From 364907b9505e80f55499e1479289d11ae7448c61 Mon Sep 17 00:00:00 2001 From: tradebot-elastic <178941316+tradebot-elastic@users.noreply.github.com> Date: Tue, 7 Jul 2026 07:42:08 +0000 Subject: [PATCH 1/2] [Security Rules] Update security rules package to v8.19.27-beta.1 --- .../security_detection_engine/changelog.yml | 5 + ...030f681-0142-4231-b728-49bb9fc12066_1.json | 108 ++ ...0546494-5bb0-49d6-9220-5f3b4c12f26a_5.json | 160 --- ...0546494-5bb0-49d6-9220-5f3b4c12f26a_6.json | 155 -- ...0546494-5bb0-49d6-9220-5f3b4c12f26a_7.json | 155 -- ...1c1e353-9d86-4344-abdf-523ab80c6f08_1.json | 144 ++ ...42b35f3-afa6-4441-92b2-ef41976b48a3_1.json | 112 ++ ...471a12b-c740-4a72-91f0-12bf95014d3c_1.json | 1279 +++++++++++++++++ ...7cd35a6-c267-4394-a782-6a9428aea9d3_1.json | 123 ++ ...c04d82f-6def-4659-aa62-ed6355a51f39_1.json | 98 ++ ...f5d410c-a594-4cdb-8b48-f36a61838d67_1.json | 131 ++ ...ffc3d78-44ce-4a55-b2be-98219e0eed05_1.json | 125 ++ ...13227-0301-4a8c-b150-4db924484475_109.json | 119 -- ...abb91-dcf4-48aa-b81a-5ad036b67c68_105.json | 139 -- ...cb236-0956-4f42-a706-814bcaa0cf5a_109.json | 118 -- ...56f8c1d-bc54-46c0-a870-04e6a75526a1_1.json | 114 ++ ...6708afb-4904-4d3c-af78-63640a075cb0_1.json | 124 ++ ...014ebd8-b847-4cc0-a827-d0d61ec88680_1.json | 84 ++ ...1bafdf0-cf17-11ed-bd57-f661ea17fbcc_9.json | 122 -- ...302fb59-5201-46ec-b433-6044adb37b0b_1.json | 98 ++ ...9f03c-f53f-40fa-834b-40c5983fc41f_214.json | 110 -- ...b01043-4f04-4d2f-882a-5a1d2e95751b_13.json | 146 ++ ...83f6c2a-9811-4239-9a40-52b066c67f99_1.json | 125 ++ ...a7823db-0bc2-48f6-aa2f-e6aef233c6dc_1.json | 132 ++ ...23416-763a-4531-bb35-f33b9232ecdb_108.json | 121 -- ...de489-94b0-4500-a76f-b8a157cf9269_112.json | 150 -- ...f0dd8-092d-4a83-88c1-5151a804f31b_323.json | 169 +++ ...9fc81-99d3-47ea-8cd6-d48d561fca20_317.json | 132 ++ ...49c61-7adc-42c1-b788-732eda2f5abf_109.json | 101 -- ...aff6ab1-18bd-427e-9d4c-c5732110c261_3.json | 137 -- ...24afb-d68c-4d0e-bfee-474dac1fa56e_105.json | 90 -- ...24afb-d68c-4d0e-bfee-474dac1fa56e_106.json | 90 -- ...24afb-d68c-4d0e-bfee-474dac1fa56e_107.json | 90 -- ...6ec12-2b1c-47b5-8f35-e9de65551d3b_112.json | 115 -- ...886ce11-fca5-433f-bbb9-e33e410ef9ae_1.json | 103 ++ ...9002bbe-7aea-4146-91eb-b2b683bf5ed5_1.json | 80 ++ ...e5f2e-2480-11ed-bea8-f661ea17fbce_109.json | 110 -- ...ddac6c1-e4be-4e2b-95b5-0654cb8d423c_1.json | 129 ++ ...df2e3ae-3553-4194-b22e-3e5a6f71466e_1.json | 130 ++ ...76a86-ee86-4967-97ae-1a05f55816f0_117.json | 140 -- ...76a86-ee86-4967-97ae-1a05f55816f0_118.json | 145 -- ...76a86-ee86-4967-97ae-1a05f55816f0_119.json | 160 --- ...76a86-ee86-4967-97ae-1a05f55816f0_120.json | 160 --- ...301ac83-7a43-4c92-95e7-c372afea807d_1.json | 97 ++ ...5260656-76d6-427b-bd02-7acdde131b64_1.json | 79 + ...6fa718c-a0de-4492-97ff-bbc444b015b8_1.json | 97 ++ ...0cb81-df44-46aa-a5d7-337798f53eb8_109.json | 116 -- ...90fc62d-7386-4c75-92b0-af4517018da1_7.json | 126 ++ ...4e6f8-d1bf-40fa-96ba-e29645e1e4dc_109.json | 96 -- ...bdad1d5-5001-4a13-ae99-fa8619500f1a_8.json | 175 +++ ...dc3519c-1f56-42fc-9a70-7e6b705c2781_1.json | 145 ++ ...61522-2545-11ed-ac47-f661ea17fbce_109.json | 78 - ...84af6-f553-4a6c-af13-300047455491_106.json | 83 -- ...2ba8542-1246-4647-9b84-98aa1bc0760a_2.json | 127 ++ ...47ae821-a80d-4f07-bb12-d40dd433f6b4_1.json | 113 ++ ...5f28c4d-cfc8-4847-9cca-f2fb1e319151_2.json | 167 --- ...94a6c-c7ba-4e82-b476-26a26877adf6_209.json | 100 -- ...99fdfb9-8430-4dcb-b5a9-da67dae64808_1.json | 1266 ++++++++++++++++ ...a2cc4-d260-11ed-8829-f661ea17fbcc_118.json | 143 ++ ...35062-b7fc-4af9-acea-5b1ead65c5a5_208.json | 88 -- ...a404b-75aa-4ffd-8be5-3334a5a544dd_208.json | 82 -- ...e1aeb-5225-4067-b8cc-f4a1de8a8546_316.json | 228 +++ ...c7d2a89-b7e9-4e8d-bbf2-5a782fdcc803_1.json | 88 ++ ...a8e60-2df0-11ed-b814-f661ea17fbce_109.json | 100 -- ...ed84571-58ac-46da-a0ab-9c213ef2927b_1.json | 149 ++ ...ca3ad-a348-43b2-b544-c93a78a0ef92_105.json | 97 -- ...f7a0ee1-7b6f-466a-85b4-110fb105f5e2_4.json | 155 ++ ...1139742-4d3a-49f3-a6dd-e0fb9834f959_1.json | 112 ++ ...670bf41-cb64-4d65-a0d6-78af17cf8f30_1.json | 100 ++ ...6817045-ea22-4038-9959-c3437bc4c064_1.json | 178 +++ ...7f8141e-4275-4d49-9e76-d215b4614a0b_1.json | 154 ++ ...82a39ad-a404-45e3-b5d4-bc11d2b09818_1.json | 135 ++ ...7933b4-9d0a-4c1c-bda5-e39fb045ff1d_11.json | 173 --- ...7933b4-9d0a-4c1c-bda5-e39fb045ff1d_12.json | 143 -- ...7933b4-9d0a-4c1c-bda5-e39fb045ff1d_13.json | 143 -- ...dde8-4204-45c0-9e0c-c85ca3902488_112.json} | 42 +- ...04023d7-8307-48bc-ad49-c454dfc2fae3_1.json | 119 ++ ...63c3e-4154-4fc6-9f86-b411e0987bbf_208.json | 88 -- ...4556bc7-e057-4759-9e49-fa79ee366101_1.json | 83 ++ ...0add4-3392-11ed-bd01-f661ea17fbce_108.json | 94 -- ...679c838-ec24-4e3a-bf0b-68a9878828c3_1.json | 119 ++ ...6dd08d8-8f3d-4f55-ada8-7dc1e05dbd47_1.json | 109 ++ ...6b2391-413f-4a94-acb4-7911f3803346_11.json | 188 --- ...6b2391-413f-4a94-acb4-7911f3803346_12.json | 158 -- ...6b2391-413f-4a94-acb4-7911f3803346_13.json | 158 -- ...80b70a0-c820-11ed-8799-f661ea17fbcc_7.json | 100 -- ...96e2e09-087e-4e99-a3cc-a9225d24ba3d_1.json | 120 ++ ...bed06f5-0c32-488a-9353-d565fc9d1573_1.json | 136 ++ ...e8c185c-8237-4b13-a4da-4a8d4e9bb6ef_1.json | 114 ++ ...95334-2499-11ed-9e1a-f661ea17fbce_110.json | 109 -- ...2e5e290-f534-4b71-bc3f-2dd1932b4cd6_1.json | 158 ++ ...7b984e4-16ff-405b-80be-31a94a03e929_1.json | 108 ++ ...7bfa3-088e-4f13-b29e-3986e0e756b8_318.json | 153 ++ ...8a48752-58f3-43a9-beb5-14b9e9f6a8b0_1.json | 108 ++ ...f82f5-8e77-4f8b-b3ce-10c0f6afbc73_208.json | 93 -- ...b3641-ff4b-4cdc-a063-b4b8d02a67c7_108.json | 82 -- ...b3641-ff4b-4cdc-a063-b4b8d02a67c7_112.json | 126 ++ ...c8bb9-2486-49a8-8779-45fb5f9a93ee_209.json | 92 -- ...f2807-2b3e-47d7-b282-f84acbbe14be_208.json | 88 -- ...5f94e78-fb4d-4f4b-879e-e51ea667d09c_1.json | 66 + ...946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_7.json | 84 ++ ...e70614d-4295-473c-a953-582aef41c865_5.json | 110 -- ...0136397-f82a-45e5-9b9f-a3651d77e21a_8.json | 152 ++ ...040c962-1c60-4259-8ea3-601a40d4ab9f_1.json | 87 ++ ...1326e45-6d3c-4a2d-9882-606a0c310299_1.json | 105 ++ ...3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c_4.json | 105 ++ ...6b40f4c-c6a9-434e-adb8-989b0d06d005_6.json | 168 +++ ...b2bd8-d701-420c-ba43-f11a155b681a_109.json | 118 -- ...8cc8192-f4f5-4ed3-8368-544ca738d506_1.json | 122 ++ ...a3bcacc-9285-4452-a742-5dae77538f61_5.json | 98 -- ...4500a-abd7-4ef3-b5d3-95524de7cfe1_210.json | 93 -- ...49724-c577-4fd6-8f9b-d1b8ec519ec0_208.json | 95 -- ...62693-aab9-4f66-a21a-3d79ecdd603d_109.json | 120 -- ...62693-aab9-4f66-a21a-3d79ecdd603d_113.json | 146 ++ ...ab1ec1-feeb-48b9-89e7-c12e189448aa_15.json | 119 ++ ...994a184-ab93-4cff-8fb6-31a4b4dd18b1_1.json | 135 ++ ...5420ced-bc42-4783-a8df-99320567e090_2.json | 169 +++ ...5105c-ba6d-481f-82bb-9b633e7b4827_208.json | 93 -- ...5d219fd-8362-4b67-a0b8-e3dd4331acdd_1.json | 131 ++ ...5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b_5.json | 109 ++ ...882e934-2aaa-11f0-8272-f661ea17fbcc_7.json | 146 ++ ...d1fe9-b2f4-48d4-bace-a026dc745d4b_112.json | 106 -- ...b8abab8-dea4-4903-a0ad-dfcb09224488_1.json | 114 ++ ...bf493d1-20be-41a0-a010-c1b6a6f90e28_1.json | 151 ++ ...f35b103-7fca-4af4-879d-a7e73c918659_1.json | 132 ++ ...ca20-4d6c-43f9-aec1-20b6de3b0aeb_116.json} | 55 +- ...2108687-553d-45ac-b8f0-d0efeac5d45f_1.json | 108 ++ ...e2be4-6eca-4349-bdd9-381573730c22_213.json | 121 -- ...f3054-d40b-49ac-aa9b-a786c74c58b8_107.json | 96 -- ...f3054-d40b-49ac-aa9b-a786c74c58b8_108.json | 96 -- ...f3054-d40b-49ac-aa9b-a786c74c58b8_109.json | 108 -- ...4dc90eb-e77e-4f0e-b18b-eb50da9e827e_1.json | 141 ++ ...6fee40d-8a5e-4cc8-9f73-8688419c6d68_1.json | 119 ++ ...8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10_3.json | 111 ++ ...1d790-9f74-4e76-97dd-b4b0f7bf6435_108.json | 143 -- ...b935960-d132-4bb5-853d-62f86cccc250_1.json | 105 ++ ...de4efad-9cd0-4fa4-84c8-0e3b6fc957b4_1.json | 108 ++ .../security_detection_engine/manifest.yml | 2 +- 138 files changed, 11815 insertions(+), 6828 deletions(-) create mode 100644 packages/security_detection_engine/kibana/security_rule/0030f681-0142-4231-b728-49bb9fc12066_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00546494-5bb0-49d6-9220-5f3b4c12f26a_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00546494-5bb0-49d6-9220-5f3b4c12f26a_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00546494-5bb0-49d6-9220-5f3b4c12f26a_7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/01c1e353-9d86-4344-abdf-523ab80c6f08_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/042b35f3-afa6-4441-92b2-ef41976b48a3_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0471a12b-c740-4a72-91f0-12bf95014d3c_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/07cd35a6-c267-4394-a782-6a9428aea9d3_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0c04d82f-6def-4659-aa62-ed6355a51f39_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0f5d410c-a594-4cdb-8b48-f36a61838d67_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0ffc3d78-44ce-4a55-b2be-98219e0eed05_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/135abb91-dcf4-48aa-b81a-5ad036b67c68_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_109.json create mode 100644 packages/security_detection_engine/kibana/security_rule/156f8c1d-bc54-46c0-a870-04e6a75526a1_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/16708afb-4904-4d3c-af78-63640a075cb0_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2014ebd8-b847-4cc0-a827-d0d61ec88680_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2302fb59-5201-46ec-b433-6044adb37b0b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_214.json create mode 100644 packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_13.json create mode 100644 packages/security_detection_engine/kibana/security_rule/283f6c2a-9811-4239-9a40-52b066c67f99_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2a7823db-0bc2-48f6-aa2f-e6aef233c6dc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_112.json create mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_323.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_317.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3aff6ab1-18bd-427e-9d4c-c5732110c261_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_112.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4886ce11-fca5-433f-bbb9-e33e410ef9ae_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/49002bbe-7aea-4146-91eb-b2b683bf5ed5_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_109.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4ddac6c1-e4be-4e2b-95b5-0654cb8d423c_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4df2e3ae-3553-4194-b22e-3e5a6f71466e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_117.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_118.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_119.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_120.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5301ac83-7a43-4c92-95e7-c372afea807d_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/55260656-76d6-427b-bd02-7acdde131b64_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/56fa718c-a0de-4492-97ff-bbc444b015b8_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_109.json create mode 100644 packages/security_detection_engine/kibana/security_rule/590fc62d-7386-4c75-92b0-af4517018da1_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_109.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5bdad1d5-5001-4a13-ae99-fa8619500f1a_8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5dc3519c-1f56-42fc-9a70-7e6b705c2781_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/62ba8542-1246-4647-9b84-98aa1bc0760a_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/647ae821-a80d-4f07-bb12-d40dd433f6b4_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/65f28c4d-cfc8-4847-9cca-f2fb1e319151_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/699fdfb9-8430-4dcb-b5a9-da67dae64808_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_118.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_208.json create mode 100644 packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_316.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7c7d2a89-b7e9-4e8d-bbf2-5a782fdcc803_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_109.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7ed84571-58ac-46da-a0ab-9c213ef2927b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7efca3ad-a348-43b2-b544-c93a78a0ef92_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7f7a0ee1-7b6f-466a-85b4-110fb105f5e2_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/81139742-4d3a-49f3-a6dd-e0fb9834f959_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8670bf41-cb64-4d65-a0d6-78af17cf8f30_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/86817045-ea22-4038-9959-c3437bc4c064_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/87f8141e-4275-4d49-9e76-d215b4614a0b_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/882a39ad-a404-45e3-b5d4-bc11d2b09818_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_11.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_12.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_13.json rename packages/security_detection_engine/kibana/security_rule/{8c1bdde8-4204-45c0-9e0c-c85ca3902488_108.json => 8c1bdde8-4204-45c0-9e0c-c85ca3902488_112.json} (81%) create mode 100644 packages/security_detection_engine/kibana/security_rule/904023d7-8307-48bc-ad49-c454dfc2fae3_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_208.json create mode 100644 packages/security_detection_engine/kibana/security_rule/94556bc7-e057-4759-9e49-fa79ee366101_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_108.