device-bound PRTs survive `revokeSignInSessions`.\n- If the calling application has no legitimate AAD Graph dependency, block further use by that app.\n - `PATCH /beta/applications/{id}` with body `{\"authenticationBehaviors\": {\"blockAzureADGraphAccess\": true}}`.\n - This property lives on the Graph beta endpoint, not v1.0.\n- Apply Conditional Access targeting the device-code grant: require a managed / compliant device or block the device-code grant outside of explicitly approved app + user populations.\n", + "query": "sequence by user.id, azure.tenant_id with maxspan=5m\n[authentication where\n data_stream.dataset == \"azure.signinlogs\" and\n event.outcome == \"success\" and\n azure.signinlogs.properties.authentication_protocol == \"deviceCode\" and\n azure.signinlogs.properties.device_detail.is_managed == false and\n azure.signinlogs.properties.resource_id == \"00000002-0000-0000-c000-000000000000\"]\n[web where\n data_stream.dataset == \"azure.aadgraphactivitylogs\" and\n url.path : (\n \"*/users*\",\n \"*/groups*\",\n \"*/servicePrincipals*\",\n \"*/applications*\",\n \"*/applicationRefs*\",\n \"*/devices*\",\n \"*/directoryRoles*\",\n \"*/roleAssignments*\",\n \"*/eligibleRoleAssignments*\",\n \"*/roleDefinitions*\",\n \"*/directoryObjects*\",\n \"*/policies*\",\n \"*/oauth2PermissionGrants*\",\n \"*/administrativeUnits*\",\n \"*/tenantDetails*\",\n \"*/directorySettingTemplates*\",\n \"*/me*\"\n )]\n", + "references": [ + "https://github.com/dirkjanm/ROADtools", + "https://github.com/Gerenios/AADInternals", + "https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.signinlogs.properties.authentication_protocol", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.device_detail.is_managed", + "type": "boolean" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.resource_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.tenant_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "url.path", + "type": "wildcard" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "aa04377a-19b5-4940-952f-aad173790d23", + "setup": "#### Microsoft Entra ID Sign-in Logs and Azure AD Graph Activity Logs\nRequires both data streams ingested via the Elastic Azure integration:\n- Microsoft Entra ID sign-in logs into `logs-azure.signinlogs-*` (enable the `SignInLogs` diagnostic-settings category on Entra ID).\n- Azure AD Graph Activity Logs into `logs-azure.aadgraphactivitylogs-*` (enable the `AzureADGraphActivityLogs` diagnostic-settings category on Entra ID).\n", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Sign-in Logs", + "Data Source: Azure AD Graph", + "Data Source: Azure AD Graph Activity Logs", + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Initial Access", + "Tactic: Discovery", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.003", + "name": "Cloud Groups", + "reference": "https://attack.mitre.org/techniques/T1069/003/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.004", + "name": "Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1087/004/" + } + ] + }, + { + "id": "T1526", + "name": "Cloud Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1526/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "aa04377a-19b5-4940-952f-aad173790d23_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9_12.json b/packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9_12.json index 0fa1039e849..3fce3816527 100644 --- a/packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9_12.json +++ b/packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9_12.json @@ -43,10 +43,6 @@ "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/" ], "related_integrations": [ - { - "package": "aws", - "version": "^4.0.0" - }, { "integration": "cloudtrail", "package": "aws", diff --git a/packages/security_detection_engine/kibana/security_rule/abb7bc31-b865-4318-80a9-b9ee4edd57b6_1.json b/packages/security_detection_engine/kibana/security_rule/abb7bc31-b865-4318-80a9-b9ee4edd57b6_1.json index 5d3a6d0d045..9a70ee0421c 100644 --- a/packages/security_detection_engine/kibana/security_rule/abb7bc31-b865-4318-80a9-b9ee4edd57b6_1.json +++ b/packages/security_detection_engine/kibana/security_rule/abb7bc31-b865-4318-80a9-b9ee4edd57b6_1.json @@ -22,7 +22,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_212.json b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_212.json new file mode 100644 index 00000000000..1a1dac51b4d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_212.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a super administrator authorizes domain-wide delegation (DWD) API client access for a Google Cloud service account or OAuth client. DWD lets an application impersonate users and access Workspace APIs across the tenant. Adversaries with admin access may register or authorize a malicious client with broad scopes to maintain API-based persistence and access mail, drive, and directory data without relying on a single user's password alone.", + "false_positives": [ + "Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace.admin-*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "user.name", + "user.email", + "user.domain", + "event.action", + "google_workspace.admin.api.client.name", + "google_workspace.admin.api.scopes", + "google_workspace.admin.domain.name" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace API Access Granted via Domain-Wide Delegation", + "note": "## Triage and analysis\n\n### Investigating Google Workspace API Access Granted via Domain-Wide Delegation\n\nDomain-wide delegation (DWD) allows a Google Cloud service account or OAuth client to access Workspace user data on\nbehalf of users across the domain. Only super administrators can authorize DWD, and each grant specifies API scopes\nthat define what the client can read or modify (for example Gmail, Drive, Directory, or Calendar APIs). Over-scoped DWD\ngrants create durable third-party access paths that survive individual user password resets.\n\nThis rule matches `AUTHORIZE_API_CLIENT_ACCESS` events in the `google_workspace.admin` data stream.\n\n### Possible investigation steps\n\n- Identify the administrator who authorized access by reviewing `user.email` or `user.name`, and note `user.domain` and\n `event.ingested` if present in the alert.\n- Identify the authorized client by reviewing `google_workspace.admin.api.client.name` and confirm the affected tenant\n with `google_workspace.admin.domain.name`.\n- Review granted API scopes in `google_workspace.admin.api.scopes` against least-privilege expectations. Broad scopes\n (for example full mail or drive access) warrant higher urgency.\n- Determine whether the change is expected and authorized:\n - Validate there is an approved change request or vendor onboarding record for the client and scopes.\n - If the actor account is unusual or the scopes exceed documented requirements, treat as higher priority until proven benign.\n- Review DWD configuration in the Google Admin console:\n - Sign in to [admin.google.com](https://admin.google.com) with an authorized administrator account.\n - Navigate to Security > Access and data control > API controls > Domain-wide delegation.\n - Confirm the client ID, client name, and scopes match the alert fields.\n- Search Kibana for related admin activity:\n - Find other DWD grants or revocations by the same administrator:\n ```\n data_stream.dataset: \"google_workspace.admin\" and user.email: \"\" and event.action: (\"AUTHORIZE_API_CLIENT_ACCESS\" or \"REVOKE_API_CLIENT_ACCESS\")\n ```\n - Scope for all grants to the same API client:\n ```\n data_stream.dataset: \"google_workspace.admin\" and event.action: \"AUTHORIZE_API_CLIENT_ACCESS\" and google_workspace.admin.api.client.name: \"\"\n ```\n - Correlate with other high-risk admin actions from the same actor in the last 48 hours:\n ```\n data_stream.dataset: \"google_workspace.admin\" and user.email: \"\" and event.action: (\"ASSIGN_ROLE\" or \"ADD_APPLICATION\" or \"CREATE_ROLE\")\n ```\n- If GCP audit logs are ingested, pivot on the service account or client:\n - Search for the client name in `gcp.audit.resource_name` and review `event.action` over the last 48 hours to determine\n how the service account is being used after authorization.\n\n### False positive analysis\n\n- Platform or security teams may authorize DWD for approved automation, backup, or migration tooling \u2014 validate against\n known service accounts and documented scope requirements.\n- Vendor onboarding sometimes requires temporary broad scopes; confirm timing against change windows before closing as benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on triage findings.\n- If the grant is not clearly authorized, revoke domain-wide delegation for the client under Security > Access and data\n control > API controls > Domain-wide delegation while the investigation proceeds.\n- Rotate or disable the associated GCP service account keys if the client is suspected malicious.\n- If the initiating admin account is suspected compromised, reset credentials, revoke active sessions, and review\n delegated admin roles assigned to that account.\n- Review activity performed with the authorized client based on scopes in `google_workspace.admin.api.scopes`.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated administrator to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "data_stream.dataset:google_workspace.admin\n and event.action:AUTHORIZE_API_CLIENT_ACCESS\n", + "references": [ + "https://developers.google.com/admin-sdk/directory/v1/guides/delegation", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Persistence", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 212 + }, + "id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee_212", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_211.json b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_211.json new file mode 100644 index 00000000000..844ec5c3d1d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_211.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom administrative role is created in Google Workspace. Unlike prebuilt admin roles, custom roles allow granular selection of privileges across Google services and can be assigned to users or groups. Adversaries may create a custom admin role to craft elevated permissions tailored to their objectives, then assign that role to a compromised or attacker-controlled account to establish persistence and enable follow-on actions such as modifying security controls, granting OAuth access, or changing mail routing.", + "false_positives": [ + "Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace.admin-*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "source.ip", + "user.name", + "user.email", + "event.action", + "google_workspace.admin.role.name" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Custom Admin Role Created", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Admin Role Created\n\nGoogle Workspace allows administrators to create custom admin roles with granular privileges across services such as\nUsers, Groups, Gmail, Drive, and Security. Custom roles are often used for delegated administration, but they can also\nbe abused to establish persistence: an adversary may create a role with only the privileges they need, then assign it to\na compromised account or group without modifying well-known prebuilt roles. Because role creation alone does not grant\naccess, determining whether the new role was assigned, and what privileges it contains, is a critical part of triage.\n\nThis rule identifies when a custom administrative role is created in the Google Admin console.\n\n### Possible investigation steps\n\n- Identify the initiating (actor) account that created the role by reviewing `user.email` or `user.name`, and note the `source.ip` and `event.ingested` timestamps.\n- Identify the role created by reviewing `google_workspace.admin.role.name`.\n- Determine whether the role creation is expected and authorized:\n - Validate there is an approved change request/ticket and that the actor account is authorized to create custom admin roles.\n - If the actor account or source IP is unusual, treat the alert as higher priority until proven benign.\n- Review role permissions in the Google Admin console:\n - Navigate to Account > Admin roles.\n - Locate the role name from `google_workspace.admin.role.name` and select it to open the role details.\n - Review the Privileges tab to confirm which administrative permissions were granted.\n - Review the Admins tab to see which users or groups are currently assigned the role.\n- Search Kibana for role assignments to identify principals that received the new role:\n - Search Google Workspace admin logs with a time range starting at the role creation timestamp.\n - Use the following KQL example, replacing `` with the value from `google_workspace.admin.role.name`:\n ```\n data_stream.dataset: \"google_workspace.admin\" and event.action: \"ASSIGN_ROLE\" and google_workspace.admin.role.name: \"\"\n ```\n - Review `user.target.email` and `user.target.name` for user/group assignments.\n - Expand the time range if needed; role assignment may occur shortly after creation or during a later persistence step.\n- Scope for related role activity by searching for:\n - `event.action: ADD_PRIVILEGE` or `event.action: UPDATE_ROLE` filtered on the same `google_workspace.admin.role.name` to identify privilege changes after creation.\n - The same `user.email` (actor) performing other IAM actions such as `ASSIGN_ROLE`, `CREATE_USER`, or security policy changes.\n- Evaluate whether assigned users (or members of assigned groups) performed suspicious activity after receiving the role:\n - Review the last 48 hours of admin/audit events for security control changes, user or group changes, and Gmail configuration changes.\n\n### False positive analysis\n\n- Verify the role creation aligns with approved administrative duties, an authorized change window, and the organization\u2019s access governance process.\n- Confirm the initiating admin account is legitimate and not creating roles from unusual IPs, devices, or locations.\n- Compare the custom role\u2019s privileges against the stated business need; overly broad privileges (for example, Super Admin\u2013equivalent access) warrant closer review even if the creation was authorized.\n\n### Response and remediation\n\n- Initiate the incident response process based on triage findings.\n- If the role is not clearly authorized, delete or disable the custom role and remove any user/group assignments while the investigation proceeds.\n- For suspected compromise of the initiating admin account:\n - Reset credentials, revoke active sessions, enforce MFA re-enrollment, and review delegation/OAuth grants for persistence.\n - Validate recovery email/phone settings and account security posture.\n- Review whether assigned principals require the granted privileges, and replace broad custom roles with narrower delegated roles where feasible.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "data_stream.dataset:google_workspace.admin and event.action:CREATE_ROLE\n", + "references": [ + "https://support.google.com/a/answer/2406043?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Persistence", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 211 + }, + "id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be_211", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aed4b9d5-f853-40cf-8489-4fdcff03e272_1.json b/packages/security_detection_engine/kibana/security_rule/aed4b9d5-f853-40cf-8489-4fdcff03e272_1.json new file mode 100644 index 00000000000..b0004825ad2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aed4b9d5-f853-40cf-8489-4fdcff03e272_1.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when access to an Amazon Bedrock foundation model is enabled at the account level, either by granting a foundation-model entitlement, submitting a use case for model access, or creating a foundation-model agreement (accepting the EULA). These account-level \"model access\" actions unlock a foundation model so that it can subsequently be invoked. Adversaries or a compromised principal may enable model access to abuse expensive models (LLMjacking), to establish a durable ability to invoke models within the account, or to bypass organizational controls. This activity is distinct from changes to a resource-based model invocation policy and is identified by the Bedrock control-plane API calls that grant model entitlements and agreements.", + "false_positives": [ + "Cloud administrators and machine-learning teams routinely enable model access, submit use cases, and accept model end-user license agreements (EULAs) during account onboarding or when adopting a new foundation model. Verify that the principal, source IP, and user agent are expected and that the change aligns with a known onboarding or provisioning activity before escalating. If this activity is expected and authorized for specific principals, consider adding exceptions for those users or roles." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Bedrock Foundation Model Access Enabled or Entitlement Granted", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS Bedrock Foundation Model Access Enabled or Entitlement Granted\n\nAmazon Bedrock exposes account-level \"model access\" controls that determine which foundation models a principal is allowed to invoke. Granting an entitlement (`PutFoundationModelEntitlement`), submitting a use case for model access (`PutUseCaseForModelAccess`), or creating a foundation-model agreement (`CreateFoundationModelAgreement`, which accepts the model EULA) all unlock a model for subsequent `InvokeModel`/`InvokeModelWithResponseStream` calls.\n\nAdversaries who gain access to a privileged principal may enable model access to abuse high-cost models (LLMjacking), to maintain a durable capability to invoke models, or to circumvent organizational guardrails on which models are usable.\n\nThis rule detects successful Bedrock control-plane API calls that enable model access at the account level. It is distinct from changes to a resource-based model invocation policy.\n\n### Possible investigation steps\n\n- Identify the principal by reviewing `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`, and determine whether the identity is a human user, role, or service account that is expected to manage Bedrock model access.\n- Review `event.action` to determine which model-access action was taken, and examine `aws.cloudtrail.request_parameters` to identify the specific foundation model, model ID, or use case involved.\n- Verify the `source.ip` and `user_agent.original` of the request. Console-driven onboarding differs from programmatic SDK/CLI calls; an unexpected IP, geolocation, or automation user agent is suspicious.\n- Confirm the `cloud.account.id` and `cloud.region` are expected for Bedrock usage in your environment, and whether model access is normally enabled in that region.\n- Correlate with recent activity from the same principal, such as new access key creation, IAM permission changes, or other Bedrock control-plane calls, to determine whether this is part of a broader compromise.\n- Check for subsequent `InvokeModel`/`InvokeModelWithResponseStream` activity from the same principal or account, especially high-volume invocations that could indicate model abuse (LLMjacking).\n- Contact the resource owner to confirm whether enabling this model access was planned and authorized.\n\n### False positive analysis\n\n- Legitimate administrators and ML teams enable model access and accept EULAs during account onboarding or when adopting new foundation models. Validate the change against change-management records and known provisioning workflows.\n- Infrastructure-as-code or automation pipelines may enable model access programmatically; confirm the automation identity and source are expected.\n\n### Response and remediation\n\n- If the activity is unauthorized, revoke the model entitlement/agreement and remove model access for the affected model.\n- Disable or rotate the credentials (`aws.cloudtrail.user_identity.access_key_id`) associated with the principal that performed the action.\n- Review and constrain IAM permissions so that only approved principals can call Bedrock model-access APIs.\n- Investigate for any model invocations that occurred after access was granted and assess potential cost impact and data exposure.\n- Implement preventative guardrails (SCPs, IAM conditions) to limit which principals and models can be enabled, and add monitoring for Bedrock control-plane changes.\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"bedrock.amazonaws.com\"\n and event.action: (\n \"PutFoundationModelEntitlement\" or\n \"PutUseCaseForModelAccess\" or\n \"CreateFoundationModelAgreement\"\n )\n and event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_PutFoundationModelEntitlement.html", + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_PutUseCaseForModelAccess.html", + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_CreateFoundationModelAgreement.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "aed4b9d5-f853-40cf-8489-4fdcff03e272", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: LLM", + "Data Source: AWS", + "Data Source: AWS CloudTrail", + "Data Source: Amazon Web Services", + "Data Source: Amazon Bedrock", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "aed4b9d5-f853-40cf-8489-4fdcff03e272_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b2f0ea08-2b60-4a2d-93d7-fe996a30031a_2.json b/packages/security_detection_engine/kibana/security_rule/b2f0ea08-2b60-4a2d-93d7-fe996a30031a_2.json new file mode 100644 index 00000000000..49cd79f9124 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b2f0ea08-2b60-4a2d-93d7-fe996a30031a_2.json @@ -0,0 +1,189 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule leverages the \"new_terms\" rule type to detect unusual child process executions originating from web server processes on Linux systems. Attackers may exploit web servers to maintain persistence on a compromised system, often resulting in atypical child process executions. As child process spawns from web server parent processes are common, the \"new_terms\" rule type approach helps identify deviations from normal behavior.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.process*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Unusual Child Execution via Web Server", + "new_terms_fields": [ + "process.command_line", + "host.id", + "process.executable" + ], + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Child Execution via Web Server\n\nThis alert flags a Linux web service starting a child program it does not normally launch, which can reveal a compromised application server being used for persistence or follow-on actions. A common pattern is an attacker exploiting a web app bug, then making nginx, Apache, or a Python app server spawn a shell or script interpreter that downloads tools, runs system commands, or installs a backdoor under the web service context.\n\n### Possible investigation steps\n\n- Review the full parent-to-descendant execution chain to determine whether the web service launched a shell, interpreter, downloader, or archive utility that then executed additional payloads.\n- Correlate the process start time with web access, error, reverse-proxy, and WAF logs to identify the triggering request, source IP, requested path, upload activity, and signs of exploitation such as command injection or remote file inclusion.\n- Determine whether the spawned program is part of a legitimate deployment or maintenance task by validating its file path, package ownership, hash, modification time, deployment records, and recent change windows.\n- Examine activity under the web service account around the alert for suspicious file writes, new scheduled tasks or service entries, privilege escalation attempts, credential access, and unusual outbound network connections.\n- If the execution is not explained by approved application behavior, contain the affected host or web service, preserve forensic artifacts, remove unauthorized files or persistence mechanisms, rotate exposed secrets, and hunt for the same behavior across other internet-facing servers.\n\n### False positive analysis\n\n- A newly deployed or updated web application may legitimately cause the web server or app server to launch a previously unseen helper binary for application functionality, so verify the child executable path, package ownership, and command line against recent approved deployment or configuration changes.\n- A CGI, FastCGI, or application framework process may spawn a custom maintenance or content-processing program only for specific requests, so confirm the parent-child relationship by correlating the execution time and arguments with the triggering web request and expected application behavior.\n\n### Response and remediation\n\n- Immediately isolate the affected Linux web host or remove it from the load balancer, stop the compromised web service if business impact allows, and block the source IPs and outbound destinations associated with the malicious child process and any follow-on downloads.\n- Preserve forensic evidence and remove persistence by collecting the suspicious executable or script, web-accessible backdoors, recent uploads, cron jobs, systemd service files, rc.local changes, modified SSH authorized_keys entries, and any attacker-created accounts before deleting them.\n- Terminate all attacker-controlled processes spawned by the web service, then delete dropped payloads and staging files from locations such as /tmp, /var/tmp, /dev/shm, and the web root, and revert any unauthorized permission, sudoers, or startup changes used to maintain execution.\n- Restore the application and host to a known-good state by rebuilding from a trusted image or clean backup, redeploying verified packages and web content, rotating credentials and tokens exposed on the server, and confirming no unauthorized binaries or modified files remain.\n- Escalate to incident response immediately if the web child process launched a shell or interpreter, established outbound command-and-control traffic, modified authentication material, moved laterally, or if sensitive data, production secrets, or customer-facing systems may have been exposed.\n- Harden the environment by patching the exploited web component, disabling unnecessary script execution from upload and web content directories, enforcing least privilege for the web service account, restricting outbound network access, and expanding monitoring for similar child-process launches and persistence artifacts across peer web servers.\n\n", + "query": "event.category:process and host.os.type:linux and event.type:start and event.action:exec and (\n process.parent.name:(\n apache2 or asterisk or caddy or daphne or flask or frankenphp or httpd or httpd.worker or\n lswsctrl or mongrel_rails or nginx or php-cgi or php-cgi.cagefs or php-fcgi or starman or\n sw-engine-fpm or uvicorn or uwsgi or varnishd or waitress-serve or zabbix_server or *.cgi\n or *.fcgi or gunicorn* or php-fpm*\n ) or\n process.parent.name:ruby* and process.parent.command_line:(*passenger* or *puma* or *rails*) or\n process.parent.name:python* and process.parent.command_line:(\n *app.py* or *asgi.py* or *django* or *flask* or *hypercorn* or *server.py* or *uvicorn* or *wsgi.py*\n ) or\n process.parent.name:perl* and process.parent.command_line:*plackup* or\n process.parent.name:java and process.parent.args:(\n com.atlassian.jira.startup.Launcher or com.caucho.server.resin.Resin or com.google.gerrit.pgm.Daemon or\n com.ibm.ws.kernel.boot.cmdline.Bootstrap or com.ibm.ws.runtime.WsServer or\n com.sun.enterprise.glassfish.bootstrap.ASMain or io.dropwizard.cli.ServerCommand or\n io.helidon.microprofile.server.Main or io.micronaut.runtime.Micronaut or io.quarkus.runner.GeneratedMain or\n io.vertx.core.Launcher or org.apache.catalina.startup.Bootstrap or org.eclipse.jetty.start.Main or\n org.elasticsearch.bootstrap.Elasticsearch or org.jboss.modules.Main or play.core.server.ProdServerStart or\n weblogic.Server or *-Dsolr.solr.home=* or *BitbucketServerLauncher* or *jenkins.war* or *quarkus-run.jar* or\n *weblogic-launcher.jar* or -Dcatalina.base=* or -Djboss.home.dir=* or -Djetty.home=* or -Dweblogic.Name=* or\n io.helidon.webserver* or org.apereo.cas* or org.keycloak* or org.springframework.boot.loader.*\n )\n) and\nprocess.executable:* and process.command_line:* and\nnot (\n process.name:(\n arp or aws or az or base16 or base32 or base64 or base64mime or base64pem or base64plain or base64url or\n basenc or basez or bash or busybox or cat or chmod or chpasswd or cp or crictl or csh or ctr or curl or dash or\n df or dig or docker or du or fish or gcloud or helm or host or htop or ifconfig or ip or ksh or kubectl or ln or\n lsblk or lsof or ltrace or mkdir or mksh or mv or nc or nc.openbsd or nc.traditional or ncat or netcat or ngrok or\n nmap or nslookup or openssl or passwd or rm or sh or socat or ss or strace or sudo or tcpdump or tcsh or telnet or\n top or touch or traceroute or wget or whoami or xxd or zsh or *.bin or *.elf or *.jar or *.lua* or *.mjs or\n *.js or *.php* or *.pl or *.py or *.rb or *.sh or .*\n ) or\n process.executable:(\n ./* or /boot/* or /dev/shm/* or /home/*/* or /lost+found/* or /proc/* or /root/* or /run/* or /sys/* or /tmp/* or\n /var/mail/* or /var/run/* or /var/tmp/* or /var/www/* or \"/usr/bin/ffprobe\" or \"/usr/bin/ffmpeg\"\n ) or\n process.parent.name:java and not process.parent.executable:/u0*/* or\n process.working_directory:(/u0*/*/sysman/emd or /u0*/app/oracle/product/*/db_* or /u0*/app/oracle/product/*/dbhome_* or /var/www/*edoc*) or\n process.args:(/usr/bin/rsvg-convert* or /usr/local/bin/wkhtmltopdf*) or\n process.command_line:*/opt/sc/bin/showvulns*\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b2f0ea08-2b60-4a2d-93d7-fe996a30031a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "Domain: Web", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "b2f0ea08-2b60-4a2d-93d7-fe996a30031a_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b4a80990-e028-4792-83eb-09e59959059f_1.json b/packages/security_detection_engine/kibana/security_rule/b4a80990-e028-4792-83eb-09e59959059f_1.json new file mode 100644 index 00000000000..3824c8ea8dd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b4a80990-e028-4792-83eb-09e59959059f_1.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or update of a managed Azure Run Command resource (\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE\" or the virtual machine scale set equivalent) by an identity that has not performed this operation recently. Unlike the action-based Run Command (\"runCommand/action\"), the managed Run Command is a persistent resource on the VM whose creation or update executes the supplied script as System (Windows) or root (Linux). Because creating a managed run command both executes code and leaves a durable object, adversaries can use it as an alternative to the action invocation to evade detections that only watch \"runCommand/action\". Alerting on the first time a given principal performs this operation surfaces unusual or unauthorized use while suppressing routine automation that repeatedly manages the same run commands.", + "false_positives": [ + "Infrastructure-as-code, configuration management, and patching automation may create or update managed run commands. The first occurrence per principal will alert; baseline expected service principals, managed identities, and admin users and exclude them if the activity is verified as authorized." + ], + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-azure.activitylogs-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "event.outcome", + "azure.activitylogs.operation_name", + "azure.activitylogs.identity.authorization.evidence.principal_id", + "azure.activitylogs.identity.authorization.evidence.principal_type", + "azure.activitylogs.identity.claims.appid", + "azure.activitylogs.identity.claims_initiated_by_user.name", + "azure.resource.id", + "azure.resource.name", + "source.ip", + "source.geo.country_name", + "source.as.organization.name", + "azure.subscription_id", + "azure.activitylogs.tenant_id" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure VM Managed Run Command Created or Updated with Unusual Principal", + "new_terms_fields": [ + "azure.activitylogs.identity.authorization.evidence.principal_id" + ], + "note": "## Triage and analysis\n\n### Investigating Azure VM Managed Run Command Created or Updated with Unusual Principal\n\nThe managed Run Command (`runCommands/write`) creates or updates a persistent run command resource on a VM or VM scale\nset. Creating the resource executes the supplied script as SYSTEM (Windows) or root (Linux). This rule uses a new terms\napproach keyed on the acting principal, so it fires the first time a given identity performs this operation within the\nhistory window.\n\n### Triage checklist\n\n- Identify the acting principal via `azure.activitylogs.identity.authorization.evidence.principal_id` and\n `azure.activitylogs.identity.authorization.evidence.principal_type` (User vs ServicePrincipal). Service principal or\n managed identity activity is more suspicious than a known admin user.\n- Is the source IP/ASN consistent with corporate infrastructure or a known VPN?\n- Inspect `azure.resource.id` for the target VM/VMSS and the run command resource name. Attacker-created names are often\n random or descriptive of intent.\n- Did the same principal recently perform reconnaissance, role assignments, or other VM operations\n (`runCommand/action`, `extensions/write`, serial console connect)?\n- Correlate with endpoint telemetry on the target host: process activity parented by the Azure guest agent\n (`WaAppAgent.exe` / `walinuxagent`) within ~120 seconds of the write timestamp.\n\n### Possible investigation steps\n\n- Review the principal's Entra ID sign-in logs and RBAC role assignments on the subscription, resource group, and VM.\n- Retrieve the run command script content from the VM (the activity log does not contain the script body) to assess\n intent.\n- Pivot on the VM for credential access, new local accounts, or outbound C2 connections following execution.\n\n### Response and remediation\n\n- If unauthorized, delete the managed run command resource, isolate the VM, rotate credentials reachable from it, and\n review RBAC on the affected scope.