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9679c838-ec24-4e3a-bf0b-68a9878828c3_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/96dd08d8-8f3d-4f55-ada8-7dc1e05dbd47_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/976b2391-413f-4a94-acb4-7911f3803346_11.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/976b2391-413f-4a94-acb4-7911f3803346_12.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/976b2391-413f-4a94-acb4-7911f3803346_13.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/996e2e09-087e-4e99-a3cc-a9225d24ba3d_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9bed06f5-0c32-488a-9353-d565fc9d1573_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9e8c185c-8237-4b13-a4da-4a8d4e9bb6ef_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_110.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a2e5e290-f534-4b71-bc3f-2dd1932b4cd6_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a7b984e4-16ff-405b-80be-31a94a03e929_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_318.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a8a48752-58f3-43a9-beb5-14b9e9f6a8b0_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_108.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_208.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b5f94e78-fb4d-4f4b-879e-e51ea667d09c_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/be70614d-4295-473c-a953-582aef41c865_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c0136397-f82a-45e5-9b9f-a3651d77e21a_8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c040c962-1c60-4259-8ea3-601a40d4ab9f_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c1326e45-6d3c-4a2d-9882-606a0c310299_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c6b40f4c-c6a9-434e-adb8-989b0d06d005_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_109.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c8cc8192-f4f5-4ed3-8368-544ca738d506_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ca3bcacc-9285-4452-a742-5dae77538f61_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_109.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_113.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_15.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d994a184-ab93-4cff-8fb6-31a4b4dd18b1_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e5420ced-bc42-4783-a8df-99320567e090_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_208.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e5d219fd-8362-4b67-a0b8-e3dd4331acdd_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e882e934-2aaa-11f0-8272-f661ea17fbcc_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_112.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eb8abab8-dea4-4903-a0ad-dfcb09224488_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ebf493d1-20be-41a0-a010-c1b6a6f90e28_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ef35b103-7fca-4af4-879d-a7e73c918659_1.json rename packages/security_detection_engine/kibana/security_rule/{f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_112.json => f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_116.json} (64%) create mode 100644 packages/security_detection_engine/kibana/security_rule/f2108687-553d-45ac-b8f0-d0efeac5d45f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_213.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_109.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f4dc90eb-e77e-4f0e-b18b-eb50da9e827e_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f6fee40d-8a5e-4cc8-9f73-8688419c6d68_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_108.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fb935960-d132-4bb5-853d-62f86cccc250_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fde4efad-9cd0-4fa4-84c8-0e3b6fc957b4_1.json diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml index 07523efd0e8..5eafbe9cc01 100644 --- a/packages/security_detection_engine/changelog.yml +++ b/packages/security_detection_engine/changelog.yml @@ -1,5 +1,10 @@ # newer versions go on top # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production +- version: 8.19.27-beta.1 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pulls/0000 - version: 8.19.26 changes: - description: Release security rules update diff --git a/packages/security_detection_engine/kibana/security_rule/0030f681-0142-4231-b728-49bb9fc12066_1.json b/packages/security_detection_engine/kibana/security_rule/0030f681-0142-4231-b728-49bb9fc12066_1.json new file mode 100644 index 00000000000..c106b37cce1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0030f681-0142-4231-b728-49bb9fc12066_1.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects GKE pod create, update, or patch events that enable host network namespace sharing. HostNetwork grants access to the node network stack and can bypass namespace network policies. System identities and controller-owned workloads are excluded.", + "false_positives": [ + "Monitoring agents and CNI components may require hostNetwork. Exclude known platform identities after review." + ], + "index": [ + "logs-gcp.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GKE Pod Created With HostNetwork", + "note": "## Triage and analysis\n\n### Investigating GKE Pod Created With HostNetwork\n\nHostNetwork pods can observe or interact with node-local services. Validate the actor and workload purpose.\n\n### Investigation steps\n\n- Review `user.email`, pod name, namespace, and container images in `gcp.audit.request`.\n- Hunt for secret access or exec from the same identity after the change.\n\n### False positives\n\n- Platform DaemonSets often use hostNetwork; controller ownerReferences exclusion reduces noise.", + "query": "data_stream.dataset:gcp.audit and\nevent.action:(\"io.k8s.core.v1.pods.create\" or \"io.k8s.core.v1.pods.update\" or \"io.k8s.core.v1.pods.patch\") and\ngcp.audit.request.spec.hostNetwork:true and\nnot gcp.audit.request.metadata.ownerReferences.kind:(\"ReplicaSet\" or \"DaemonSet\" or \"StatefulSet\") and\nnot user.email:system\\:*\n", + "references": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/", + "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "gcp.audit.request.metadata.ownerReferences.kind", + "type": "unknown" + }, + { + "ecs": false, + "name": "gcp.audit.request.spec.hostNetwork", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.email", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0030f681-0142-4231-b728-49bb9fc12066", + "setup": "The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Kubernetes", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "0030f681-0142-4231-b728-49bb9fc12066_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/00546494-5bb0-49d6-9220-5f3b4c12f26a_5.json b/packages/security_detection_engine/kibana/security_rule/00546494-5bb0-49d6-9220-5f3b4c12f26a_5.json deleted file mode 100644 index 67c81f4fd39..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/00546494-5bb0-49d6-9220-5f3b4c12f26a_5.json +++ /dev/null @@ -1,160 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies unusual destination port network activity originating from a web server process. The rule is designed to detect potential web shell activity or unauthorized communication from a web server process to external systems.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.network*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Uncommon Destination Port Connection by Web Server", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Uncommon Destination Port Connection by Web Server\n\nWeb servers, crucial for hosting applications, typically communicate over standard ports like 80 and 443. Adversaries may exploit web server processes to establish unauthorized connections to unusual ports, potentially indicating web shell activity or data exfiltration. This detection rule identifies such anomalies by monitoring egress connections from web server processes to non-standard ports, excluding common local IP ranges, thus highlighting potential threats.\n\n### Possible investigation steps\n\n- Review the process name and user associated with the alert to determine if the connection attempt was made by a legitimate web server process or user, as specified in the query fields (e.g., process.name or user.name).\n- Examine the destination IP address to assess whether it is known or suspicious, and check if it falls outside the excluded local IP ranges.\n- Investigate the destination port to understand why the connection was attempted on a non-standard port, and determine if this port is associated with any known services or threats.\n- Check historical logs for any previous connection attempts from the same process or user to the same or similar destination IPs and ports to identify patterns or repeated behavior.\n- Analyze any related network traffic or logs to identify additional context or anomalies that may indicate unauthorized activity or data exfiltration.\n- Correlate the alert with other security events or alerts to determine if it is part of a larger attack pattern or campaign.\n\n### False positive analysis\n\n- Routine administrative tasks or maintenance scripts may trigger alerts if they involve web server processes connecting to non-standard ports. To manage this, identify and document these tasks, then create exceptions for the specific processes and ports involved.\n- Internal monitoring or management tools that use non-standard ports for legitimate purposes can cause false positives. Review the tools in use and exclude their known IP addresses and ports from the rule.\n- Development or testing environments often use non-standard ports for web server processes. Ensure these environments are well-documented and consider excluding their IP ranges or specific ports from the rule.\n- Load balancers or reverse proxies might redirect traffic to non-standard ports as part of their normal operation. Verify the configuration of these devices and exclude their IP addresses and ports if necessary.\n- Custom applications running on web servers may require communication over non-standard ports. Work with application owners to understand these requirements and adjust the rule to exclude these specific cases.\n\n### Response and remediation\n\n- Immediately isolate the affected web server from the network to prevent further unauthorized access or data exfiltration.\n- Conduct a thorough review of the web server's logs and processes to identify any unauthorized changes or suspicious activities, focusing on the processes and user accounts mentioned in the detection rule.\n- Terminate any suspicious processes identified during the investigation that are not part of the standard operation of the web server.\n- Change passwords and review permissions for the user accounts associated with the web server processes to ensure they have not been compromised.\n- Restore the web server from a known good backup if any unauthorized changes or malware are detected, ensuring that the backup is free from compromise.\n- Implement network segmentation to limit the web server's access to critical systems and data, reducing the potential impact of future incidents.\n- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected, ensuring comprehensive threat containment and remediation.\n", - "query": "network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and (\n process.name like (\n \"apache\", \"nginx\", \"apache2\", \"httpd\", \"lighttpd\", \"caddy\", \"mongrel_rails\", \"gunicorn\",\n \"uwsgi\", \"openresty\", \"cherokee\", \"h2o\", \"resin\", \"puma\", \"unicorn\", \"traefik\", \"tornado\", \"hypercorn\",\n \"daphne\", \"twistd\", \"yaws\", \"webfsd\", \"httpd.worker\", \"flask\", \"rails\", \"mongrel\", \"php-fpm*\", \"php-cgi\",\n \"php-fcgi\", \"php-cgi.cagefs\", \"catalina.sh\", \"hiawatha\", \"lswsctrl\"\n ) or\n user.name in (\"apache\", \"www-data\", \"httpd\", \"nginx\", \"lighttpd\", \"tomcat\", \"tomcat8\", \"tomcat9\") or\n user.id in (\"33\", \"498\", \"48\") or\n (process.name == \"java\" and process.working_directory like \"/u0?/*\")\n) and\nnetwork.direction == \"egress\" and destination.ip != null and\nnot destination.port in (80, 443, 8080, 8443, 8000, 8888, 3128, 3306, 5432, 8220, 8082) and\nnot cidrmatch(destination.ip, \"127.0.0.0/8\", \"::1\",\"FE80::/10\", \"FF00::/8\", \"10.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\",\n\"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\",\n\"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"224.0.0.0/4\", \"240.0.0.0/4\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "00546494-5bb0-49d6-9220-5f3b4c12f26a", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - }, - { - "id": "T1571", - "name": "Non-Standard Port", - "reference": "https://attack.mitre.org/techniques/T1571/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 5 - }, - "id": "00546494-5bb0-49d6-9220-5f3b4c12f26a_5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/00546494-5bb0-49d6-9220-5f3b4c12f26a_6.json b/packages/security_detection_engine/kibana/security_rule/00546494-5bb0-49d6-9220-5f3b4c12f26a_6.json deleted file mode 100644 index a6e47ce40e0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/00546494-5bb0-49d6-9220-5f3b4c12f26a_6.json +++ /dev/null @@ -1,155 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies unusual destination port network activity originating from a web server process. The rule is designed to detect potential web shell activity or unauthorized communication from a web server process to external systems.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.network*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Uncommon Destination Port Connection by Web Server", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Uncommon Destination Port Connection by Web Server\n\nWeb servers, crucial for hosting applications, typically communicate over standard ports like 80 and 443. Adversaries may exploit web server processes to establish unauthorized connections to unusual ports, potentially indicating web shell activity or data exfiltration. This detection rule identifies such anomalies by monitoring egress connections from web server processes to non-standard ports, excluding common local IP ranges, thus highlighting potential threats.\n\n### Possible investigation steps\n\n- Review the process name and user associated with the alert to determine if the connection attempt was made by a legitimate web server process or user, as specified in the query fields (e.g., process.name or user.name).\n- Examine the destination IP address to assess whether it is known or suspicious, and check if it falls outside the excluded local IP ranges.\n- Investigate the destination port to understand why the connection was attempted on a non-standard port, and determine if this port is associated with any known services or threats.\n- Check historical logs for any previous connection attempts from the same process or user to the same or similar destination IPs and ports to identify patterns or repeated behavior.\n- Analyze any related network traffic or logs to identify additional context or anomalies that may indicate unauthorized activity or data exfiltration.\n- Correlate the alert with other security events or alerts to determine if it is part of a larger attack pattern or campaign.\n\n### False positive analysis\n\n- Routine administrative tasks or maintenance scripts may trigger alerts if they involve web server processes connecting to non-standard ports. To manage this, identify and document these tasks, then create exceptions for the specific processes and ports involved.\n- Internal monitoring or management tools that use non-standard ports for legitimate purposes can cause false positives. Review the tools in use and exclude their known IP addresses and ports from the rule.\n- Development or testing environments often use non-standard ports for web server processes. Ensure these environments are well-documented and consider excluding their IP ranges or specific ports from the rule.\n- Load balancers or reverse proxies might redirect traffic to non-standard ports as part of their normal operation. Verify the configuration of these devices and exclude their IP addresses and ports if necessary.\n- Custom applications running on web servers may require communication over non-standard ports. Work with application owners to understand these requirements and adjust the rule to exclude these specific cases.\n\n### Response and remediation\n\n- Immediately isolate the affected web server from the network to prevent further unauthorized access or data exfiltration.\n- Conduct a thorough review of the web server's logs and processes to identify any unauthorized changes or suspicious activities, focusing on the processes and user accounts mentioned in the detection rule.\n- Terminate any suspicious processes identified during the investigation that are not part of the standard operation of the web server.\n- Change passwords and review permissions for the user accounts associated with the web server processes to ensure they have not been compromised.\n- Restore the web server from a known good backup if any unauthorized changes or malware are detected, ensuring that the backup is free from compromise.\n- Implement network segmentation to limit the web server's access to critical systems and data, reducing the potential impact of future incidents.\n- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected, ensuring comprehensive threat containment and remediation.\n", - "query": "network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and (\n process.name like (\n \"apache\", \"nginx\", \"apache2\", \"httpd\", \"lighttpd\", \"caddy\", \"mongrel_rails\", \"gunicorn\",\n \"uwsgi\", \"openresty\", \"cherokee\", \"h2o\", \"resin\", \"puma\", \"unicorn\", \"traefik\", \"tornado\", \"hypercorn\",\n \"daphne\", \"twistd\", \"yaws\", \"webfsd\", \"httpd.worker\", \"flask\", \"rails\", \"mongrel\", \"php-fpm*\", \"php-cgi\",\n \"php-fcgi\", \"php-cgi.cagefs\", \"catalina.sh\", \"hiawatha\", \"lswsctrl\"\n ) or\n user.name in (\"apache\", \"www-data\", \"httpd\", \"nginx\", \"lighttpd\", \"tomcat\", \"tomcat8\", \"tomcat9\") or\n user.id in (\"33\", \"498\", \"48\")\n) and\nnetwork.direction == \"egress\" and destination.ip != null and\nnot destination.port in (80, 443, 8080, 8443, 8000, 8888, 3128, 3306, 5432, 8220, 8082) and\nnot cidrmatch(destination.ip, \"127.0.0.0/8\", \"::1\",\"FE80::/10\", \"FF00::/8\", \"10.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\",\n\"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\",\n\"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"224.0.0.0/4\", \"240.0.0.0/4\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "00546494-5bb0-49d6-9220-5f3b4c12f26a", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - }, - { - "id": "T1571", - "name": "Non-Standard Port", - "reference": "https://attack.mitre.org/techniques/T1571/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 6 - }, - "id": "00546494-5bb0-49d6-9220-5f3b4c12f26a_6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/00546494-5bb0-49d6-9220-5f3b4c12f26a_7.json b/packages/security_detection_engine/kibana/security_rule/00546494-5bb0-49d6-9220-5f3b4c12f26a_7.json deleted file mode 100644 index edcc7b19b2a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/00546494-5bb0-49d6-9220-5f3b4c12f26a_7.json +++ /dev/null @@ -1,155 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies unusual destination port network activity originating from a web server process. The rule is designed to detect potential web shell activity or unauthorized communication from a web server process to external systems.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.network*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Deprecated - Uncommon Destination Port Connection by Web Server", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Deprecated - Uncommon Destination Port Connection by Web Server\n\nWeb servers, crucial for hosting applications, typically communicate over standard ports like 80 and 443. Adversaries may exploit web server processes to establish unauthorized connections to unusual ports, potentially indicating web shell activity or data exfiltration. This detection rule identifies such anomalies by monitoring egress connections from web server processes to non-standard ports, excluding common local IP ranges, thus highlighting potential threats.\n\n### Possible investigation steps\n\n- Review the process name and user associated with the alert to determine if the connection attempt was made by a legitimate web server process or user, as specified in the query fields (e.g., process.name or user.name).\n- Examine the destination IP address to assess whether it is known or suspicious, and check if it falls outside the excluded local IP ranges.\n- Investigate the destination port to understand why the connection was attempted on a non-standard port, and determine if this port is associated with any known services or threats.\n- Check historical logs for any previous connection attempts from the same process or user to the same or similar destination IPs and ports to identify patterns or repeated behavior.\n- Analyze any related network traffic or logs to identify additional context or anomalies that may indicate unauthorized activity or data exfiltration.\n- Correlate the alert with other security events or alerts to determine if it is part of a larger attack pattern or campaign.\n\n### False positive analysis\n\n- Routine administrative tasks or maintenance scripts may trigger alerts if they involve web server processes connecting to non-standard ports. To manage this, identify and document these tasks, then create exceptions for the specific processes and ports involved.\n- Internal monitoring or management tools that use non-standard ports for legitimate purposes can cause false positives. Review the tools in use and exclude their known IP addresses and ports from the rule.\n- Development or testing environments often use non-standard ports for web server processes. Ensure these environments are well-documented and consider excluding their IP ranges or specific ports from the rule.\n- Load balancers or reverse proxies might redirect traffic to non-standard ports as part of their normal operation. Verify the configuration of these devices and exclude their IP addresses and ports if necessary.\n- Custom applications running on web servers may require communication over non-standard ports. Work with application owners to understand these requirements and adjust the rule to exclude these specific cases.\n\n### Response and remediation\n\n- Immediately isolate the affected web server from the network to prevent further unauthorized access or data exfiltration.\n- Conduct a thorough review of the web server's logs and processes to identify any unauthorized changes or suspicious activities, focusing on the processes and user accounts mentioned in the detection rule.\n- Terminate any suspicious processes identified during the investigation that are not part of the standard operation of the web server.\n- Change passwords and review permissions for the user accounts associated with the web server processes to ensure they have not been compromised.\n- Restore the web server from a known good backup if any unauthorized changes or malware are detected, ensuring that the backup is free from compromise.\n- Implement network segmentation to limit the web server's access to critical systems and data, reducing the potential impact of future incidents.\n- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected, ensuring comprehensive threat containment and remediation.\n", - "query": "network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and (\n process.name like (\n \"apache\", \"nginx\", \"apache2\", \"httpd\", \"lighttpd\", \"caddy\", \"mongrel_rails\", \"gunicorn\",\n \"uwsgi\", \"openresty\", \"cherokee\", \"h2o\", \"resin\", \"puma\", \"unicorn\", \"traefik\", \"tornado\", \"hypercorn\",\n \"daphne\", \"twistd\", \"yaws\", \"webfsd\", \"httpd.worker\", \"flask\", \"rails\", \"mongrel\", \"php-fpm*\", \"php-cgi\",\n \"php-fcgi\", \"php-cgi.cagefs\", \"catalina.sh\", \"hiawatha\", \"lswsctrl\"\n ) or\n user.name in (\"apache\", \"www-data\", \"httpd\", \"nginx\", \"lighttpd\", \"tomcat\", \"tomcat8\", \"tomcat9\") or\n user.id in (\"33\", \"498\", \"48\")\n) and\nnetwork.direction == \"egress\" and destination.ip != null and\nnot destination.port in (80, 443, 8080, 8443, 8000, 8888, 3128, 3306, 5432, 8220, 8082) and\nnot cidrmatch(destination.ip, \"127.0.0.0/8\", \"::1\",\"FE80::/10\", \"FF00::/8\", \"10.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\",\n\"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\",\n\"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"224.0.0.0/4\", \"240.0.0.0/4\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "00546494-5bb0-49d6-9220-5f3b4c12f26a", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - }, - { - "id": "T1571", - "name": "Non-Standard Port", - "reference": "https://attack.mitre.org/techniques/T1571/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 7 - }, - "id": "00546494-5bb0-49d6-9220-5f3b4c12f26a_7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/01c1e353-9d86-4344-abdf-523ab80c6f08_1.json b/packages/security_detection_engine/kibana/security_rule/01c1e353-9d86-4344-abdf-523ab80c6f08_1.json new file mode 100644 index 00000000000..22d08c7da5c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/01c1e353-9d86-4344-abdf-523ab80c6f08_1.json @@ -0,0 +1,144 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects network connections originating from a binary located in a potentially suspicious location, followed by a file creation event. This behavior is consistent with C2 agents such as Poseidon and Athena, connecting to a C2 framework such as Mythic. The agent polls the C2 for commands through a web request, after which the command gets executed.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.network*", + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection Followed by File Creation", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Network Connection Followed by File Creation\n\nThis rule spots a Linux process running from an unusual writable directory that makes an outbound connection and then creates a file within seconds, a pattern that often marks an active implant receiving tasks and staging follow-on activity. Attackers launch a loader from /dev/shm or /tmp, poll a remote web-based command server, and immediately drop a script or renamed payload for execution or persistence.\n\n### Possible investigation steps\n\n- Review the process ancestry and launch context for the binary in the writable directory to determine whether it originated from a user session, script, scheduled task, package operation, or remote execution mechanism.