\n- Collect endpoint and activity log artifacts per incident procedures.\n", + "query": "data_stream.dataset:azure.activitylogs and\n event.action:(\n \"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE\" or\n \"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMANDS/WRITE\"\n ) and event.outcome:(success or Success) and\n azure.activitylogs.identity.authorization.evidence.principal_id: *\n", + "references": [ + "https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/", + "https://learn.microsoft.com/en-us/azure/virtual-machines/windows/run-command-managed", + "https://hackingthe.cloud/azure/run-command-abuse/", + "https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors", + "https://www.sysdig.com/blog/the-expendable-extension-name-azure-vmaccess-naming-chaos-password-resets-and-a-detection-gap" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.identity.authorization.evidence.principal_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b4a80990-e028-4792-83eb-09e59959059f", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Endpoint", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1651", + "name": "Cloud Administration Command", + "reference": "https://attack.mitre.org/techniques/T1651/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "b4a80990-e028-4792-83eb-09e59959059f_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b4c8e2a1-9f3d-4e7c-a2b1-0d5e6f7a8b9c_2.json b/packages/security_detection_engine/kibana/security_rule/b4c8e2a1-9f3d-4e7c-a2b1-0d5e6f7a8b9c_2.json index 7d7dd3bcab8..7ce244896a7 100644 --- a/packages/security_detection_engine/kibana/security_rule/b4c8e2a1-9f3d-4e7c-a2b1-0d5e6f7a8b9c_2.json +++ b/packages/security_detection_engine/kibana/security_rule/b4c8e2a1-9f3d-4e7c-a2b1-0d5e6f7a8b9c_2.json @@ -16,7 +16,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_9.json b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_9.json deleted file mode 100644 index cc5e435f008..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_9.json +++ /dev/null @@ -1,103 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.process*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Privilege Escalation via OverlayFS", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Privilege Escalation via OverlayFS\n\nOverlayFS is a union filesystem used in Linux environments to overlay one filesystem on top of another, allowing for efficient file management and updates. Adversaries exploit vulnerabilities in Ubuntu's OverlayFS modifications to execute crafted executables that escalate privileges to root. The detection rule identifies suspicious sequences involving the 'unshare' command with specific arguments and subsequent UID changes to root, indicating potential exploitation attempts.\n\n### Possible investigation steps\n\n- Review the alert details to confirm the presence of the 'unshare' command with the specific arguments '-r', '-rm', 'm', and '*cap_setuid*' as indicated in the query. This will help verify if the command execution aligns with the known exploitation pattern.\n- Check the process tree and parent process information using the process.parent.entity_id to understand the context in which the 'unshare' command was executed. This can provide insights into whether the command was part of a legitimate operation or a potential attack.\n- Investigate the user account associated with the process execution (user.id != \"0\") to determine if the account has a history of suspicious activity or if it has been compromised.\n- Examine the host.id and host.os.type fields to identify the specific Linux host involved and assess its vulnerability status regarding CVE-2023-2640 and CVE-2023-32629. This can help determine if the host is susceptible to the exploitation attempt.\n- Analyze any subsequent UID changes to root (user.id == \"0\") to confirm if the privilege escalation was successful and identify any unauthorized access or actions taken by the elevated process.\n- Review system logs and other security alerts around the time of the event to identify any additional indicators of compromise or related suspicious activities that might corroborate the exploitation attempt.\n\n### False positive analysis\n\n- Legitimate administrative tasks using the 'unshare' command with similar arguments may trigger the rule. Review the context of the command execution and verify if it aligns with routine system maintenance or configuration changes.\n- Automated scripts or system management tools that utilize 'unshare' for containerization or namespace isolation might cause false positives. Identify these scripts and consider excluding their specific process names or paths from the rule.\n- Development environments where developers frequently test applications with elevated privileges could inadvertently match the rule criteria. Implement user-based exceptions for known developer accounts to reduce noise.\n- Security tools or monitoring solutions that simulate privilege escalation scenarios for testing purposes may be flagged. Whitelist these tools by their process hash or signature to prevent unnecessary alerts.\n- Custom applications that require temporary privilege elevation for legitimate operations should be reviewed. If deemed safe, add these applications to an exception list based on their unique identifiers.\n\n### Response and remediation\n\n- Immediately isolate the affected host from the network to prevent further exploitation or lateral movement by the adversary.\n- Terminate any suspicious processes identified by the detection rule, particularly those involving the 'unshare' command with the specified arguments.\n- Conduct a thorough review of user accounts and privileges on the affected system to ensure no unauthorized changes have been made, especially focusing on accounts with root access.\n- Apply the latest security patches and updates to the affected system, specifically addressing CVE-2023-2640 and CVE-2023-32629, to mitigate the vulnerability in OverlayFS.\n- Monitor for any further attempts to exploit the vulnerability by setting up alerts for similar sequences of commands and UID changes.\n- Escalate the incident to the security operations team for a detailed forensic analysis to understand the scope and impact of the exploitation attempt.\n- Implement additional security measures, such as enhanced logging and monitoring, to detect and respond to privilege escalation attempts more effectively in the future.", - "query": "sequence by process.parent.entity_id, host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name == \"unshare\" and process.args : (\"-r\", \"-rm\", \"m\") and process.args : \"*cap_setuid*\" and user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and\n user.id == \"0\"]\n", - "references": [ - "https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability", - "https://twitter.com/liadeliyahu/status/1684841527959273472" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "b51dbc92-84e2-4af1-ba47-65183fcd0c57", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "type": "eql", - "version": 9 - }, - "id": "b51dbc92-84e2-4af1-ba47-65183fcd0c57_9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8c7d6e5-f4a3-4b2c-9d8e-7f6a5b4c3d2e_1.json b/packages/security_detection_engine/kibana/security_rule/b8c7d6e5-f4a3-4b2c-9d8e-7f6a5b4c3d2e_1.json index 12bed1d65b3..a7432d330ff 100644 --- a/packages/security_detection_engine/kibana/security_rule/b8c7d6e5-f4a3-4b2c-9d8e-7f6a5b4c3d2e_1.json +++ b/packages/security_detection_engine/kibana/security_rule/b8c7d6e5-f4a3-4b2c-9d8e-7f6a5b4c3d2e_1.json @@ -26,10 +26,6 @@ "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html" ], "related_integrations": [ - { - "package": "aws", - "version": "^4.0.0" - }, { "integration": "cloudtrail", "package": "aws", diff --git a/packages/security_detection_engine/kibana/security_rule/bb3ac0e3-2c9c-4069-a26d-75ca6a6e547b_1.json b/packages/security_detection_engine/kibana/security_rule/bb3ac0e3-2c9c-4069-a26d-75ca6a6e547b_1.json new file mode 100644 index 00000000000..efd0d642106 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bb3ac0e3-2c9c-4069-a26d-75ca6a6e547b_1.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an AWS Lambda function. Deleting a function removes its code, configuration, versions, and aliases. Adversaries may delete functions to disrupt business operations and automated workflows, to destroy attacker-deployed backdoors and remove evidence after achieving their objective, or to inhibit incident response. Because function deletion is destructive and often irreversible without redeployment, deletions performed by unexpected principals or outside change windows should be reviewed.", + "false_positives": [ + "Lambda functions are routinely deleted during application decommissioning, environment teardown, and infrastructure-as-code apply/destroy cycles. Verify whether the principal in `aws.cloudtrail.user_identity.arn` and the deleted function are expected for the workload, and whether the change aligns with an approved maintenance or deployment window. Known deployment roles and automation can be excluded after validation." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "interval": "5m", + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.user_identity.session_context.session_issuer.arn", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Lambda Function Deletion", + "note": "## Triage and analysis\n\n### Investigating AWS Lambda Function Deletion\n\nDeleting an AWS Lambda function removes its code, configuration, published versions, and aliases. This can be a destructive action that disrupts serverless workloads and automation, or a cleanup step an adversary uses to remove a backdoor function and erase evidence after their objective is met.\n\nThis rule detects successful `DeleteFunction` calls. Investigate whether the principal and the deleted function are expected, and whether the deletion correlates with other suspicious activity.\n\n#### Possible investigation steps\n\n- Identify the actor in `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type`, and review `source.ip` and `user_agent.original` to determine how the deletion was performed (console, CLI, SDK, automation).\n- Inspect `aws.cloudtrail.request_parameters` for the `functionName` and map it to its application, owner, and environment (prod, staging, dev).\n- Determine whether the deletion aligns with an approved change, decommissioning, or infrastructure-as-code destroy operation by comparing `@timestamp` against deployment and change-management records.\n- Correlate with recent activity by the same principal or access key, such as `CreateFunction`, `UpdateFunctionCode`, `AddPermission`, `CreateEventSourceMapping`, log-group deletions, or other destructive or evasive actions.\n- Verify whether multiple functions were deleted in a short window, which may indicate broad disruption rather than a single planned change.\n\n### False positive analysis\n\n- Function deletions are common during decommissioning and infrastructure-as-code apply/destroy cycles. Deletions by approved deployment roles, CI/CD pipelines, or platform automation are expected. Tune on `aws.cloudtrail.user_identity.arn`, `user_agent.original`, or known automation roles after validation.\n\n### Response and remediation\n\n- If the deletion is unauthorized, restore the function from source control or an infrastructure-as-code definition and confirm its code, configuration, and execution role match a known-good state.\n- Review CloudTrail for related destructive or evasive actions by the same actor and assess operational impact.\n- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `lambda:DeleteFunction` to a small set of trusted roles.\n\n### Additional information\n\n- [DeleteFunction API](https://docs.aws.amazon.com/lambda/latest/api/API_DeleteFunction.html)\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"lambda.amazonaws.com\"\n and event.action: (DeleteFunction or DeleteFunction20*)\n and event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/lambda/latest/api/API_DeleteFunction.html", + "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "bb3ac0e3-2c9c-4069-a26d-75ca6a6e547b", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Lambda", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + }, + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "bb3ac0e3-2c9c-4069-a26d-75ca6a6e547b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bcf0e362-0a2f-4f5e-9dd8-0d34f901781f_5.json b/packages/security_detection_engine/kibana/security_rule/bcf0e362-0a2f-4f5e-9dd8-0d34f901781f_5.json index 17f3f2912f1..3d3b53baee8 100644 --- a/packages/security_detection_engine/kibana/security_rule/bcf0e362-0a2f-4f5e-9dd8-0d34f901781f_5.json +++ b/packages/security_detection_engine/kibana/security_rule/bcf0e362-0a2f-4f5e-9dd8-0d34f901781f_5.json @@ -22,7 +22,7 @@ "related_integrations": [ { "package": "azure", - "version": "^1.0.0" + "version": "^1.4.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/be70614d-4295-473c-a953-582aef41c865_8.json b/packages/security_detection_engine/kibana/security_rule/be70614d-4295-473c-a953-582aef41c865_8.json new file mode 100644 index 00000000000..32a8de0f356 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/be70614d-4295-473c-a953-582aef41c865_8.json @@ -0,0 +1,155 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of curl to upload files to an internet server. Threat actors often will collect and exfiltrate data on a system to their C2 server for review. Many threat actors have been observed using curl to upload the collected data. Use of curl in this way, while not inherently malicious, should be considered highly abnormal and suspicious activity.", + "from": "now-9m", + "index": [ + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Data Exfiltration Through Curl", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Data Exfiltration Through Curl\n\nCurl is a command-line tool used for transferring data with URLs, commonly employed for legitimate data exchange tasks. However, adversaries can exploit curl to exfiltrate sensitive data by uploading compressed files to remote servers. The detection rule identifies suspicious curl usage by monitoring for specific command patterns and arguments indicative of data uploads, flagging abnormal activities for further investigation.\n\n### Possible investigation steps\n\n- Review the process command line to confirm the presence of suspicious arguments such as \"-F\", \"-T\", \"-d\", or \"--data*\" and check for any compressed file extensions like .zip, .gz, or .tgz being uploaded to an external server.\n- Investigate the parent process of the curl command to understand the context in which curl was executed, including the parent executable and its purpose.\n- Examine network logs to identify the destination IP address or domain to which the data was being uploaded, and assess whether it is a known or suspicious entity.\n- Check for any recent file creation or modification events on the host that match the compressed file types mentioned in the query, which could indicate data collection prior to exfiltration.\n- Correlate this event with other security alerts or logs from the same host to identify any patterns of behavior that might suggest a broader compromise or data exfiltration attempt.\n\n### False positive analysis\n\n- Legitimate data transfers using curl for system backups or data synchronization can trigger the rule. To manage this, identify and whitelist specific processes or scripts that are known to perform these tasks regularly.\n- Automated system updates or software installations that use curl to download and upload data might be flagged. Exclude these processes by verifying their source and adding them to an exception list if they are from trusted vendors.\n- Internal data transfers within a secure network that use curl for efficiency can be mistaken for exfiltration. Monitor the destination IP addresses and exclude those that are internal or known safe endpoints.\n- Developers or system administrators using curl for testing or development purposes may inadvertently trigger the rule. Educate these users on the potential alerts and establish a process for them to notify security teams of their activities to prevent unnecessary investigations.\n- Scheduled tasks or cron jobs that use curl for routine data uploads should be reviewed and, if deemed safe, added to an exception list to avoid repeated false positives.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further data exfiltration and contain the threat.\n- Terminate any suspicious curl processes identified by the detection rule to stop ongoing data transfers.\n- Conduct a forensic analysis of the affected system to identify any additional malicious activities or compromised data.\n- Change credentials and access keys that may have been exposed or used during the incident to prevent unauthorized access.\n- Notify the security operations team and relevant stakeholders about the incident for awareness and further action.\n- Review and update firewall and network security rules to block unauthorized outbound traffic, especially to suspicious or unknown external servers.\n- Implement enhanced monitoring and logging for curl usage and similar data transfer tools to detect and respond to future exfiltration attempts promptly.\n", + "query": "process where event.type == \"start\" and \nevent.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"executed\", \"process_started\") and\nprocess.name : (\"curl\", \"curl.exe\") and \n(\n process.args in (\"-T\", \"--upload-file\") or\n (\n (process.args in (\"-F\", \"-d\", \"--form\") or process.args like \"--data*\") and process.command_line like \"*@*\"\n )\n) and\n(\n process.command_line like (\"*http:*\", \"*https:*\", \"*ftp:*\", \"*ftps:*\") or\n process.command_line regex \".*[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}.*\"\n) and \nnot (\n process.args : (\n \"https://*/ap/fleet/*\", \"https://*/api/saved_objects/*\", \"http*localhost:*\", \"http*127.0.0.*\", \"*ApiKey*\", \"http*.us-central1.run.app/*\",\n \"*Authorization*\", \"*session.id*\", \"http*.elastic-cloud.com*\", \"http*.elastic.dev*\", \"http*.elastic.cloud*\", \"http*.aws.found.io*\",\n \"http*.gcp.cloud.es.io*\", \"http*.cisco.com/api/*\", \"-u\", \"http://192.168*\"\n ) or\n process.parent.executable in (\"/usr/bin/clevis-decrypt-tang\", \"/bin/clevis-decrypt-tang\") or\n (\n process.working_directory == \"/home/oracle\" and\n process.args == \"--trace\" and\n process.parent.executable like \"/home/oracle/retina/vvaa-*-oracle/app/*.sh\"\n ) or\n (\n process.working_directory == \"/home/service/common/system.check\" and\n process.parent.command_line == \"/bin/bash ./check.sh\"\n ) or\n (\n process.parent.executable == \"C:\\\\Windows\\\\SysWOW64\\\\cmd.exe\" and\n process.parent.args like \"?:\\\\*\\\\temp-app\\\\caller_batch_*.bat\"\n ) or\n (\n process.parent.executable == \"/opt/rudder/share/commands/agent-run\" and\n process.parent.command_line == \"/bin/sh /opt/rudder/share/commands/agent-run -uRN\" and\n process.args like \"/var/rudder/reports/ready/*\"\n ) or\n (\n process.parent.executable like \"/var/lib/docker/overlay2/*/merged/usr/bin/bash\" and\n process.parent.command_line like \"bash /home/*/old/scripts/crawler.sh start\"\n )\n)\n", + "references": [ + "https://everything.curl.dev/usingcurl/uploads", + "https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign?hl=en" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "be70614d-4295-473c-a953-582aef41c865", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Sysmon", + "Data Source: Auditd Manager", + "Data Source: Windows Security Event Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/", + "subtechnique": [ + { + "id": "T1048.001", + "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/001/" + }, + { + "id": "T1048.003", + "name": "Exfiltration Over Unencrypted Non-C2 Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "be70614d-4295-473c-a953-582aef41c865_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c07f7898-5dc3-11f0-9f27-f661ea17fbcd_9.json b/packages/security_detection_engine/kibana/security_rule/c07f7898-5dc3-11f0-9f27-f661ea17fbcd_9.json index 2f2dbd097a7..58ba51ee9de 100644 --- a/packages/security_detection_engine/kibana/security_rule/c07f7898-5dc3-11f0-9f27-f661ea17fbcd_9.json +++ b/packages/security_detection_engine/kibana/security_rule/c07f7898-5dc3-11f0-9f27-f661ea17fbcd_9.json @@ -20,10 +20,6 @@ "https://www.inversecos.com/2022/05/detection-and-compromise-azure-key.html" ], "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - }, { "integration": "platformlogs", "package": "azure", diff --git a/packages/security_detection_engine/kibana/security_rule/c2a91e88-4f4b-4e1d-9c7b-8fde112a9403_2.json b/packages/security_detection_engine/kibana/security_rule/c2a91e88-4f4b-4e1d-9c7b-8fde112a9403_2.json index 653fd4161b4..266e0c06949 100644 --- a/packages/security_detection_engine/kibana/security_rule/c2a91e88-4f4b-4e1d-9c7b-8fde112a9403_2.json +++ b/packages/security_detection_engine/kibana/security_rule/c2a91e88-4f4b-4e1d-9c7b-8fde112a9403_2.json @@ -18,7 +18,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/c435defe-8438-4d5a-b4d0-86ab0faf9a49_1.json b/packages/security_detection_engine/kibana/security_rule/c435defe-8438-4d5a-b4d0-86ab0faf9a49_1.json new file mode 100644 index 00000000000..1221eae2914 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c435defe-8438-4d5a-b4d0-86ab0faf9a49_1.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an AWS Bedrock custom model is imported or deployed, or when a marketplace model endpoint is created or registered, via the CreateModelImportJob, CreateCustomModelDeployment, CreateMarketplaceModelEndpoint, or RegisterMarketplaceModelEndpoint API calls. These actions introduce a model artifact from outside the organization's trusted training and approval pipeline. A backdoored, poisoned, or attacker-supplied model that downstream applications subsequently invoke represents a software supply-chain compromise. New model imports and marketplace endpoint registrations should be validated for artifact provenance (S3 source ownership), the registering identity, and whether the model originates from an approved internal pipeline.", + "false_positives": [ + "Machine learning engineers, MLOps automation, or platform teams may legitimately import custom models or stand up marketplace model endpoints as part of normal model lifecycle operations. Verify whether the user identity, user agent, source IP, and model artifact source (S3 location) are expected for your environment. Imports performed by approved CI/CD or IaC pipelines can be exempted from this rule. Activity from unfamiliar identities or untrusted artifact sources should be investigated." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.provider", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.flattened.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Bedrock Untrusted Model Imported or Marketplace Endpoint Registered", + "note": "## Triage and analysis\n\n### Investigating AWS Bedrock Untrusted Model Imported or Marketplace Endpoint Registered\n\nAmazon Bedrock allows organizations to import custom models, deploy them, and register marketplace model endpoints for inference. Each of these paths introduces a model artifact that did not necessarily originate from the organization's trusted training and approval pipeline. Adversaries who can import a backdoored or poisoned model \u2014 or register an untrusted marketplace endpoint \u2014 can influence the output of any downstream application that invokes that model, constituting a supply-chain compromise. This detection identifies `CreateModelImportJob`, `CreateCustomModelDeployment`, `CreateMarketplaceModelEndpoint`, and `RegisterMarketplaceModelEndpoint` calls so responders can verify model provenance before the model is trusted for inference.\n\n#### Possible investigation steps\n\n- **Identify the actor and context**\n - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, `aws.cloudtrail.user_identity.access_key_id`, `user_agent.original`, and `source.ip`.\n - Confirm whether a related change request or model onboarding ticket exists.\n - Determine if the identity is an approved ML/MLOps role or automation principal.\n- **Validate the model artifact source**\n - In `aws.cloudtrail.flattened.request_parameters`, review the model source location (e.g., the S3 URI for an import job) and confirm the bucket belongs to your organization and is not attacker-controlled.\n - For marketplace endpoints, confirm the model package ARN / product corresponds to an approved vendor.\n- **Correlate activity**\n - Look for subsequent `InvokeModel` / `InvokeModelWithResponseStream` activity targeting the new model or endpoint.\n - Check for prior enumeration such as `ListFoundationModels`, `ListCustomModels`, or `ListImportedModels`.\n - Review other recent actions by the same identity for signs of broader compromise.\n\n### False positive analysis\n- **Planned model onboarding**: ML teams routinely import models and register endpoints. Validate against a ticket and confirm the artifact source.\n- **Automation**: IaC or MLOps pipelines may create these resources during deployment. Confirm the source IP and ARN match expected automation infrastructure.\n\n### Response and remediation\n- **If unauthorized**\n - Delete or disable the imported model, custom model deployment, or marketplace endpoint.\n - Prevent downstream applications from invoking the untrusted model until provenance is established.\n - Disable the access key in `aws.cloudtrail.user_identity.access_key_id` and rotate credentials if compromise is suspected.\n - Audit the S3 source bucket for tampering and review the model artifact for backdoors.\n- **Hardening**\n - Restrict `bedrock:CreateModelImportJob`, `bedrock:CreateCustomModelDeployment`, and marketplace endpoint creation/registration permissions to approved roles.\n - Enforce that model artifacts originate only from organization-owned, controlled S3 locations.\n\n### Additional information\n\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"bedrock.amazonaws.com\"\n and event.action: (\n \"CreateModelImportJob\" or\n \"CreateCustomModelDeployment\" or\n \"CreateMarketplaceModelEndpoint\" or\n \"RegisterMarketplaceModelEndpoint\"\n )\n and event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_CreateModelImportJob.html", + "https://docs.aws.amazon.com/bedrock/latest/userguide/model-import.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c435defe-8438-4d5a-b4d0-86ab0faf9a49", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: LLM", + "Data Source: AWS", + "Data Source: AWS CloudTrail", + "Data Source: Amazon Web Services", + "Data Source: Amazon Bedrock", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1525", + "name": "Implant Internal Image", + "reference": "https://attack.mitre.org/techniques/T1525/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "c435defe-8438-4d5a-b4d0-86ab0faf9a49_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c562a800-cf97-464e-9d6f-84db91e86e10_4.json b/packages/security_detection_engine/kibana/security_rule/c562a800-cf97-464e-9d6f-84db91e86e10_4.json index c773c9ca3c0..471c68d49ad 100644 --- a/packages/security_detection_engine/kibana/security_rule/c562a800-cf97-464e-9d6f-84db91e86e10_4.json +++ b/packages/security_detection_engine/kibana/security_rule/c562a800-cf97-464e-9d6f-84db91e86e10_4.json @@ -12,13 +12,13 @@ "note": "## Triage and analysis\n### Investigating Elastic Defend and Email Alerts Correlation\n\nThis rule correlates any Elastic Defend alert with an email security related alert by target user name.\n\n### Possible investigation steps\n- Review the alert details to identify the specific host and users involved.\n- Investigate the individual alerts for the target user name and see if they are related.\n- Review all emails received from Esql.source_user_name and if there are other impacted users.\n- Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context.\n- Assess the impact and scope of the potential compromise by determining if other hosts or systems have similar alerts or related activity.\n\n### False positive analysis\n- Legitimate email marked as suspicious.\n- Legitimate file or behavior marked as suspicious by Elastic Defend.\n- Unrelated alerts where the target user name is too generic.\n\n### Response and remediation\n- Isolate the affected host from the network immediately to prevent further lateral movement by the adversary.\n- Conduct a thorough forensic analysis of the host.\n- Remove any identified malicious software or unauthorized access tools from the host, ensuring all persistence mechanisms are eradicated.\n- Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise.\n- Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns.\n- Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign.", "query": "from logs-endpoint.alerts-*, logs-checkpoint_email.event-* metadata _id\n// Email or Elastic Defend alerts where user name is populated\n| where\n (event.category == \"email\" and event.kind == \"alert\" and destination.user.name is not null) or\n (event.module == \"endpoint\" and data_stream.dataset == \"endpoint.alerts\" and user.name is not null)\n\n// extract target user name from email and endpoint alerts\n| eval email_alert_target_user_name = CASE(event.category == \"email\", destination.user.name, null),\n elastic_defend_alert_user_name = CASE(event.module == \"endpoint\" and data_stream.dataset == \"endpoint.alerts\", user.name, null)\n| eval Esql.target_user_name = COALESCE(email_alert_target_user_name, elastic_defend_alert_user_name)\n| where Esql.target_user_name is not null\n\n// group by Esql.target_user_name\n| stats Esql.alerts_count = COUNT(*),\n Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),\n Esql.event_module_values = VALUES(event.module),\n Esql.message_values = VALUES(message),\n Esql.event_action_values = VALUES(event.action),\n Esql.process_executable_values = VALUES(process.executable),\n Esql.host_id_values = VALUES(host.id),\n Esql.source_user_name = VALUES(source.user.name),\n Esql.rule_name_values = VALUES(rule.name)\n by Esql.target_user_name\n// alert when same user is observed in an endpoint and email alert\n| where Esql.event_module_distinct_count >= 2\n| keep Esql.alerts_count, Esql.event_module_values, Esql.host_id_values, Esql.source_user_name, Esql.target_user_name, Esql.message_values, Esql.rule_name_values, Esql.event_action_values\n", "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, { "package": "checkpoint_email", "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" } ], "risk_score": 73, diff --git a/packages/security_detection_engine/kibana/security_rule/c62733ff-9373-4fdf-9733-3d992e148c93_1.json b/packages/security_detection_engine/kibana/security_rule/c62733ff-9373-4fdf-9733-3d992e148c93_1.json index 1d9692a92b9..e458f947940 100644 --- a/packages/security_detection_engine/kibana/security_rule/c62733ff-9373-4fdf-9733-3d992e148c93_1.json +++ b/packages/security_detection_engine/kibana/security_rule/c62733ff-9373-4fdf-9733-3d992e148c93_1.json @@ -22,7 +22,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_210.json b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_210.json index 182fa10d4eb..b0b47a34072 100644 --- a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_210.json +++ b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_210.json @@ -22,7 +22,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_112.json b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_112.json new file mode 100644 index 00000000000..5c64d062f6f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_112.json @@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.", + "from": "now-9m", + "history_window_start": "now-5d", + "index": [ + "logs-network_traffic.*", + "logs-panw.panos*", + "logs-pfsense.log-*", + "logs-zeek.*", + "logs-corelight.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SMB (Windows File Sharing) Activity to the Internet", + "new_terms_fields": [ + "source.ip" + ], + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating SMB (Windows File Sharing) Activity to the Internet\n\nSMB, a protocol for sharing files and resources within trusted networks, is vulnerable when exposed to the Internet. Adversaries exploit it for unauthorized access or data theft. The detection rule identifies suspicious SMB traffic from internal IPs to external networks, flagging potential threats by monitoring specific ports and excluding known safe IP ranges.\n\n### Possible investigation steps\n\n- Review the source IP address from the alert to identify the internal system initiating the SMB traffic. Check if this IP belongs to a known device or user within the organization.\n- Investigate the destination IP address to determine if it is associated with any known malicious activity or if it belongs to a legitimate external service that might require SMB access.\n- Analyze network logs to identify any patterns or anomalies in the SMB traffic, such as unusual data transfer volumes or repeated access attempts, which could indicate malicious activity.\n- Check for any recent changes or updates on the source system that might explain the SMB traffic, such as new software installations or configuration changes.\n- Correlate the alert with other security events or logs, such as authentication logs or endpoint security alerts, to gather additional context and determine if this is part of a broader attack or isolated incident.\n- Consult threat intelligence sources to see if there are any known vulnerabilities or exploits related to the SMB traffic observed, which could provide insight into potential attack vectors.\n\n### False positive analysis\n\n- Internal testing environments may generate SMB traffic to external IPs for legitimate reasons. Identify and whitelist these IPs to prevent false positives.\n- Cloud services or remote backup solutions might use SMB for data transfer. Verify these services and add their IP ranges to the exception list if they are trusted.\n- VPN connections can sometimes appear as external traffic. Ensure that VPN IP ranges are included in the list of known safe IPs to avoid misclassification.