\n- Inspect the external destination's reputation, ownership, protocol details, and whether other hosts contacted it at similar times to distinguish approved software behavior from likely command-and-control traffic.\n- Examine the created file's location, type, hash, contents, permissions, and any immediate chmod, rename, or execution activity to assess whether it is a staged payload, script, or persistence artifact.\n- Build a concise timeline around the alert to identify preceding download, decode, or unpack actions and any follow-on child processes, credential access attempts, or lateral movement from the same host.\n- Search the environment for the same executable hash, destination, or dropped artifact on other systems and contain the host if you observe repeated beaconing, additional suspicious file creation, or evidence of execution.\n\n### False positive analysis\n\n- A legitimate software installer, updater, or bootstrap script launched from /tmp or /var/tmp can contact an external repository and immediately create unpacked files; verify the parent process, initiating user, shell history, and whether the destination IP and dropped files align with an approved installation or update at that time.\n- An administrator or automation job may execute a temporary script from /dev/shm or /run/user to fetch remote content and write logs, configuration, or cache files; confirm the activity matches a scheduled task or provisioning change and inspect the created file paths and script contents for expected benign output.\n\n### Response and remediation\n\n- Isolate the affected Linux host from the network except for approved management access, kill the suspicious process running from the writable directory, quarantine the binary and any files it created, and block the contacted external IP or domain at the firewall, proxy, and DNS layers.\n- Remove attacker footholds by deleting malicious systemd services, cron jobs, shell profile modifications, SSH authorized_keys entries, and any copied or renamed payloads the implant placed under writable paths or startup locations, after preserving forensic copies.\n- Reset potentially exposed access by rotating passwords, SSH keys, API tokens, and service credentials used on the host, especially if the process ran as root, touched authentication files, or dropped scripts and configuration files that may contain secrets.\n- Restore the system to a known-good state by reimaging or rebuilding the host from a trusted baseline when the binary or dropped files executed, then validate package integrity, startup items, and critical application data before reconnecting it to production.\n- Escalate immediately to incident response if the same executable hash, outbound destination, or dropped artifact appears on additional hosts, or if you identify privilege escalation, credential theft, persistence in multiple locations, or attempted lateral movement.\n- Harden the environment by blocking execution from /tmp, /dev/shm, and other writable directories where feasible, tightening egress rules to approved destinations, enforcing application allowlisting, and improving monitoring for new outbound beacons followed by file creation.\n", + "query": "sequence by host.id, process.entity_id with maxspan=5s\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and\n process.executable like (\n \"/boot/*\", \"/dev/shm/*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/log/*\", \"/var/run/user/*\", \"/run/user/*\"\n ) and\n not (\n destination.ip == null or\n destination.ip == \"0.0.0.0\" or \n cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\",\n \"192.0.0.0/24\", \"192.0.0.0/29\",\"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\",\n \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\", \"FC00::/7\"\n )\n )]\n [file where host.os.type == \"linux\" and event.type == \"creation\" and process.executable like (\n \"/boot/*\", \"/dev/shm/*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/log/*\", \"/boot/*\", \"/var/run/user/*\", \"/run/user/*\"\n ) and\n not (\n file.name like \"tmp*\" or file.extension in (\"sqlite-journal\", \"db-journal\", \"lockfile\", \"tmp\") or\n file.path like (\n \"/loki/wal/*\", \"/dev/shm/.org.chromium.Chromium.*\", \"/opt/rapid7/nexpose/*\",\n \"/usr/local/ltechagent*\", \"/var/lib/cloudendure/agent_keystore_temp\", \"/var/cache/yum/*\",\n \"/run/aws-node/ipam.json.tmp*\", \"/run/systemd/journal/streams/.*\"\n ) or\n (process.executable == \"/tmp/terraform\" and file.path like \"/tmp/terraform-provider*\") or \n process.name in (\"podman\", \"minikube\", \"logrotate\", \"java\", \"aws-k8s-agent\", \"grafana\", \"postman\") or\n process.executable : (\n \"/etc/cron.daily/logrotate\", \"/etc/update-motd.d/50-motd-news\", \"/etc/cron.hourly/0yum-hourly.cron\",\n \"/etc/cron.hourly/BitdefenderRedline\", \"/tmp/token_handler\", \"/tmp/.sentry-cli*.exe\", \n \"/etc/cron.daily/0yum-daily.cron\", \"/etc/init.d/fortiedr\"\n )\n )]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "01c1e353-9d86-4344-abdf-523ab80c6f08", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "01c1e353-9d86-4344-abdf-523ab80c6f08_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/042b35f3-afa6-4441-92b2-ef41976b48a3_1.json b/packages/security_detection_engine/kibana/security_rule/042b35f3-afa6-4441-92b2-ef41976b48a3_1.json new file mode 100644 index 00000000000..186fe141199 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/042b35f3-afa6-4441-92b2-ef41976b48a3_1.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies deletion of an AWS Backup recovery point via DeleteRecoveryPoint. A recovery point is a stored backup of a protected resource (EBS, RDS, DynamoDB, EFS, S3, and others). Deleting recovery points removes the ability to restore the associated data and is a core anti-recovery technique used in ransomware and data-destruction attacks to ensure victims cannot recover without paying or rebuilding. Routine lifecycle expirations are performed by the AWS Backup service itself; deletion by a non-service principal is rare and should be reviewed.", + "false_positives": [ + "Backup, platform, or infrastructure-as-code teams may delete recovery points during retention cleanup, migration, or decommissioning. Verify the principal in \"aws.cloudtrail.user_identity.arn\", the affected recovery point and vault in \"aws.cloudtrail.request_parameters\", and whether the deletion aligns with an approved change. Known administration roles can be excluded after validation." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "source.as.number", + "source.as.organization.name", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Backup Recovery Point Deleted", + "note": "## Triage and analysis\n\n### Investigating AWS Backup Recovery Point Deleted\n\nAWS Backup recovery points are the restorable copies of protected resources. \"DeleteRecoveryPoint\" permanently removes a recovery point from its vault, eliminating the ability to restore that backup. Adversaries delete recovery points to inhibit recovery after data destruction or encryption, maximizing the impact of ransomware or sabotage. Because scheduled expirations are carried out by the AWS Backup service itself (excluded by this rule), a deletion by a user or role principal is uncommon and high-signal, especially when several recovery points are removed in a short window.\n\n### Possible investigation steps\n\n- Identify the actor in \"aws.cloudtrail.user_identity.arn\" and \"aws.cloudtrail.user_identity.type\", and review \"source.ip\", \"source.as.organization.name\", and \"user_agent.original\" for an unexpected origin.\n- Identify the affected recovery point and vault from \"aws.cloudtrail.request_parameters\", and determine which resource and data it protected.\n- Determine whether multiple recovery points or vaults were affected in the same window, indicating a broader anti-recovery effort.\n- Correlate with adjacent destructive or evasion activity by the same principal, such as DeleteBackupVault, Vault Lock removal, KMS key deletion, or resource deletions.\n\n### False positive analysis\n\n- Retention cleanup, migration, or decommissioning may delete recovery points. Confirm the deletion is expected and exclude known administration roles on \"aws.cloudtrail.user_identity.arn\" after validation.\n\n### Response and remediation\n\n- If the deletion is unauthorized, treat it as a potential precursor to or part of a destructive attack: preserve remaining backups, enable Vault Lock where possible, and engage incident response.\n- Rotate or restrict credentials for the principal if compromise is suspected, and restrict \"backup:DeleteRecoveryPoint\" to a small set of trusted administrators via IAM and SCPs.\n\n### Additional information\n\n- [DeleteRecoveryPoint API](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteRecoveryPoint.html)\n- [AWS Backup Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html)\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"backup.amazonaws.com\"\n and event.action: \"DeleteRecoveryPoint\"\n and event.outcome: \"success\"\n and not aws.cloudtrail.user_identity.type: \"AWSService\"\n", + "references": [ + "https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteRecoveryPoint.html", + "https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "042b35f3-afa6-4441-92b2-ef41976b48a3", + "setup": "This rule requires AWS CloudTrail management events for AWS Backup and ingestion via the Elastic AWS CloudTrail integration. See https://docs.elastic.co/integrations/aws/cloudtrail.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Backup", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "042b35f3-afa6-4441-92b2-ef41976b48a3_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0471a12b-c740-4a72-91f0-12bf95014d3c_1.json b/packages/security_detection_engine/kibana/security_rule/0471a12b-c740-4a72-91f0-12bf95014d3c_1.json new file mode 100644 index 00000000000..3916f0bda64 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0471a12b-c740-4a72-91f0-12bf95014d3c_1.json @@ -0,0 +1,1279 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an Amazon SageMaker notebook lifecycle configuration whose OnStart or OnCreate script, after base64 decoding, contains patterns associated with malicious activity such as reverse shells, EC2 instance metadata (IMDS) credential access, or download-and-execute commands. A lifecycle configuration runs as root on the notebook instance, so a script with these patterns is a strong indicator of an attempt to backdoor the notebook, steal the execution role's credentials, or establish persistent code execution. This rule decodes the script in the request and matches high-signal indicators; it is a higher-fidelity companion to the rule that alerts on any lifecycle configuration change.", + "false_positives": [ + "Legitimate setup scripts may reference metadata endpoints or download tooling. Review the decoded script in \"Esql_priv.aws_cloudtrail_lifecycle_script\", verify the principal in \"aws.cloudtrail.user_identity.arn\", and confirm the activity is approved. Note this rule only matches unobfuscated patterns; a clean result does not guarantee a benign script." + ], + "from": "now-60m", + "interval": "10m", + "investigation_fields": { + "field_names": [ + "@timestamp", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "source.ip", + "cloud.account.id", + "event.action", + "Esql_priv.aws_cloudtrail_lifecycle_script", + "aws.cloudtrail.request_parameters" + ] + }, + "language": "esql", + "license": "Elastic License v2", + "name": "AWS SageMaker Notebook Lifecycle Configuration With Suspicious Script Content", + "note": "## Triage and analysis\n\n### Investigating AWS SageMaker Notebook Lifecycle Configuration With Suspicious Script Content\n\nA SageMaker notebook lifecycle configuration is a shell script that runs as root on the notebook instance at create or start. This rule base64-decodes the OnStart/OnCreate script from the request (surfaced as \"Esql_priv.aws_cloudtrail_lifecycle_script\") and flags high-signal indicators across several categories: reverse shells (\"/dev/tcp/\", \"/dev/udp/\", \"bash -i\", \"nc -e\", \"ncat\", \"socat\", \"mkfifo\", \"import socket\", \"pty.spawn\", \"perl\"/\"ruby\"/\"php\" socket idioms), IMDS credential access (\"169.254.169.254\", \"/latest/meta-data/\", \"/latest/api/token\"), download-and-execute and decode-and-execute (\"| sh\", \"| bash\", \"base64 -d\"), cryptominers (\"xmrig\", \"minerd\", \"stratum+\"), and persistence (\"authorized_keys\", \"crontab\", \"/etc/cron\"). A match is a strong indicator of an implant attempt.\n\n### Possible investigation steps\n\n- Review the decoded \"Esql_priv.aws_cloudtrail_lifecycle_script\" field and the full \"aws.cloudtrail.request_parameters\" to understand what the script does.\n- Identify the actor in \"aws.cloudtrail.user_identity.arn\" and review \"source.ip\" and \"user_agent.original\" for an unexpected origin.\n- Determine which notebook instances reference this configuration and whether they have started since the change.\n- Correlate with adjacent activity by the same principal, such as notebook creation, presigned URL generation, or use of the execution role's credentials outside SageMaker.\n\n### False positive analysis\n\n- Setup scripts can legitimately reference metadata endpoints or download tooling. Confirm the script is expected and exclude known automation roles after validation. This rule only matches unobfuscated indicators, so it can miss obfuscated scripts (use the broad lifecycle-configuration-change rule for full coverage) and can match benign scripts that contain these strings.\n\n### Response and remediation\n\n- If unauthorized, remove the lifecycle configuration, stop affected notebook instances, and rotate the notebook execution role's credentials.\n- Review actions taken by the execution role since the change, and restrict \"sagemaker:CreateNotebookInstanceLifecycleConfig\" and \"sagemaker:UpdateNotebookInstanceLifecycleConfig\" to trusted administrators.\n", + "query": "FROM logs-aws.cloudtrail-* METADATA _id, _version, _index\n| WHERE event.provider == \"sagemaker.amazonaws.com\"\n AND event.action IN (\"CreateNotebookInstanceLifecycleConfig\", \"UpdateNotebookInstanceLifecycleConfig\")\n AND event.outcome == \"success\"\n AND aws.cloudtrail.user_identity.type != \"AWSService\"\n| GROK aws.cloudtrail.request_parameters \"[Cc]ontent=(?[A-Za-z0-9+/=]+)\"\n| EVAL Esql_priv.aws_cloudtrail_lifecycle_script = FROM_BASE64(script_b64)\n| WHERE TO_LOWER(Esql_priv.aws_cloudtrail_lifecycle_script) RLIKE \"\"\".*(/dev/tcp/|/dev/udp/|bash -i|sh -i|nc -e|ncat |socat |mkfifo|169\\.254\\.169\\.254|/latest/meta-data/|/latest/api/token|\\| ?sh|\\| ?bash|base64 -d|import socket|pty\\.spawn|perl -e|ruby -rsocket|php -r|xmrig|minerd|stratum\\+|authorized_keys|/etc/cron|crontab ).*\"\"\"\n| KEEP _id, _version, _index, @timestamp, aws.*, cloud.*, event.*, source.*, user.*, user_agent.*, Esql_priv.aws_cloudtrail_lifecycle_script\n", + "references": [ + "https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-lifecycle-config.html" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "@timestamp", + "type": "date" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": false, + "name": "_version", + "type": "long" + }, + { + "ecs": false, + "name": "aws.cloudtrail.additional_eventdata", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.api_version", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.console_login.additional_eventdata.login_to", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.console_login.additional_eventdata.mfa_used", + "type": "boolean" + }, + { + "ecs": false, + "name": "aws.cloudtrail.console_login.additional_eventdata.mobile_version", + "type": "boolean" + }, + { + "ecs": false, + "name": "aws.cloudtrail.error_code", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.error_message", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.event_category", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.event_type", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.event_version", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.additional_eventdata", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.digest", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.insight_details", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.attribute", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.groupSet", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.groupSet.items", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.groupSet.items.groupId", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.includeDeprecated", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.instanceId", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.ipPermissions", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.ipPermissions.items", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.ipPermissions.items.fromPort", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.ipPermissions.items.ipRanges", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.ipPermissions.items.ipRanges.items", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.ipPermissions.items.ipRanges.items.cidrIp", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.key", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.omitted", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.protocol", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.reason", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.serialNumber", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.withDecryption", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.response_elements", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.response_elements.documentDescription", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.response_elements.documentDescription.documentType", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.service_event_details", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.management_event", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.read_only", + "type": "boolean" + }, + { + "ecs": false, + "name": "aws.cloudtrail.recipient_account_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.request_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.resources.account_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.resources.arn", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.resources.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.response_elements", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.service_event_details", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.session_credential_from_console", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.shared_event_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.access_key_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.arn", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.invoked_by", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.creation_date", + "type": "date" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.mfa_authenticated", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.session_issuer.account_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.session_issuer.arn", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.session_issuer.principal_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.vpc_endpoint_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.s3.bucket.arn", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.s3.bucket.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.s3.metadata", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.s3.object.key", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.account.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.account.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.availability_zone", + "type": "keyword" + }, + { + "ecs": false, + "name": "cloud.image.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.instance.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.instance.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.machine.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.account.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.account.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.availability_zone", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.instance.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.instance.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.machine.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.project.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.project.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.region", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.service.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.project.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.project.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.region", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.service.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.account.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.account.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.availability_zone", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.instance.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.instance.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.machine.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.project.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.project.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.region", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.service.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.agent_id_status", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.created", + "type": "date" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.duration", + "type": "long" + }, + { + "ecs": true, + "name": "event.end", + "type": "date" + }, + { + "ecs": true, + "name": "event.hash", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.ingested", + "type": "date" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.original", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.reason", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.reference", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.risk_score", + "type": "float" + }, + { + "ecs": true, + "name": "event.risk_score_norm", + "type": "float" + }, + { + "ecs": true, + "name": "event.sequence", + "type": "long" + }, + { + "ecs": true, + "name": "event.severity", + "type": "long" + }, + { + "ecs": true, + "name": "event.start", + "type": "date" + }, + { + "ecs": true, + "name": "event.timezone", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.url", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.as.number", + "type": "long" + }, + { + "ecs": true, + "name": "source.as.organization.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "source.as.organization.name.text", + "type": "text" + }, + { + "ecs": true, + "name": "source.bytes", + "type": "long" + }, + { + "ecs": true, + "name": "source.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.city_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.continent_code", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.continent_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.country_iso_code", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.country_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.location", + "type": "geo_point" + }, + { + "ecs": true, + "name": "source.geo.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.postal_code", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.region_iso_code", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.region_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.timezone", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.mac", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.nat.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.nat.port", + "type": "long" + }, + { + "ecs": true, + "name": "source.packets", + "type": "long" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + }, + { + "ecs": true, + "name": "source.registered_domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.subdomain", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.top_level_domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.email", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.full_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "source.user.full_name.text", + "type": "text" + }, + { + "ecs": true, + "name": "source.user.group.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.group.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.hash", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "source.user.name.text", + "type": "text" + }, + { + "ecs": true, + "name": "source.user.roles", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.email", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.full_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.changes.full_name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.changes.group.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.group.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.hash", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.changes.name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.changes.roles", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.email", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.full_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.effective.full_name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.effective.group.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.group.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.hash", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.effective.name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.effective.roles", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.email", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.entity.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.full_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.full_name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.group.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.group.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.hash", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.risk.calculated_level", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.risk.calculated_score", + "type": "float" + }, + { + "ecs": true, + "name": "user.risk.calculated_score_norm", + "type": "float" + }, + { + "ecs": true, + "name": "user.risk.static_level", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.risk.static_score", + "type": "float" + }, + { + "ecs": true, + "name": "user.risk.static_score_norm", + "type": "float" + }, + { + "ecs": true, + "name": "user.roles", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.email", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.target.entity.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.full_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.target.full_name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.target.group.