\n- Misconfigured network devices might inadvertently route SMB traffic externally. Regularly audit network configurations and update the rule exceptions to include any legitimate device IPs.\n- Some third-party applications may use SMB for updates or data synchronization. Confirm the legitimacy of these applications and exclude their associated IPs from the detection rule.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Conduct a thorough review of firewall and network configurations to ensure SMB traffic is not allowed to the Internet, and block any unauthorized outbound SMB traffic on ports 139 and 445.\n- Perform a comprehensive scan of the isolated system for malware or unauthorized access tools, focusing on identifying any backdoors or persistence mechanisms.\n- Reset credentials and review access permissions for any accounts that may have been compromised or used in the suspicious activity.\n- Notify the security operations center (SOC) and relevant stakeholders about the incident for further analysis and potential escalation.\n- Implement additional monitoring and logging for SMB traffic to detect any future unauthorized attempts to access the Internet.\n- Review and update security policies and procedures to prevent similar incidents, ensuring that SMB services are only accessible within trusted network segments.", + "query": "(data_stream.dataset:(network_traffic.flow or zeek.smb_cmd or zeek.smb_files or zeek.smb_mapping) or event.category:(network or network_traffic))\n and network.transport:tcp and destination.port:(139 or 445)\n and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n and not destination.ip:(10.0.0.0/8\n or 100.64.0.0/10\n or 127.0.0.0/8\n or 169.254.0.0/16\n or 172.16.0.0/12\n or 192.0.0.0/24\n or 192.0.0.0/29\n or 192.0.0.10/32\n or 192.0.0.170/32\n or 192.0.0.171/32\n or 192.0.0.8/32\n or 192.0.0.9/32\n or 192.0.2.0/24\n or 192.168.0.0/16\n or 192.175.48.0/24\n or 192.31.196.0/24\n or 192.52.193.0/24\n or 192.88.99.0/24\n or 198.18.0.0/15\n or 198.51.100.0/24\n or 203.0.113.0/24\n or 224.0.0.0/4\n or 240.0.0.0/4\n or \"::1\"\n or \"FE80::/10\"\n or \"FF00::/8\")\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "panw", + "version": "^5.0.0" + }, + { + "package": "pfsense", + "version": "^1.0.0" + }, + { + "package": "corelight", + "version": "^1.0.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + }, + { + "package": "zeek", + "version": "^5.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", + "severity": "medium", + "tags": [ + "Tactic: Initial Access", + "Tactic: Exfiltration", + "Domain: Network", + "Use Case: Threat Detection", + "Data Source: Corelight", + "Data Source: PAN-OS", + "Data Source: Network Traffic", + "Data Source: pfSense", + "Data Source: Zeek", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 112 + }, + "id": "c82b2bd8-d701-420c-ba43-f11a155b681a_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca3bcacc-9285-4452-a742-5dae77538f61_8.json b/packages/security_detection_engine/kibana/security_rule/ca3bcacc-9285-4452-a742-5dae77538f61_8.json new file mode 100644 index 00000000000..aec3accc4b5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ca3bcacc-9285-4452-a742-5dae77538f61_8.json @@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects Polkit version discovery activity on Linux systems. Polkit version discovery can be an indication of an attacker attempting to exploit misconfigurations or vulnerabilities in the Polkit service.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Polkit Version Discovery", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Polkit Version Discovery\n\nPolkit, a system service in Linux, manages system-wide privileges, enabling non-privileged processes to communicate with privileged ones. Adversaries may exploit Polkit by discovering its version to identify vulnerabilities or misconfigurations. The detection rule identifies suspicious activities by monitoring specific command executions related to Polkit version checks, signaling potential reconnaissance efforts by attackers.\n\n### Possible investigation steps\n\n- Review the process execution details to confirm the command used for Polkit version discovery, focusing on the process name and arguments such as \"dnf\", \"rpm\", \"apt\", or \"pkaction\".\n- Check the user account associated with the process execution to determine if it is a legitimate user or potentially compromised.\n- Investigate the host from which the command was executed to assess if it has a history of suspicious activities or if it is a high-value target.\n- Correlate the event with other logs or alerts to identify if there are additional indicators of compromise or related reconnaissance activities.\n- Evaluate the necessity and frequency of Polkit version checks in the environment to determine if this behavior is expected or anomalous.\n\n### False positive analysis\n\n- Routine system updates or package management activities may trigger the rule when administrators use package managers like dnf, rpm, or apt to check for updates or verify installed packages. To mitigate this, create exceptions for known administrative scripts or user accounts that regularly perform these actions.\n- Automated system monitoring tools that check software versions for compliance or inventory purposes might also cause false positives. Identify these tools and exclude their processes from triggering the rule.\n- Developers or system administrators testing Polkit configurations or updates might execute version checks as part of their workflow. Consider excluding specific user accounts or process paths associated with development and testing environments.\n- Security audits or vulnerability assessments conducted by internal teams may involve version checks as part of their procedures. Coordinate with these teams to whitelist their activities during scheduled assessments.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent potential lateral movement by the attacker.\n- Terminate any suspicious processes identified in the alert, such as those involving the execution of Polkit version discovery commands.\n- Conduct a thorough review of system logs and command history to identify any unauthorized access or further malicious activities.\n- Apply any available security patches or updates to the Polkit service to address known vulnerabilities.\n- Implement stricter access controls and monitoring on systems running Polkit to prevent unauthorized version checks and other reconnaissance activities.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.\n- Enhance detection capabilities by configuring alerts for similar reconnaissance activities across the network to ensure early detection of potential threats.", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"process_started\", \"executed\") and (\n (process.name == \"dnf\" and process.args == \"dnf\" and process.args == \"info\" and process.args == \"polkit\") or\n (process.name == \"rpm\" and process.args == \"polkit\") or\n (process.name == \"apt\" and process.args == \"show\" and process.args == \"policykit-1\") or\n (process.name == \"pkaction\" and process.args == \"--version\")\n) and\nnot (\n ?process.working_directory in (\"/opt/msp-agent\", \"/opt/CyberCNSAgent\") or\n ?process.parent.executable like (\"/usr/local/cpanel/3rdparty/perl/*/bin/perl\", \"/usr/share/vicarius/topiad\") or\n ?process.entry_leader.executable in (\"/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent\", \"/sf/edr/agent/bin/edr_monitor\") or\n (\n ?process.parent.args == \"/usr/lib/venv-salt-minion/bin/python.original\" and\n ?process.parent.args == \"/usr/lib/venv-salt-minion/bin/salt-minion\"\n )\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entry_leader.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "ca3bcacc-9285-4452-a742-5dae77538f61", + "setup": "## Setup\nThis rule requires data coming in from Elastic Defend.\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Auditd Manager", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + }, + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "ca3bcacc-9285-4452-a742-5dae77538f61_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_213.json b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_213.json new file mode 100644 index 00000000000..f593cfd785d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_213.json @@ -0,0 +1,163 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an administrator disables multi-factor authentication enforcement or removes the ability for users to enroll in 2-step verification across a Google Workspace organization or organizational unit. Adversaries with administrative access may weaken tenant-wide authentication requirements to enable password-only sign-ins, facilitate credential abuse at scale, and reduce friction for follow-on account takeover across the domain.", + "false_positives": [ + "MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace.admin-*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "user.name", + "user.email", + "source.ip", + "event.action", + "google_workspace.admin.org_unit.name", + "google_workspace.admin.old_value", + "google_workspace.admin.new_value" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace MFA Enforcement Disabled For Organization", + "note": "## Triage and analysis\n\n### Investigating Google Workspace MFA Enforcement Disabled For Organization\n\nThreat actors with Google Workspace administrative access may disable organization-wide 2-step verification (2SV)\ncontrols to weaken authentication for many users at once. Unlike a single user turning off 2SV on their own account,\nthis change affects tenant policy and can allow password-only sign-ins across an organizational unit or the entire\ndomain. This supports large-scale credential abuse, reduces MFA friction for follow-on compromise, and can blind\nsecurity teams if paired with other admin tampering.\n\nThis rule identifies when an administrator sets `google_workspace.admin.new_value` to `false` for either\n`ENFORCE_STRONG_AUTHENTICATION` (2SV enforcement turned off) or `ALLOW_STRONG_AUTHENTICATION` (users can no longer turn\non 2SV).\n\n### Possible investigation steps\n\n- Identify the initiating (actor) administrator by reviewing `user.email` or `user.name`, and note the `source.ip` and `event.ingested` timestamps.\n- Identify the setting changed by reviewing `event.action`:\n - `ENFORCE_STRONG_AUTHENTICATION` \u2014 2SV enforcement was disabled for the affected scope.\n - `ALLOW_STRONG_AUTHENTICATION` \u2014 users were prevented from turning on 2SV.\n- Review `google_workspace.admin.old_value` and `google_workspace.admin.new_value` to confirm the prior and updated policy state.\n- Determine the scope of impact by reviewing `google_workspace.admin.org_unit.name` (if present) and identifying which users or groups inherit the weakened policy.\n- Determine whether the change is expected and authorized:\n - Validate there is an approved change request/ticket and that the actor is authorized to modify authentication policy.\n - If the actor account or `source.ip` is unusual, treat the alert as higher priority until proven benign.\n- Search Kibana for related authentication and admin activity:\n - Use the following KQL example to find other MFA policy changes by the same actor:\n ```\n data_stream.dataset: \"google_workspace.admin\" and user.email: \"\" and event.action: (\"ENFORCE_STRONG_AUTHENTICATION\" or \"ALLOW_STRONG_AUTHENTICATION\")\n ```\n - Search for user-level 2SV disables that follow this change:\n ```\n data_stream.dataset: (\"google_workspace.login\" or \"google_workspace.user_accounts\") and event.action: \"2sv_disable\"\n ```\n - Scope for other security-weakening admin actions from the same `user.email` within the last 48 hours, such as password policy changes, SSO/SAML modifications, or role assignments.\n\n### False positive analysis\n\n- Verify the MFA policy change aligns with an approved change window, migration, or troubleshooting activity.\n- Confirm the initiating administrator is legitimate and not acting from unusual IPs, devices, or locations.\n- Even authorized changes materially weaken tenant security, validate business justification and time-bound rollback plans.\n\n### Response and remediation\n\n- Initiate the incident response process based on triage findings.\n- If the change is not clearly authorized, restore 2SV enforcement and re-enable Allow users to turn on 2-Step Verification for the affected scope while the investigation proceeds.\n- If the initiating admin account is suspected compromised, reset credentials, revoke active sessions, and review delegated admin roles assigned to that account.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated administrator to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "data_stream.dataset:google_workspace.admin\n and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION)\n and google_workspace.admin.new_value:false\n", + "references": [ + "https://support.google.com/a/answer/9176657?hl=en#", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Impact", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/", + "subtechnique": [ + { + "id": "T1556.006", + "name": "Multi-Factor Authentication", + "reference": "https://attack.mitre.org/techniques/T1556/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/", + "subtechnique": [ + { + "id": "T1556.006", + "name": "Multi-Factor Authentication", + "reference": "https://attack.mitre.org/techniques/T1556/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/", + "subtechnique": [ + { + "id": "T1556.006", + "name": "Multi-Factor Authentication", + "reference": "https://attack.mitre.org/techniques/T1556/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 213 + }, + "id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1_213", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cbda9a0e-2be4-4eaa-9571-8d6a503e9828_3.json b/packages/security_detection_engine/kibana/security_rule/cbda9a0e-2be4-4eaa-9571-8d6a503e9828_3.json index f27db1452bd..e425f8f1061 100644 --- a/packages/security_detection_engine/kibana/security_rule/cbda9a0e-2be4-4eaa-9571-8d6a503e9828_3.json +++ b/packages/security_detection_engine/kibana/security_rule/cbda9a0e-2be4-4eaa-9571-8d6a503e9828_3.json @@ -21,7 +21,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_109.json b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_109.json deleted file mode 100644 index 3ec1b88de40..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_109.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.", - "false_positives": [ - "Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace User Organizational Unit Changed", - "note": "## Triage and analysis\n\n### Investigating Google Workspace User Organizational Unit Changed\n\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set of users for Google Workspace. By default, all users are placed in the top-level (parent) organizational unit. Child organizational units inherit the settings from the parent but can be changed to fit the needs of the child organizational unit.\n\nPermissions and privileges for users are often inherited from the organizational unit they are placed in. Therefore, if a user is changed to a separate organizational unit, they will inherit all privileges and permissions. User accounts may have unexpected privileges when switching organizational units that would allow a threat actor to gain a stronger foothold within the organization. The principle of least privileged (PoLP) should be followed when users are switched to different groups in Google Workspace.\n\nThis rule identifies when a user has been moved to a different organizational unit.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - The `user.target.email` field contains the user that had their assigned organizational unit switched.\n- Identify the user's previously assigned unit and new organizational unit by checking the `google_workspace.admin.org_unit.name` and `google_workspace.admin.new_value` fields.\n- Identify Google Workspace applications whose settings were explicitly set for this organizational unit.\n - Search for `event.action` is `CREATE_APPLICATION_SETTING` where `google_workspace.admin.org_unit.name` is the new organizational unit.\n- After identifying the involved user, verify administrative privileges are scoped properly to allow changing user organizational units.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n - Add `user.email` with the target user account that recently had their organizational unit changed.\n- Filter on `user.name` or `user.target.email` of the user who took this action and review the last 48 hours of activity for anything that may indicate a compromise.\n\n### False positive analysis\n\n- After identifying the user account that changed another user's organizational unit, verify the action was intentional.\n- Verify whether the target user who received this update is expected to inherit privileges from the new organizational unit.\n- Review potential maintenance notes or organizational changes. They might explain why a user's organization was changed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.admin\" and event.type:change and event.category:iam\n and google_workspace.event.type:\"USER_SETTINGS\" and event.action:\"MOVE_USER_TO_ORG_UNIT\"\n", - "references": [ - "https://support.google.com/a/answer/6328701?hl=en#", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.event.type", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.003", - "name": "Additional Cloud Roles", - "reference": "https://attack.mitre.org/techniques/T1098/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 109 - }, - "id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce_109", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cdf7b922-909c-440c-8df0-0efe72aa7bea_1.json b/packages/security_detection_engine/kibana/security_rule/cdf7b922-909c-440c-8df0-0efe72aa7bea_1.json new file mode 100644 index 00000000000..d0ff1675ee0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cdf7b922-909c-440c-8df0-0efe72aa7bea_1.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects deletion, weakening, or version management of AWS Bedrock guardrails via the DeleteGuardrail, UpdateGuardrail, DeleteEnforcedGuardrailConfiguration, or PutEnforcedGuardrailConfiguration APIs. Bedrock guardrails enforce content, topic, word, and sensitive-information policies on model invocations. Deleting a guardrail, loosening its policies, removing or overwriting the organization-enforced guardrail configuration, or creating a new version to enforce a weakened configuration allows an adversary to bypass these protections \u2014 the cloud control-plane equivalent of disabling a security tool. This activity should be validated against approved change management and the responsible identity.", + "false_positives": [ + "Platform or ML engineering teams may legitimately tune, iterate on, or decommission guardrails as part of normal development. If this is expected in your environment, the responsible identities can be exempted from the rule." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.provider", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Bedrock Guardrail Deleted or Weakened", + "note": "## Triage and analysis\n\n### Investigating AWS Bedrock Guardrail Deleted or Weakened\n\nAWS Bedrock guardrails enforce content, topic, word, and sensitive-information policies on model\ninvocations. Adversaries who gain access to the Bedrock control plane may delete a guardrail (`DeleteGuardrail`),\nloosen its policies (`UpdateGuardrail`), remove or overwrite the organization-enforced guardrail\nconfiguration (`DeleteEnforcedGuardrailConfiguration` / `PutEnforcedGuardrailConfiguration`) to then enforce it on\nmodel deployments. This detection identifies those control-plane changes so responders can confirm\nintent before accepting the change.\n\n#### Possible investigation steps\n\n- **Identify the actor and context**\n - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`,\n `aws.cloudtrail.user_identity.access_key_id`, `source.ip`, and `user_agent.original`.\n - Confirm a related change request exists and that the identity is authorized to manage guardrails.\n- **Validate the change**\n - For `UpdateGuardrail` / `PutEnforcedGuardrailConfiguration`, inspect\n `aws.cloudtrail.flattened.request_parameters` and `aws.cloudtrail.response_elements` to determine\n which content, topic, word, or sensitive-information policies were removed or weakened.\n - For `DeleteGuardrail` / `DeleteEnforcedGuardrailConfiguration`, identify the targeted guardrail\n or org configuration and whether protected workloads still reference it.\n- **Correlate activity**\n - Look for surrounding Bedrock `InvokeModel` / `Converse` activity and other defense-impairing\n actions (e.g., logging or detector changes) from the same identity.\n - Check for prior enumeration such as `ListGuardrails` or `GetGuardrail`.\n\n### Response and remediation\n\n- If unauthorized, restore the guardrail and/or org-enforced configuration to its approved state and\n re-associate it with affected Bedrock workloads.\n- Disable the access key in `aws.cloudtrail.user_identity.access_key_id` and review the actor's\n recent activity; rotate credentials if compromise is suspected.\n- Restrict `bedrock:DeleteGuardrail`, `bedrock:UpdateGuardrail`, and the enforced-configuration\n permissions to a small set of admin roles, and enforce guardrail state via AWS Config or SCPs.\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"bedrock.amazonaws.com\"\n and event.action: (\n \"DeleteGuardrail\" or\n \"UpdateGuardrail\" or\n \"DeleteEnforcedGuardrailConfiguration\" or\n \"PutEnforcedGuardrailConfiguration\"\n ) and event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_DeleteGuardrail.html", + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_UpdateGuardrail.html", + "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cdf7b922-909c-440c-8df0-0efe72aa7bea", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: LLM", + "Data Source: AWS", + "Data Source: AWS CloudTrail", + "Data Source: Amazon Web Services", + "Data Source: Amazon Bedrock", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "cdf7b922-909c-440c-8df0-0efe72aa7bea_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_211.json b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_211.json new file mode 100644 index 00000000000..124ad3ee52d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_211.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an administrator adds a domain to the Google Workspace allowlisted (trusted) domains list. Adversaries with administrative access may onboard a domain they control to relax cross-organization sharing restrictions, enabling data collection and exfiltration through Drive, Chat, and other services that honor the tenant trust boundary.", + "false_positives": [ + "Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace.admin-*" + ], + "interval": "10m", + "investigation_fields": { + "field_names": [ + "user.name", + "user.email", + "source.ip", + "user.domain", + "event.action", + "google_workspace.admin.domain.name" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Domain Added to Google Workspace Trusted Domains", + "note": "## Triage and analysis\n\n### Investigating Domain Added to Google Workspace Trusted Domains\n\nGoogle Workspace allowlisted domains define which external organizations users may collaborate with across services such\nas Drive, Chat, and Classroom. Adding a domain to this list expands who can receive shared content under the tenant's\ntrust policies. Threat actors with administrative access may add a domain they operate to bypass out-of-domain sharing\ncontrols and establish a durable path for collection or exfiltration.\n\nThis rule identifies when an administrator adds a domain via the `ADD_TRUSTED_DOMAINS` event in the\n`google_workspace.admin` data stream.\n\n### Possible investigation steps\n\n- Identify the initiating (actor) administrator by reviewing `user.email` or `user.name`, and note `source.ip` and `event.ingested` if present in the alert.\n- Identify the domain added by reviewing `google_workspace.admin.domain.name`.\n- Determine whether the change is expected and authorized:\n - Validate there is an approved change request or partner onboarding record for the new domain.\n - If the actor account or `source.ip` is unusual, treat the alert as higher priority until proven benign.\n- Review allowlisted domains in the Google Admin console:\n - Navigate to Account > Domains > Allowlisted domains.\n - Confirm the domain from `google_workspace.admin.domain.name` appears on the list and whether it is appropriate for your organization's sharing model.\n- Assess domain reputation and ownership using external intelligence (for example, VirusTotal or WHOIS) to determine whether the domain is associated with your organization or a known partner.\n- Search Kibana for related admin and sharing activity:\n - Find other trust or sharing policy changes by the same actor:\n ```\n data_stream.dataset: \"google_workspace.admin\" and user.email: \"\" and event.action: (\"ADD_TRUSTED_DOMAINS\" or \"REMOVE_TRUSTED_DOMAINS\")\n ```\n - After the add, review Drive events for files shared to users outside your domain:\n ```\n data_stream.dataset: \"google_workspace.drive\" and event.action: (\"change_user_access\" or \"change_document_visibility\")\n ```\n - Scope for other security-weakening admin actions from the same `user.email` within the last 48 hours.\n\n### False positive analysis\n\n- Verify the domain belongs to an approved partner or subsidiary with a documented business need for cross-organization collaboration.\n- Adding test or lab domains during migrations is possible \u2014 validate timing against change windows.\n\n### Response and remediation\n\n- Initiate the incident response process based on triage findings.\n- If the add is not clearly authorized, remove the domain from Allowlisted domains while the investigation proceeds.\n- If the initiating admin account is suspected compromised, reset credentials, revoke active sessions, and review delegated admin roles assigned to that account.\n- Review recent Drive and Chat sharing to external users for sensitive data exposure tied to the newly trusted domain.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated administrator to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "data_stream.dataset:google_workspace.admin and event.action:ADD_TRUSTED_DOMAINS\n", + "references": [ + "https://support.google.com/a/answer/6160020?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain or Tenant Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.002", + "name": "Trust Modification", + "reference": "https://attack.mitre.org/techniques/T1484/002/" + } + ] + }, + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 211 + }, + "id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0_211", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d0088204-675b-4175-bf07-1665da2d4810_1.json b/packages/security_detection_engine/kibana/security_rule/d0088204-675b-4175-bf07-1665da2d4810_1.json new file mode 100644 index 00000000000..78fe40c5214 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d0088204-675b-4175-bf07-1665da2d4810_1.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic", + "descambiado" + ], + "description": "Identifies the creation of a Temporary Access Pass (TAP) for an Entra ID user account. A TAP is a time-limited passcode that allows passwordless authentication and bypasses existing MFA requirements, including phishing-resistant methods. An attacker with User Administrator or Authentication Administrator privileges can issue a TAP for a target account, sign in without the current password, and register new persistent authentication methods before the TAP expires.", + "false_positives": [ + "Help desk teams issuing TAPs for locked-out users or new employee onboarding workflows. Automated identity lifecycle systems that provision TAPs during device enrollment." + ], + "from": "now-9m", + "index": [ + "logs-azure.auditlogs-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Entra ID Temporary Access Pass Created for User", + "note": "## Triage and analysis\n\n### Investigating Entra ID Temporary Access Pass Created for User\n\nA Temporary Access Pass is a time-limited credential that bypasses all existing MFA factors for the\ntarget account. In a steady-state tenant, TAP creation is rare and should be correlated against help\ndesk records or onboarding workflows.\n\n#### Possible investigation steps\n\n- Identify the administrator who created the TAP (`azure.auditlogs.properties.initiated_by`) and verify\n whether the action was authorized by a help desk ticket or change management record.\n- Identify the target account and assess its privilege level -- TAPs issued for Global Administrators,\n Application Administrators, or accounts with high-value data access are highest risk.\n- Check for sign-ins by the target account using the TAP credential: look for sign-ins where\n `azure.signinlogs.properties.authentication_details` contains \"Temporary Access Pass\" shortly after\n the TAP creation event.\n- If the TAP was used to sign in, review what authentication methods were registered during or after\n the session -- an attacker will use the TAP window to add a persistent authenticator.\n- Check whether the creating administrator's account shows anomalous activity in the preceding 24 hours.\n\n### False positive analysis\n\n- TAP creation by your identity team for locked-out users is a legitimate workflow. Confirm via help\n desk ticket correlation.\n- New employee onboarding that provisions TAPs as part of passwordless enrollment is expected behavior.\n\n### Response and remediation\n\n- Revoke the TAP immediately if unauthorized: Entra ID > Users > Authentication methods.\n- Audit all authentication methods registered by the target account after TAP creation and remove any\n that were not previously present.\n- Reset the target account's password and revoke all active sessions.\n- Review the creating administrator's recent actions for signs of compromise.\n", + "query": "data_stream.dataset: \"azure.auditlogs\" and\n(\n (\n azure.auditlogs.operation_name: \"User registered security info\" and\n azure.auditlogs.properties.result_reason: \"User registered temporary access pass method\"\n ) or (\n azure.auditlogs.operation_name: \"Create Temporary Access Pass method for user\"\n ) or (\n azure.auditlogs.operation_name: \"Admin registered security info\" and\n azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: *TemporaryAccessPass*\n )\n) and\nevent.outcome: (\"Success\" or \"success\")\n", + "references": [ + "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass", + "https://dirkjanm.io/lateral-movement-and-hash-dumping-with-temporary-access-passes-microsoft-entra/", + "https://specterops.io/blog/2023/03/29/id-tap-that-pass/" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.result_reason", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d0088204-675b-4175-bf07-1665da2d4810", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "d0088204-675b-4175-bf07-1665da2d4810_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d1b37c0b-4f8b-4cfb-9a1d-639bf8c028b7_1.json b/packages/security_detection_engine/kibana/security_rule/d1b37c0b-4f8b-4cfb-9a1d-639bf8c028b7_1.json index 2537beca706..7756ec7ba05 100644 --- a/packages/security_detection_engine/kibana/security_rule/d1b37c0b-4f8b-4cfb-9a1d-639bf8c028b7_1.json +++ b/packages/security_detection_engine/kibana/security_rule/d1b37c0b-4f8b-4cfb-9a1d-639bf8c028b7_1.json @@ -25,10 +25,6 @@ "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html" ], "related_integrations": [ - { - "package": "aws", - "version": "^4.0.0" - }, { "integration": "cloudtrail", "package": "aws", diff --git a/packages/security_detection_engine/kibana/security_rule/d69d05f8-d48a-4dcb-b226-fb2efbedd6ba_1.json b/packages/security_detection_engine/kibana/security_rule/d69d05f8-d48a-4dcb-b226-fb2efbedd6ba_1.json new file mode 100644 index 00000000000..f61930aa679 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d69d05f8-d48a-4dcb-b226-fb2efbedd6ba_1.json @@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies create, read, update, or delete (CRUD) operations against Azure VM or VM scale set extensions (\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/*\" or the scale set equivalent) where the combination of the targeted extension resource name and the source autonomous system (AS) number has not been observed recently. VM extensions such as CustomScript and DSC run with high privilege on the guest (SYSTEM on Windows, root on Linux), so writing, modifying, or removing them is a common code-execution and persistence primitive. By keying a new terms approach on the extension resource name and the source AS number, this rule surfaces extension operations originating from networks that have not historically managed that extension, while routine first-party Microsoft automation (which originates from well-known Microsoft AS numbers) is excluded.", + "false_positives": [ + "Infrastructure-as-code, configuration management, and patching automation routinely create, update, and delete VM extensions. The first time a given extension resource name is operated on from a new source AS number will alert. Baseline expected management networks (corporate egress, CI/CD runners, third-party automation SaaS) and exclude their AS numbers if the activity is verified as authorized. Read operations are typically not emitted to the Azure activity log; the rule predominantly fires on WRITE and DELETE." + ], + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-azure.activitylogs-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "event.outcome", + "azure.activitylogs.operation_name", + "azure.resource.name", + "azure.resource.id", + "source.ip", + "source.as.number", + "source.as.organization.name", + "source.geo.country_name", + "azure.activitylogs.identity.authorization.evidence.principal_id", + "azure.activitylogs.identity.authorization.evidence.principal_type", + "azure.activitylogs.identity.claims.appid", + "azure.subscription_id", + "azure.activitylogs.tenant_id" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure VM Extension CRUD Operation with Unusual Source ASN", + "new_terms_fields": [ + "azure.resource.name", + "source.as.number" + ], + "note": "## Triage and analysis\n\n### Investigating Azure VM Extension CRUD Operation with Unusual Source ASN\n\nAzure VM and VM scale set extensions (for example CustomScript, DSC, and AADSSHLoginForLinux) execute on the guest with\nhigh privilege. Creating or updating an extension (`EXTENSIONS/WRITE`) can run attacker-supplied code as SYSTEM or root,\nwhile deleting one (`EXTENSIONS/DELETE`) can remove security tooling or clean up after execution. This rule uses a new\nterms approach keyed on the pair (`azure.resource.name`, `source.as.number`), so it fires when a given extension resource\nis operated on from a source network that has not been seen managing it within the history window. Well-known Microsoft\nAS numbers used by first-party automation are excluded in the query.\n\n### Triage checklist\n\n- Identify the source via `source.ip`, `source.as.number`, and `source.as.organization.name`. Operations from cloud\n hosting, VPS, or anonymizing networks are more suspicious than known corporate egress.\n- Identify the acting principal via `azure.activitylogs.identity.authorization.evidence.principal_id` and\n `...principal_type` (User vs ServicePrincipal) and `azure.activitylogs.identity.claims.appid`.\n- Inspect `azure.resource.id` for the target VM/VMSS and `azure.resource.name` for the extension. CustomScript/DSC\n extensions and randomly named extensions warrant closer review.\n- Determine the operation: WRITE (create/update \u2014 code execution) vs DELETE (removal \u2014 possible defense evasion or\n cleanup).\n- Correlate with endpoint telemetry on the target host: process activity parented by the Azure guest agent\n (`WaAppAgent.exe` / `walinuxagent`) within ~120 seconds of the operation timestamp.\n\n### Possible investigation steps\n\n- Review the principal's Entra ID sign-in logs and RBAC role assignments on the subscription, resource group, and VM.\n- Retrieve the extension settings/protected settings from the VM (the activity log does not contain the script body) to\n assess intent.\n- Pivot on the VM for credential access, new local accounts, or outbound C2 connections following the operation.\n\n### Response and remediation\n\n- If unauthorized, remove the malicious extension, isolate the VM, rotate credentials reachable from it, and review RBAC\n on the affected scope.\n- Block or investigate the source AS/network if it is not an expected management path.\n- Collect endpoint and activity log artifacts per incident procedures.\n", + "query": "data_stream.dataset:azure.activitylogs and\n event.action:(\n \"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/DELETE\" or\n \"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/READ\" or\n \"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\" or\n \"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/EXTENSIONS/DELETE\" or\n \"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/EXTENSIONS/READ\" or\n \"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/EXTENSIONS/WRITE\"\n ) and event.outcome:(Success or success) and\n azure.resource.name:* and\n source.as.number:(* and not (3598 or 8068 or 8069 or 8070 or 8071 or 8072 or 8073 or 8074 or 8075 or 12076))\n", + "references": [ + "https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/", + "https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows", + "https://hackingthe.cloud/azure/run-command-abuse/", + "https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors", + "https://www.sysdig.com/blog/the-expendable-extension-name-azure-vmaccess-naming-chaos-password-resets-and-a-detection-gap" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.resource.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.as.number", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "d69d05f8-d48a-4dcb-b226-fb2efbedd6ba", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Endpoint", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1651", + "name": "Cloud Administration Command", + "reference": "https://attack.mitre.org/techniques/T1651/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "d69d05f8-d48a-4dcb-b226-fb2efbedd6ba_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_112.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_112.json new file mode 100644 index 00000000000..600207469bd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_112.json @@ -0,0 +1,136 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", + "false_positives": [ + "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior." + ], + "from": "now-9m", + "index": [ + "logs-network_traffic.*", + "logs-panw.panos*", + "logs-pfsense.log-*", + "logs-zeek.*", + "logs-corelight.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SMTP on Port 26/TCP", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating SMTP on Port 26/TCP\n\nSMTP, typically operating on port 25, is crucial for email transmission. However, port 26 is often used to avoid conflicts or restrictions on port 25. Adversaries exploit this by using port 26 for covert command and control, as seen with the BadPatch malware. The detection rule identifies suspicious SMTP activity on port 26 by analyzing network traffic patterns, helping to uncover potential threats.\n\n### Possible investigation steps\n\n- Review the network traffic logs to identify any unusual patterns or anomalies associated with TCP port 26, focusing on the event.dataset fields such as network_traffic.flow or zeek.smtp.\n- Analyze the source and destination IP addresses involved in the alert to determine if they are known or associated with any previous suspicious activities.\n- Check for any additional alerts or logs related to the same source or destination IP addresses to identify potential patterns or repeated attempts of communication on port 26.\n- Investigate the context of the communication by examining the payload data, if available, to identify any indicators of compromise or malicious content.\n- Correlate the findings with threat intelligence sources to determine if the IP addresses or domains are associated with known threat actors or malware, such as BadPatch.\n- Assess the risk and impact on the affected systems by determining if any sensitive data or critical systems are involved in the communication on port 26.\n\n### False positive analysis\n\n- Legitimate mail transfer agents may use port 26 to avoid conflicts with port 25. Identify these agents and create exceptions in the detection rule to prevent unnecessary alerts.\n- Some network configurations might reroute SMTP traffic to port 26 for load balancing or security reasons. Verify these configurations and whitelist known IP addresses or domains to reduce false positives.\n- Internal testing or development environments might use port 26 for non-malicious purposes. Document these environments and exclude their traffic from triggering alerts.\n- Certain email service providers may use port 26 as an alternative to port 25. Confirm these providers and adjust the rule to recognize their traffic as benign.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further command and control communication via port 26.\n- Conduct a thorough scan of the isolated system using updated antivirus and anti-malware tools to identify and remove the BadPatch malware or any other malicious software.\n- Review and analyze network logs to identify any other systems that may have communicated with the same command and control server, and isolate those systems as well.\n- Change all passwords and credentials that may have been compromised or accessed by the affected system to prevent unauthorized access.\n- Apply security patches and updates to the affected system and any other vulnerable systems to mitigate exploitation by similar threats.\n- Monitor network traffic for any further suspicious activity on port 26 and other non-standard ports, adjusting firewall rules to block unauthorized SMTP traffic.\n- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to ensure comprehensive threat eradication.", + "query": "(data_stream.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26\n", + "references": [ + "https://unit42.paloaltonetworks.com/unit42-badpatch/", + "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" + ], + "related_integrations": [ + { + "package": "panw", + "version": "^5.0.0" + }, + { + "package": "pfsense", + "version": "^1.0.0" + }, + { + "package": "corelight", + "version": "^1.0.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + }, + { + "package": "zeek", + "version": "^5.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", + "severity": "low", + "tags": [ + "Tactic: Command and Control", + "Tactic: Exfiltration", + "Domain: Endpoint", + "Use Case: Threat Detection", + "Data Source: Corelight", + "Data Source: PAN-OS", + "Data Source: Network Traffic", + "Data Source: pfSense", + "Data Source: Zeek", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.003", + "name": "Mail Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/003/" + } + ] + }, + { + "id": "T1571", + "name": "Non-Standard Port", + "reference": "https://attack.mitre.org/techniques/T1571/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 112 + }, + "id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da0d4bae-33ee-11f0-a59f-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/da0d4bae-33ee-11f0-a59f-f661ea17fbcd_2.json index 1e425184b3b..06bd754e53a 100644 --- a/packages/security_detection_engine/kibana/security_rule/da0d4bae-33ee-11f0-a59f-f661ea17fbcd_2.json +++ b/packages/security_detection_engine/kibana/security_rule/da0d4bae-33ee-11f0-a59f-f661ea17fbcd_2.json @@ -19,7 +19,7 @@ "related_integrations": [ { "package": "azure", - "version": "^1.0.0" + "version": "^1.4.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/de0e9ed8-b68f-4249-957a-2c2bbdbd1c1b_1.json b/packages/security_detection_engine/kibana/security_rule/de0e9ed8-b68f-4249-957a-2c2bbdbd1c1b_1.json new file mode 100644 index 00000000000..c658c8019fb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/de0e9ed8-b68f-4249-957a-2c2bbdbd1c1b_1.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects modification or deletion of resource-based access policies on AWS Bedrock resources via the PutResourcePolicy and DeleteResourcePolicy API calls. Resource-based policies govern which principals (including external accounts) may access Bedrock resources such as agents, knowledge bases, and custom models. An adversary may attach a resource policy granting an external or unexpected principal access to a Bedrock resource to establish persistence or enable cross-account access, or may delete an existing policy to weaken access controls. These changes should be validated for principal ownership and least-privilege intent.", + "false_positives": [ + "Resource policy changes may be performed by administrators, infrastructure-as-code pipelines, or automation during legitimate onboarding, sharing, or access-management activities. Verify whether the user identity, user agent, and source IP are expected to manage Bedrock resource policies in your environment. Known automation can be exempted from the rule." + ], + "from": "now-6m", + "history_window_start": "now-7d", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.provider", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Bedrock Resource-Based Policy Modified or Deleted", + "new_terms_fields": [ + "aws.cloudtrail.user_identity.arn" + ], + "note": "## Triage and analysis\n\n### Investigating AWS Bedrock Resource-Based Policy Modified or Deleted\n\nAWS Bedrock resource-based policies control which principals can access Bedrock resources such as agents,\nknowledge bases, and custom models. Adversaries can attach a policy that grants an external principal\naccess for persistence or cross-account access, or delete a policy to break existing access controls. This\nrule detects successful `PutResourcePolicy` and `DeleteResourcePolicy` calls against the Bedrock control\nplane.\n\n#### Possible investigation steps\n\n- **Identify the actor and context**\n - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`,\n `aws.cloudtrail.user_identity.access_key_id`, `user_agent.original`, and `source.ip`.\n - Confirm the identity is expected to manage Bedrock resource policies and that a related change request\n exists.\n- **Validate the policy change**\n - For `PutResourcePolicy`, inspect `aws.cloudtrail.request_parameters` and\n `aws.cloudtrail.flattened.request_parameters` for the target resource ARN and the policy document.\n Look for `Principal` values referencing external AWS account IDs, `\"*\"`, or unfamiliar roles.\n - For `DeleteResourcePolicy`, determine which resource lost its policy and whether that resource should\n have remained restricted.\n- **Correlate activity**\n - Look for related Bedrock actions (model invocation, agent updates, knowledge base access) from the same\n identity or the newly granted principal.\n - Check for prior enumeration of Bedrock resources or other recent IAM/resource-policy changes.\n\n### False positive analysis\n\n- **Planned access management**: Legitimate sharing or onboarding may add or remove resource policies.\n Validate against change tickets and standard templates.\n- **Automation**: IaC or platform pipelines may set or remove resource policies during deployment. Confirm\n the actor matches known automation infrastructure.\n\n### Response and remediation\n\n- If the change is unauthorized, revert the resource policy to its approved state and remove any external\n or overly permissive principals.\n- Disable or rotate the credentials in `aws.cloudtrail.user_identity.access_key_id` if compromise is\n suspected.\n- Review all Bedrock and IAM activity from the same identity in the surrounding time window for further\n access grants or persistence.\n- Restrict `bedrock:PutResourcePolicy` and `bedrock:DeleteResourcePolicy` to administrative roles and\n enforce least-privilege resource policies.\n", + "query": "data_stream.dataset: \"aws.cloudtrail\" and\n event.provider: \"bedrock.amazonaws.com\" and\n event.action: (\"PutResourcePolicy\" or \"DeleteResourcePolicy\") and\n event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_PutResourcePolicy.html", + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_DeleteResourcePolicy.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "de0e9ed8-b68f-4249-957a-2c2bbdbd1c1b", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: LLM", + "Data Source: AWS", + "Data Source: AWS CloudTrail", + "Data Source: Amazon Web Services", + "Data Source: Amazon Bedrock", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "de0e9ed8-b68f-4249-957a-2c2bbdbd1c1b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_210.json b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_210.json index 8f7b52189e9..ed1dba56abe 100644 --- a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_210.json +++ b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_210.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/e00c7862-43f1-48fd-aa30-950db838eded_1.json b/packages/security_detection_engine/kibana/security_rule/e00c7862-43f1-48fd-aa30-950db838eded_1.json new file mode 100644 index 00000000000..7383eca1b29 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e00c7862-43f1-48fd-aa30-950db838eded_1.json @@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of an AWS Lambda layer permission policy to grant another AWS account, an AWS Organization, or the public the ability to use a layer version. Lambda layers package code and dependencies that are loaded into the execution environment of any function that references them. Sharing a layer with an external account or with everyone can leak proprietary code or secrets bundled in the layer, and can serve as a supply-chain mechanism whereby downstream functions load attacker-influenced code. Layer sharing should be infrequent and deliberate, so newly granted external or public access warrants review.", + "false_positives": [ + "Organizations sometimes publish shared utility layers across their own accounts or to partners intentionally. Verify the layer, the granted principal in `aws.cloudtrail.request_parameters`, and the principal in `aws.cloudtrail.user_identity.arn` against approved sharing practices. Known shared layers and distribution accounts can be excluded after validation." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "interval": "5m", + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.user_identity.session_context.session_issuer.arn", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Lambda Layer Shared Externally", + "note": "## Triage and analysis\n\n### Investigating AWS Lambda Layer Shared Externally\n\nAWS Lambda layers bundle code and dependencies that are loaded into the runtime of any function referencing them. `AddLayerVersionPermission` modifies a layer version's permission policy to allow another AWS account, an organization, or the public (`principal=*`) to use it. This can expose code or secrets contained in the layer and can act as a supply-chain vector for any function that consumes the layer.\n\nThis rule detects successful `AddLayerVersionPermission` calls. Public grants (`principal=*`) are the highest concern; specific cross-account grants should be validated against approved sharing.\n\n### Possible investigation steps\n\n- Inspect `aws.cloudtrail.request_parameters` for the `layerName`, version number, `action`, and the granted `principal` (a specific account id, an organization id, or `*` for public).\n- Identify the actor in `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type`, and review `source.ip` and `user_agent.original` to understand how the grant was made.\n- Determine whether the layer contains sensitive code or secrets and whether external sharing was intended and approved.\n- Identify which functions reference the layer and whether the grant could influence their runtime.\n- Correlate with other activity by the same principal, such as layer publication (`PublishLayerVersion`) or function changes.\n\n### False positive analysis\n\n- Shared utility layers distributed across an organization's accounts or to partners are a legitimate pattern. Confirm the grant is approved and exclude known distribution accounts or layers on `aws.cloudtrail.user_identity.arn` or the layer name after validation.\n\n### Response and remediation\n\n- If the sharing is unauthorized, remove the layer permission (`RemoveLayerVersionPermission`) and rotate any secrets that may have been exposed in the layer.\n- Review which accounts accessed or copied the layer while the grant was in place and assess potential exposure.\n- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `lambda:AddLayerVersionPermission` to a small set of trusted roles.\n\n### Additional information\n\n- [AWS Lambda layers](https://docs.aws.amazon.com/lambda/latest/dg/chapter-layers.html)\n- [AddLayerVersionPermission API](https://docs.aws.amazon.com/lambda/latest/api/API_AddLayerVersionPermission.html)\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"lambda.amazonaws.com\"\n and event.action: AddLayerVersionPermission*\n and event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/lambda/latest/dg/chapter-layers.html", + "https://docs.aws.amazon.com/lambda/latest/api/API_AddLayerVersionPermission.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e00c7862-43f1-48fd-aa30-950db838eded", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Lambda", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1648", + "name": "Serverless Execution", + "reference": "https://attack.mitre.org/techniques/T1648/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1578", + "name": "Modify Cloud Compute Infrastructure", + "reference": "https://attack.mitre.org/techniques/T1578/", + "subtechnique": [ + { + "id": "T1578.005", + "name": "Modify Cloud Compute Configurations", + "reference": "https://attack.mitre.org/techniques/T1578/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "e00c7862-43f1-48fd-aa30-950db838eded_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e4c5d6e7-f8a9-4012-b3c4-d5e6f7a80912_1.json b/packages/security_detection_engine/kibana/security_rule/e4c5d6e7-f8a9-4012-b3c4-d5e6f7a80912_1.json index 0f549bb0445..b010d7317c8 100644 --- a/packages/security_detection_engine/kibana/security_rule/e4c5d6e7-f8a9-4012-b3c4-d5e6f7a80912_1.json +++ b/packages/security_detection_engine/kibana/security_rule/e4c5d6e7-f8a9-4012-b3c4-d5e6f7a80912_1.json @@ -23,10 +23,6 @@ "https://attack.mitre.org/techniques/T1552/007/" ], "related_integrations": [ - { - "package": "auditd_manager", - "version": "^1.0.0" - }, { "integration": "auditd", "package": "auditd_manager", diff --git a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_211.json b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_211.json new file mode 100644 index 00000000000..f3215d3c688 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_211.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", + "false_positives": [ + "MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Deprecated - MFA Disabled for Google Workspace Organization", + "note": "## Triage and analysis\n\n### Investigating Deprecated - MFA Disabled for Google Workspace Organization\n\nMulti-factor authentication (MFA) is a process in which users are prompted for an additional form of identification, such as a code on their cell phone or a fingerprint scan, during the sign-in process.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the users's password is weak or has been exposed elsewhere, an attacker could use it to gain access. Requiring a second form of authentication increases security because attackers cannot easily obtain or duplicate the additional authentication factor.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies when MFA enforcement is turned off in Google Workspace. This modification weakens account security and can lead to accounts and other assets being compromised.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "data_stream.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\n", + "references": [ + "https://support.google.com/a/answer/7061566", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 211 + }, + "id": "e555105c-ba6d-481f-82bb-9b633e7b4827_211", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_313.json b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_313.json index 83364e2872a..4416d25ee10 100644 --- a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_313.json +++ b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_313.json @@ -21,12 +21,12 @@ ], "related_integrations": [ { - "package": "windows", - "version": "^3.0.0" + "package": "endpoint", + "version": "^8.7.0" }, { - "package": "endpoint", - "version": "^8.2.0" + "package": "windows", + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/e7509f8f-e70b-4b67-b864-aaa4254b4484_1.json b/packages/security_detection_engine/kibana/security_rule/e7509f8f-e70b-4b67-b864-aaa4254b4484_1.json new file mode 100644 index 00000000000..9c72fc1b7c2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7509f8f-e70b-4b67-b864-aaa4254b4484_1.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies retrieval of Azure VM boot diagnostics data (\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RETRIEVEBOOTDIAGNOSTICSDATA/ACTION\") by an identity that has not performed this operation recently. Boot diagnostics expose the VM serial console log and a console screenshot, which frequently contain plaintext boot-time output such as credentials, tokens, cloud-init/agent secrets, and command history. An adversary with VM read/contributor rights can retrieve this data over the control plane, without logging into the guest or touching the network, to harvest credentials.", + "false_positives": [ + "Support engineers, infrastructure-as-code, and VM health automation may legitimately retrieve boot diagnostics during troubleshooting. The first occurrence per principal will alert; baseline expected support users, service principals, and managed identities and exclude them if the activity is verified as authorized." + ], + "from": "now-9m", + "index": [ + "logs-azure.activitylogs-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "event.outcome", + "azure.activitylogs.operation_name", + "azure.activitylogs.identity.authorization.evidence.principal_id", + "azure.activitylogs.identity.authorization.evidence.principal_type", + "azure.activitylogs.identity.claims.appid", + "azure.resource.name", + "azure.resource.id", + "source.ip", + "source.as.number", + "source.as.organization.name", + "source.geo.country_name", + "azure.subscription_id", + "azure.activitylogs.tenant_id" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure VM Boot Diagnostics Retrieved", + "note": "## Triage and analysis\n\n### Investigating Azure VM Boot Diagnostics Retrieved\n\nRetrieving boot diagnostics (`retrieveBootDiagnosticsData/action`) returns SAS URIs to the VM serial console log and a\nconsole screenshot. The serial log often contains plaintext boot output: cloud-init/agent activity, command history, and\nsometimes credentials or tokens. The action is a control-plane read requiring only VM read/contributor rights, leaves no\nguest footprint, and bypasses NSG/JIT.\n\n### Triage checklist\n\n- Identify the acting principal via `azure.activitylogs.identity.authorization.evidence.principal_id` and\n `...principal_type` (User vs ServicePrincipal) and `azure.activitylogs.identity.claims.appid`. Service principal or\n managed identity retrieval is more suspicious than a known support user.\n- Review the source: `source.ip`, `source.as.number`, `source.as.organization.name`, `source.geo.country_name`.\n Retrieval from cloud hosting, VPS, or anonymizing networks is more suspicious than known corporate egress.\n- Inspect `azure.resource.id` / `azure.resource.name` to identify the target VM. Was the same principal recently granted\n access to it, or is this their first interaction?\n- Did the same principal recently perform reconnaissance, role assignments, Run Command, or extension operations on the\n VM or subscription?\n\n### Possible investigation steps\n\n- Review the principal's Entra ID sign-in logs and RBAC role assignments on the subscription, resource group, and VM.\n- Retrieve the boot diagnostics serial log and screenshot from the VM and assess whether they exposed credentials or\n other secrets that now require rotation.\n- Pivot on the VM and any credentials observed in the serial log for follow-on access, lateral movement, or persistence.\n\n### Response and remediation\n\n- If unauthorized, rotate any credentials/tokens exposed in the serial log, review RBAC on the affected scope, and revoke\n the principal's access if compromised.\n- Collect activity log artifacts per incident procedures.\n", + "query": "data_stream.dataset:azure.activitylogs and\n event.action:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RETRIEVEBOOTDIAGNOSTICSDATA/ACTION\" and\n event.outcome:(success or Success)\n", + "references": [ + "https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors", + "https://www.microsoft.com/en-us/msrc/blog/2023/08/azure-serial-console-attack-and-defense-part-1", + "https://learn.microsoft.com/en-us/azure/virtual-machines/boot-diagnostics", + "https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e7509f8f-e70b-4b67-b864-aaa4254b4484", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Endpoint", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "e7509f8f-e70b-4b67-b864-aaa4254b4484_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7b2c3d4-5a6b-4e8f-9c0d-1a2b3e4f5a6b_2.json b/packages/security_detection_engine/kibana/security_rule/e7b2c3d4-5a6b-4e8f-9c0d-1a2b3e4f5a6b_2.json index 790efa20e5c..afaca85ee4c 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7b2c3d4-5a6b-4e8f-9c0d-1a2b3e4f5a6b_2.json +++ b/packages/security_detection_engine/kibana/security_rule/e7b2c3d4-5a6b-4e8f-9c0d-1a2b3e4f5a6b_2.json @@ -24,10 +24,6 @@ "https://gtfobins.github.io/gtfobins/wget/" ], "related_integrations": [ - { - "package": "auditd_manager", - "version": "^1.0.0" - }, { "integration": "auditd", "package": "auditd_manager", diff --git a/packages/security_detection_engine/kibana/security_rule/e882e934-2aaa-11f0-8272-f661ea17fbcc_6.json b/packages/security_detection_engine/kibana/security_rule/e882e934-2aaa-11f0-8272-f661ea17fbcc_6.json index 6a3afd3c6f9..0660350dabf 100644 --- a/packages/security_detection_engine/kibana/security_rule/e882e934-2aaa-11f0-8272-f661ea17fbcc_6.json +++ b/packages/security_detection_engine/kibana/security_rule/e882e934-2aaa-11f0-8272-f661ea17fbcc_6.json @@ -26,8 +26,9 @@ ], "related_integrations": [ { + "integration": "graphactivitylogs", "package": "azure", - "version": "^1.0.0" + "version": "^1.10.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_115.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_115.json new file mode 100644 index 00000000000..b03813c7e86 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_115.json @@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects file creation and modification on the host system from the Windows Subsystem for Linux. Adversaries may enable and use WSL to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Host File System Changes via Windows Subsystem for Linux", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Host File System Changes via Windows Subsystem for Linux\n\nWindows Subsystem for Linux (WSL) allows users to run a Linux environment directly on Windows, facilitating seamless file access between systems. Adversaries may exploit WSL to modify host files stealthily, bypassing traditional security measures. The detection rule identifies suspicious file operations initiated by WSL processes, particularly those involving the Plan9FileSystem, to flag potential defense evasion attempts.\n\n### Possible investigation steps\n\n- Review the process details for the \"dllhost.exe\" instance that triggered the alert, focusing on the command line arguments to confirm the presence of the Plan9FileSystem CLSID \"{DFB65C4C-B34F-435D-AFE9-A86218684AA8}\".\n- Examine the file paths involved in the alert to determine if any sensitive or critical files were accessed or modified outside of typical user directories.\n- Investigate the parent process of \"dllhost.exe\" to understand the context of its execution and identify any potentially malicious parent processes.\n- Check the timeline of events leading up to and following the alert to identify any other suspicious activities or related alerts that may indicate a broader attack pattern.\n- Correlate the alert with user activity logs to determine if the actions were performed by a legitimate user or if there are signs of compromised credentials or unauthorized access.\n\n### False positive analysis\n\n- Routine file operations by legitimate applications using WSL may trigger alerts. Identify and whitelist these applications to prevent unnecessary alerts.\n- Development activities involving WSL, such as compiling code or running scripts, can generate false positives. Exclude specific development directories or processes from monitoring.\n- Automated backup or synchronization tools that interact with WSL might be flagged. Configure exceptions for these tools by specifying their process names or file paths.\n- System maintenance tasks that involve WSL, like updates or system checks, could be mistaken for suspicious activity. Schedule these tasks during known maintenance windows and adjust monitoring rules accordingly.\n- Frequent downloads or file transfers to directories outside the typical user download paths may appear suspicious. Define clear policies for acceptable file paths and exclude them from alerts.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any suspicious processes associated with \"dllhost.exe\" that are linked to the Plan9FileSystem CLSID to stop ongoing malicious activities.\n- Conduct a thorough review of recent file changes on the host system to identify and restore any unauthorized modifications or deletions.\n- Revoke any unauthorized access or permissions granted to WSL that may have been exploited by the adversary.\n- Update and patch the Windows Subsystem for Linux and related components to mitigate any known vulnerabilities that could be exploited.\n- Monitor for any recurrence of similar activities by setting up alerts for processes and file operations involving \"dllhost.exe\" and the Plan9FileSystem.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.", + "query": "sequence by process.entity_id with maxspan=5m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"dllhost.exe\" and\n /* Plan9FileSystem CLSID - WSL Host File System Worker */\n process.command_line : \"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\"]\n[file where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and\n not file.path : \"?:\\\\Windows\\\\Prefetch\\\\DLLHOST.exe-????????.pf\"]\n", + "references": [ + "https://github.com/microsoft/WSL", + "https://detect.fyi/the-interesting-case-of-wsl-for-payload-staging-bfaa0f69329a" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", + "setup": "## Setup\n\nThis rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.