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.group.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.hash", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.target.name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.target.roles", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.device.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.original", + "type": "keyword" + }, + { + "ecs": false, + "name": "user_agent.original.text", + "type": "text" + }, + { + "ecs": true, + "name": "user_agent.os.family", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.os.full", + "type": "keyword" + }, + { + "ecs": false, + "name": "user_agent.os.full.text", + "type": "text" + }, + { + "ecs": true, + "name": "user_agent.os.kernel", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.os.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user_agent.os.name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user_agent.os.platform", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.os.version", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.version", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0471a12b-c740-4a72-91f0-12bf95014d3c", + "setup": "This rule requires AWS CloudTrail logs ingested via the Elastic AWS integration. See https://docs.elastic.co/integrations/aws/cloudtrail for setup details.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS SageMaker", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "0471a12b-c740-4a72-91f0-12bf95014d3c_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07cd35a6-c267-4394-a782-6a9428aea9d3_1.json b/packages/security_detection_engine/kibana/security_rule/07cd35a6-c267-4394-a782-6a9428aea9d3_1.json new file mode 100644 index 00000000000..7a9979e73e8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/07cd35a6-c267-4394-a782-6a9428aea9d3_1.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the first time within the prior 14 days that a principal directly invokes an AWS Lambda function in an account, excluding invocations made on behalf of AWS services (normal event-source triggers). Adversaries who compromise credentials or move laterally may directly invoke functions to execute code, retrieve data returned by a function, or abuse an over-permissioned execution role. Direct, ad hoc invocation by a principal that does not normally call Lambda deviates from the usual event-driven invocation pattern and is worth reviewing. This rule relies on AWS Lambda data event logging, which is not enabled by default.", + "false_positives": [ + "Developers, operators, and CI/CD or automation identities legitimately invoke functions directly for testing, operations, and deployments. New automation roles or first-time operators will generate this alert. Verify the principal in `aws.cloudtrail.user_identity.arn`, the function, and the source before treating it as malicious, and exclude known operational identities after validation." + ], + "from": "now-6m", + "history_window_start": "now-7d", + "index": [ + "logs-aws.cloudtrail-*" + ], + "interval": "5m", + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "source.as.organization.name", + "source.geo.country_name", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.user_identity.session_context.session_issuer.arn", + "aws.cloudtrail.request_parameters", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Lambda Function Invoked by an Unusual Principal", + "new_terms_fields": [ + "cloud.account.id", + "user.name" + ], + "note": "## Triage and analysis\n\n### Investigating AWS Lambda Function Invoked by an Unusual Principal\n\nMost Lambda invocations are driven by event sources (S3, EventBridge, SQS, API Gateway, etc.), which CloudTrail records with `aws.cloudtrail.user_identity.invoked_by` set to the calling service. A principal invoking a function **directly** (via the SDK, CLI, or console) is comparatively rare and, when it comes from an identity that does not normally do so, can indicate lateral movement, credential abuse, or data retrieval from a function. This rule uses a new terms approach to surface the first time a given principal directly invokes a function in an account within the prior 14 days.\n\n### Possible investigation steps\n\n- Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.access_key_id` to identify the actor, and `source.ip` / `user_agent.original` to determine how the call was made.\n- Inspect `aws.cloudtrail.request_parameters` for the `functionName` and map it to its application, owner, and sensitivity.\n- Determine whether the principal is expected to invoke functions directly and whether the activity aligns with an approved operation, test, or deployment.\n- Correlate with recent activity by the same principal or access key, such as credential issuance, role assumption, or other data-plane access, and check whether the credential was recently seen from an unusual source.\n\n### False positive analysis\n\n- Direct invocation is a normal operational and testing activity. Confirm whether the principal is a known operator or automation identity and exclude it on `aws.cloudtrail.user_identity.arn` after validation.\n\n### Response and remediation\n\n- If the invocation is unauthorized, review what the function returns and accesses, and assess data exposure.\n- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `lambda:InvokeFunction` to the identities and services that require it.\n\n### Additional information\n\n- [Invoke API](https://docs.aws.amazon.com/lambda/latest/api/API_Invoke.html)\n- [Logging Lambda data events with CloudTrail](https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html)\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"lambda.amazonaws.com\"\n and event.action: Invoke*\n and event.outcome: \"success\"\n and not aws.cloudtrail.user_identity.invoked_by: *\n and aws.cloudtrail.user_identity.arn: *\n", + "references": [ + "https://docs.aws.amazon.com/lambda/latest/api/API_Invoke.html", + "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.arn", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.invoked_by", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "07cd35a6-c267-4394-a782-6a9428aea9d3", + "setup": "## Setup\n\nThis rule requires AWS Lambda data events to be logged in CloudTrail and ingested via the AWS integration\n(`aws.cloudtrail` data stream). Lambda invocation (`Invoke`) is a data-plane event and is NOT logged by default; enable\ndata event logging for Lambda functions in the trail (optionally scoped to sensitive functions to manage volume).\n", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Lambda", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1648", + "name": "Serverless Execution", + "reference": "https://attack.mitre.org/techniques/T1648/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "07cd35a6-c267-4394-a782-6a9428aea9d3_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c04d82f-6def-4659-aa62-ed6355a51f39_1.json b/packages/security_detection_engine/kibana/security_rule/0c04d82f-6def-4659-aa62-ed6355a51f39_1.json new file mode 100644 index 00000000000..766ca466d27 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0c04d82f-6def-4659-aa62-ed6355a51f39_1.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects successful GKE secret get or list operations where the user agent matches scripting runtimes, minimal HTTP clients, or offensive-distribution fingerprints rather than typical kubectl or controller traffic.", + "false_positives": [ + "Approved scripts, CI jobs, or penetration tests may use generic HTTP clients. Validate tickets and identity scope before treating as compromise." + ], + "index": [ + "logs-gcp.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GKE Secret get or list with Suspicious User Agent", + "note": "## Triage and analysis\n\n### Investigating GKE Secret get or list with Suspicious User Agent\n\nReview `user.email`, `user_agent.original`, targeted secret resource, and `source.ip`.\n\n### Investigation steps\n\n- Confirm whether the identity should access secrets with this client fingerprint.\n- Pivot on source IP for other API bursts, exec, or RBAC changes.\n\n### False positives\n\n- Internal automation using generic libraries; exclude stable service accounts after review.", + "query": "data_stream.dataset:gcp.audit and service.name:\"k8s.io\" and event.outcome:success and\nevent.action:(\"io.k8s.core.v1.secrets.list\" or \"io.k8s.core.v1.secrets.get\") and user_agent.original:(\n curl* or python* or Python* or wget* or Go-http* or perl* or java* or node* or php* or *distrib#kali* or *kali-amd64* or\n *kali-arm64* or Bun* or axios* or undici*\n)\n", + "references": [ + "https://attack.mitre.org/techniques/T1552/007/" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "service.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.original", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0c04d82f-6def-4659-aa62-ed6355a51f39", + "setup": "The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Domain: Kubernetes", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.007", + "name": "Container API", + "reference": "https://attack.mitre.org/techniques/T1552/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "0c04d82f-6def-4659-aa62-ed6355a51f39_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f5d410c-a594-4cdb-8b48-f36a61838d67_1.json b/packages/security_detection_engine/kibana/security_rule/0f5d410c-a594-4cdb-8b48-f36a61838d67_1.json new file mode 100644 index 00000000000..aff3dd7331a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0f5d410c-a594-4cdb-8b48-f36a61838d67_1.json @@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification or removal of an IAM permissions boundary on an IAM user or role. A permissions boundary caps the maximum permissions an identity can have, regardless of its attached identity policies. An adversary who can delete a boundary (\"DeleteUserPermissionsBoundary\", \"DeleteRolePermissionsBoundary\") or replace it with a more permissive one (\"PutUserPermissionsBoundary\", \"PutRolePermissionsBoundary\") can lift that cap and unlock permissions the identity's policies already grant, enabling privilege escalation. Boundary changes are infrequent and usually performed by a small set of administrators or infrastructure-as-code pipelines, so changes by unexpected principals warrant review.", + "false_positives": [ + "Permissions boundaries are managed by identity/platform teams and infrastructure-as-code pipelines as part of normal governance. Verify the principal in `aws.cloudtrail.user_identity.arn`, the targeted user or role, and the boundary policy against approved change records. Known administration roles and deployment automation can be excluded after validation." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.user_identity.session_context.session_issuer.arn", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Permissions Boundary Modified or Removed", + "note": "## Triage and analysis\n\n### Investigating AWS IAM Permissions Boundary Modified or Removed\n\nAn IAM permissions boundary is the maximum set of permissions an identity can ever have \u2014 even if its identity policies grant more, the effective permissions are the intersection of the two. Removing a boundary (`DeleteUserPermissionsBoundary` / `DeleteRolePermissionsBoundary`) or replacing it with a broader one (`PutUserPermissionsBoundary` / `PutRolePermissionsBoundary`) lifts that cap, so any permissions already present in the identity's attached policies immediately take effect. This is a recognized privilege-escalation path: an adversary who can edit a boundary can unlock latent permissions without attaching any new policy.\n\n#### Possible investigation steps\n\n- Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original` to determine how the change was made (console, CLI, SDK, automation).\n- Inspect `aws.cloudtrail.request_parameters` for the targeted `userName`/`roleName` and, for `Put*` operations, the `permissionsBoundary` policy ARN that was applied.\n- Determine the identity's attached identity policies to assess what permissions are now unlocked by the boundary change (the effective blast radius).\n- Confirm whether the change aligns with an approved governance change, onboarding, or deployment.\n- Correlate with recent activity by the same principal, such as policy attachment, access key creation, or role assumption that may indicate an escalation chain.\n\n### False positive analysis\n\n- Identity/platform teams and infrastructure-as-code routinely set and update boundaries. Confirm the change is approved and exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation.\n\n### Response and remediation\n\n- If the change is unauthorized, restore the intended permissions boundary on the affected identity and review what the identity could access while the boundary was relaxed or absent.\n- Rotate or restrict credentials for the principal that made the change if compromise is suspected, and constrain `iam:PutUserPermissionsBoundary`, `iam:PutRolePermissionsBoundary`, `iam:DeleteUserPermissionsBoundary`, and `iam:DeleteRolePermissionsBoundary` to a small set of trusted administrators.\n\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"iam.amazonaws.com\"\n and event.action: (\n \"PutUserPermissionsBoundary\" or\n \"PutRolePermissionsBoundary\" or\n \"DeleteUserPermissionsBoundary\" or\n \"DeleteRolePermissionsBoundary\"\n )\n and event.outcome: \"success\"\n and not aws.cloudtrail.user_identity.type: \"AWSService\"\n and not user_agent.original: (*terraform* or *pulumi* or *ansible*)\n and not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*)\n and not source.as.organization.name: (Amazon* or AMAZON* or Google*)\n and not source.address: (\"cloudformation.amazonaws.com\" or \"servicecatalog.amazonaws.com\")\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html", + "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.arn", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.as.organization.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.original", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0f5d410c-a594-4cdb-8b48-f36a61838d67", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "0f5d410c-a594-4cdb-8b48-f36a61838d67_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ffc3d78-44ce-4a55-b2be-98219e0eed05_1.json b/packages/security_detection_engine/kibana/security_rule/0ffc3d78-44ce-4a55-b2be-98219e0eed05_1.json new file mode 100644 index 00000000000..a3c554d5b81 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0ffc3d78-44ce-4a55-b2be-98219e0eed05_1.json @@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate inbound Windows file sharing (SMB or CIFS) traffic originating from the Internet. SMB should never be directly reachable from the Internet, as it is a primary target for exploitation by threat actors seeking initial access. Inbound SMB from a public IP is a direct precondition for attacks such as EternalBlue (MS17-010) and related SMB remote code execution vulnerabilities.", + "from": "now-9m", + "history_window_start": "now-5d", + "index": [ + "logs-corelight.*", + "logs-network_traffic.*", + "logs-panw.panos*", + "logs-pfsense.log-*", + "logs-zeek.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SMB (Windows File Sharing) Activity from the Internet", + "new_terms_fields": [ + "source.ip" + ], + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating SMB (Windows File Sharing) Activity from the Internet\n\nInbound SMB from a public IP is one of the highest-signal perimeter events observable at a network boundary. SMB (ports 139/445) should never be reachable from the Internet. When it is, it is almost always either a deliberate exposure (misconfiguration) or active exploitation, both of which warrant investigation. Classic attacks in this category include EternalBlue (MS17-010), WannaCry, NotPetya, and subsequent SMB RCE chains.\n\nThis rule uses `new_terms` to suppress repeat scans from the same source, surfacing only the first time each external IP reaches an internal host on SMB ports.\n\n### Possible investigation steps\n\n- Identify the destination IP. Determine whether this host has a legitimate reason to expose SMB to the Internet (nearly always: no). Check whether the port was reachable externally due to a misconfigured NAT rule or security group.\n- Review firewall allow/deny context alongside the alert. If the session was blocked, the immediate risk is lower, but the exposure is still worth addressing.\n- Check the source IP against threat intelligence. Mass-Internet SMB scanning is common and source IPs are frequently tracked in public feeds.\n- Correlate with endpoint telemetry on the destination host: look for process creation events, new services, or lateral movement activity that might indicate exploitation succeeded.\n- Review patch status of the destination host for MS17-010 and subsequent SMB vulnerabilities.\n- Check whether this external IP has been seen targeting other internal hosts or ports in the same timeframe, which would indicate a broader scan or intrusion campaign.\n\n### False positive analysis\n\n- Hosts with public IPs that explicitly expose SMB (rare, but occurs in some lab or legacy setups): this is the intended detection; the exposure is itself the finding. Add a per-host exception only after confirming the exposure is authorized and risk-accepted.\n- Site-to-site VPN or MPLS setups where a remote office segment routes through a public IP and appears as an external source: confirm with network architecture and add the IP range to the exclusion list if legitimate.\n\n### Response and remediation\n\n- If the destination host is reachable from the Internet on port 139 or 445, immediately close the exposure at the firewall or security group level. This is the single most impactful remediation step.\n- Isolate the destination host if any signs of compromise exist (unexpected processes, new scheduled tasks, lateral movement alerts).\n- Patch the host for MS17-010 and related SMB vulnerabilities if not already current.\n- Audit NAT and firewall rules to ensure no other hosts have inadvertent Internet-facing SMB exposure.\n- Review the pfSense / network perimeter ruleset to confirm that inbound TCP 139/445 is explicitly denied at the border.\n\nThis rule requires network flow or firewall log data that captures inbound TCP connections with 5-tuple information (source IP, destination IP, destination port). Compatible data sources include:\n\n- **Elastic Network Traffic** integration (Packetbeat)\n- **Corelight** integration (network and SMB telemetry)\n- **PAN-OS** integration (Palo Alto Networks firewall logs)\n- **pfSense** integration (syslog-based firewall flow logs; requires pfSense syslog forwarding enabled)\n- **Zeek** integration (SMB-specific log types: `smb_cmd`, `smb_files`, `smb_mapping`)\n\nFor pfSense, ensure the firewall logging rules are configured to log connection events and that the Elastic pfSense integration is forwarding logs to the `logs-pfsense.log-*` data stream.", + "query": "(data_stream.dataset:(network_traffic.flow or zeek.smb_cmd or zeek.smb_files or zeek.smb_mapping or pfsense.log) or event.category:(network or network_traffic))\n and network.transport:tcp and destination.port:(139 or 445)\n and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n and not source.ip:(\n 10.0.0.0/8\n or 100.64.0.0/10\n or 127.0.0.0/8\n or 169.254.0.0/16\n or 172.16.0.0/12\n or 192.0.0.0/24\n or 192.0.0.0/29\n or 192.0.0.10/32\n or 192.0.0.170/32\n or 192.0.0.171/32\n or 192.0.0.8/32\n or 192.0.0.9/32\n or 192.0.2.0/24\n or 192.168.0.0/16\n or 192.175.48.0/24\n or 192.31.196.0/24\n or 192.52.193.0/24\n or 192.88.99.0/24\n or 198.18.0.0/15\n or 198.51.100.0/24\n or 203.0.113.0/24\n or 224.0.0.0/4\n or 240.0.0.0/4\n or \"::1\"\n or \"FE80::/10\"\n or \"FF00::/8\"\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0144" + ], + "related_integrations": [ + { + "package": "corelight", + "version": "^1.0.0" + }, + { + "package": "panw", + "version": "^5.0.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + }, + { + "package": "pfsense", + "version": "^1.0.0" + }, + { + "package": "zeek", + "version": "^5.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "0ffc3d78-44ce-4a55-b2be-98219e0eed05", + "setup": "This rule requires network flow or firewall log data that captures inbound TCP connections with 5-tuple information (source IP, destination IP, destination port). Compatible data sources include:\n\nElastic Network Traffic integration (Packetbeat)Corelight integration (network and SMB telemetry)PAN-OS integration (Palo Alto Networks firewall logs)pfSense integration (syslog-based firewall flow logs; requires pfSense syslog forwarding enabled)Zeek integration (SMB-specific log types: `smb_cmd`, `smb_files`, `smb_mapping`)\nFor pfSense, ensure the firewall logging rules are configured to log connection events and that the Elastic pfSense integration is forwarding logs to the `logs-pfsense.log-*` data stream.", + "severity": "high", + "tags": [ + "Tactic: Initial Access", + "Domain: Network", + "Use Case: Threat Detection", + "Data Source: Corelight", + "Data Source: PAN-OS", + "Data Source: Network Traffic", + "Data Source: pfSense", + "Data Source: Zeek", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + }, + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "0ffc3d78-44ce-4a55-b2be-98219e0eed05_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_109.json b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_109.json deleted file mode 100644 index 4868c0a7639..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_109.json +++ /dev/null @@ -1,119 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.", - "false_positives": [ - "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment." - ], - "index": [ - "packetbeat-*", - "filebeat-*", - "logs-network_traffic.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Abnormally Large DNS Response", - "note": "## Triage and analysis\n\n### Investigating Abnormally Large DNS Response\n\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps\n\n- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.\n- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False positive analysis\n\n- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes.\n- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.\n\n### Related rules\n\n- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\n- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a restart. This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n", - "query": "((event.category:(network or network_traffic) and destination.port:53) \n or network.protocol:\"dns\" \n or data_stream.dataset:(network_traffic.dns or zeek.dns))\n and destination.bytes > 60000\n and event.type:(\"allowed\" or \"end\" or \"protocol\" or \"start\")\n", - "references": [ - "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", - "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", - "https://github.com/maxpl0it/CVE-2020-1350-DoS", - "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "data_stream.dataset", - "type": "constant_keyword" - }, - { - "ecs": true, - "name": "destination.bytes", - "type": "long" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.protocol", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "11013227-0301-4a8c-b150-4db924484475", - "severity": "medium", - "tags": [ - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Impact", - "Resources: Investigation Guide", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1210", - "name": "Exploitation of Remote Services", - "reference": "https://attack.mitre.org/techniques/T1210/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1499", - "name": "Endpoint Denial of Service", - "reference": "https://attack.mitre.org/techniques/T1499/", - "subtechnique": [ - { - "id": "T1499.004", - "name": "Application or System Exploitation", - "reference": "https://attack.mitre.org/techniques/T1499/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 109 - }, - "id": "11013227-0301-4a8c-b150-4db924484475_109", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/135abb91-dcf4-48aa-b81a-5ad036b67c68_105.json b/packages/security_detection_engine/kibana/security_rule/135abb91-dcf4-48aa-b81a-5ad036b67c68_105.json deleted file mode 100644 index 5fd222b3a2e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/135abb91-dcf4-48aa-b81a-5ad036b67c68_105.json +++ /dev/null @@ -1,139 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects PAM version discovery activity on Linux systems. PAM version discovery can be an indication of an attacker attempting to backdoor the authentication process through malicious PAM modules.", - "from": "now-9m", - "index": [ - "endgame-*", - "logs-crowdstrike.fdr*", - "logs-endpoint.events.process*", - "logs-sentinel_one_cloud_funnel.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Pluggable Authentication Module (PAM) Version Discovery", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Pluggable Authentication Module (PAM) Version Discovery\n\nPluggable Authentication Modules (PAM) provide a flexible mechanism for authenticating users on Linux systems. Adversaries may exploit PAM by discovering its version to identify vulnerabilities or backdoor the authentication process with malicious modules. The detection rule identifies suspicious processes querying PAM-related packages, indicating potential reconnaissance or tampering attempts, thus alerting security teams to possible threats.\n\n### Possible investigation steps\n\n- Review the process details to confirm the presence of suspicious activity, focusing on processes with names \"dpkg\", \"dpkg-query\", or \"rpm\" and their arguments \"libpam-modules\" or \"pam\".\n- Check the user account associated with the process to determine if it is a legitimate user or potentially compromised.\n- Investigate the parent process to understand the origin of the command execution and assess if it aligns with normal user behavior.\n- Analyze recent login attempts and authentication logs to identify any unusual patterns or failed attempts that may indicate unauthorized access attempts.\n- Correlate this activity with other alerts or logs from the same host to identify if there are additional indicators of compromise or related suspicious activities.\n\n### False positive analysis\n\n- Routine system updates or package management activities may trigger the rule when legitimate processes like dpkg or rpm query PAM-related packages. To manage this, consider creating exceptions for known maintenance windows or trusted administrative scripts.\n- Automated configuration management tools, such as Ansible or Puppet, might execute commands that match the rule's criteria. Identify these tools and exclude their processes from triggering alerts by specifying their execution context.\n- Security compliance checks or vulnerability assessments often involve querying system packages, including PAM. If these are regularly scheduled and verified, whitelist the associated processes to prevent unnecessary alerts.