\n\nSetup instructions: https://ela.st/install-elastic-defend\n\n### Additional data sources\n\nThis rule also supports the following third-party data sources. For setup instructions, refer to the links below:\n\n- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)\n- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)\n- [Sysmon Event ID 11 - File Create](https://ela.st/sysmon-event-11-setup)\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 115 + }, + "id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b_115", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json b/packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json index 42e3c18bb83..a74e5bd4958 100644 --- a/packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json +++ b/packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json @@ -119,6 +119,11 @@ "name": "client.as.organization.name", "type": "keyword" }, + { + "ecs": false, + "name": "client.as.organization.name.text", + "type": "text" + }, { "ecs": true, "name": "client.bytes", @@ -244,6 +249,11 @@ "name": "client.user.full_name", "type": "keyword" }, + { + "ecs": false, + "name": "client.user.full_name.text", + "type": "text" + }, { "ecs": true, "name": "client.user.group.domain", @@ -274,6 +284,11 @@ "name": "client.user.name", "type": "keyword" }, + { + "ecs": false, + "name": "client.user.name.text", + "type": "text" + }, { "ecs": true, "name": "client.user.roles", @@ -539,6 +554,11 @@ "name": "destination.as.organization.name", "type": "keyword" }, + { + "ecs": false, + "name": "destination.as.organization.name.text", + "type": "text" + }, { "ecs": true, "name": "destination.bytes", @@ -664,6 +684,11 @@ "name": "destination.user.full_name", "type": "keyword" }, + { + "ecs": false, + "name": "destination.user.full_name.text", + "type": "text" + }, { "ecs": true, "name": "destination.user.group.domain", @@ -694,6 +719,11 @@ "name": "destination.user.name", "type": "keyword" }, + { + "ecs": false, + "name": "destination.user.name.text", + "type": "text" + }, { "ecs": true, "name": "destination.user.roles", @@ -1059,6 +1089,11 @@ "name": "email.subject", "type": "keyword" }, + { + "ecs": false, + "name": "email.subject.text", + "type": "text" + }, { "ecs": true, "name": "email.to.address", @@ -1089,6 +1124,11 @@ "name": "error.stack_trace", "type": "wildcard" }, + { + "ecs": false, + "name": "error.stack_trace.text", + "type": "text" + }, { "ecs": true, "name": "error.type", @@ -1609,6 +1649,11 @@ "name": "file.path", "type": "keyword" }, + { + "ecs": false, + "name": "file.path.text", + "type": "text" + }, { "ecs": true, "name": "file.pe.architecture", @@ -1704,6 +1749,11 @@ "name": "file.target_path", "type": "keyword" }, + { + "ecs": false, + "name": "file.target_path.text", + "type": "text" + }, { "ecs": true, "name": "file.type", @@ -2409,6 +2459,11 @@ "name": "host.os.full", "type": "keyword" }, + { + "ecs": false, + "name": "host.os.full.text", + "type": "text" + }, { "ecs": true, "name": "host.os.kernel", @@ -2419,6 +2474,11 @@ "name": "host.os.name", "type": "keyword" }, + { + "ecs": false, + "name": "host.os.name.text", + "type": "text" + }, { "ecs": true, "name": "host.os.platform", @@ -2489,6 +2549,11 @@ "name": "http.request.body.content", "type": "wildcard" }, + { + "ecs": false, + "name": "http.request.body.content.text", + "type": "text" + }, { "ecs": true, "name": "http.request.bytes", @@ -2524,6 +2589,11 @@ "name": "http.response.body.content", "type": "wildcard" }, + { + "ecs": false, + "name": "http.response.body.content.text", + "type": "text" + }, { "ecs": true, "name": "http.response.bytes", @@ -2864,6 +2934,11 @@ "name": "observer.os.full", "type": "keyword" }, + { + "ecs": false, + "name": "observer.os.full.text", + "type": "text" + }, { "ecs": true, "name": "observer.os.kernel", @@ -2874,6 +2949,11 @@ "name": "observer.os.name", "type": "keyword" }, + { + "ecs": false, + "name": "observer.os.name.text", + "type": "text" + }, { "ecs": true, "name": "observer.os.platform", @@ -2999,6 +3079,11 @@ "name": "organization.name", "type": "keyword" }, + { + "ecs": false, + "name": "organization.name.text", + "type": "text" + }, { "ecs": true, "name": "package.architecture", @@ -3129,6 +3214,11 @@ "name": "process.command_line", "type": "wildcard" }, + { + "ecs": false, + "name": "process.command_line.text", + "type": "text" + }, { "ecs": true, "name": "process.elf.architecture", @@ -3284,11 +3374,21 @@ "name": "process.entry_leader.attested_user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.entry_leader.attested_user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.entry_leader.command_line", "type": "wildcard" }, + { + "ecs": false, + "name": "process.entry_leader.command_line.text", + "type": "text" + }, { "ecs": true, "name": "process.entry_leader.entity_id", @@ -3309,6 +3409,11 @@ "name": "process.entry_leader.executable", "type": "keyword" }, + { + "ecs": false, + "name": "process.entry_leader.executable.text", + "type": "text" + }, { "ecs": true, "name": "process.entry_leader.group.id", @@ -3329,6 +3434,11 @@ "name": "process.entry_leader.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.entry_leader.name.text", + "type": "text" + }, { "ecs": true, "name": "process.entry_leader.parent.entity_id", @@ -3394,6 +3504,11 @@ "name": "process.entry_leader.real_user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.entry_leader.real_user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.entry_leader.same_as_process", @@ -3419,6 +3534,11 @@ "name": "process.entry_leader.saved_user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.entry_leader.saved_user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.entry_leader.start", @@ -3454,6 +3574,11 @@ "name": "process.entry_leader.user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.entry_leader.user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.entry_leader.vpid", @@ -3464,6 +3589,11 @@ "name": "process.entry_leader.working_directory", "type": "keyword" }, + { + "ecs": false, + "name": "process.entry_leader.working_directory.text", + "type": "text" + }, { "ecs": true, "name": "process.env_vars", @@ -3474,6 +3604,11 @@ "name": "process.executable", "type": "keyword" }, + { + "ecs": false, + "name": "process.executable.text", + "type": "text" + }, { "ecs": true, "name": "process.exit_code", @@ -3504,6 +3639,11 @@ "name": "process.group_leader.command_line", "type": "wildcard" }, + { + "ecs": false, + "name": "process.group_leader.command_line.text", + "type": "text" + }, { "ecs": true, "name": "process.group_leader.entity_id", @@ -3514,6 +3654,11 @@ "name": "process.group_leader.executable", "type": "keyword" }, + { + "ecs": false, + "name": "process.group_leader.executable.text", + "type": "text" + }, { "ecs": true, "name": "process.group_leader.group.id", @@ -3534,6 +3679,11 @@ "name": "process.group_leader.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.group_leader.name.text", + "type": "text" + }, { "ecs": true, "name": "process.group_leader.pid", @@ -3559,6 +3709,11 @@ "name": "process.group_leader.real_user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.group_leader.real_user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.group_leader.same_as_process", @@ -3584,6 +3739,11 @@ "name": "process.group_leader.saved_user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.group_leader.saved_user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.group_leader.start", @@ -3619,6 +3779,11 @@ "name": "process.group_leader.user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.group_leader.user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.group_leader.vpid", @@ -3629,6 +3794,11 @@ "name": "process.group_leader.working_directory", "type": "keyword" }, + { + "ecs": false, + "name": "process.group_leader.working_directory.text", + "type": "text" + }, { "ecs": true, "name": "process.hash.cdhash", @@ -3764,6 +3934,11 @@ "name": "process.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.name.text", + "type": "text" + }, { "ecs": true, "name": "process.parent.args", @@ -3829,6 +4004,11 @@ "name": "process.parent.command_line", "type": "wildcard" }, + { + "ecs": false, + "name": "process.parent.command_line.text", + "type": "text" + }, { "ecs": true, "name": "process.parent.elf.architecture", @@ -3964,6 +4144,11 @@ "name": "process.parent.executable", "type": "keyword" }, + { + "ecs": false, + "name": "process.parent.executable.text", + "type": "text" + }, { "ecs": true, "name": "process.parent.exit_code", @@ -4099,6 +4284,11 @@ "name": "process.parent.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.parent.name.text", + "type": "text" + }, { "ecs": true, "name": "process.parent.pe.architecture", @@ -4214,6 +4404,11 @@ "name": "process.parent.real_user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.parent.real_user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.parent.saved_group.id", @@ -4234,6 +4429,11 @@ "name": "process.parent.saved_user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.parent.saved_user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.parent.start", @@ -4274,6 +4474,11 @@ "name": "process.parent.title", "type": "keyword" }, + { + "ecs": false, + "name": "process.parent.title.text", + "type": "text" + }, { "ecs": true, "name": "process.parent.tty.char_device.major", @@ -4299,6 +4504,11 @@ "name": "process.parent.user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.parent.user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.parent.vpid", @@ -4309,6 +4519,11 @@ "name": "process.parent.working_directory", "type": "keyword" }, + { + "ecs": false, + "name": "process.parent.working_directory.text", + "type": "text" + }, { "ecs": true, "name": "process.pe.architecture", @@ -4419,6 +4634,11 @@ "name": "process.previous.executable", "type": "keyword" }, + { + "ecs": false, + "name": "process.previous.executable.text", + "type": "text" + }, { "ecs": true, "name": "process.real_group.id", @@ -4439,6 +4659,11 @@ "name": "process.real_user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.real_user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.saved_group.id", @@ -4459,6 +4684,11 @@ "name": "process.saved_user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.saved_user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.session_leader.args", @@ -4474,6 +4704,11 @@ "name": "process.session_leader.command_line", "type": "wildcard" }, + { + "ecs": false, + "name": "process.session_leader.command_line.text", + "type": "text" + }, { "ecs": true, "name": "process.session_leader.entity_id", @@ -4484,6 +4719,11 @@ "name": "process.session_leader.executable", "type": "keyword" }, + { + "ecs": false, + "name": "process.session_leader.executable.text", + "type": "text" + }, { "ecs": true, "name": "process.session_leader.group.id", @@ -4504,6 +4744,11 @@ "name": "process.session_leader.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.session_leader.name.text", + "type": "text" + }, { "ecs": true, "name": "process.session_leader.parent.entity_id", @@ -4569,6 +4814,11 @@ "name": "process.session_leader.real_user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.session_leader.real_user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.session_leader.same_as_process", @@ -4594,6 +4844,11 @@ "name": "process.session_leader.saved_user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.session_leader.saved_user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.session_leader.start", @@ -4629,6 +4884,11 @@ "name": "process.session_leader.user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.session_leader.user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.session_leader.vpid", @@ -4639,6 +4899,11 @@ "name": "process.session_leader.working_directory", "type": "keyword" }, + { + "ecs": false, + "name": "process.session_leader.working_directory.text", + "type": "text" + }, { "ecs": true, "name": "process.start", @@ -4679,6 +4944,11 @@ "name": "process.title", "type": "keyword" }, + { + "ecs": false, + "name": "process.title.text", + "type": "text" + }, { "ecs": true, "name": "process.tty.char_device.major", @@ -4714,6 +4984,11 @@ "name": "process.user.name", "type": "keyword" }, + { + "ecs": false, + "name": "process.user.name.text", + "type": "text" + }, { "ecs": true, "name": "process.vpid", @@ -4724,6 +4999,11 @@ "name": "process.working_directory", "type": "keyword" }, + { + "ecs": false, + "name": "process.working_directory.text", + "type": "text" + }, { "ecs": true, "name": "registry.data.bytes", @@ -4844,6 +5124,11 @@ "name": "server.as.organization.name", "type": "keyword" }, + { + "ecs": false, + "name": "server.as.organization.name.text", + "type": "text" + }, { "ecs": true, "name": "server.bytes", @@ -4969,6 +5254,11 @@ "name": "server.user.full_name", "type": "keyword" }, + { + "ecs": false, + "name": "server.user.full_name.text", + "type": "text" + }, { "ecs": true, "name": "server.user.group.domain", @@ -4999,6 +5289,11 @@ "name": "server.user.name", "type": "keyword" }, + { + "ecs": false, + "name": "server.user.name.text", + "type": "text" + }, { "ecs": true, "name": "server.user.roles", @@ -5184,6 +5479,11 @@ "name": "source.as.organization.name", "type": "keyword" }, + { + "ecs": false, + "name": "source.as.organization.name.text", + "type": "text" + }, { "ecs": true, "name": "source.bytes", @@ -5309,6 +5609,11 @@ "name": "source.user.full_name", "type": "keyword" }, + { + "ecs": false, + "name": "source.user.full_name.text", + "type": "text" + }, { "ecs": true, "name": "source.user.group.domain", @@ -5339,6 +5644,11 @@ "name": "source.user.name", "type": "keyword" }, + { + "ecs": false, + "name": "source.user.name.text", + "type": "text" + }, { "ecs": true, "name": "source.user.roles", @@ -5409,6 +5719,11 @@ "name": "threat.indicator.as.organization.name", "type": "keyword" }, + { + "ecs": false, + "name": "threat.indicator.as.organization.name.text", + "type": "text" + }, { "ecs": true, "name": "threat.indicator.confidence", @@ -5724,6 +6039,11 @@ "name": "threat.indicator.file.path", "type": "keyword" }, + { + "ecs": false, + "name": "threat.indicator.file.path.text", + "type": "text" + }, { "ecs": true, "name": "threat.indicator.file.pe.architecture", @@ -5819,6 +6139,11 @@ "name": "threat.indicator.file.target_path", "type": "keyword" }, + { + "ecs": false, + "name": "threat.indicator.file.target_path.text", + "type": "text" + }, { "ecs": true, "name": "threat.indicator.file.type", @@ -6129,11 +6454,21 @@ "name": "threat.indicator.url.full", "type": "wildcard" }, + { + "ecs": false, + "name": "threat.indicator.url.full.text", + "type": "text" + }, { "ecs": true, "name": "threat.indicator.url.original", "type": "wildcard" }, + { + "ecs": false, + "name": "threat.indicator.url.original.text", + "type": "text" + }, { "ecs": true, "name": "threat.indicator.url.password", @@ -6354,6 +6689,11 @@ "name": "threat.technique.name", "type": "keyword" }, + { + "ecs": false, + "name": "threat.technique.name.text", + "type": "text" + }, { "ecs": true, "name": "threat.technique.reference", @@ -6369,6 +6709,11 @@ "name": "threat.technique.subtechnique.name", "type": "keyword" }, + { + "ecs": false, + "name": "threat.technique.subtechnique.name.text", + "type": "text" + }, { "ecs": true, "name": "threat.technique.subtechnique.reference", @@ -6789,11 +7134,21 @@ "name": "url.full", "type": "wildcard" }, + { + "ecs": false, + "name": "url.full.text", + "type": "text" + }, { "ecs": true, "name": "url.original", "type": "wildcard" }, + { + "ecs": false, + "name": "url.original.text", + "type": "text" + }, { "ecs": true, "name": "url.password", @@ -6854,6 +7209,11 @@ "name": "user.changes.full_name", "type": "keyword" }, + { + "ecs": false, + "name": "user.changes.full_name.text", + "type": "text" + }, { "ecs": true, "name": "user.changes.group.domain", @@ -6884,6 +7244,11 @@ "name": "user.changes.name", "type": "keyword" }, + { + "ecs": false, + "name": "user.changes.name.text", + "type": "text" + }, { "ecs": true, "name": "user.changes.roles", @@ -6909,6 +7274,11 @@ "name": "user.effective.full_name", "type": "keyword" }, + { + "ecs": false, + "name": "user.effective.full_name.text", + "type": "text" + }, { "ecs": true, "name": "user.effective.group.domain", @@ -6939,6 +7309,11 @@ "name": "user.effective.name", "type": "keyword" }, + { + "ecs": false, + "name": "user.effective.name.text", + "type": "text" + }, { "ecs": true, "name": "user.effective.roles", @@ -6954,6 +7329,11 @@ "name": "user.full_name", "type": "keyword" }, + { + "ecs": false, + "name": "user.full_name.text", + "type": "text" + }, { "ecs": true, "name": "user.group.domain", @@ -6984,6 +7364,11 @@ "name": "user.name", "type": "keyword" }, + { + "ecs": false, + "name": "user.name.text", + "type": "text" + }, { "ecs": true, "name": "user.risk.calculated_level", @@ -7034,6 +7419,11 @@ "name": "user.target.full_name", "type": "keyword" }, + { + "ecs": false, + "name": "user.target.full_name.text", + "type": "text" + }, { "ecs": true, "name": "user.target.group.domain", @@ -7064,6 +7454,11 @@ "name": "user.target.name", "type": "keyword" }, + { + "ecs": false, + "name": "user.target.name.text", + "type": "text" + }, { "ecs": true, "name": "user.target.roles", @@ -7084,6 +7479,11 @@ "name": "user_agent.original", "type": "keyword" }, + { + "ecs": false, + "name": "user_agent.original.text", + "type": "text" + }, { "ecs": true, "name": "user_agent.os.family", @@ -7094,6 +7494,11 @@ "name": "user_agent.os.full", "type": "keyword" }, + { + "ecs": false, + "name": "user_agent.os.full.text", + "type": "text" + }, { "ecs": true, "name": "user_agent.os.kernel", @@ -7104,6 +7509,11 @@ "name": "user_agent.os.name", "type": "keyword" }, + { + "ecs": false, + "name": "user_agent.os.name.text", + "type": "text" + }, { "ecs": true, "name": "user_agent.os.platform", @@ -7219,6 +7629,11 @@ "name": "vulnerability.description", "type": "keyword" }, + { + "ecs": false, + "name": "vulnerability.description.text", + "type": "text" + }, { "ecs": true, "name": "vulnerability.enumeration", diff --git a/packages/security_detection_engine/kibana/security_rule/e8e7b6b6-78b0-4015-97fe-c2f28468e0d4_1.json b/packages/security_detection_engine/kibana/security_rule/e8e7b6b6-78b0-4015-97fe-c2f28468e0d4_1.json new file mode 100644 index 00000000000..f08c07db7e6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e8e7b6b6-78b0-4015-97fe-c2f28468e0d4_1.json @@ -0,0 +1,148 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a one-on-one Microsoft Teams chat created by a user from a foreign tenant whose display name, member profile, or email local-part resembles IT help desk or Microsoft security staff. Adversaries abuse cross-tenant Teams external access to impersonate support personnel and socially engineer victims into granting remote access or disclosing credentials.", + "false_positives": [ + "Legitimate external partners or managed service providers with help desk-style display names may trigger this rule. Validate the sender tenant, domain, and business relationship before closing as benign." + ], + "from": "now-9m", + "index": [ + "logs-o365.audit-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user.email", + "user.domain", + "user.id", + "o365.audit.Members", + "o365.audit.Members.DisplayName", + "o365.audit.ChatThreadId", + "o365.audit.ResourceTenantId", + "o365.audit.CommunicationType", + "o365.audit.ParticipantInfo.HasForeignTenantUsers", + "o365.audit.ParticipantInfo.HasGuestUsers", + "o365.audit.ParticipantInfo.HasOtherGuestUsers", + "o365.audit.ParticipantInfo.ParticipatingDomains", + "event.action", + "event.provider" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "M365 Teams Rogue Help Desk Chat Created", + "note": "## Triage and analysis\n\n### Investigating M365 Teams Rogue Help Desk Chat Created\n\nThreat actors create external Microsoft 365 tenants and initiate unsolicited one-on-one Teams chats while impersonating\nIT help desk or Microsoft security personnel. These chats often precede vishing, Quick Assist abuse, or malicious link\ndelivery.\n\nReview `user.email`, `user.domain`, `o365.audit.Members.DisplayName`, `o365.audit.ChatThreadId`, and\n`o365.audit.ParticipantInfo`. Correlate follow-on `MessageSent` events for `source.ip` and `source.geo`, and\n`CallParticipantDetail` events sharing the same `o365.audit.CallId` or chat thread for vishing activity.\n\n#### Possible investigation steps\n\n- Identify the external sender from `user.email`, `user.domain`, and `o365.audit.Members` and determine whether the\n tenant or domain is known and trusted.\n- Compare `user.name` to `o365.audit.Members.DisplayName` \u2014 actors often use a lowercase mailbox alias such as\n `helpdesk` while presenting as `Help Desk` in Teams.\n- Confirm `o365.audit.ParticipantInfo.HasForeignTenantUsers` is true and that no guest users are involved.\n- Pivot on `o365.audit.ChatThreadId` for `MessageSent` and `CallParticipantDetail` events in the same session.\n- Review `MessageSent` `source.ip` and `source.geo` for unexpected origin countries relative to the sender profile.\n- Correlate with mail-flood, MFA fatigue, or URL click alerts for the targeted user in the same time window.\n- Review whether the victim accepted the chat or responded, and hunt for follow-on remote support tool execution on\n their endpoint.\n- Check whether the sender tenant appears newly created, trial-based, or otherwise anomalous for your environment.\n\n### False positive analysis\n\n- Approved external support vendors may use help desk-style display names. Maintain an allowlist of trusted external\n tenants or sender domains when recurring benign matches occur.\n- The `user.email` and `user.name` impersonation clauses target external mailbox aliases such as `helpdesk@`. Prefer\n exceptions anchored on verified tenant IDs or sender domains rather than broad name-based exclusions.\n\n### Response and remediation\n\n- Warn the targeted user not to engage and confirm whether they accepted the chat or shared credentials.\n- Block or restrict the external tenant via Teams federation policy if malicious.\n- Hunt for additional `ChatCreated` events from the same external tenant across the organization.\n- Review Teams external access settings and consider blocking trial tenants or restricting federation to an allowlist.", + "query": "data_stream.dataset:o365.audit and event.action:\"ChatCreated\" and event.provider:\"MicrosoftTeams\" and event.outcome:\"success\" and\n o365.audit.ParticipantInfo.HasOtherGuestUsers:false and o365.audit.ParticipantInfo.HasGuestUsers:false and\n o365.audit.ParticipantInfo.HasForeignTenantUsers:true and o365.audit.CommunicationType:\"OneOnOne\" and\n (\n o365.audit.Members:(\n \"Help Desk\" or \"Help Desk Team\" or \"Help Desk IT\" or \"IT Help Desk\" or\n \"Microsoft Security\" or \"Microsoft Security\" or \"Microsoft Support\"\n ) or\n user.email:(\n *helpdesk* or *help.desk* or *help-desk* or *help_desk* or\n *ithelp* or *it.help* or *itsupport* or *it.support* or *it-support*\n ) or\n user.name:(*helpdesk* or *help-desk* or *ithelp* or *itsupport*)\n )\n", + "references": [ + "https://www.microsoft.com/en-us/security/blog/2026/04/18/crosstenant-helpdesk-impersonation-data-exfiltration-human-operated-intrusion-playbook/", + "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.CommunicationType", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Members", + "type": "flattened" + }, + { + "ecs": false, + "name": "o365.audit.ParticipantInfo.HasForeignTenantUsers", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.ParticipantInfo.HasGuestUsers", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.ParticipantInfo.HasOtherGuestUsers", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.email", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "e8e7b6b6-78b0-4015-97fe-c2f28468e0d4", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Domain: SaaS", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.003", + "name": "Spearphishing via Service", + "reference": "https://attack.mitre.org/techniques/T1566/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "e8e7b6b6-78b0-4015-97fe-c2f28468e0d4_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec81962e-4bc8-48e6-bfb0-545fc97d8f6a_3.json b/packages/security_detection_engine/kibana/security_rule/ec81962e-4bc8-48e6-bfb0-545fc97d8f6a_3.json index fd0dec96771..30f5f0eb855 100644 --- a/packages/security_detection_engine/kibana/security_rule/ec81962e-4bc8-48e6-bfb0-545fc97d8f6a_3.json +++ b/packages/security_detection_engine/kibana/security_rule/ec81962e-4bc8-48e6-bfb0-545fc97d8f6a_3.json @@ -15,7 +15,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_211.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_211.json deleted file mode 100644 index 0209f59d45f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_211.json +++ /dev/null @@ -1,117 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Gary Blackwell", - "Austin Songer" - ], - "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.", - "false_positives": [ - "Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-9m", - "index": [ - "logs-o365.audit-*", - "filebeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "M365 Exchange Inbox Forwarding Rule Created", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating M365 Exchange Inbox Forwarding Rule Created\n\nMicrosoft 365 allows users to create inbox rules to automate email management, such as forwarding messages to another address. While useful, attackers can exploit these rules to secretly redirect emails, facilitating data exfiltration. The detection rule monitors for the creation of such forwarding rules, focusing on successful events that specify forwarding parameters, thus identifying potential unauthorized email redirection activities.\n\n### Possible investigation steps\n\n- Review the event details to identify the user account associated with the creation of the forwarding rule by examining the o365.audit.Parameters.\n- Check the destination email address specified in the forwarding rule (ForwardTo, ForwardAsAttachmentTo, or RedirectTo) to determine if it is an external or suspicious address.\n- Investigate the user's recent activity logs in Microsoft 365 to identify any unusual or unauthorized actions, focusing on event.dataset:o365.audit and event.provider:Exchange.\n- Verify if the user has a legitimate reason to create such a forwarding rule by consulting with their manager or reviewing their role and responsibilities.\n- Assess if there have been any recent security incidents or alerts related to the user or the destination email address to identify potential compromise.\n- Consider disabling the forwarding rule temporarily and notifying the user and IT security team if the rule appears suspicious or unauthorized.\n\n### False positive analysis\n\n- Legitimate forwarding rules set by users for convenience or workflow purposes may trigger alerts. Review the context of the rule creation, such as the user and the destination address, to determine if it aligns with normal business operations.\n- Automated systems or third-party applications that integrate with Microsoft 365 might create forwarding rules as part of their functionality. Identify these systems and consider excluding their associated accounts from the rule.\n- Temporary forwarding rules set during user absence, such as vacations or leaves, can be mistaken for malicious activity. Implement a process to document and approve such rules, allowing for their exclusion from monitoring during the specified period.\n- Internal forwarding to trusted domains or addresses within the organization might not pose a security risk. Establish a list of trusted internal addresses and configure exceptions for these in the detection rule.\n- Frequent rule changes by specific users, such as IT administrators or support staff, may be part of their job responsibilities. Monitor these accounts separately and adjust the rule to reduce noise from expected behavior.\n\n### Response and remediation\n\n- Immediately disable the forwarding rule by accessing the affected user's mailbox settings in Microsoft 365 and removing any unauthorized forwarding rules.\n- Conduct a thorough review of the affected user's email account for any signs of compromise, such as unusual login activity or unauthorized changes to account settings.\n- Reset the password for the affected user's account and enforce multi-factor authentication (MFA) to prevent further unauthorized access.\n- Notify the user and relevant IT security personnel about the incident, providing details of the unauthorized rule and any potential data exposure.\n- Escalate the incident to the security operations team for further investigation and to determine if other accounts may have been targeted or compromised.\n- Implement additional monitoring on the affected account and similar high-risk accounts to detect any further suspicious activity or rule changes.\n- Review and update email security policies and configurations to prevent similar incidents, ensuring that forwarding rules are monitored and restricted as necessary.", - "query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:(\"New-InboxRule\" or \"Set-InboxRule\") and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", - "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", - "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", - "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.Parameters.ForwardAsAttachmentTo", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.Parameters.ForwardTo", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.Parameters.RedirectTo", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Collection", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1114", - "name": "Email Collection", - "reference": "https://attack.mitre.org/techniques/T1114/", - "subtechnique": [ - { - "id": "T1114.003", - "name": "Email Forwarding Rule", - "reference": "https://attack.mitre.org/techniques/T1114/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 211 - }, - "id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_211", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ecc0cd54-608e-11ef-ab6d-f661ea17fbce_6.json b/packages/security_detection_engine/kibana/security_rule/ecc0cd54-608e-11ef-ab6d-f661ea17fbce_6.json deleted file mode 100644 index 06736ff7799..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ecc0cd54-608e-11ef-ab6d-f661ea17fbce_6.json +++ /dev/null @@ -1,139 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies potentially malicious processes attempting to access the cloud service provider's instance metadata service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as instance ID, public IP address, and even temporary security credentials if role's are assumed by that instance. The rule monitors for various tools and scripts like curl, wget, python, and perl that might be used to interact with the metadata API.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.network*", - "logs-endpoint.events.process*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Instance Metadata Service (IMDS) API Request", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Instance Metadata Service (IMDS) API Request\n\nThe Instance Metadata Service (IMDS) API provides essential instance-specific data, including configuration details and temporary credentials, to applications running on cloud instances. Adversaries exploit this by using scripts or tools to access sensitive data, potentially leading to unauthorized access. The detection rule identifies suspicious access attempts by monitoring specific processes and network activities, excluding known legitimate paths, to flag potential misuse.\n\n### Possible investigation steps\n\n- Review the process details such as process.name and process.command_line to identify the tool or script used to access the IMDS API and determine if it aligns with known malicious behavior.\n- Examine the process.executable and process.working_directory fields to verify if the execution path is unusual or suspicious, especially if it originates from directories like /tmp/* or /var/tmp/*.\n- Check the process.parent.entity_id and process.parent.executable to understand the parent process and its legitimacy, which might provide context on how the suspicious process was initiated.\n- Investigate the network event details, particularly the destination.ip field, to confirm if there was an attempted connection to the IMDS API endpoint at 169.254.169.254.\n- Correlate the host.id with other security events or logs to identify any additional suspicious activities or patterns on the same host that might indicate a broader compromise.\n- Assess the risk score and severity to prioritize the investigation and determine if immediate action is required to mitigate potential threats.\n\n### False positive analysis\n\n- Security and monitoring tools like Rapid7, Nessus, and Amazon SSM Agent may trigger false positives due to their legitimate access to the IMDS API. Users can exclude these by adding their working directories to the exception list.\n- Automated scripts or processes running from known directories such as /opt/rumble/bin or /usr/share/ec2-instance-connect may also cause false positives. Exclude these directories or specific executables from the rule to prevent unnecessary alerts.\n- System maintenance or configuration scripts that access the IMDS API for legitimate purposes might be flagged. Identify these scripts and add their paths or parent executables to the exclusion list to reduce noise.\n- Regular network monitoring tools that attempt connections to the IMDS IP address for health checks or status updates can be excluded by specifying their process names or executable paths in the exception criteria.\n\n### Response and remediation\n\n- Immediately isolate the affected instance from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any suspicious processes identified in the alert that are attempting to access the IMDS API, especially those using tools like curl, wget, or python.\n- Revoke any temporary credentials that may have been exposed or accessed through the IMDS API to prevent unauthorized use.\n- Conduct a thorough review of the instance's security groups and IAM roles to ensure that only necessary permissions are granted and that there are no overly permissive policies.\n- Escalate the incident to the security operations team for further investigation and to determine if additional instances or resources are affected.\n- Implement network monitoring to detect and alert on any future attempts to access the IMDS API from unauthorized processes or locations.\n- Review and update the instance's security configurations and apply any necessary patches or updates to mitigate vulnerabilities that could be exploited in similar attacks.", - "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.parent.executable != null and \n (\n process.name : (\n \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"ruby*\", \"lua*\", \"telnet\", \"pwsh\",\n \"openssl\", \"nc\", \"ncat\", \"netcat\", \"awk\", \"gawk\", \"mawk\", \"nawk\", \"socat\", \"node\"\n ) or \n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/cron*\", \"/etc/update-motd.d/*\", \"/boot/*\", \"/srv/*\", \"/run/*\", \"/etc/rc.local\"\n ) or\n process.command_line: \"*169.254.169.254*\" \n ) \n and not process.working_directory: (\n \"/opt/rapid7*\",\n \"/opt/nessus*\",\n \"/snap/amazon-ssm-agent*\",\n \"/var/snap/amazon-ssm-agent/*\",\n \"/var/log/amazon/ssm/*\",\n \"/srv/snp/docker/overlay2*\",\n \"/opt/nessus_agent/var/nessus/*\") \n and not process.executable: (\n \"/opt/rumble/bin/rumble-agent*\",\n \"/opt/aws/inspector/bin/inspectorssmplugin\",\n \"/snap/oracle-cloud-agent/*\",\n \"/lusr/libexec/oracle-cloud-agent/*\") \n and not process.parent.executable: (\n \"/usr/bin/setup-policy-routes\",\n \"/usr/share/ec2-instance-connect/*\",\n \"/var/lib/amazon/ssm/*\", \n \"/etc/update-motd.d/30-banner\", \n \"/usr/sbin/dhclient-script\", \n \"/usr/local/bin/uwsgi\", \n \"/usr/lib/skylight/al-extras\")\n]\n[network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and destination.ip == \"169.254.169.254\"]\n", - "references": [ - "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ecc0cd54-608e-11ef-ab6d-f661ea17fbce", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/", - "subtechnique": [ - { - "id": "T1552.005", - "name": "Cloud Instance Metadata API", - "reference": "https://attack.mitre.org/techniques/T1552/005/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1580", - "name": "Cloud Infrastructure Discovery", - "reference": "https://attack.mitre.org/techniques/T1580/" - } - ] - } - ], - "type": "eql", - "version": 6 - }, - "id": "ecc0cd54-608e-11ef-ab6d-f661ea17fbce_6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ed2461e1-d6bf-4550-87b9-c008d6ac15f4_1.json b/packages/security_detection_engine/kibana/security_rule/ed2461e1-d6bf-4550-87b9-c008d6ac15f4_1.json new file mode 100644 index 00000000000..5afb252a03f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ed2461e1-d6bf-4550-87b9-c008d6ac15f4_1.json @@ -0,0 +1,148 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Microsoft 365 OAuth device code grant (\"Cmsi:Cmsi\") with application Microsoft Authentication Broker (\"29d9ed98-a469-4536-ade2-f981bc1d605e\") for Microsoft Graph from a source ASN not previously observed for that user in a historical window. Phishing kits leveraging device code phishing complete the full login (password and MFA) at the genuine Microsoft endpoint and harvest the resulting token by polling, so MFA does not stop them and the authorization commonly originates from attacker-controlled residential proxy or hosting infrastructure rather than the user's normal network.", + "false_positives": [ + "A user authenticating via the device code flow for the first time from a new but legitimate network, such as travel, a new home or office ISP, a corporate VPN, or a mobile carrier. Device code authentication is expected when enrolling or signing in on input-constrained devices (smart TVs, kiosks, IoT, conference room devices) and for some CLI or headless developer workflows. Review the source ASN, geolocation, and the user's prior device code history to confirm whether the origin is plausible before escalating." + ], + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-o365.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "M365 Identity Device Code Grant with Unusual User and ASN", + "new_terms_fields": [ + "o365.audit.UserId", + "source.as.number" + ], + "note": "## Triage and analysis\n\n### Investigating M365 Identity Device Code Grant with Unusual User and ASN\n\nThis rule detects a user completing an OAuth device code grant (`Cmsi:Cmsi`) to the Microsoft Authentication Broker for Microsoft Graph from a source ASN not seen for that user within the rule's historical window (defined by the new terms history setting). A match means the user has not authenticated via this flow from that ASN during the lookback window, not necessarily that it has never happened. Device code phishing kits (for example Kali365, Storm-2372 tradecraft) drive the device code flow against the genuine Microsoft endpoint and poll the token endpoint in the background, so the victim satisfies MFA while the attacker harvests a fully MFA-satisfied token. The grant therefore frequently appears from residential proxy or hosting/datacenter infrastructure the user has not authenticated from during the window.\n\n### Possible investigation steps\n\n- Review `o365.audit.UserId` to identify the impacted account and confirm whether the user expected to perform a device code sign-in.\n- Inspect `source.as.number` and `source.as.organization.name` for the source ASN. Hosting, VPN, or datacenter providers (for example Tencent, Alibaba, DigitalOcean) are unusual for interactive user authentication.\n- Review `source.ip`, `source.geo.country_name`, and `source.geo.city_name` and compare with the user's normal sign-in locations.\n- Examine `o365.audit.DeviceProperties` and `user_agent.original` for non-managed devices and automation or headless-browser patterns.\n- Confirm `o365.audit.ApplicationId` is the Microsoft Authentication Broker (`29d9ed98-a469-4536-ade2-f981bc1d605e`) and `o365.audit.Target.ID` is Microsoft Graph (`00000003-0000-0000-c000-000000000000`).\n- Pivot to `azure.signinlogs` for the corresponding `deviceCode` sign-in, including `is_interactive`, conditional access decisions, and any concurrent non-interactive token-issuance legs from a different ASN (the kit's polling backend).\n- Pivot to `azure.graphactivitylogs` for follow-up Graph activity (`/me` recon, mailbox or file enumeration) from the same or related ASNs.\n- Check `azure.auditlogs` for subsequent device registration events on the user, which device code phishing kits use to establish Primary Refresh Token persistence.\n\n### False positive analysis\n\n- A legitimate first-time device code sign-in from a new ISP, mobile carrier, corporate VPN, or while traveling.\n- Provisioning of input-constrained devices (smart TVs, kiosks, IoT, conference room devices).\n- CLI or headless developer workflows that use the device code flow against the Authentication Broker.\n- If a source ASN is confirmed benign and recurring for the environment, suppress it via a rule exception rather than broadening the query.\n\n### Response and remediation\n\n- Contact the user to confirm whether they initiated the device code sign-in or may have entered a code presented on a phishing page.\n- If unauthorized, revoke all refresh tokens for the user and reset credentials to invalidate the harvested token.\n- Review and remove any unauthorized device registrations to cut off Primary Refresh Token persistence.\n- Review recent Microsoft Graph, Exchange, SharePoint, and Teams activity for the user for signs of recon or exfiltration.\n- Restrict device code authentication to only the users and applications that require it via Conditional Access authentication flow policies.\n- Educate users on device code phishing and the risk of entering codes presented by unsolicited documents or messages.\n", + "query": "event.dataset: \"o365.audit\"\n and o365.audit.ExtendedProperties.RequestType: \"Cmsi:Cmsi\"\n and o365.audit.Actor.Type: (0 or 2 or 3 or 5 or 10)\n and o365.audit.ApplicationId: \"29d9ed98-a469-4536-ade2-f981bc1d605e\"\n and o365.audit.Target.ID: \"00000003-0000-0000-c000-000000000000\"\n and o365.audit.DeviceProperties.Value: \"False\"\n", + "references": [ + "https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/", + "https://arcticwolf.com/resources/blog/kali365-expands-into-aws-microsoft-okta-xerox-max-messenger/", + "https://www.ic3.gov/PSA/2026/PSA260521", + "https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/", + "https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Actor.Type", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.ApplicationId", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.DeviceProperties.Value", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.ExtendedProperties.RequestType", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Target.ID", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ed2461e1-d6bf-4550-87b9-c008d6ac15f4", + "setup": "#### Required Microsoft 365 Audit Logs\nThis rule requires the Microsoft 365 integration with unified audit logs (Azure AD / Entra sign-in events surfaced in the Microsoft 365 audit log) enabled and shipping to Elastic.\n", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Domain: SaaS", + "Domain: Identity", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + }, + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "ed2461e1-d6bf-4550-87b9-c008d6ac15f4_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_111.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_111.json deleted file mode 100644 index 537d6a047da..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_111.json +++ /dev/null @@ -1,106 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.process*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Privacy Control Bypass via TCCDB Modification", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Privacy Control Bypass via TCCDB Modification\n\nThe Transparency, Consent, and Control (TCC) database in macOS manages app permissions for accessing sensitive resources. Adversaries may exploit this by using tools like sqlite3 to alter the TCC database, bypassing privacy controls. The detection rule identifies such attempts by monitoring for suspicious sqlite3 activity targeting the TCC database, excluding legitimate processes, to flag potential privacy control bypasses.\n\n### Possible investigation steps\n\n- Review the process details to confirm the use of sqlite3, focusing on the process name and arguments to ensure they match the pattern \"sqlite*\" and include the path \"/*/Application Support/com.apple.TCC/TCC.db\".\n- Investigate the parent process of the sqlite3 activity to determine if it is a known legitimate process or if it appears suspicious, especially if it is not from \"/Library/Bitdefender/AVP/product/bin/*\".\n- Check the timestamp of the sqlite3 activity to correlate it with any other unusual system behavior or alerts that occurred around the same time.\n- Examine the user account associated with the process to determine if it has a history of legitimate administrative actions or if it might be compromised.\n- Look for any recent changes or anomalies in the TCC database permissions that could indicate unauthorized modifications.\n- Assess the system for other signs of compromise, such as unexpected network connections or additional unauthorized processes running, to determine if the sqlite3 activity is part of a larger attack.\n\n### False positive analysis\n\n- Security software like Bitdefender may legitimately access the TCC database for scanning purposes. To prevent these from being flagged, ensure that the process parent executable path for such software is added to the exclusion list.\n- System maintenance tools that perform regular checks or backups might access the TCC database. Identify these tools and add their process paths to the exclusion list to avoid false alerts.\n- Developer tools used for testing applications may interact with the TCC database. If these tools are frequently used in your environment, consider excluding their process paths to reduce noise.\n- Administrative scripts that automate system configurations might modify the TCC database. Review these scripts and, if deemed safe, exclude their process paths from the detection rule.\n- Regular system updates or patches could trigger access to the TCC database. Monitor these events and, if consistent with update schedules, adjust the rule to exclude these specific update processes.\n\n### Response and remediation\n\n- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any suspicious sqlite3 processes identified in the alert to stop ongoing unauthorized modifications to the TCC database.\n- Restore the TCC database from a known good backup to ensure that all privacy settings are reverted to their legitimate state.\n- Conduct a thorough review of recent changes to the TCC database to identify any unauthorized access or modifications to sensitive resources.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.\n- Implement additional monitoring on the affected system to detect any further attempts to modify the TCC database or other unauthorized activities.\n- Review and update access controls and permissions for the TCC database to ensure only authorized processes can make changes, reducing the risk of future bypass attempts.", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"sqlite*\" and\n process.args like \"/*/Application Support/com.apple.TCC/TCC.db\" and\n (process.parent.name like~ (\"osascript\", \"bash\", \"sh\", \"zsh\", \"Terminal\", \"Python*\") or (process.parent.code_signature.exists == false or process.parent.code_signature.trusted == false))\n", - "references": [ - "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/", - "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh", - "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^9.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.code_signature.exists", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.parent.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 111 - }, - "id": "eea82229-b002-470e-a9e1-00be38b14d32_111", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0cc239b-67fa-46fc-89d4-f861753a40f5_5.json b/packages/security_detection_engine/kibana/security_rule/f0cc239b-67fa-46fc-89d4-f861753a40f5_5.json deleted file mode 100644 index ab57454ee6c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f0cc239b-67fa-46fc-89d4-f861753a40f5_5.json +++ /dev/null @@ -1,114 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule correlate Entra-ID or Microsoft 365 mail successful sign-in events with network security alerts by source address. Adversaries may trigger some network security alerts such as reputation or other anomalies before accessing cloud resources.", - "false_positives": [ - "Custom network security rules that triggers on a proxy or gateway used by users to access Azure or O365." - ], - "from": "now-60m", - "language": "esql", - "license": "Elastic License v2", - "name": "M365 or Entra ID Identity Sign-in from a Suspicious Source", - "note": "## Triage and analysis\n\n### Investigating M365 or Entra ID Identity Sign-in from a Suspicious Source\n\n#### Possible investigation steps\n\n- Investiguate all the alerts associated with the source.ip.\n - Verify the network security alert details associated with this source.ip.\n - Verify all sign-in events associated with this source.ip.\n - Consider the source IP address and geolocation for the involved user account.\n - Consider the device used to sign in. Is it registered and compliant?\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*\n// query runs every 1 hour looking for activities occurred during last 8 hours to match on disparate events\n| where @timestamp > now() - 8 hours\n// filter for azure or m365 sign-in and external alerts with source.ip not null\n| where to_ip(source.ip) is not null\n and (event.dataset in (\"o365.audit\", \"azure.signinlogs\") or kibana.alert.rule.rule_id == \"eb079c62-4481-4d6e-9643-3ca499df7aaa\")\n and not cidr_match(\n to_ip(source.ip),\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\",\n \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\"\n )\n\n// capture relevant raw fields\n| keep source.ip, event.action, event.outcome, event.dataset, kibana.alert.rule.rule_id, event.category\n\n// classify each source ip based on alert type\n| eval\n Esql.source_ip_mail_access_case = case(event.dataset == \"o365.audit\" and event.action == \"MailItemsAccessed\" and event.outcome == \"success\", to_ip(source.ip), null),\n Esql.source_ip_azure_signin_case = case(event.dataset == \"azure.signinlogs\" and event.outcome == \"success\", to_ip(source.ip), null),\n Esql.source_ip_network_alert_case = case(kibana.alert.rule.rule_id == \"eb079c62-4481-4d6e-9643-3ca499df7aaa\" and not event.dataset in (\"o365.audit\", \"azure.signinlogs\"), to_ip(source.ip), null)\n\n// aggregate by source ip\n| stats\n Esql.event_count = count(*),\n Esql.source_ip_mail_access_case_count_distinct = count_distinct(Esql.source_ip_mail_access_case),\n Esql.source_ip_azure_signin_case_count_distinct = count_distinct(Esql.source_ip_azure_signin_case),\n Esql.source_ip_network_alert_case_count_distinct = count_distinct(Esql.source_ip_network_alert_case),\n Esql.event_dataset_count_distinct = count_distinct(event.dataset),\n Esql.event_dataset_values = values(event.dataset),\n Esql.kibana_alert_rule_id_values = values(kibana.alert.rule.rule_id),\n Esql.event_category_values = values(event.category)\n by Esql.source_ip = to_ip(source.ip)\n\n// correlation condition\n| where\n Esql.source_ip_network_alert_case_count_distinct > 0\n and Esql.event_dataset_count_distinct >= 2\n and (Esql.source_ip_mail_access_case_count_distinct > 0 or Esql.source_ip_azure_signin_case_count_distinct > 0)\n and Esql.event_count <= 100\n", - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - }, - { - "package": "o365", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.event_category_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.event_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.event_dataset_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.event_dataset_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.kibana_alert_rule_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.source_ip", - "type": "ip" - }, - { - "ecs": false, - "name": "Esql.source_ip_azure_signin_case_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.source_ip_mail_access_case_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.source_ip_network_alert_case_count_distinct", - "type": "long" - } - ], - "risk_score": 73, - "rule_id": "f0cc239b-67fa-46fc-89d4-f861753a40f5", - "setup": "The Azure Fleet integration, Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Domain: SaaS", - "Data Source: Azure", - "Data Source: Entra ID", - "Data Source: Entra ID Sign-in Logs", - "Data Source: Microsoft 365", - "Data Source: Microsoft 365 Audit Logs", - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Resources: Investigation Guide", - "Rule Type: Higher-Order Rule" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 5 - }, - "id": "f0cc239b-67fa-46fc-89d4-f861753a40f5_5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_111.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_111.json deleted file mode 100644 index 1c6f37bddf3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_111.json +++ /dev/null @@ -1,128 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence.", - "false_positives": [ - "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." - ], - "from": "now-9m", - "index": [ - "endgame-*", - "logs-endpoint.events.process*", - "logs-sentinel_one_cloud_funnel.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Remote Code Execution via Web Server", - "note": "## Triage and analysis\n\n### Investigating Potential Remote Code Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"start\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\",\n \"netcat\", \"ncat\", \"telnet\", \"awk\", \"socat\"\n ) and process.args : (\n \"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\", \"ls\", \"cd\", \"python*\", \"php*\", \"perl\",\n \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"socat\"\n ) and not process.name == \"phpquery\"\n", - "references": [ - "https://pentestlab.blog/tag/web-shell/", - "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "sentinel_one_cloud_funnel", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: SentinelOne" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 111 - }, - "id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_111", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_115.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_115.json new file mode 100644 index 00000000000..5753c28031f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_115.json @@ -0,0 +1,160 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence.", + "false_positives": [ + "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Child Execution via Web Server", + "note": "## Triage and analysis\n\n### Investigating Suspicious Child Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n process.parent.name in (\n \"nginx\", \"apache2\", \"httpd\", \"caddy\", \"mongrel_rails\", \"uwsgi\", \"daphne\", \"httpd.worker\", \"flask\",\n \"php-cgi\", \"php-fcgi\", \"php-cgi.cagefs\", \"lswsctrl\", \"varnishd\", \"uvicorn\", \"waitress-serve\", \"starman\",\n \"frankenphp\", \"zabbix_server\", \"asterisk\", \"sw-engine-fpm\"\n ) or\n process.parent.name like (\"php-fpm*\", \"gunicorn*\", \"*.cgi\", \"*.fcgi\") or\n (\n process.parent.name like \"ruby*\" and\n process.parent.command_line like~ (\"*puma*\", \"*rails*\", \"*passenger*\")\n ) or\n (\n process.parent.name like \"python*\" and\n process.parent.command_line like~ (\n \"*hypercorn*\", \"*flask*\", \"*uvicorn*\", \"*django*\", \"*app.py*\", \"*server.py*\", \"*wsgi.py*\", \"*asgi.py*\"\n )\n ) or\n (process.parent.name like \"perl*\" and process.parent.command_line like~ \"*plackup*\") or\n (\n process.parent.name == \"java\" and (\n process.parent.args like~ (\n /* Tomcat */\n \"org.apache.catalina.startup.Bootstrap\", \"-Dcatalina.base=*\",\n\n /* Jetty */\n \"org.eclipse.jetty.start.Main\", \"-Djetty.home=*\",\n\n /* WildFly / JBoss */\n \"org.jboss.modules.Main\", \"-Djboss.home.dir=*\",\n\n /* WebLogic */\n \"weblogic.Server\", \"-Dweblogic.Name=*\", \"*weblogic-launcher.jar*\",\n\n /* WebSphere traditional + Liberty */\n \"com.ibm.ws.runtime.WsServer\", \"com.ibm.ws.kernel.boot.cmdline.Bootstrap\",\n\n /* GlassFish */\n \"com.sun.enterprise.glassfish.bootstrap.ASMain\",\n\n /* Resin */\n \"com.caucho.server.resin.Resin\",\n\n /* Spring Boot */\n \"org.springframework.boot.loader.*\",\n\n /* Quarkus */\n \"*quarkus-run.jar*\", \"io.quarkus.runner.GeneratedMain\",\n\n /* Micronaut */\n \"io.micronaut.runtime.Micronaut\",\n\n /* Dropwizard */\n \"io.dropwizard.cli.ServerCommand\",\n\n /* Play */\n \"play.core.server.ProdServerStart\",\n\n /* Helidon */\n \"io.helidon.microprofile.server.Main\", \"io.helidon.webserver*\",\n\n /* Vert.x */\n \"io.vertx.core.Launcher\",\n\n /* Keycloak */\n \"org.keycloak*\",\n\n /* Apereo CAS */\n \"org.apereo.cas*\",\n\n /* Elasticsearch */\n \"org.elasticsearch.bootstrap.Elasticsearch\",\n\n /* Atlassian / Gerrit */\n \"com.atlassian.jira.startup.Launcher\", \"*BitbucketServerLauncher*\", \"com.google.gerrit.pgm.Daemon\",\n\n /* Solr */\n \"*-Dsolr.solr.home=*\",\n\n /* Jenkins */\n \"*jenkins.war*\"\n ) or\n ?process.working_directory like \"/u0?/*\"\n )\n )\n) and (\n process.executable like (\n \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"./*\", \"/run/*\", \"/var/run/*\", \"/boot/*\", \"/sys/*\", \"/lost+found/*\",\n \"/proc/*\", \"/var/mail/*\", \"/var/www/*\", \"/home/*/*\", \"/root/*\" \n ) or\n process.name like~ (\n // Hidden processes\n \".*\",\n\n // Suspicious file formats\n \"*.elf\", \"*.sh\", \"*.py\", \"*.rb\", \"*.pl\", \"*.lua*\", \"*.php*\", \".js\", \"*.bin\", \"*.jar\", \"*.mjs\",\n\n // Network utilities often used for reverse shells\n \"nc\", \"netcat\", \"ncat\", \"telnet\", \"socat\", \"openssl\", \"nc.openbsd\", \"ngrok\", \"nc.traditional\",\n\n // Cloud CLI\n \"az\", \"gcloud\", \"aws\", \"kubectl\", \"helm\", \"docker\", \"ctr\", \"crictl\",\n\n // Misc. tools\n \"whoami\", \"ifconfig\", \"ip\", \"ss\", \"top\", \"htop\", \"du\", \"lsblk\", \"lsof\", \"tcpdump\",\n \"strace\", \"ltrace\", \"curl\", \"wget\", \"dig\", \"nslookup\", \"host\", \"nmap\", \"arp\", \"traceroute\",\n \"cat\", \"touch\", \"mv\", \"rm\", \"mkdir\", \"ln\", \"chmod\", \"sudo\", \"xxd\", \"base64\", \"basez\",\n \"base64plain\", \"base64url\", \"base64mime\", \"base64pem\", \"basenc\", \"base32\", \"base16\", \"chpasswd\",\n \"passwd\"\n ) \n) and \nnot (\n (\n process.parent.name == \"java\" and\n process.executable like (\"/tmp/CVU_19_resource_*/exectask*\", \"/u01/app/*/grid/bin/crsctl.bin\", \"/u01/app/*/grid/bin/olsnodes.bin\")\n ) or\n process.working_directory like (\"/u01/app/*/sysman/emd\", \"/run/systemd/mount-rootfs\") or\n (\n process.parent.executable == \"/opt/morpheus/embedded/java/jre/bin/java\" and\n process.command_line like (\n \"chmod -R g+w /var/opt/morpheus/morpheus-local/repo/git/*\",\n \"sudo -S -u morpheus-local*\"\n )\n ) or\n (\n process.parent.command_line == \"/bin/sh /etc/init.d/nginx rotate\" and\n process.working_directory == \"/var/lib/logrotate\" and\n process.name == \"cat\"\n )\n)\n", + "references": [ + "https://pentestlab.blog/tag/web-shell/", + "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Initial Access", + "Use Case: Vulnerability", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 115 + }, + "id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_115", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_5.json b/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_5.json deleted file mode 100644 index 3a83e6ce7bd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_5.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected.", - "false_positives": [ - "To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.", - "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Forwarded Google Workspace Security Alert", - "note": "## Triage and analysis\n\nThis is a promotion rule for Google Workspace security events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", - "query": "event.dataset: google_workspace.alert\n", - "references": [ - "https://workspace.google.com/products/admin/alert-center/", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.31.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc", - "rule_name_override": "google_workspace.alert.type", - "setup": "", - "severity": "high", - "severity_mapping": [ - { - "field": "google_workspace.alert.metadata.severity", - "operator": "equals", - "severity": "low", - "value": "LOW" - }, - { - "field": "google_workspace.alert.metadata.severity", - "operator": "equals", - "severity": "medium", - "value": "MEDIUM" - }, - { - "field": "google_workspace.alert.metadata.severity", - "operator": "equals", - "severity": "high", - "value": "HIGH" - } - ], - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Log Auditing", - "Use Case: Threat Detection", - "Resources: Investigation Guide" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 - }, - "id": "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_216.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_216.json new file mode 100644 index 00000000000..180ea9b8dde --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_216.json @@ -0,0 +1,142 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Secure Shell (SSH) client or server process creating a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", + "false_positives": [ + "Updates to approved and trusted SSH executables can trigger this rule." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.file-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential OpenSSH Backdoor Logging Activity", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential OpenSSH Backdoor Logging Activity\n\nOpenSSH is a widely used protocol for secure remote administration and file transfers. Adversaries may exploit OpenSSH by modifying its binaries to log credentials or maintain unauthorized access. The detection rule identifies suspicious file changes linked to SSH processes, focusing on unusual file names, extensions, and paths indicative of backdoor activity, thus helping to uncover potential security breaches.\n\n### Possible investigation steps\n\n- Review the file change event details to identify the specific file name, extension, and path involved in the alert. Pay particular attention to unusual file names or extensions and paths listed in the query, such as \"/usr/lib/*.so.*\" or \"/private/etc/ssh/.sshd_auth\".\n- Examine the process executable that triggered the alert, either \"/usr/sbin/sshd\" or \"/usr/bin/ssh\", to determine if it has been modified or replaced. Check the integrity of these binaries using hash comparisons against known good versions.\n- Investigate the user account associated with the process that made the file change. Determine if the account has a history of suspicious activity or if it has been compromised.\n- Check for any recent or unusual login attempts or sessions related to the SSH service on the host. Look for patterns that might indicate unauthorized access or credential harvesting.\n- Analyze system logs, such as auth.log or secure.log, for any anomalies or entries that coincide with the time of the file change event. This can provide additional context or evidence of malicious activity.\n- If a backdoor is suspected, consider isolating the affected system from the network to prevent further unauthorized access and begin remediation efforts, such as restoring from a clean backup or reinstalling the affected services.\n\n### False positive analysis\n\n- Routine system updates or package installations may trigger file changes in SSH-related directories. Users can create exceptions for known update processes to prevent false alerts.\n- Custom scripts or administrative tasks that modify SSH configuration files for legitimate purposes might be flagged. Users should whitelist these scripts or processes if they are verified as non-malicious.\n- Backup or synchronization tools that create temporary files with unusual extensions or names in SSH directories can cause false positives. Exclude these tools from monitoring if they are part of regular operations.\n- Development or testing environments where SSH binaries are frequently modified for testing purposes may generate alerts. Implement exclusions for these environments to reduce noise.\n- Automated configuration management tools like Ansible or Puppet that modify SSH settings as part of their operations can be excluded if they are part of authorized workflows.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any suspicious SSH processes identified in the alert to halt potential backdoor activity.\n- Conduct a thorough review of the modified files and binaries, particularly those listed in the query, to assess the extent of the compromise and identify any malicious code or unauthorized changes.\n- Restore affected files and binaries from a known good backup to ensure system integrity and remove any backdoor modifications.\n- Change all SSH credentials and keys associated with the compromised system to prevent unauthorized access using potentially logged credentials.\n- Implement additional monitoring on the affected system and network for any signs of persistence or further malicious activity, focusing on the paths and file types highlighted in the detection query.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected, ensuring a coordinated response to the threat.", + "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and process.name in (\"ssh\", \"sshd\") and\n (\n (\n file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\n \".cache\", \".viminfo\", \".bash_history\", \".google_authenticator\", \".jelenv\", \".csvignore\", \".rtreport\", \".git*\"\n )\n ) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/tmp/*\",\n \"/var/tmp/*\",\n \"/dev/shm/*\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/usr/bin/ssd\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n ) and\n not file.path like (\"/tmp/krb5cc*\", \"/tmp/ansible_*\", \"/storage/*\", \"/tmp/clearsigned.message.*\", \"/var/sftp/refinitiv/*\", \"/tmp/fileutil.message.*\")\n", + "references": [ + "https://github.com/eset/malware-ioc/tree/master/sshdoor", + "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Host Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1074", + "name": "Data Staged", + "reference": "https://attack.mitre.org/techniques/T1074/", + "subtechnique": [ + { + "id": "T1074.001", + "name": "Local Data Staging", + "reference": "https://attack.mitre.org/techniques/T1074/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 216 + }, + "id": "f28e2be4-6eca-4349-bdd9-381573730c22_216", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2e21713-1eac-4908-a782-1b49c7e9d53b_3.json b/packages/security_detection_engine/kibana/security_rule/f2e21713-1eac-4908-a782-1b49c7e9d53b_3.json index bf7bb56f107..e88b761f458 100644 --- a/packages/security_detection_engine/kibana/security_rule/f2e21713-1eac-4908-a782-1b49c7e9d53b_3.json +++ b/packages/security_detection_engine/kibana/security_rule/f2e21713-1eac-4908-a782-1b49c7e9d53b_3.json @@ -18,7 +18,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/f8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10_2.json b/packages/security_detection_engine/kibana/security_rule/f8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10_2.json index 3f4323156b3..ac58e74e8cf 100644 --- a/packages/security_detection_engine/kibana/security_rule/f8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10_2.json +++ b/packages/security_detection_engine/kibana/security_rule/f8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10_2.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/fa830742-fd41-4b12-a287-2c57bdf079ef_1.json b/packages/security_detection_engine/kibana/security_rule/fa830742-fd41-4b12-a287-2c57bdf079ef_1.json new file mode 100644 index 00000000000..d3178bfc135 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa830742-fd41-4b12-a287-2c57bdf079ef_1.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an AWS Bedrock model invocation logging configuration is deleted or overwritten via the DeleteModelInvocationLoggingConfiguration or PutModelInvocationLoggingConfiguration API calls. Model invocation logging is the source that feeds the logs-aws_bedrock.invocation-* dataset relied upon by all data-plane Bedrock detections. An adversary who has gained access to a Bedrock environment can blind defenders by deleting this configuration, or by using the Put API to redirect logs to an attacker-controlled or non-monitored S3 bucket or CloudWatch log group. Because this single control-plane action can neutralize the entire data-plane detection stack, it is a high-value evasion technique that should be validated against expected administrative change activity.", + "false_positives": [ + "Cloud or security administrators may legitimately delete or reconfigure Bedrock model invocation logging during onboarding, log destination migrations, or compliance changes. Verify whether the user identity, user agent, and source IP are expected to make this change. For PutModelInvocationLoggingConfiguration, confirm that the destination S3 bucket or CloudWatch log group remains owned and monitored by your organization. Known, planned changes can be exempted from this rule." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "source.as.number", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.provider", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.flattened.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Bedrock Model Invocation Logging Disabled or Modified", + "note": "## Triage and analysis\n\n### Investigating AWS Bedrock Model Invocation Logging Disabled or Modified\n\nAWS Bedrock model invocation logging captures the prompts and responses processed by foundation models and delivers them\nto an S3 bucket or CloudWatch log group. This data feeds the `logs-aws_bedrock.invocation-*` dataset that all data-plane\nBedrock detections depend on. Deleting the configuration stops this telemetry entirely, while overwriting it with `Put`\ncan silently redirect logs to a destination the defender does not monitor. Either action effectively blinds the\ndata-plane detection stack, making this a high-priority defense-evasion event.\n\n#### Possible investigation steps\n\n- **Identify the actor and context**\n - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, `aws.cloudtrail.user_identity.access_key_id`, `user_agent.original`, and `source.ip`.\n - Determine whether the identity is an approved Bedrock administrator and whether a change request exists.\n- **Determine the exact action**\n - For `DeleteModelInvocationLoggingConfiguration`, logging is being turned off entirely \u2014 confirm this is intentional.\n - For `PutModelInvocationLoggingConfiguration`, inspect `aws.cloudtrail.flattened.request_parameters` for the new\n `s3Config` bucket name / key prefix and `cloudWatchConfig` log group, and verify they are owned and monitored by your org.\n- **Correlate surrounding activity**\n - Pivot on the same identity, `source.ip`, and `cloud.account.id` for prior enumeration\n (`GetModelInvocationLoggingConfiguration`) or follow-on Bedrock data-plane activity (model invocations) that would now\n be unlogged.\n - Check for parallel logging-tampering against CloudTrail, Config, or GuardDuty.\n\n### False positive analysis\n\n- **Planned changes**: Logging migrations or compliance updates may legitimately reconfigure or remove the\n configuration. Validate against change tickets and infrastructure-as-code pipelines.\n\n### Response and remediation\n\n- If unauthorized, restore model invocation logging to the approved destination and verify log delivery resumes into\n `logs-aws_bedrock.invocation-*`.\n- Review and secure any attacker-specified S3 bucket or CloudWatch log group, and treat data sent there as exposed.\n- Audit the actor's recent Bedrock and IAM activity and rotate credentials if compromise is suspected.\n- Restrict `bedrock:DeleteModelInvocationLoggingConfiguration` and `bedrock:PutModelInvocationLoggingConfiguration` to a\n small set of administrative roles and alert on changes.\n", + "query": "data_stream.dataset: \"aws.cloudtrail\" and\n event.provider: \"bedrock.amazonaws.com\" and\n event.action: (\"DeleteModelInvocationLoggingConfiguration\" or \"PutModelInvocationLoggingConfiguration\") and \n event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_DeleteModelInvocationLoggingConfiguration.html", + "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_PutModelInvocationLoggingConfiguration.html", + "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "fa830742-fd41-4b12-a287-2c57bdf079ef", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Domain: LLM", + "Data Source: AWS", + "Data Source: AWS CloudTrail", + "Data Source: Amazon Web Services", + "Data Source: Amazon Bedrock", + "Use Case: Log Auditing", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.008", + "name": "Disable or Modify Cloud Logs", + "reference": "https://attack.mitre.org/techniques/T1562/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "fa830742-fd41-4b12-a287-2c57bdf079ef_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_111.json b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_111.json new file mode 100644 index 00000000000..57396bcfc49 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_111.json @@ -0,0 +1,160 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign legitimate DLLs.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.library-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Masquerading as System32 DLL", + "note": "## Triage and analysis\n\n### Investigating Potential Masquerading as System32 DLL\n\nThis rule fires when a DLL with a name matching a known Windows System32 library is loaded from an unexpected path, is unsigned or signed by a non-Microsoft certificate, and was recently created or modified (within the last hour). This pattern is consistent with DLL Search Order Hijacking, DLL planting, or backdooring/resigning of legitimate system DLLs \u2014 all common defense evasion and persistence techniques used by both commodity malware and sophisticated threat actors.\n\n#### Possible investigation steps\n\n- Examine the full `dll.path` to determine where the suspicious DLL was loaded from. Paths under user-writable directories (`AppData`, `Temp`, `Downloads`, `ProgramData`) or application directories are high-fidelity indicators.\n- Review `dll.code_signature` fields \u2014 check whether the DLL is unsigned, self-signed, or signed by an unexpected publisher. A trusted signature from a legitimate vendor may indicate a false positive; an invalid or absent signature warrants deeper investigation.\n- Check `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` \u2014 a DLL dropped and loaded within seconds or minutes of each other strongly suggests staged execution.\n- Identify the loading process (`process.name`, `process.executable`, `process.pid`) and examine its parent chain for unusual ancestry (e.g. Office spawning a loader, or a browser dropping a DLL).\n- Retrieve the DLL and hash it with `Get-FileHash -Algorithm SHA256`. Search the hash across VirusTotal, Hybrid-Analysis, MalwareBazaar, and CISCO Talos.\n- Check whether other hosts in the environment have loaded the same DLL path or hash \u2014 a single host is likely targeted or hands-on, widespread hits may indicate a worm or supply chain issue.\n- Correlate with process creation events around the same timestamp to identify what dropped the DLL (downloaders, document macros, installers, etc.).\n- Inspect the directory containing the DLL for other recently created files, scripts, or executables that may be part of the same drop.\n\n### False positive analysis\n\n- Legitimate third-party software occasionally ships DLLs with names that collide with System32 libraries (e.g. security vendors, game engines, virtualization software, and enterprise tooling). Validate the publisher via `dll.code_signature.subject_name` and cross-reference against known software installed on the host.\n- Installer and update workflows may briefly stage DLLs in temp paths before moving them to their final location \u2014 check whether the loading process is a known installer (`msiexec.exe`, `setup.exe`, vendor updaters) and whether the DLL path disappears after a short window.\n- DismHost.exe staging certain DLLs under `C:\\Windows\\Temp\\` during servicing operations is a known benign pattern already excluded in the query.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence via Desktop File - c4818812-d44f-47be-aaef-4cfb2f9cc799\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Potential DLL Side-Loading via Trusted Microsoft Programs - 1160dcdb-0a0a-4a79-91d8-9b84af7e0240\n\n### Response and remediation\n\n- Initiate the incident response process based on triage outcome. If the DLL is confirmed malicious, treat the host as compromised.\n- Isolate the affected host and preserve a memory dump and disk image before remediation to retain forensic evidence.\n- Delete the malicious DLL and any associated files identified during investigation.\n- If DLL Search Order Hijacking is confirmed, identify the vulnerable application and remediate by patching, applying a safe DLL search mode (`HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SafeDllSearchMode`), or restricting write permissions on directories in the application's search path.\n- If a legitimate binary was backdoored and resigned, treat all binaries delivered via the same channel as suspect and investigate the supply chain.\n- Block identified file hashes and signer certificates as appropriate at the endpoint and perimeter.\n- Hunt for lateral movement or persistence mechanisms established after the DLL was loaded \u2014 check scheduled tasks, services, registry run keys, and WMI subscriptions created around the same timeframe.\n- Determine the initial access vector and remediate to prevent reinfection.\n", + "query": "library where host.os.type == \"windows\" and event.action == \"load\" and \n(dll.Ext.relative_file_creation_time <= 3600 or dll.Ext.relative_file_name_modify_time <= 3600) and\n not (\n dll.path : (\n \"?:\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*\",\n \"?:\\\\Windows\\\\SystemTemp\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\",\n \"?:\\\\Windows\\\\assembly\\\\NativeImages_v*\"\n )\n ) and\n not (\n dll.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Hardware Abstraction Layer Publisher\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows 3rd party Component\",\n \"Microsoft 3rd Party Application Component\"\n ) and dll.code_signature.trusted == true\n ) and not dll.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n dll.name : (\n \"aadauthhelper.dll\", \"aadcloudap.dll\", \"aadjcsp.dll\", \"aadtb.dll\", \"aadwamextension.dll\", \"aarsvc.dll\", \"abovelockapphost.dll\", \"accessibilitycpl.dll\", \"accountaccessor.dll\", \"accountsrt.dll\", \"acgenral.dll\", \"aclayers.dll\", \"acledit.dll\", \"aclui.dll\", \"acmigration.dll\", \"acppage.dll\", \"acproxy.dll\", \"acspecfc.dll\", \"actioncenter.dll\", \"actioncentercpl.dll\", \"actionqueue.dll\", \"activationclient.dll\", \"activeds.dll\", \"activesynccsp.dll\", \"actxprxy.dll\", \"acwinrt.dll\", \"acxtrnal.dll\", \"adaptivecards.dll\", \"addressparser.dll\", \"adhapi.dll\", \"adhsvc.dll\", \"admtmpl.dll\", \"adprovider.dll\", \"adrclient.dll\", \"adsldp.dll\", \"adsldpc.dll\", \"adsmsext.dll\", \"adsnt.dll\", \"adtschema.dll\", \"advancedemojids.dll\", \"advapi32.dll\", \"advapi32res.dll\", \"advpack.dll\", \"aeevts.dll\", \"aeinv.dll\", \"aepic.dll\", \"ajrouter.dll\", \"altspace.dll\", \"amsi.dll\", \"amsiproxy.dll\", \"amstream.dll\", \"apds.dll\", \"aphostclient.dll\", \"aphostres.dll\", \"aphostservice.dll\", \"apisampling.dll\", \"apisetschema.dll\", \"apmon.dll\", \"apmonui.dll\", \"appcontracts.dll\", \"appextension.dll\", \"apphelp.dll\", \"apphlpdm.dll\", \"appidapi.dll\", \"appidsvc.dll\", \"appinfo.dll\", \"appinfoext.dll\", \"applicationframe.dll\", \"applockercsp.dll\", \"appmgmts.dll\", \"appmgr.dll\", \"appmon.dll\", \"appointmentapis.dll\", \"appraiser.dll\", \"appreadiness.dll\", \"apprepapi.dll\", \"appresolver.dll\", \"appsruprov.dll\", \"appvcatalog.dll\", \"appvclientps.dll\", \"appvetwclientres.dll\", \"appvintegration.dll\", \"appvmanifest.dll\", \"appvpolicy.dll\", \"appvpublishing.dll\", \"appvreporting.dll\", \"appvscripting.dll\", \"appvsentinel.dll\", \"appvstreamingux.dll\", \"appvstreammap.dll\", \"appvterminator.dll\", \"appxalluserstore.dll\", \"appxpackaging.dll\", \"appxsip.dll\", \"appxsysprep.dll\", \"archiveint.dll\", \"asferror.dll\", \"aspnet_counters.dll\", \"asycfilt.dll\", \"atl.dll\", \"atlthunk.dll\", \"atmlib.dll\", \"audioeng.dll\", \"audiohandlers.dll\", \"audiokse.dll\", \"audioses.dll\", \"audiosrv.dll\", \"auditcse.dll\", \"auditpolcore.dll\", \"auditpolmsg.dll\", \"authbroker.dll\", \"authbrokerui.dll\", \"authentication.dll\", \"authext.dll\", \"authfwcfg.dll\", \"authfwgp.dll\", \"authfwsnapin.dll\", \"authfwwizfwk.dll\", \"authhostproxy.dll\", \"authui.dll\", \"authz.dll\", \"autopilot.dll\", \"autopilotdiag.dll\", \"autoplay.dll\", \"autotimesvc.dll\", \"avicap32.dll\", \"avifil32.dll\", \"avrt.dll\", \"axinstsv.dll\", \"azroles.dll\", \"azroleui.dll\", \"azsqlext.dll\", \"basecsp.dll\", \"basesrv.dll\", \"batmeter.dll\", \"bcastdvrbroker.dll\", \"bcastdvrclient.dll\", \"bcastdvrcommon.dll\", \"bcd.dll\", \"bcdprov.dll\", \"bcdsrv.dll\", \"bcp47langs.dll\", \"bcp47mrm.dll\", \"bcrypt.dll\", \"bcryptprimitives.dll\", \"bdehdcfglib.dll\", \"bderepair.dll\", \"bdesvc.dll\", \"bdesysprep.dll\", \"bdeui.dll\", \"bfe.dll\", \"bi.dll\", \"bidispl.dll\", \"bindfltapi.dll\", \"bingasds.dll\", \"bingfilterds.dll\", \"bingmaps.dll\", \"biocredprov.dll\", \"bisrv.dll\", \"bitlockercsp.dll\", \"bitsigd.dll\", \"bitsperf.dll\", \"bitsproxy.dll\", \"biwinrt.dll\", \"blbevents.dll\", \"blbres.dll\", \"blb_ps.dll\", \"bluetoothapis.dll\", \"bnmanager.dll\", \"bootmenuux.dll\", \"bootstr.dll\", \"bootux.dll\", \"bootvid.dll\", \"bridgeres.dll\", \"brokerlib.dll\", \"browcli.dll\", \"browserbroker.dll\", \"browseui.dll\", \"btagservice.dll\", \"bthavctpsvc.dll\", \"bthavrcp.dll\", \"bthavrcpappsvc.dll\", \"bthci.dll\", \"bthpanapi.dll\", \"bthradiomedia.dll\", \"bthserv.dll\", \"bthtelemetry.dll\", \"btpanui.dll\", \"bwcontexthandler.dll\", \"cabapi.dll\", \"cabinet.dll\", \"cabview.dll\", \"callbuttons.dll\", \"cameracaptureui.dll\", \"capauthz.dll\", \"capiprovider.dll\", \"capisp.dll\", \"captureservice.dll\", \"castingshellext.dll\", \"castlaunch.dll\", \"catsrv.dll\", \"catsrvps.dll\", \"catsrvut.dll\", \"cbdhsvc.dll\", \"cca.dll\", \"cdd.dll\", \"cdosys.dll\", \"cdp.dll\", \"cdprt.dll\", \"cdpsvc.dll\", \"cdpusersvc.dll\", \"cemapi.dll\", \"certca.dll\", \"certcli.dll\", \"certcredprovider.dll\", \"certenc.dll\", \"certenroll.dll\", \"certenrollui.dll\", \"certmgr.dll\", \"certpkicmdlet.dll\", \"certpoleng.dll\", \"certprop.dll\", \"cewmdm.dll\", \"cfgbkend.dll\", \"cfgmgr32.dll\", \"cfgspcellular.dll\", \"cfgsppolicy.dll\", \"cflapi.dll\", \"cfmifs.dll\", \"cfmifsproxy.dll\", \"chakra.dll\", \"chakradiag.dll\", \"chakrathunk.dll\", \"chartv.dll\", \"chatapis.dll\", \"chkwudrv.dll\", \"chsstrokeds.dll\", \"chtbopomofods.dll\", \"chtcangjieds.dll\", \"chthkstrokeds.dll\", \"chtquickds.dll\", \"chxapds.dll\", \"chxdecoder.dll\", \"chxhapds.dll\", \"chxinputrouter.dll\", \"chxranker.dll\", \"ci.dll\", \"cic.dll\", \"cimfs.dll\", \"circoinst.dll\", \"ciwmi.dll\", \"clb.dll\", \"clbcatq.dll\", \"cldapi.dll\", \"cleanpccsp.dll\", \"clfsw32.dll\", \"cliconfg.dll\", \"clipboardserver.dll\", \"clipc.dll\", \"clipsvc.dll\", \"clipwinrt.dll\", \"cloudap.dll\", \"cloudidsvc.dll\", \"clrhost.dll\", \"clusapi.dll\", \"cmcfg32.dll\", \"cmdext.dll\", \"cmdial32.dll\", \"cmgrcspps.dll\", \"cmifw.dll\", \"cmintegrator.dll\", \"cmlua.dll\", \"cmpbk32.dll\", \"cmstplua.dll\", \"cmutil.dll\", \"cngcredui.dll\", \"cngprovider.dll\", \"cnvfat.dll\", \"cofiredm.dll\", \"colbact.dll\", \"colorcnv.dll\", \"colorui.dll\", \"combase.dll\", \"comcat.dll\", \"comctl32.dll\", \"comdlg32.dll\", \"coml2.dll\", \"comppkgsup.dll\", \"compstui.dll\", \"computecore.dll\", \"computenetwork.dll\", \"computestorage.dll\", \"comrepl.dll\", \"comres.dll\", \"comsnap.dll\", \"comsvcs.dll\", \"comuid.dll\", \"configmanager2.dll\", \"conhostv1.dll\", \"connect.dll\", \"consentux.dll\", \"consentuxclient.dll\", \"console.dll\", \"consolelogon.dll\", \"contactapis.dll\", \"container.dll\", \"coredpus.dll\", \"coreglobconfig.dll\", \"coremas.dll\", \"coremessaging.dll\", \"coremmres.dll\", \"coreshell.dll\", \"coreshellapi.dll\", \"coreuicomponents.dll\", \"correngine.dll\", \"courtesyengine.dll\", \"cpfilters.dll\", \"creddialogbroker.dll\", \"credprovhelper.dll\", \"credprovhost.dll\", \"credprovs.dll\", \"credprovslegacy.dll\", \"credssp.dll\", \"credui.dll\", \"crypt32.dll\", \"cryptbase.dll\", \"cryptcatsvc.dll\", \"cryptdlg.dll\", \"cryptdll.dll\", \"cryptext.dll\", \"cryptnet.dll\", \"cryptngc.dll\", \"cryptowinrt.dll\", \"cryptsp.dll\", \"cryptsvc.dll\", \"crypttpmeksvc.dll\", \"cryptui.dll\", \"cryptuiwizard.dll\", \"cryptxml.dll\", \"cscapi.dll\", \"cscdll.dll\", \"cscmig.dll\", \"cscobj.dll\", \"cscsvc.dll\", \"cscui.dll\", \"csplte.dll\", \"cspproxy.dll\", \"csrsrv.dll\", \"cxcredprov.dll\", \"c_g18030.dll\", \"c_gsm7.dll\", \"c_is2022.dll\", \"c_iscii.dll\", \"d2d1.dll\", \"d3d10.dll\", \"d3d10core.dll\", \"d3d10level9.dll\", \"d3d10warp.dll\", \"d3d10_1.dll\", \"d3d10_1core.dll\", \"d3d11.dll\", \"d3d11on12.dll\", \"d3d12.dll\", \"d3d12core.dll\", \"d3d8thk.dll\", \"d3d9.dll\", \"d3d9on12.dll\", \"d3dscache.dll\", \"dab.dll\", \"dabapi.dll\", \"daconn.dll\", \"dafbth.dll\", \"dafdnssd.dll\", \"dafescl.dll\", \"dafgip.dll\", \"dafiot.dll\", \"dafipp.dll\", \"dafmcp.dll\", \"dafpos.dll\", \"dafprintprovider.dll\", \"dafupnp.dll\", \"dafwcn.dll\", \"dafwfdprovider.dll\", \"dafwiprov.dll\", \"dafwsd.dll\", \"damediamanager.dll\", \"damm.dll\", \"das.dll\", \"dataclen.dll\", \"datusage.dll\", \"davclnt.dll\", \"davhlpr.dll\", \"davsyncprovider.dll\", \"daxexec.dll\", \"dbgcore.dll\", \"dbgeng.dll\", \"dbghelp.dll\", \"dbgmodel.dll\", \"dbnetlib.dll\", \"dbnmpntw.dll\", \"dciman32.dll\", \"dcntel.dll\", \"dcomp.dll\", \"ddaclsys.dll\", \"ddcclaimsapi.dll\", \"ddds.dll\", \"ddisplay.dll\", \"ddoiproxy.dll\", \"ddores.dll\", \"ddpchunk.dll\", \"ddptrace.dll\", \"ddputils.dll\", \"ddp_ps.dll\", \"ddraw.dll\", \"ddrawex.dll\", \"defragproxy.dll\", \"defragres.dll\", \"defragsvc.dll\", \"deploymentcsps.dll\", \"deskadp.dll\", \"deskmon.dll\", \"desktopshellext.dll\", \"devenum.dll\", \"deviceaccess.dll\", \"devicecenter.dll\", \"devicecredential.dll\", \"devicepairing.dll\", \"deviceuxres.dll\", \"devinv.dll\", \"devmgr.dll\", \"devobj.dll\", \"devpropmgr.dll\", \"devquerybroker.dll\", \"devrtl.dll\", \"dfdts.dll\", \"dfscli.dll\", \"dfshim.dll\", \"dfsshlex.dll\", \"dggpext.dll\", \"dhcpcmonitor.dll\", \"dhcpcore.dll\", \"dhcpcore6.dll\", \"dhcpcsvc.dll\", \"dhcpcsvc6.dll\", \"dhcpsapi.dll\", \"diagcpl.dll\", \"diagnosticlogcsp.dll\", \"diagperf.dll\", \"diagsvc.dll\", \"diagtrack.dll\", \"dialclient.dll\", \"dialserver.dll\", \"dictationmanager.dll\", \"difxapi.dll\", \"dimsjob.dll\", \"dimsroam.dll\", \"dinput.dll\", \"dinput8.dll\", \"direct2ddesktop.dll\", \"directml.dll\", \"discan.dll\", \"dismapi.dll\", \"dispbroker.dll\", \"dispex.dll\", \"display.dll\", \"displaymanager.dll\", \"dlnashext.dll\", \"dmappsres.dll\", \"dmcfgutils.dll\", \"dmcmnutils.dll\", \"dmcsps.dll\", \"dmdlgs.dll\", \"dmdskmgr.dll\", \"dmdskres.dll\", \"dmdskres2.dll\", \"dmenrollengine.dll\", \"dmintf.dll\", \"dmiso8601utils.dll\", \"dmloader.dll\", \"dmocx.dll\", \"dmoleaututils.dll\", \"dmpushproxy.dll\", \"dmpushroutercore.dll\", \"dmrcdecoder.dll\", \"dmrserver.dll\", \"dmsynth.dll\", \"dmusic.dll\", \"dmutil.dll\", \"dmvdsitf.dll\", \"dmwappushsvc.dll\", \"dmwmicsp.dll\", \"dmxmlhelputils.dll\", \"dnsapi.dll\", \"dnscmmc.dll\", \"dnsext.dll\", \"dnshc.dll\", \"dnsrslvr.dll\", \"docprop.dll\", \"dolbydecmft.dll\", \"domgmt.dll\", \"dosettings.dll\", \"dosvc.dll\", \"dot3api.dll\", \"dot3cfg.dll\", \"dot3conn.dll\", \"dot3dlg.dll\", \"dot3gpclnt.dll\", \"dot3gpui.dll\", \"dot3hc.dll\", \"dot3mm.dll\", \"dot3msm.dll\", \"dot3svc.dll\", \"dot3ui.dll\", \"dpapi.dll\", \"dpapiprovider.dll\", \"dpapisrv.dll\", \"dpnaddr.dll\", \"dpnathlp.dll\", \"dpnet.dll\", \"dpnhpast.dll\", \"dpnhupnp.dll\", \"dpnlobby.dll\", \"dps.dll\", \"dpx.dll\", \"drprov.dll\", \"drt.dll\", \"drtprov.dll\", \"drttransport.dll\", \"drvsetup.dll\", \"drvstore.dll\", \"dsauth.dll\", \"dsccore.dll\", \"dsccoreconfprov.dll\", \"dsclient.dll\", \"dscproxy.dll\", \"dsctimer.dll\", \"dsdmo.dll\", \"dskquota.dll\", \"dskquoui.dll\", \"dsound.dll\", \"dsparse.dll\", \"dsprop.dll\", \"dsquery.dll\", \"dsreg.dll\", \"dsregtask.dll\", \"dsrole.dll\", \"dssec.dll\", \"dssenh.dll\", \"dssvc.dll\", \"dsui.dll\", \"dsuiext.dll\", \"dswave.dll\", \"dtsh.dll\", \"ducsps.dll\", \"dui70.dll\", \"duser.dll\", \"dusmapi.dll\", \"dusmsvc.dll\", \"dwmapi.dll\", \"dwmcore.dll\", \"dwmghost.dll\", \"dwminit.dll\", \"dwmredir.dll\", \"dwmscene.dll\", \"dwrite.dll\", \"dxcore.dll\", \"dxdiagn.dll\", \"dxgi.dll\", \"dxgwdi.dll\", \"dxilconv.dll\", \"dxmasf.dll\", \"dxp.dll\", \"dxpps.dll\", \"dxptasksync.dll\", \"dxtmsft.dll\", \"dxtrans.dll\", \"dxva2.dll\", \"dynamoapi.dll\", \"eapp3hst.dll\", \"eappcfg.dll\", \"eappcfgui.dll\", \"eappgnui.dll\", \"eapphost.dll\", \"eappprxy.dll\", \"eapprovp.dll\", \"eapputil.dll\", \"eapsimextdesktop.dll\", \"eapsvc.dll\", \"eapteapauth.dll\", \"eapteapconfig.dll\", \"eapteapext.dll\", \"easconsent.dll\", \"easwrt.dll\", \"edgeangle.dll\", \"edgecontent.dll\", \"edgehtml.dll\", \"edgeiso.dll\", \"edgemanager.dll\", \"edpauditapi.dll\", \"edpcsp.dll\", \"edptask.dll\", \"edputil.dll\", \"eeprov.dll\", \"eeutil.dll\", \"efsadu.dll\", \"efscore.dll\", \"efsext.dll\", \"efslsaext.dll\", \"efssvc.dll\", \"efsutil.dll\", \"efswrt.dll\", \"ehstorapi.dll\", \"ehstorpwdmgr.dll\", \"ehstorshell.dll\", \"els.dll\", \"elscore.dll\", \"elshyph.dll\", \"elslad.dll\", \"elstrans.dll\", \"emailapis.dll\", \"embeddedmodesvc.dll\", \"emojids.dll\", \"encapi.dll\", \"energy.dll\", \"energyprov.dll\", \"energytask.dll\", \"enrollmentapi.dll\", \"enterpriseapncsp.dll\", \"enterprisecsps.dll\", \"enterpriseetw.dll\", \"eqossnap.dll\", \"errordetails.dll\", \"errordetailscore.dll\", \"es.dll\", \"esclprotocol.dll\", \"esclscan.dll\", \"esclwiadriver.dll\", \"esdsip.dll\", \"esent.dll\", \"esentprf.dll\", \"esevss.dll\", \"eshims.dll\", \"etwrundown.dll\", \"euiccscsp.dll\", \"eventaggregation.dll\", \"eventcls.dll\", \"evr.dll\", \"execmodelclient.dll\", \"execmodelproxy.dll\", \"explorerframe.dll\", \"exsmime.dll\", \"extrasxmlparser.dll\", \"f3ahvoas.dll\", \"facilitator.dll\", \"familysafetyext.dll\", \"faultrep.dll\", \"fcon.dll\", \"fdbth.dll\", \"fdbthproxy.dll\", \"fddevquery.dll\", \"fde.dll\", \"fdeploy.dll\", \"fdphost.dll\", \"fdpnp.dll\", \"fdprint.dll\", \"fdproxy.dll\", \"fdrespub.dll\", \"fdssdp.dll\", \"fdwcn.dll\", \"fdwnet.dll\", \"fdwsd.dll\", \"feclient.dll\", \"ffbroker.dll\", \"fhcat.dll\", \"fhcfg.dll\", \"fhcleanup.dll\", \"fhcpl.dll\", \"fhengine.dll\", \"fhevents.dll\", \"fhshl.dll\", \"fhsrchapi.dll\", \"fhsrchph.dll\", \"fhsvc.dll\", \"fhsvcctl.dll\", \"fhtask.dll\", \"fhuxadapter.dll\", \"fhuxapi.dll\", \"fhuxcommon.dll\", \"fhuxgraphics.dll\", \"fhuxpresentation.dll\", \"fidocredprov.dll\", \"filemgmt.dll\", \"filterds.dll\", \"findnetprinters.dll\", \"firewallapi.dll\", \"flightsettings.dll\", \"fltlib.dll\", \"fluencyds.dll\", \"fmapi.dll\", \"fmifs.dll\", \"fms.dll\", \"fntcache.dll\", \"fontext.dll\", \"fontprovider.dll\", \"fontsub.dll\", \"fphc.dll\", \"framedyn.dll\", \"framedynos.dll\", \"frameserver.dll\", \"frprov.dll\", \"fsutilext.dll\", \"fthsvc.dll\", \"fundisc.dll\", \"fveapi.dll\", \"fveapibase.dll\", \"fvecerts.dll\", \"fvecpl.dll\", \"fveskybackup.dll\", \"fveui.dll\", \"fvewiz.dll\", \"fwbase.dll\", \"fwcfg.dll\", \"fwmdmcsp.dll\", \"fwpolicyiomgr.dll\", \"fwpuclnt.dll\", \"fwremotesvr.dll\", \"gameinput.dll\", \"gamemode.dll\", \"gamestreamingext.dll\", \"gameux.dll\", \"gamingtcui.dll\", \"gcdef.dll\", \"gdi32.dll\", \"gdi32full.dll\", \"gdiplus.dll\", \"generaltel.dll\", \"geocommon.dll\", \"geolocation.dll\", \"getuname.dll\", \"glmf32.dll\", \"globinputhost.dll\", \"glu32.dll\", \"gmsaclient.dll\", \"gpapi.dll\", \"gpcsewrappercsp.dll\", \"gpedit.dll\", \"gpprefcl.dll\", \"gpprnext.dll\", \"gpscript.dll\", \"gpsvc.dll\", \"gptext.dll\", \"graphicscapture.dll\", \"graphicsperfsvc.dll\", \"groupinghc.dll\", \"hal.dll\", \"halextpl080.dll\", \"hascsp.dll\", \"hashtagds.dll\", \"hbaapi.dll\", \"hcproviders.dll\", \"hdcphandler.dll\", \"heatcore.dll\", \"helppaneproxy.dll\", \"hgcpl.dll\", \"hhsetup.dll\", \"hid.dll\", \"hidcfu.dll\", \"hidserv.dll\", \"hlink.dll\", \"hmkd.dll\", \"hnetcfg.dll\", \"hnetcfgclient.dll\", \"hnetmon.dll\", \"hologramworld.dll\", \"holoshellruntime.dll\", \"holoshextensions.dll\", \"hotplug.dll\", \"hrtfapo.dll\", \"httpapi.dll\", \"httpprxc.dll\", \"httpprxm.dll\", \"httpprxp.dll\", \"httpsdatasource.dll\", \"htui.dll\", \"hvhostsvc.dll\", \"hvloader.dll\", \"hvsigpext.dll\", \"hvsocket.dll\", \"hydrogen.dll\", \"ia2comproxy.dll\", \"ias.dll\", \"iasacct.dll\", \"iasads.dll\", \"iasdatastore.dll\", \"iashlpr.dll\", \"iasmigplugin.dll\", \"iasnap.dll\", \"iaspolcy.dll\", \"iasrad.dll\", \"iasrecst.dll\", \"iassam.dll\", \"iassdo.dll\", \"iassvcs.dll\", \"icfupgd.dll\", \"icm32.dll\", \"icmp.dll\", \"icmui.dll\", \"iconcodecservice.dll\", \"icsigd.dll\", \"icsvc.dll\", \"icsvcext.dll\", \"icu.dll\", \"icuin.dll\", \"icuuc.dll\", \"idctrls.dll\", \"idlisten.dll\", \"idndl.dll\", \"idstore.dll\", \"ieadvpack.dll\", \"ieapfltr.dll\", \"iedkcs32.dll\", \"ieframe.dll\", \"iemigplugin.dll\", \"iepeers.dll\", \"ieproxy.dll\", \"iernonce.dll\", \"iertutil.dll\", \"iesetup.dll\", \"iesysprep.dll\", \"ieui.dll\", \"ifmon.dll\", \"ifsutil.dll\", \"ifsutilx.dll\", \"igddiag.dll\", \"ihds.dll\", \"ikeext.dll\", \"imagehlp.dll\", \"imageres.dll\", \"imagesp1.dll\", \"imapi.dll\", \"imapi2.dll\", \"imapi2fs.dll\", \"imgutil.dll\", \"imm32.dll\", \"implatsetup.dll\", \"indexeddblegacy.dll\", \"inetcomm.dll\", \"inetmib1.dll\", \"inetpp.dll\", \"inetppui.dll\", \"inetres.dll\", \"inked.dll\", \"inkobjcore.dll\", \"inproclogger.dll\", \"input.dll\", \"inputcloudstore.dll\", \"inputcontroller.dll\", \"inputhost.dll\", \"inputservice.dll\", \"inputswitch.dll\", \"inseng.dll\", \"installservice.dll\", \"internetmail.dll\", \"internetmailcsp.dll\", \"invagent.dll\", \"iologmsg.dll\", \"iphlpapi.dll\", \"iphlpsvc.dll\", \"ipnathlp.dll\", \"ipnathlpclient.dll\", \"ippcommon.dll\", \"ippcommonproxy.dll\", \"iprtprio.dll\", \"iprtrmgr.dll\", \"ipsecsnp.dll\", \"ipsecsvc.dll\", \"ipsmsnap.dll\", \"ipxlatcfg.dll\", \"iri.dll\", \"iscsicpl.dll\", \"iscsidsc.dll\", \"iscsied.dll\", \"iscsiexe.dll\", \"iscsilog.dll\", \"iscsium.dll\", \"iscsiwmi.dll\", \"iscsiwmiv2.dll\", \"ism.dll\", \"itircl.dll\", \"itss.dll\", \"iuilp.dll\", \"iumbase.dll\", \"iumcrypt.dll\", \"iumdll.dll\", \"iumsdk.dll\", \"iyuv_32.dll\", \"joinproviderol.dll\", \"joinutil.dll\", \"jpmapcontrol.dll\", \"jpndecoder.dll\", \"jpninputrouter.dll\", \"jpnranker.dll\", \"jpnserviceds.dll\", \"jscript.dll\", \"jscript9.dll\", \"jscript9diag.dll\", \"jsproxy.dll\", \"kbd101.dll\", \"kbd101a.dll\", \"kbd101b.dll\", \"kbd101c.dll\", \"kbd103.dll\", \"kbd106.dll\", \"kbd106n.dll\", \"kbda1.dll\", \"kbda2.dll\", \"kbda3.dll\", \"kbdadlm.dll\", \"kbdal.dll\", \"kbdarme.dll\", \"kbdarmph.dll\", \"kbdarmty.dll\", \"kbdarmw.dll\", \"kbdax2.dll\", \"kbdaze.dll\", \"kbdazel.dll\", \"kbdazst.dll\", \"kbdbash.dll\", \"kbdbe.dll\", \"kbdbene.dll\", \"kbdbgph.dll\", \"kbdbgph1.dll\", \"kbdbhc.dll\", \"kbdblr.dll\", \"kbdbr.dll\", \"kbdbu.dll\", \"kbdbug.dll\", \"kbdbulg.dll\", \"kbdca.dll\", \"kbdcan.dll\", \"kbdcher.dll\", \"kbdcherp.dll\", \"kbdcr.dll\", \"kbdcz.dll\", \"kbdcz1.dll\", \"kbdcz2.dll\", \"kbdda.dll\", \"kbddiv1.dll\", \"kbddiv2.dll\", \"kbddv.dll\", \"kbddzo.dll\", \"kbdes.dll\", \"kbdest.dll\", \"kbdfa.dll\", \"kbdfar.dll\", \"kbdfc.dll\", \"kbdfi.dll\", \"kbdfi1.dll\", \"kbdfo.dll\", \"kbdfr.dll\", \"kbdfthrk.dll\", \"kbdgae.dll\", \"kbdgeo.dll\", \"kbdgeoer.dll\", \"kbdgeome.dll\", \"kbdgeooa.dll\", \"kbdgeoqw.dll\", \"kbdgkl.dll\", \"kbdgn.dll\", \"kbdgr.dll\", \"kbdgr1.dll\", \"kbdgrlnd.dll\", \"kbdgthc.dll\", \"kbdhau.dll\", \"kbdhaw.dll\", \"kbdhe.dll\", \"kbdhe220.dll\", \"kbdhe319.dll\", \"kbdheb.dll\", \"kbdhebl3.dll\", \"kbdhela2.dll\", \"kbdhela3.dll\", \"kbdhept.dll\", \"kbdhu.dll\", \"kbdhu1.dll\", \"kbdibm02.dll\", \"kbdibo.dll\", \"kbdic.dll\", \"kbdinasa.dll\", \"kbdinbe1.dll\", \"kbdinbe2.dll\", \"kbdinben.dll\", \"kbdindev.dll\", \"kbdinen.dll\", \"kbdinguj.dll\", \"kbdinhin.dll\", \"kbdinkan.dll\", \"kbdinmal.dll\", \"kbdinmar.dll\", \"kbdinori.dll\", \"kbdinpun.dll\", \"kbdintam.dll\", \"kbdintel.dll\", \"kbdinuk2.dll\", \"kbdir.dll\", \"kbdit.dll\", \"kbdit142.dll\", \"kbdiulat.dll\", \"kbdjav.dll\", \"kbdjpn.dll\", \"kbdkaz.dll\", \"kbdkhmr.dll\", \"kbdkni.dll\", \"kbdkor.dll\", \"kbdkurd.dll\", \"kbdkyr.dll\", \"kbdla.dll\", \"kbdlao.dll\", \"kbdlisub.dll\", \"kbdlisus.dll\", \"kbdlk41a.dll\", \"kbdlt.dll\", \"kbdlt1.dll\", \"kbdlt2.dll\", \"kbdlv.dll\", \"kbdlv1.dll\", \"kbdlvst.dll\", \"kbdmac.dll\", \"kbdmacst.dll\", \"kbdmaori.dll\", \"kbdmlt47.dll\", \"kbdmlt48.dll\", \"kbdmon.dll\", \"kbdmonmo.dll\", \"kbdmonst.dll\", \"kbdmyan.dll\", \"kbdne.dll\", \"kbdnec.dll\", \"kbdnec95.dll\", \"kbdnecat.dll\", \"kbdnecnt.dll\", \"kbdnepr.dll\", \"kbdnko.dll\", \"kbdno.dll\", \"kbdno1.dll\", \"kbdnso.dll\", \"kbdntl.dll\", \"kbdogham.dll\", \"kbdolch.dll\", \"kbdoldit.dll\", \"kbdosa.dll\", \"kbdosm.dll\", \"kbdpash.dll\", \"kbdphags.dll\", \"kbdpl.dll\", \"kbdpl1.dll\", \"kbdpo.dll\", \"kbdro.dll\", \"kbdropr.dll\", \"kbdrost.dll\", \"kbdru.dll\", \"kbdru1.dll\", \"kbdrum.dll\", \"kbdsf.dll\", \"kbdsg.dll\", \"kbdsl.dll\", \"kbdsl1.dll\", \"kbdsmsfi.dll\", \"kbdsmsno.dll\", \"kbdsn1.dll\", \"kbdsora.dll\", \"kbdsorex.dll\", \"kbdsors1.dll\", \"kbdsorst.dll\", \"kbdsp.dll\", \"kbdsw.dll\", \"kbdsw09.dll\", \"kbdsyr1.dll\", \"kbdsyr2.dll\", \"kbdtaile.dll\", \"kbdtajik.dll\", \"kbdtam99.dll\", \"kbdtat.dll\", \"kbdth0.dll\", \"kbdth1.dll\", \"kbdth2.dll\", \"kbdth3.dll\", \"kbdtifi.dll\", \"kbdtifi2.dll\", \"kbdtiprc.dll\", \"kbdtiprd.dll\", \"kbdtt102.dll\", \"kbdtuf.dll\", \"kbdtuq.dll\", \"kbdturme.dll\", \"kbdtzm.dll\", \"kbdughr.dll\", \"kbdughr1.dll\", \"kbduk.dll\", \"kbdukx.dll\", \"kbdur.dll\", \"kbdur1.dll\", \"kbdurdu.dll\", \"kbdus.dll\", \"kbdusa.dll\", \"kbdusl.dll\", \"kbdusr.dll\", \"kbdusx.dll\", \"kbduzb.dll\", \"kbdvntc.dll\", \"kbdwol.dll\", \"kbdyak.dll\", \"kbdyba.dll\", \"kbdycc.dll\", \"kbdycl.dll\", \"kd.dll\", \"kdcom.dll\", \"kdcpw.dll\", \"kdhvcom.dll\", \"kdnet.dll\", \"kdnet_uart16550.dll\", \"kdscli.dll\", \"kdstub.dll\", \"kdusb.dll\", \"kd_02_10df.dll\", \"kd_02_10ec.dll\", \"kd_02_1137.dll\", \"kd_02_14e4.dll\", \"kd_02_15b3.dll\", \"kd_02_1969.dll\", \"kd_02_19a2.dll\", \"kd_02_1af4.dll\", \"kd_02_8086.dll\", \"kd_07_1415.dll\", \"kd_0c_8086.dll\", \"kerbclientshared.dll\", \"kerberos.dll\", \"kernel32.dll\", \"kernelbase.dll\", \"keycredmgr.dll\", \"keyiso.dll\", \"keymgr.dll\", \"knobscore.dll\", \"knobscsp.dll\", \"ksuser.dll\", \"ktmw32.dll\", \"l2gpstore.dll\", \"l2nacp.dll\", \"l2sechc.dll\", \"laprxy.dll\", \"legacynetux.dll\", \"lfsvc.dll\", \"libcrypto.dll\", \"licensemanager.dll\", \"licensingcsp.dll\", \"licensingdiagspp.dll\", \"licensingwinrt.dll\", \"licmgr10.dll\", \"linkinfo.dll\", \"lltdapi.dll\", \"lltdres.dll\", \"lltdsvc.dll\", \"lmhsvc.dll\", \"loadperf.dll\", \"localsec.dll\", \"localspl.dll\", \"localui.dll\", \"locationapi.dll\", \"lockappbroker.dll\", \"lockcontroller.dll\", \"lockscreendata.dll\", \"loghours.dll\", \"logoncli.dll\", \"logoncontroller.dll\", \"lpasvc.dll\", \"lpk.dll\", \"lsasrv.dll\", \"lscshostpolicy.dll\", \"lsm.dll\", \"lsmproxy.dll\", \"lstelemetry.dll\", \"luainstall.dll\", \"luiapi.dll\", \"lz32.dll\", \"magnification.dll\", \"maintenanceui.dll\", \"manageci.dll\", \"mapconfiguration.dll\", \"mapcontrolcore.dll\", \"mapgeocoder.dll\", \"mapi32.dll\", \"mapistub.dll\", \"maprouter.dll\", \"mapsbtsvc.dll\", \"mapsbtsvcproxy.dll\", \"mapscsp.dll\", \"mapsstore.dll\", \"mapstoasttask.dll\", \"mapsupdatetask.dll\", \"mbaeapi.dll\", \"mbaeapipublic.dll\", \"mbaexmlparser.dll\", \"mbmediamanager.dll\", \"mbsmsapi.dll\", \"mbussdapi.dll\", \"mccsengineshared.dll\", \"mccspal.dll\", \"mciavi32.dll\", \"mcicda.dll\", \"mciqtz32.dll\", \"mciseq.dll\", \"mciwave.dll\", \"mcrecvsrc.dll\", \"mdmcommon.dll\", \"mdmdiagnostics.dll\", \"mdminst.dll\", \"mdmmigrator.dll\", \"mdmregistration.dll\", \"memorydiagnostic.dll\", \"messagingservice.dll\", \"mf.dll\", \"mf3216.dll\", \"mfaacenc.dll\", \"mfasfsrcsnk.dll\", \"mfaudiocnv.dll\", \"mfc42.dll\", \"mfc42u.dll\", \"mfcaptureengine.dll\", \"mfcore.dll\", \"mfcsubs.dll\", \"mfds.dll\", \"mfdvdec.dll\", \"mferror.dll\", \"mfh263enc.dll\", \"mfh264enc.dll\", \"mfksproxy.dll\", \"mfmediaengine.dll\", \"mfmjpegdec.dll\", \"mfmkvsrcsnk.dll\", \"mfmp4srcsnk.dll\", \"mfmpeg2srcsnk.dll\", \"mfnetcore.dll\", \"mfnetsrc.dll\", \"mfperfhelper.dll\", \"mfplat.dll\", \"mfplay.dll\", \"mfps.dll\", \"mfreadwrite.dll\", \"mfsensorgroup.dll\", \"mfsrcsnk.dll\", \"mfsvr.dll\", \"mftranscode.dll\", \"mfvdsp.dll\", \"mfvfw.dll\", \"mfwmaaec.dll\", \"mgmtapi.dll\", \"mi.dll\", \"mibincodec.dll\", \"midimap.dll\", \"migisol.dll\", \"miguiresource.dll\", \"mimefilt.dll\", \"mimofcodec.dll\", \"minstoreevents.dll\", \"miracastinputmgr.dll\", \"miracastreceiver.dll\", \"mirrordrvcompat.dll\", \"mispace.dll\", \"mitigationclient.dll\", \"miutils.dll\", \"mlang.dll\", \"mmcbase.dll\", \"mmcndmgr.dll\", \"mmcshext.dll\", \"mmdevapi.dll\", \"mmgaclient.dll\", \"mmgaproxystub.dll\", \"mmres.dll\", \"mobilenetworking.dll\", \"modemui.dll\", \"modernexecserver.dll\", \"moricons.dll\", \"moshost.dll\", \"moshostclient.dll\", \"moshostcore.dll\", \"mosstorage.dll\", \"mp3dmod.dll\", \"mp43decd.dll\", \"mp4sdecd.dll\", \"mpeval.dll\", \"mpg4decd.dll\", \"mpr.dll\", \"mprapi.dll\", \"mprddm.dll\", \"mprdim.dll\", \"mprext.dll\", \"mprmsg.dll\", \"mpssvc.dll\", \"mpunits.dll\", \"mrmcorer.dll\", \"mrmdeploy.dll\", \"mrmindexer.dll\", \"mrt100.dll\", \"mrt_map.dll\", \"msaatext.dll\", \"msac3enc.dll\", \"msacm32.dll\", \"msafd.dll\", \"msajapi.dll\", \"msalacdecoder.dll\", \"msalacencoder.dll\", \"msamrnbdecoder.dll\", \"msamrnbencoder.dll\", \"msamrnbsink.dll\", \"msamrnbsource.dll\", \"msasn1.dll\", \"msauddecmft.dll\", \"msaudite.dll\", \"msauserext.dll\", \"mscandui.dll\", \"mscat32.dll\", \"msclmd.dll\", \"mscms.dll\", \"mscoree.dll\", \"mscorier.dll\", \"mscories.dll\", \"msctf.dll\", \"msctfmonitor.dll\", \"msctfp.dll\", \"msctfui.dll\", \"msctfuimanager.dll\", \"msdadiag.dll\", \"msdart.dll\", \"msdelta.dll\", \"msdmo.dll\", \"msdrm.dll\", \"msdtckrm.dll\", \"msdtclog.dll\", \"msdtcprx.dll\", \"msdtcspoffln.dll\", \"msdtctm.dll\", \"msdtcuiu.dll\", \"msdtcvsp1res.dll\", \"msfeeds.dll\", \"msfeedsbs.dll\", \"msflacdecoder.dll\", \"msflacencoder.dll\", \"msftedit.dll\", \"msheif.dll\", \"mshtml.dll\", \"mshtmldac.dll\", \"mshtmled.dll\", \"mshtmler.dll\", \"msi.dll\", \"msicofire.dll\", \"msidcrl40.dll\", \"msident.dll\", \"msidle.dll\", \"msidntld.dll\", \"msieftp.dll\", \"msihnd.dll\", \"msiltcfg.dll\", \"msimg32.dll\", \"msimsg.dll\", \"msimtf.dll\", \"msisip.dll\", \"msiso.dll\", \"msiwer.dll\", \"mskeyprotcli.dll\", \"mskeyprotect.dll\", \"msls31.dll\", \"msmpeg2adec.dll\", \"msmpeg2enc.dll\", \"msmpeg2vdec.dll\", \"msobjs.dll\", \"msoert2.dll\", \"msopusdecoder.dll\", \"mspatcha.dll\", \"mspatchc.dll\", \"msphotography.dll\", \"msports.dll\", \"msprivs.dll\", \"msrahc.dll\", \"msrating.dll\", \"msrawimage.dll\", \"msrdc.dll\", \"msrdpwebaccess.dll\", \"msrle32.dll\", \"msscntrs.dll\", \"mssecuser.dll\", \"mssign32.dll\", \"mssip32.dll\", \"mssitlb.dll\", \"mssph.dll\", \"mssprxy.dll\", \"mssrch.dll\", \"mssvp.dll\", \"mstask.dll\", \"mstextprediction.dll\", \"mstscax.dll\", \"msutb.dll\", \"msv1_0.dll\", \"msvcirt.dll\", \"msvcp110_win.dll\", \"msvcp120_clr0400.dll\", \"msvcp140_clr0400.dll\", \"msvcp60.dll\", \"msvcp_win.dll\", \"msvcr100_clr0400.dll\", \"msvcr120_clr0400.dll\", \"msvcrt.dll\", \"msvfw32.dll\", \"msvidc32.dll\", \"msvidctl.dll\", \"msvideodsp.dll\", \"msvp9dec.dll\", \"msvproc.dll\", \"msvpxenc.dll\", \"mswb7.dll\", \"mswebp.dll\", \"mswmdm.dll\", \"mswsock.dll\", \"msxml3.dll\", \"msxml3r.dll\", \"msxml6.dll\", \"msxml6r.dll\", \"msyuv.dll\", \"mtcmodel.dll\", \"mtf.dll\", \"mtfappserviceds.dll\", \"mtfdecoder.dll\", \"mtffuzzyds.dll\", \"mtfserver.dll\", \"mtfspellcheckds.dll\", \"mtxclu.dll\", \"mtxdm.dll\", \"mtxex.dll\", \"mtxoci.dll\", \"muifontsetup.dll\", \"mycomput.dll\", \"mydocs.dll\", \"napcrypt.dll\", \"napinsp.dll\", \"naturalauth.dll\", \"naturallanguage6.dll\", \"navshutdown.dll\", \"ncaapi.dll\", \"ncasvc.dll\", \"ncbservice.dll\", \"ncdautosetup.dll\", \"ncdprop.dll\", \"nci.dll\", \"ncobjapi.dll\", \"ncrypt.dll\", \"ncryptprov.dll\", \"ncryptsslp.dll\", \"ncsi.dll\", \"ncuprov.dll\", \"nddeapi.dll\", \"ndfapi.dll\", \"ndfetw.dll\", \"ndfhcdiscovery.dll\", \"ndishc.dll\", \"ndproxystub.dll\", \"nduprov.dll\", \"negoexts.dll\", \"netapi32.dll\", \"netbios.dll\", \"netcenter.dll\", \"netcfgx.dll\", \"netcorehc.dll\", \"netdiagfx.dll\", \"netdriverinstall.dll\", \"netevent.dll\", \"netfxperf.dll\", \"neth.dll\", \"netid.dll\", \"netiohlp.dll\", \"netjoin.dll\", \"netlogon.dll\", \"netman.dll\", \"netmsg.dll\", \"netplwiz.dll\", \"netprofm.dll\", \"netprofmsvc.dll\", \"netprovfw.dll\", \"netprovisionsp.dll\", \"netsetupapi.dll\", \"netsetupengine.dll\", \"netsetupshim.dll\", \"netsetupsvc.dll\", \"netshell.dll\", \"nettrace.dll\", \"netutils.dll\", \"networkexplorer.dll\", \"networkhelper.dll\", \"networkicon.dll\", \"networkproxycsp.dll\", \"networkstatus.dll\", \"networkuxbroker.dll\", \"newdev.dll\", \"nfcradiomedia.dll\", \"ngccredprov.dll\", \"ngcctnr.dll\", \"ngcctnrsvc.dll\", \"ngcisoctnr.dll\", \"ngckeyenum.dll\", \"ngcksp.dll\", \"ngclocal.dll\", \"ngcpopkeysrv.dll\", \"ngcprocsp.dll\", \"ngcrecovery.dll\", \"ngcsvc.dll\", \"ngctasks.dll\", \"ninput.dll\", \"nlaapi.dll\", \"nlahc.dll\", \"nlasvc.dll\", \"nlhtml.dll\", \"nlmgp.dll\", \"nlmproxy.dll\", \"nlmsprep.dll\", \"nlsbres.dll\", \"nlsdata0000.dll\", \"nlsdata0009.dll\", \"nlsdl.dll\", \"nlslexicons0009.dll\", \"nmadirect.dll\", \"normaliz.dll\", \"npmproxy.dll\", \"npsm.dll\", \"nrpsrv.dll\", \"nshhttp.dll\", \"nshipsec.dll\", \"nshwfp.dll\", \"nsi.dll\", \"nsisvc.dll\", \"ntasn1.dll\", \"ntdll.dll\", \"ntdsapi.dll\", \"ntlanman.dll\", \"ntlanui2.dll\", \"ntlmshared.dll\", \"ntmarta.dll\", \"ntprint.dll\", \"ntshrui.dll\", \"ntvdm64.dll\", \"objsel.dll\", \"occache.dll\", \"ocsetapi.dll\", \"odbc32.dll\", \"odbcbcp.dll\", \"odbcconf.dll\", \"odbccp32.dll\", \"odbccr32.dll\", \"odbccu32.dll\", \"odbcint.dll\", \"odbctrac.dll\", \"oemlicense.dll\", \"offfilt.dll\", \"officecsp.dll\", \"offlinelsa.dll\", \"offlinesam.dll\", \"offreg.dll\", \"ole32.dll\", \"oleacc.dll\", \"oleacchooks.dll\", \"oleaccrc.dll\", \"oleaut32.dll\", \"oledlg.dll\", \"oleprn.dll\", \"omadmagent.dll\", \"omadmapi.dll\", \"onebackuphandler.dll\", \"onex.dll\", \"onexui.dll\", \"opcservices.dll\", \"opengl32.dll\", \"ortcengine.dll\", \"osbaseln.dll\", \"osksupport.dll\", \"osuninst.dll\", \"p2p.dll\", \"p2pgraph.dll\", \"p2pnetsh.dll\", \"p2psvc.dll\", \"packager.dll\", \"panmap.dll\", \"pautoenr.dll\", \"pcacli.dll\", \"pcadm.dll\", \"pcaevts.dll\", \"pcasvc.dll\", \"pcaui.dll\", \"pcpksp.dll\", \"pcsvdevice.dll\", \"pcwum.dll\", \"pcwutl.dll\", \"pdh.dll\", \"pdhui.dll\", \"peerdist.dll\", \"peerdistad.dll\", \"peerdistcleaner.dll\", \"peerdistsh.dll\", \"peerdistsvc.dll\", \"peopleapis.dll\", \"peopleband.dll\", \"perceptiondevice.dll\", \"perfctrs.dll\", \"perfdisk.dll\", \"perfnet.dll\", \"perfos.dll\", \"perfproc.dll\", \"perfts.dll\", \"phoneom.dll\", \"phoneproviders.dll\", \"phoneservice.dll\", \"phoneserviceres.dll\", \"phoneutil.dll\", \"phoneutilres.dll\", \"photowiz.dll\", \"pickerplatform.dll\", \"pid.dll\", \"pidgenx.dll\", \"pifmgr.dll\", \"pimstore.dll\", \"pkeyhelper.dll\", \"pktmonapi.dll\", \"pku2u.dll\", \"pla.dll\", \"playlistfolder.dll\", \"playsndsrv.dll\", \"playtodevice.dll\", \"playtomanager.dll\", \"playtomenu.dll\", \"playtoreceiver.dll\", \"ploptin.dll\", \"pmcsnap.dll\", \"pngfilt.dll\", \"pnidui.dll\", \"pnpclean.dll\", \"pnppolicy.dll\", \"pnpts.dll\", \"pnpui.dll\", \"pnpxassoc.dll\", \"pnpxassocprx.dll\", \"pnrpauto.dll\", \"pnrphc.dll\", \"pnrpnsp.dll\", \"pnrpsvc.dll\", \"policymanager.dll\", \"polstore.dll\", \"posetup.dll\", \"posyncservices.dll\", \"pots.dll\", \"powercpl.dll\", \"powrprof.dll\", \"ppcsnap.dll\", \"prauthproviders.dll\", \"prflbmsg.dll\", \"printui.dll\", \"printwsdahost.dll\", \"prm0009.dll\", \"prncache.dll\", \"prnfldr.dll\", \"prnntfy.dll\", \"prntvpt.dll\", \"profapi.dll\", \"profext.dll\", \"profprov.dll\", \"profsvc.dll\", \"profsvcext.dll\", \"propsys.dll\", \"provcore.dll\", \"provdatastore.dll\", \"provdiagnostics.dll\", \"provengine.dll\", \"provhandlers.dll\", \"provisioningcsp.dll\", \"provmigrate.dll\", \"provops.dll\", \"provplugineng.dll\", \"provsysprep.dll\", \"provthrd.dll\", \"proximitycommon.dll\", \"proximityservice.dll\", \"prvdmofcomp.dll\", \"psapi.dll\", \"pshed.dll\", \"psisdecd.dll\", \"psmsrv.dll\", \"pstask.dll\", \"pstorec.dll\", \"ptpprov.dll\", \"puiapi.dll\", \"puiobj.dll\", \"pushtoinstall.dll\", \"pwlauncher.dll\", \"pwrshplugin.dll\", \"pwsso.dll\", \"qasf.dll\", \"qcap.dll\", \"qdv.dll\", \"qdvd.dll\", \"qedit.dll\", \"qedwipes.dll\", \"qmgr.dll\", \"query.dll\", \"quiethours.dll\", \"qwave.dll\", \"racengn.dll\", \"racpldlg.dll\", \"radardt.dll\", \"radarrs.dll\", \"radcui.dll\", \"rasadhlp.dll\", \"rasapi32.dll\", \"rasauto.dll\", \"raschap.dll\", \"raschapext.dll\", \"rasctrs.dll\", \"rascustom.dll\", \"rasdiag.dll\", \"rasdlg.dll\", \"rasgcw.dll\", \"rasman.dll\", \"rasmans.dll\", \"rasmbmgr.dll\", \"rasmediamanager.dll\", \"rasmm.dll\", \"rasmontr.dll\", \"rasplap.dll\", \"rasppp.dll\", \"rastapi.dll\", \"rastls.dll\", \"rastlsext.dll\", \"rdbui.dll\", \"rdpbase.dll\", \"rdpcfgex.dll\", \"rdpcore.dll\", \"rdpcorets.dll\", \"rdpencom.dll\", \"rdpendp.dll\", \"rdpnano.dll\", \"rdpsaps.dll\", \"rdpserverbase.dll\", \"rdpsharercom.dll\", \"rdpudd.dll\", \"rdpviewerax.dll\", \"rdsappxhelper.dll\", \"rdsdwmdr.dll\", \"rdvvmtransport.dll\", \"rdxservice.dll\", \"rdxtaskfactory.dll\", \"reagent.dll\", \"reagenttask.dll\", \"recovery.dll\", \"regapi.dll\", \"regctrl.dll\", \"regidle.dll\", \"regsvc.dll\", \"reguwpapi.dll\", \"reinfo.dll\", \"remotepg.dll\", \"remotewipecsp.dll\", \"reportingcsp.dll\", \"resampledmo.dll\", \"resbparser.dll\", \"reseteng.dll\", \"resetengine.dll\", \"resetengonline.dll\", \"resourcemapper.dll\", \"resutils.dll\", \"rgb9rast.dll\", \"riched20.dll\", \"riched32.dll\", \"rjvmdmconfig.dll\", \"rmapi.dll\", \"rmclient.dll\", \"rnr20.dll\", \"roamingsecurity.dll\", \"rometadata.dll\", \"rotmgr.dll\", \"rpcepmap.dll\", \"rpchttp.dll\", \"rpcns4.dll\", \"rpcnsh.dll\", \"rpcrt4.dll\", \"rpcrtremote.dll\", \"rpcss.dll\", \"rsaenh.dll\", \"rshx32.dll\", \"rstrtmgr.dll\", \"rtffilt.dll\", \"rtm.dll\", \"rtmediaframe.dll\", \"rtmmvrortc.dll\", \"rtutils.dll\", \"rtworkq.dll\", \"rulebasedds.dll\", \"samcli.dll\", \"samlib.dll\", \"samsrv.dll\", \"sas.dll\", \"sbe.dll\", \"sbeio.dll\", \"sberes.dll\", \"sbservicetrigger.dll\", \"scansetting.dll\", \"scardbi.dll\", \"scarddlg.dll\", \"scardsvr.dll\", \"scavengeui.dll\", \"scdeviceenum.dll\", \"scecli.dll\", \"scesrv.dll\", \"schannel.dll\", \"schedcli.dll\", \"schedsvc.dll\", \"scksp.dll\", \"scripto.dll\", \"scrobj.dll\", \"scrptadm.dll\", \"scrrun.dll\", \"sdcpl.dll\", \"sdds.dll\", \"sdengin2.dll\", \"sdfhost.dll\", \"sdhcinst.dll\", \"sdiageng.dll\", \"sdiagprv.dll\", \"sdiagschd.dll\", \"sdohlp.dll\", \"sdrsvc.dll\", \"sdshext.dll\", \"searchfolder.dll\", \"sechost.dll\", \"seclogon.dll\", \"secproc.dll\", \"secproc_isv.dll\", \"secproc_ssp.dll\", \"secproc_ssp_isv.dll\", \"secur32.dll\", \"security.dll\", \"semgrps.dll\", \"semgrsvc.dll\", \"sendmail.dll\", \"sens.dll\", \"sensapi.dll\", \"sensorsapi.dll\", \"sensorscpl.dll\", \"sensorservice.dll\", \"sensorsnativeapi.dll\", \"sensorsutilsv2.dll\", \"sensrsvc.dll\", \"serialui.dll\", \"servicinguapi.dll\", \"serwvdrv.dll\", \"sessenv.dll\", \"setbcdlocale.dll\", \"settingmonitor.dll\", \"settingsync.dll\", \"settingsynccore.dll\", \"setupapi.dll\", \"setupcl.dll\", \"setupcln.dll\", \"setupetw.dll\", \"sfc.dll\", \"sfc_os.dll\", \"sgrmenclave.dll\", \"shacct.dll\", \"shacctprofile.dll\", \"sharedpccsp.dll\", \"sharedrealitysvc.dll\", \"sharehost.dll\", \"sharemediacpl.dll\", \"shcore.dll\", \"shdocvw.dll\", \"shell32.dll\", \"shellstyle.dll\", \"shfolder.dll\", \"shgina.dll\", \"shimeng.dll\", \"shimgvw.dll\", \"shlwapi.dll\", \"shpafact.dll\", \"shsetup.dll\", \"shsvcs.dll\", \"shunimpl.dll\", \"shutdownext.dll\", \"shutdownux.dll\", \"shwebsvc.dll\", \"signdrv.dll\", \"simauth.dll\", \"simcfg.dll\", \"skci.dll\", \"slc.dll\", \"slcext.dll\", \"slwga.dll\", \"smartscreenps.dll\", \"smbhelperclass.dll\", \"smbwmiv2.dll\", \"smiengine.dll\", \"smphost.dll\", \"smsroutersvc.dll\", \"sndvolsso.dll\", \"snmpapi.dll\", \"socialapis.dll\", \"softkbd.dll\", \"softpub.dll\", \"sortwindows61.dll\", \"sortwindows62.dll\", \"spacebridge.dll\", \"spacecontrol.dll\", \"spatializerapo.dll\", \"spatialstore.dll\", \"spbcd.dll\", \"speechpal.dll\", \"spfileq.dll\", \"spinf.dll\", \"spmpm.dll\", \"spnet.dll\", \"spoolss.dll\", \"spopk.dll\", \"spp.dll\", \"sppc.dll\", \"sppcext.dll\", \"sppcomapi.dll\", \"sppcommdlg.dll\", \"sppinst.dll\", \"sppnp.dll\", \"sppobjs.dll\", \"sppwinob.dll\", \"sppwmi.dll\", \"spwinsat.dll\", \"spwizeng.dll\", \"spwizimg.dll\", \"spwizres.dll\", \"spwmp.dll\", \"sqlsrv32.dll\", \"sqmapi.dll\", \"srchadmin.dll\", \"srclient.dll\", \"srcore.dll\", \"srevents.dll\", \"srh.dll\", \"srhelper.dll\", \"srm.dll\", \"srmclient.dll\", \"srmlib.dll\", \"srmscan.dll\", \"srmshell.dll\", \"srmstormod.dll\", \"srmtrace.dll\", \"srm_ps.dll\", \"srpapi.dll\", \"srrstr.dll\", \"srumapi.dll\", \"srumsvc.dll\", \"srvcli.dll\", \"srvsvc.dll\", \"srwmi.dll\", \"sscore.dll\", \"sscoreext.dll\", \"ssdm.dll\", \"ssdpapi.dll\", \"ssdpsrv.dll\", \"sspicli.dll\", \"sspisrv.dll\", \"ssshim.dll\", \"sstpsvc.dll\", \"starttiledata.dll\", \"startupscan.dll\", \"stclient.dll\", \"sti.dll\", \"sti_ci.dll\", \"stobject.dll\", \"storageusage.dll\", \"storagewmi.dll\", \"storewuauth.dll\", \"storprop.dll\", \"storsvc.dll\", \"streamci.dll\", \"structuredquery.dll\", \"sud.dll\", \"svf.dll\", \"svsvc.dll\", \"swprv.dll\", \"sxproxy.dll\", \"sxs.dll\", \"sxshared.dll\", \"sxssrv.dll\", \"sxsstore.dll\", \"synccenter.dll\", \"synccontroller.dll\", \"synchostps.dll\", \"syncproxy.dll\", \"syncreg.dll\", \"syncres.dll\", \"syncsettings.dll\", \"syncutil.dll\", \"sysclass.dll\", \"sysfxui.dll\", \"sysmain.dll\", \"sysntfy.dll\", \"syssetup.dll\", \"systemcpl.dll\", \"t2embed.dll\", \"tabbtn.dll\", \"tabbtnex.dll\", \"tabsvc.dll\", \"tapi3.dll\", \"tapi32.dll\", \"tapilua.dll\", \"tapimigplugin.dll\", \"tapiperf.dll\", \"tapisrv.dll\", \"tapisysprep.dll\", \"tapiui.dll\", \"taskapis.dll\", \"taskbarcpl.dll\", \"taskcomp.dll\", \"taskschd.dll\", \"taskschdps.dll\", \"tbauth.dll\", \"tbs.dll\", \"tcbloader.dll\", \"tcpipcfg.dll\", \"tcpmib.dll\", \"tcpmon.dll\", \"tcpmonui.dll\", \"tdh.dll\", \"tdlmigration.dll\", \"tellib.dll\", \"termmgr.dll\", \"termsrv.dll\", \"tetheringclient.dll\", \"tetheringmgr.dll\", \"tetheringservice.dll\", \"tetheringstation.dll\", \"textshaping.dll\", \"themecpl.dll\", \"themeservice.dll\", \"themeui.dll\", \"threadpoolwinrt.dll\", \"thumbcache.dll\", \"timebrokerclient.dll\", \"timebrokerserver.dll\", \"timesync.dll\", \"timesynctask.dll\", \"tlscsp.dll\", \"tokenbinding.dll\", \"tokenbroker.dll\", \"tokenbrokerui.dll\", \"tpmcertresources.dll\", \"tpmcompc.dll\", \"tpmtasks.dll\", \"tpmvsc.dll\", \"tquery.dll\", \"traffic.dll\", \"transportdsa.dll\", \"trie.dll\", \"trkwks.dll\", \"tsbyuv.dll\", \"tscfgwmi.dll\", \"tserrredir.dll\", \"tsf3gip.dll\", \"tsgqec.dll\", \"tsmf.dll\", \"tspkg.dll\", \"tspubwmi.dll\", \"tssessionux.dll\", \"tssrvlic.dll\", \"tsworkspace.dll\", \"ttdloader.dll\", \"ttdplm.dll\", \"ttdrecord.dll\", \"ttdrecordcpu.dll\", \"ttlsauth.dll\", \"ttlscfg.dll\", \"ttlsext.dll\", \"tvratings.dll\", \"twext.dll\", \"twinapi.dll\", \"twinui.dll\", \"txflog.dll\", \"txfw32.dll\", \"tzautoupdate.dll\", \"tzres.dll\", \"tzsyncres.dll\", \"ubpm.dll\", \"ucmhc.dll\", \"ucrtbase.dll\", \"ucrtbase_clr0400.dll\", \"ucrtbase_enclave.dll\", \"udhisapi.dll\", \"udwm.dll\", \"ueficsp.dll\", \"uexfat.dll\", \"ufat.dll\", \"uiamanager.dll\", \"uianimation.dll\", \"uiautomationcore.dll\", \"uicom.dll\", \"uireng.dll\", \"uiribbon.dll\", \"uiribbonres.dll\", \"ulib.dll\", \"umb.dll\", \"umdmxfrm.dll\", \"umpdc.dll\", \"umpnpmgr.dll\", \"umpo-overrides.dll\", \"umpo.dll\", \"umpoext.dll\", \"umpowmi.dll\", \"umrdp.dll\", \"unattend.dll\", \"unenrollhook.dll\", \"unimdmat.dll\", \"uniplat.dll\", \"unistore.dll\", \"untfs.dll\", \"updateagent.dll\", \"updatecsp.dll\", \"updatepolicy.dll\", \"upnp.dll\", \"upnphost.dll\", \"upshared.dll\", \"urefs.dll\", \"urefsv1.dll\", \"ureg.dll\", \"url.dll\", \"urlmon.dll\", \"usbcapi.dll\", \"usbceip.dll\", \"usbmon.dll\", \"usbperf.dll\", \"usbpmapi.dll\", \"usbtask.dll\", \"usbui.dll\", \"user32.dll\", \"usercpl.dll\", \"userdataservice.dll\", \"userdatatimeutil.dll\", \"userenv.dll\", \"userinitext.dll\", \"usermgr.dll\", \"usermgrcli.dll\", \"usermgrproxy.dll\", \"usoapi.dll\", \"usocoreps.dll\", \"usosvc.dll\", \"usp10.dll\", \"ustprov.dll\", \"utcutil.dll\", \"utildll.dll\", \"uudf.dll\", \"uvcmodel.dll\", \"uwfcfgmgmt.dll\", \"uwfcsp.dll\", \"uwfservicingapi.dll\", \"uxinit.dll\", \"uxlib.dll\", \"uxlibres.dll\", \"uxtheme.dll\", \"vac.dll\", \"van.dll\", \"vault.dll\", \"vaultcds.dll\", \"vaultcli.dll\", \"vaultroaming.dll\", \"vaultsvc.dll\", \"vbsapi.dll\", \"vbscript.dll\", \"vbssysprep.dll\", \"vcardparser.dll\", \"vdsbas.dll\", \"vdsdyn.dll\", \"vdsutil.dll\", \"vdsvd.dll\", \"vds_ps.dll\", \"verifier.dll\", \"vertdll.dll\", \"vfuprov.dll\", \"vfwwdm32.dll\", \"vhfum.dll\", \"vid.dll\", \"videohandlers.dll\", \"vidreszr.dll\", \"virtdisk.dll\", \"vmbuspipe.dll\", \"vmdevicehost.dll\", \"vmictimeprovider.dll\", \"vmrdvcore.dll\", \"voiprt.dll\", \"vpnike.dll\", \"vpnikeapi.dll\", \"vpnsohdesktop.dll\", \"vpnv2csp.dll\", \"vscmgrps.dll\", \"vssapi.dll\", \"vsstrace.dll\", \"vss_ps.dll\", \"w32time.dll\", \"w32topl.dll\", \"waasassessment.dll\", \"waasmediccapsule.dll\", \"waasmedicps.dll\", \"waasmedicsvc.dll\", \"wabsyncprovider.dll\", \"walletproxy.dll\", \"walletservice.dll\", \"wavemsp.dll\", \"wbemcomn.dll\", \"wbiosrvc.dll\", \"wci.dll\", \"wcimage.dll\", \"wcmapi.dll\", \"wcmcsp.dll\", \"wcmsvc.dll\", \"wcnapi.dll\", \"wcncsvc.dll\", \"wcneapauthproxy.dll\", \"wcneappeerproxy.dll\", \"wcnnetsh.dll\", \"wcnwiz.dll\", \"wc_storage.dll\", \"wdc.dll\", \"wdi.dll\", \"wdigest.dll\", \"wdscore.dll\", \"webauthn.dll\", \"webcamui.dll\", \"webcheck.dll\", \"webclnt.dll\", \"webio.dll\", \"webservices.dll\", \"websocket.dll\", \"wecapi.dll\", \"wecsvc.dll\", \"wephostsvc.dll\", \"wer.dll\", \"werconcpl.dll\", \"wercplsupport.dll\", \"werenc.dll\", \"weretw.dll\", \"wersvc.dll\", \"werui.dll\", \"wevtapi.dll\", \"wevtfwd.dll\", \"wevtsvc.dll\", \"wfapigp.dll\", \"wfdprov.dll\", \"wfdsconmgr.dll\", \"wfdsconmgrsvc.dll\", \"wfhc.dll\", \"whealogr.dll\", \"whhelper.dll\", \"wiaaut.dll\", \"wiadefui.dll\", \"wiadss.dll\", \"wiarpc.dll\", \"wiascanprofiles.dll\", \"wiaservc.dll\", \"wiashext.dll\", \"wiatrace.dll\", \"wificloudstore.dll\", \"wificonfigsp.dll\", \"wifidisplay.dll\", \"wimgapi.dll\", \"win32spl.dll\", \"win32u.dll\", \"winbio.dll\", \"winbiodatamodel.dll\", \"winbioext.dll\", \"winbrand.dll\", \"wincorlib.dll\", \"wincredprovider.dll\", \"wincredui.dll\", \"windowmanagement.dll\", \"windowscodecs.dll\", \"windowscodecsext.dll\", \"windowscodecsraw.dll\", \"windowsiotcsp.dll\", \"windowslivelogin.dll\", \"winethc.dll\", \"winhttp.dll\", \"winhttpcom.dll\", \"winhvemulation.dll\", \"winhvplatform.dll\", \"wininet.dll\", \"wininetlui.dll\", \"wininitext.dll\", \"winipcfile.dll\", \"winipcsecproc.dll\", \"winipsec.dll\", \"winlangdb.dll\", \"winlogonext.dll\", \"winmde.dll\", \"winml.dll\", \"winmm.dll\", \"winmmbase.dll\", \"winmsipc.dll\", \"winnlsres.dll\", \"winnsi.dll\", \"winreagent.dll\", \"winrnr.dll\", \"winrscmd.dll\", \"winrsmgr.dll\", \"winrssrv.dll\", \"winrttracing.dll\", \"winsatapi.dll\", \"winscard.dll\", \"winsetupui.dll\", \"winshfhc.dll\", \"winsku.dll\", \"winsockhc.dll\", \"winsqlite3.dll\", \"winsrpc.dll\", \"winsrv.dll\", \"winsrvext.dll\", \"winsta.dll\", \"winsync.dll\", \"winsyncmetastore.dll\", \"winsyncproviders.dll\", \"wintrust.dll\", \"wintypes.dll\", \"winusb.dll\", \"wirednetworkcsp.dll\", \"wisp.dll\", \"wkscli.dll\", \"wkspbrokerax.dll\", \"wksprtps.dll\", \"wkssvc.dll\", \"wlanapi.dll\", \"wlancfg.dll\", \"wlanconn.dll\", \"wlandlg.dll\", \"wlangpui.dll\", \"wlanhc.dll\", \"wlanhlp.dll\", \"wlanmediamanager.dll\", \"wlanmm.dll\", \"wlanmsm.dll\", \"wlanpref.dll\", \"wlanradiomanager.dll\", \"wlansec.dll\", \"wlansvc.dll\", \"wlansvcpal.dll\", \"wlanui.dll\", \"wlanutil.dll\", \"wldap32.dll\", \"wldp.dll\", \"wlgpclnt.dll\", \"wlidcli.dll\", \"wlidcredprov.dll\", \"wlidfdp.dll\", \"wlidnsp.dll\", \"wlidprov.dll\", \"wlidres.dll\", \"wlidsvc.dll\", \"wmadmod.dll\", \"wmadmoe.dll\", \"wmalfxgfxdsp.dll\", \"wmasf.dll\", \"wmcodecdspps.dll\", \"wmdmlog.dll\", \"wmdmps.dll\", \"wmdrmsdk.dll\", \"wmerror.dll\", \"wmi.dll\", \"wmiclnt.dll\", \"wmicmiplugin.dll\", \"wmidcom.dll\", \"wmidx.dll\", \"wmiprop.dll\", \"wmitomi.dll\", \"wmnetmgr.dll\", \"wmp.dll\", \"wmpdui.dll\", \"wmpdxm.dll\", \"wmpeffects.dll\", \"wmphoto.dll\", \"wmploc.dll\", \"wmpps.dll\", \"wmpshell.dll\", \"wmsgapi.dll\", \"wmspdmod.dll\", \"wmspdmoe.dll\", \"wmvcore.dll\", \"wmvdecod.dll\", \"wmvdspa.dll\", \"wmvencod.dll\", \"wmvsdecd.dll\", \"wmvsencd.dll\", \"wmvxencd.dll\", \"woftasks.dll\", \"wofutil.dll\", \"wordbreakers.dll\", \"workfoldersgpext.dll\", \"workfoldersres.dll\", \"workfoldersshell.dll\", \"workfolderssvc.dll\", \"wosc.dll\", \"wow64.dll\", \"wow64cpu.dll\", \"wow64win.dll\", \"wpbcreds.dll\", \"wpc.dll\", \"wpcapi.dll\", \"wpcdesktopmonsvc.dll\", \"wpcproxystubs.dll\", \"wpcrefreshtask.dll\", \"wpcwebfilter.dll\", \"wpdbusenum.dll\", \"wpdshext.dll\", \"wpdshserviceobj.dll\", \"wpdsp.dll\", \"wpd_ci.dll\", \"wpnapps.dll\", \"wpnclient.dll\", \"wpncore.dll\", \"wpninprc.dll\", \"wpnprv.dll\", \"wpnservice.dll\", \"wpnsruprov.dll\", \"wpnuserservice.dll\", \"wpportinglibrary.dll\", \"wpprecorderum.dll\", \"wptaskscheduler.dll\", \"wpx.dll\", \"ws2help.dll\", \"ws2_32.dll\", \"wscapi.dll\", \"wscinterop.dll\", \"wscisvif.dll\", \"wsclient.dll\", \"wscproxystub.dll\", \"wscsvc.dll\", \"wsdapi.dll\", \"wsdchngr.dll\", \"wsdprintproxy.dll\", \"wsdproviderutil.dll\", \"wsdscanproxy.dll\", \"wsecedit.dll\", \"wsepno.dll\", \"wshbth.dll\", \"wshcon.dll\", \"wshelper.dll\", \"wshext.dll\", \"wshhyperv.dll\", \"wship6.dll\", \"wshqos.dll\", \"wshrm.dll\", \"wshtcpip.dll\", \"wshunix.dll\", \"wslapi.dll\", \"wsmagent.dll\", \"wsmauto.dll\", \"wsmplpxy.dll\", \"wsmres.dll\", \"wsmsvc.dll\", \"wsmwmipl.dll\", \"wsnmp32.dll\", \"wsock32.dll\", \"wsplib.dll\", \"wsp_fs.dll\", \"wsp_health.dll\", \"wsp_sr.dll\", \"wtsapi32.dll\", \"wuapi.dll\", \"wuaueng.dll\", \"wuceffects.dll\", \"wudfcoinstaller.dll\", \"wudfplatform.dll\", \"wudfsmcclassext.dll\", \"wudfx.dll\", \"wudfx02000.dll\", \"wudriver.dll\", \"wups.dll\", \"wups2.dll\", \"wuuhext.dll\", \"wuuhosdeployment.dll\", \"wvc.dll\", \"wwaapi.dll\", \"wwaext.dll\", \"wwanapi.dll\", \"wwancfg.dll\", \"wwanhc.dll\", \"wwanprotdim.dll\", \"wwanradiomanager.dll\", \"wwansvc.dll\", \"wwapi.dll\", \"xamltilerender.dll\", \"xaudio2_8.dll\", \"xaudio2_9.dll\", \"xblauthmanager.dll\", \"xblgamesave.dll\", \"xblgamesaveext.dll\", \"xblgamesaveproxy.dll\", \"xboxgipsvc.dll\", \"xboxgipsynthetic.dll\", \"xboxnetapisvc.dll\", \"xinput1_4.dll\", \"xinput9_1_0.dll\", \"xinputuap.dll\", \"xmlfilter.dll\", \"xmllite.dll\", \"xmlprovi.dll\", \"xolehlp.dll\", \"xpsgdiconverter.dll\", \"xpsprint.dll\", \"xpspushlayer.dll\", \"xpsrasterservice.dll\", \"xpsservices.dll\", \"xwizards.dll\", \"xwreg.dll\", \"xwtpdui.dll\", \"xwtpw32.dll\", \"zipcontainer.dll\", \"zipfldr.dll\", \"bootsvc.dll\", \"halextintcpsedma.dll\", \"icsvcvss.dll\", \"ieproxydesktop.dll\", \"lsaadt.dll\", \"nlansp_c.dll\", \"nrtapi.dll\", \"opencl.dll\", \"pfclient.dll\", \"pnpdiag.dll\", \"prxyqry.dll\", \"rdpnanotransport.dll\", \"servicingcommon.dll\", \"sortwindows63.dll\", \"sstpcfg.dll\", \"tdhres.dll\", \"umpodev.dll\", \"utcapi.dll\", \"windlp.dll\", \"wow64base.dll\", \"wow64con.dll\", \"blbuires.dll\", \"bpainst.dll\", \"cbclient.dll\", \"certadm.dll\", \"certocm.dll\", \"certpick.dll\", \"csdeployres.dll\", \"dsdeployres.dll\", \"eapa3hst.dll\", \"eapacfg.dll\", \"eapahost.dll\", \"elsext.dll\", \"encdump.dll\", \"escmigplugin.dll\", \"fsclient.dll\", \"fsdeployres.dll\", \"fssminst.dll\", \"fssmres.dll\", \"fssprov.dll\", \"ipamapi.dll\", \"kpssvc.dll\", \"lbfoadminlib.dll\", \"mintdh.dll\", \"mmci.dll\", \"mmcico.dll\", \"mprsnap.dll\", \"mstsmhst.dll\", \"mstsmmc.dll\", \"muxinst.dll\", \"personax.dll\", \"rassfm.dll\", \"rasuser.dll\", \"rdmsinst.dll\", \"rdmsres.dll\", \"rtrfiltr.dll\", \"sacsvr.dll\", \"scrdenrl.dll\", \"sdclient.dll\", \"sharedstartmodel.dll\", \"smsrouter.dll\", \"spwizimg_svr.dll\", \"sqlcecompact40.dll\", \"sqlceoledb40.dll\", \"sqlceqp40.dll\", \"sqlcese40.dll\", \"srvmgrinst.dll\", \"svrmgrnc.dll\", \"tapisnap.dll\", \"tlsbrand.dll\", \"tsec.dll\", \"tsprop.dll\", \"tspubiconhelper.dll\", \"tssdjet.dll\", \"tsuserex.dll\", \"ualapi.dll\", \"ualsvc.dll\", \"umcres.dll\", \"updatehandlers.dll\", \"usocore.dll\", \"vssui.dll\", \"wsbappres.dll\", \"wsbonline.dll\", \"wsmselpl.dll\", \"wsmselrr.dll\", \"xpsfilt.dll\", \"xpsshhdr.dll\"\n ) and\n not (\n (\n dll.name : \"icuuc.dll\" and dll.code_signature.subject_name in (\n \"Valve\", \"Valve Corp.\", \"Avanquest Software (7270356 Canada Inc)\", \"Adobe Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"timeSync.dll\", \"appInfo.dll\") and dll.code_signature.subject_name in (\n \"VMware Inc.\", \"VMware, Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"libcrypto.dll\" and dll.code_signature.subject_name in (\n \"NoMachine S.a.r.l.\", \"Oculus VR, LLC\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"ucrtbase.dll\" and dll.code_signature.subject_name in (\n \"Proofpoint, Inc.\", \"Rapid7 LLC\", \"Eclipse.org Foundation, Inc.\", \"Amazon.com Services LLC\", \"Windows Phone\", \"London Jamocha Community CIC\", \"Palo Alto Networks (Netherlands) B.V.\", \"Sophos Ltd\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"d3d9.dll\" and dll.code_signature.subject_name == \"Open Source Developer Alban CLIQUET\" and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"libcrypto.dll\", \"wmi.dll\", \"geolocation.dll\", \"kerberos.dll\", \"UpdateAgent.dll\") and\n dll.code_signature.subject_name == \"Bitdefender SRL\" and dll.code_signature.trusted == true\n ) or\n (dll.name : \"ICMP.dll\" and dll.code_signature.subject_name == \"Paessler AG\" and dll.code_signature.trusted == true) or\n (dll.name : \"dbghelp.dll\" and dll.code_signature.trusted == true) or\n (dll.name : \"DirectML.dll\" and dll.code_signature.subject_name == \"Adobe Inc.\" and dll.code_signature.trusted == true) or\n (dll.name : \"icsvc.dll\" and dll.code_signature.subject_name in (\"Dell Inc\", \"Dell Technologies Inc.\") and dll.code_signature.trusted == true) or\n (dll.name : \"offreg.dll\" and dll.code_signature.subject_name in (\"Malwarebytes Inc.\", \"Malwarebytes Inc\") and dll.code_signature.trusted == true) or\n (dll.name : (\"AppMgr.dll\", \"icuuc.dll\") and dll.code_signature.subject_name in (\"Autodesk, Inc\", \"Autodesk, Inc.\") and dll.code_signature.trusted == true) or\n (dll.name : (\"SsShim.dll\", \"Msi.dll\", \"wdscore.dll\") and process.name : \"DismHost.exe\" and dll.path : \"C:\\\\Windows\\\\Temp\\\\*\") or\n (dll.code_signature.trusted == true and \n dll.code_signature.subject_name in (\n \"ALIBABA CLOUD COMPUTING LTD\", \n \"Epic Systems Corporation\", \n \"Google LLC\",\n \"Agilysys, Inc.\", \n \"CD PROJEKT S.A.\", \n \"Check Point Software Technologies Ltd.\", \n \"Dedalus Italia S.P.A.\", \n \"AOMEI International Network Limited\", \n \"CHENGDU AOMEI TECHNOLOGY CO., LTD.\", \n \"GN Hearing A/S\", \n \"Paessler GmbH\", \n \"Symantec Corporation\")) or\n (\n dll.path : (\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\dxgi.dll\",\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\wincorlib.dll\",\n \"?:\\\\Windows\\\\dxgi.dll\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\LINE\\\\bin\\\\current\\\\dbghelp.dll\", \n \"?:\\\\Program Files (x86)\\\\SAP\\\\FrontEnd\\\\SAPgui\\\\dbghelp.dll\", \n \"?:\\\\Program Files (x86)\\\\Common Files\\\\Crystal Decision\\\\2.0\\\\bin\\\\atl.dll\"\n )\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "dll.Ext.relative_file_creation_time", + "type": "unknown" + }, + { + "ecs": false, + "name": "dll.Ext.relative_file_name_modify_time", + "type": "unknown" + }, + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + }, + { + "id": "T1036.005", + "name": "Match Legitimate Resource Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + }, + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.002", + "name": "Code Signing", + "reference": "https://attack.mitre.org/techniques/T1553/002/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.001", + "name": "DLL", + "reference": "https://attack.mitre.org/techniques/T1574/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Host Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd00769d-b18d-450a-a844-7a9f9c71995e_2.json b/packages/security_detection_engine/kibana/security_rule/fd00769d-b18d-450a-a844-7a9f9c71995e_2.json index 813778bacf4..5a940dfd86c 100644 --- a/packages/security_detection_engine/kibana/security_rule/fd00769d-b18d-450a-a844-7a9f9c71995e_2.json +++ b/packages/security_detection_engine/kibana/security_rule/fd00769d-b18d-450a-a844-7a9f9c71995e_2.json @@ -18,7 +18,7 @@ "related_integrations": [ { "package": "kubernetes", - "version": "^1.4.1" + "version": "^1.7.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/fd9d2933-f0f9-4aac-810c-a31f6a4a7890_1.json b/packages/security_detection_engine/kibana/security_rule/fd9d2933-f0f9-4aac-810c-a31f6a4a7890_1.json new file mode 100644 index 00000000000..3a76f96297d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd9d2933-f0f9-4aac-810c-a31f6a4a7890_1.json @@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Azure AD Graph (graph.windows.net) requests where the combination of calling OAuth client (\"azure.aadgraphactivitylogs.properties.app_id\") and signed-in user (\"user.id\") has not been observed in the tenant in a historical window. A user appearing against AAD Graph under an OAuth client that has not previously authenticated that user is a sign of a FOCI swap, a phished refresh token being redeemed for a new client, or an adversary running tooling under a client identity the user does not normally use.", + "false_positives": [ + "First-time use of a legitimate first-party or sanctioned client by the user (newly installed app, first sign-in to a workload, fresh PowerShell module install). Validate by `azure.aadgraphactivitylogs.properties.app_id` and the user's history.", + "Authorized red team or audit activity. Add exceptions on the calling user after review." + ], + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-azure.aadgraphactivitylogs-*" + ], + "investigation_fields": { + "field_names": [ + "user.id", + "source.ip", + "source.as.organization.name", + "user_agent.original", + "azure.aadgraphactivitylogs.properties.app_id", + "azure.aadgraphactivitylogs.properties.api_version", + "url.path", + "azure.tenant_id" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure AD Graph Access with Unusual Client and User", + "new_terms_fields": [ + "azure.aadgraphactivitylogs.properties.app_id", + "user.id" + ], + "note": "## Triage and analysis\n\n### Investigating Azure AD Graph Access with Unusual Client and User\n\nA (client, user) pair appearing on AAD Graph for the first time in 14 days is a high-signal indicator. Legacy\nAAD Graph traffic is dominated by a small set of recognised first-party callers per user; new combinations\nsuggest one of:\n\n- A FOCI refresh-token swap landed under a new client identity.\n- The user newly consented to (or was phished into consenting to) an OAuth application.\n- An adversary is using stolen tokens / credentials under a client identity the user does not normally use.\n\n### Possible investigation steps\n\n- Identify the calling client and confirm whether the app is sanctioned.\n - `azure.aadgraphactivitylogs.properties.app_id`. Pivot to Azure portal \u2192 Enterprise Applications to check whether it is first-party, sanctioned third-party, or unfamiliar.\n- Identify the user and check the surrounding auth context.\n - `user.id`, then pivot to sign-in logs (`logs-azure.signinlogs-*`) for the same user around the same time. Look for unusual sign-in geography, MFA bypass, or risky session signals.\n- Review source posture.\n - `user_agent.original`, `source.ip`, `source.as.organization.name`. Residential / VPS / anonymising-network egress raises priority.\n- Review what was queried.\n - `url.path`. Bulk recon or User-collection access via internal API versions raises triage priority.\n- Check tenant-wide blast radius for the client.\n - Is the same client ID hitting AAD Graph for many other users? That pattern points to large-scale consent abuse rather than a single account compromise.\n- Confirm the activity is not attributable to authorized testing (red team engagement, penetration test, internal tooling validation) before treating as malicious.\n\n### Response and remediation\n\n- Revoke refresh tokens and active sessions for the calling user.\n - `POST /v1.0/users/{id}/revokeSignInSessions`.\n- Temporarily disable the user if the alert is high-confidence or you need to halt further activity while investigation continues.\n - `PATCH /v1.0/users/{id}` with body `{\"accountEnabled\": false}`.\n- If the client is not a sanctioned application, revoke its OAuth consent.\n - `GET /v1.0/oauth2PermissionGrants?$filter=clientId eq '{servicePrincipalId}'`, then `DELETE /v1.0/oauth2PermissionGrants/{grantId}`.\n- Check for device registrations created by the user during or around the burst window and remove rogue devices.\n - `GET /v1.0/users/{id}/registeredDevices` and `GET /v1.0/users/{id}/ownedDevices`, then `DELETE /v1.0/devices/{deviceObjectId}`.\n - Do this BEFORE session revocation: device-bound PRTs survive `revokeSignInSessions`.\n- If the calling application has no legitimate AAD Graph dependency, block further use by that app.\n - `PATCH /beta/applications/{id}` with body `{\"authenticationBehaviors\": {\"blockAzureADGraphAccess\": true}}`.\n - This property lives on the Graph beta endpoint, not v1.0.\n", + "query": "data_stream.dataset:\"azure.aadgraphactivitylogs\" and\n azure.aadgraphactivitylogs.properties.actor_type : \"User\" and\n azure.aadgraphactivitylogs.properties.app_id: (* and not (\n \"74658136-14ec-4630-ad9b-26e160ff0fc6\" or\n \"bb8f18b0-9c38-48c9-a847-e1ef3af0602d\" or\n \"00000006-0000-0ff1-ce00-000000000000\" or\n \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\")\n ) and user.id:*\n", + "references": [ + "https://github.com/secureworks/family-of-client-ids-research", + "https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview", + "https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/" + ], + "related_integrations": [], + "required_fields": [ + { + "ecs": false, + "name": "azure.aadgraphactivitylogs.properties.actor_type", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.aadgraphactivitylogs.properties.app_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fd9d2933-f0f9-4aac-810c-a31f6a4a7890", + "setup": "#### Azure AD Graph Activity Logs\nRequires Azure AD Graph Activity Logs ingested into `logs-azure.aadgraphactivitylogs-*` via the Elastic Azure\nintegration. Enable the `AzureADGraphActivityLogs` diagnostic-settings category on Entra ID.\n", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Azure AD Graph", + "Data Source: Azure AD Graph Activity Logs", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Discovery", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.004", + "name": "Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1087/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "fd9d2933-f0f9-4aac-810c-a31f6a4a7890_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_108.json b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_108.json index dd8dcd8fea5..37a4bb0fb21 100644 --- a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_108.json +++ b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_108.json @@ -26,13 +26,13 @@ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - }, { "package": "panw", "version": "^5.0.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml index 8858e10b042..5fb336402e3 100644 --- a/packages/security_detection_engine/manifest.yml +++ b/packages/security_detection_engine/manifest.yml @@ -21,4 +21,4 @@ source: license: Elastic-2.0 title: Prebuilt Security Detection Rules type: integration -version: 8.19.25 +version: 8.19.26-beta.1