\n- Developers or system administrators testing PAM configurations might inadvertently trigger the rule. Establish a protocol for notifying the security team of such activities in advance, allowing for temporary exceptions during testing periods.\n- Custom scripts used for system monitoring or auditing may include commands that match the rule. Review these scripts and, if deemed safe, add them to an exclusion list to reduce false positives.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.\n- Terminate any suspicious processes identified by the detection rule, specifically those involving 'dpkg', 'dpkg-query', or 'rpm' with arguments related to PAM.\n- Conduct a thorough review of PAM configuration files and modules on the affected system to identify and remove any unauthorized or malicious modifications.\n- Restore any compromised PAM modules from a known good backup to ensure the integrity of the authentication process.\n- Monitor for any additional suspicious activity on the affected system and related systems, focusing on unusual authentication attempts or process executions.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.\n- Implement enhanced monitoring and logging for PAM-related activities across the network to detect similar threats in the future.", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n event.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\") and process.parent.name != null and\n (\n (process.name in (\"dpkg\", \"dpkg-query\") and process.args == \"libpam-modules\") or\n (process.name == \"rpm\" and process.args == \"pam\")\n ) and\nnot process.parent.name in (\"dcservice\", \"inspectorssmplugin\")\n", - "references": [ - "https://www.group-ib.com/blog/pluggable-authentication-module/", - "https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "crowdstrike", - "version": "^2.0.0" - }, - { - "package": "sentinel_one_cloud_funnel", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "135abb91-dcf4-48aa-b81a-5ad036b67c68", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Persistence", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "135abb91-dcf4-48aa-b81a-5ad036b67c68_105", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_109.json b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_109.json deleted file mode 100644 index e218066943a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_109.json +++ /dev/null @@ -1,118 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", - "from": "now-9m", - "index": [ - "packetbeat-*", - "auditbeat-*", - "filebeat-*", - "logs-network_traffic.*", - "logs-panw.panos*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "RPC (Remote Procedure Call) from the Internet", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating RPC (Remote Procedure Call) from the Internet\n\nRPC enables remote management and resource sharing, crucial for system administration. However, when exposed to the Internet, it becomes a target for attackers seeking initial access or backdoor entry. The detection rule identifies suspicious RPC traffic by monitoring TCP port 135 and filtering out internal IP addresses, flagging potential threats from external sources.\n\n### Possible investigation steps\n\n- Review the source IP address of the alert to determine if it is from a known malicious actor or if it has been flagged in previous incidents.\n- Check the destination IP address to confirm it belongs to a critical internal system that should not be exposed to the Internet.\n- Analyze network traffic logs to identify any unusual patterns or volumes of traffic associated with the source IP, focusing on TCP port 135.\n- Investigate any related alerts or logs from the same source IP or destination IP to identify potential patterns or repeated attempts.\n- Assess the potential impact on the affected system by determining if any unauthorized access or changes have occurred.\n- Consult threat intelligence sources to gather additional context on the source IP or any related indicators of compromise.\n\n### False positive analysis\n\n- Internal testing or development environments may generate RPC traffic that appears to originate from external sources. To manage this, add the IP addresses of these environments to the exception list in the detection rule.\n- Legitimate remote management activities by trusted third-party vendors could trigger the rule. Verify the IP addresses of these vendors and include them in the exception list if they are known and authorized.\n- Misconfigured network devices or proxies might route internal RPC traffic through external IP addresses. Review network configurations to ensure proper routing and add any necessary exceptions for known devices.\n- Cloud-based services or applications that use RPC for legitimate purposes might be flagged. Identify these services and adjust the rule to exclude their IP ranges if they are verified as non-threatening.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.\n- Conduct a thorough examination of the system logs and network traffic to identify any unauthorized access or data exfiltration attempts.\n- Apply the latest security patches and updates to the affected system to address any vulnerabilities that may have been exploited.\n- Change all administrative and user credentials on the affected system and any other systems that may have been accessed using the same credentials.\n- Implement network segmentation to limit the exposure of critical systems and services, ensuring that RPC services are not accessible from the Internet.\n- Monitor the network for any signs of re-infection or further suspicious activity, focusing on traffic patterns similar to those identified in the initial alert.\n- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to determine if additional systems are compromised.", - "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n not (event.type: denied or event.action: flow_dropped or event.outcome: failure) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - }, - { - "package": "panw", - "version": "^5.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 73, - "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", - "severity": "high", - "tags": [ - "Tactic: Initial Access", - "Domain: Endpoint", - "Use Case: Threat Detection", - "Data Source: PAN-OS", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1133", - "name": "External Remote Services", - "reference": "https://attack.mitre.org/techniques/T1133/" - }, - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 109 - }, - "id": "143cb236-0956-4f42-a706-814bcaa0cf5a_109", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/156f8c1d-bc54-46c0-a870-04e6a75526a1_1.json b/packages/security_detection_engine/kibana/security_rule/156f8c1d-bc54-46c0-a870-04e6a75526a1_1.json new file mode 100644 index 00000000000..71eb06b967c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/156f8c1d-bc54-46c0-a870-04e6a75526a1_1.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects a potential privilege escalation sequence via a suspicious UID change sequence. This rule checks for non-root execution of a process executable in a user or world-writable directory followed by a UID change event to 0 (root). This sequence is indicative of a potential local privilege escalation exploit.", + "from": "now-6m", + "index": [ + "logs-endpoint.events.process*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via a Suspicious UID Change", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Privilege Escalation via a Suspicious UID Change\n\nThis rule catches a Linux process launched by a non-root user from a user- or world-writable location that soon changes to run as root, a strong sign of local privilege escalation. Attackers often stage an exploit or wrapper in /tmp or /dev/shm, execute it as an ordinary user, and use a vulnerable setuid binary or kernel flaw to flip the process to UID 0 and gain full system control.\n\n### Possible investigation steps\n\n- Reconstruct the full process ancestry and execution context around the UID transition to determine whether it originated from a user shell, script interpreter, scheduled task, container runtime, or another trusted administrative workflow.\n- Inspect the executed file and nearby artifacts in the writable location for creation and modification times, ownership, permissions, package ownership, hashes, and evidence that the binary or script was recently dropped, replaced, or unpacked.\n- Determine how root was obtained by identifying any vulnerable or misconfigured setuid or file-capability helper, writable library or search path abuse, environment variable manipulation, or host exposure to known local privilege escalation vulnerabilities.\n- Review the same user\u2019s and host\u2019s surrounding activity for staging behavior such as downloads, compilation, archive extraction, permission changes, and repeated exploit attempts that can distinguish malicious escalation from benign testing or software installation.\n- Assess post-escalation behavior by looking for root shells, changes to authentication or sudo configuration, persistence creation, security control tampering, sensitive file access, and new outbound network connections to scope impact and prioritize containment.\n\n### False positive analysis\n\n- Developers or administrators may intentionally execute a custom setuid test binary or troubleshooting script from `/home`, `/tmp`, or `/dev/shm` during maintenance, so verify the file owner, creation time, and parent shell session match an authorized user and approved change window.\n- A legitimate install, upgrade, or recovery workflow may unpack files into `/tmp`, `/var/tmp`, or `/run/user` and invoke a helper that transitions to UID 0, so confirm the executable and its parent process are expected for the host and coincide with documented software maintenance activity.\n\n### Response and remediation\n\n- Isolate the affected Linux host from the network while keeping a controlled management channel, then stop the suspicious root process and any child shell or payload launched from writable paths such as `/tmp`, `/dev/shm`, `/var/tmp`, or a user home directory.\n- Remove attacker persistence by deleting the dropped binary or script and reversing malicious changes such as new cron entries, systemd services or timers, modified shell startup files, unauthorized `authorized_keys` entries, unexpected setuid binaries, and altered `/etc/sudoers` or `/etc/passwd`.\n- Preserve and review the malicious file and recent privileged changes across `/etc/shadow`, `/etc/sudoers`, `/root/.ssh/`, loaded kernel modules, and package contents, and escalate immediately to the incident response team if you find a new privileged account, outbound command-and-control traffic, or signs of access to other hosts.\n- Restore the system to a known-good state by reimaging or replacing the host from a trusted baseline, reinstalling only verified software, and applying fixes for the vulnerable kernel, setuid helper, or misconfigured file capability that allowed the UID change.\n- Reset credentials and secrets exposed on the host, including the affected user account, local service accounts, SSH keys, API tokens, and any cached credentials, then review adjacent systems for the same dropped files, persistence artifacts, or root-level changes.\n- Harden the environment by removing unnecessary setuid programs and file capabilities, mounting writable directories with `nosuid` and `noexec` where feasible, tightening sudo access, and maintaining detections for execution from world-writable paths followed by a transition to UID 0.\n", + "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n user.id != \"0\" and process.parent.user.id != \"0\" and process.parent.group.id != \"0\" and\n (\n process.executable like (\".*\", \"/tmp/*\", \"/dev/shm/*\", \"/var/tmp/*\", \"/home/*/*\", \"/run/user/*\", \"/var/run/user/*\") or\n process.parent.executable like (\".*\", \"/tmp/*\", \"/dev/shm/*\", \"/var/tmp/*\", \"/home/*/*\", \"/run/user/*\", \"/var/run/user/*\")\n )]\n [process where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"uid_change\" and\n user.id == \"0\" and process.parent.user.id != \"0\" and process.parent.group.id != \"0\" and\n not process.executable in (\"/usr/bin/sudo\", \"/bin/sudo\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.group.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "156f8c1d-bc54-46c0-a870-04e6a75526a1", + "severity": "high", + "tags": [ + "Data Source: Elastic Defend", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.001", + "name": "Setuid and Setgid", + "reference": "https://attack.mitre.org/techniques/T1548/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "156f8c1d-bc54-46c0-a870-04e6a75526a1_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16708afb-4904-4d3c-af78-63640a075cb0_1.json b/packages/security_detection_engine/kibana/security_rule/16708afb-4904-4d3c-af78-63640a075cb0_1.json new file mode 100644 index 00000000000..313512401a1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16708afb-4904-4d3c-af78-63640a075cb0_1.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects creation or modification of a GKE ClusterRoleBinding that grants the cluster-admin ClusterRole, providing unrestricted cluster access and enabling rapid privilege escalation or persistence.", + "index": [ + "logs-gcp.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GKE Cluster-Admin Role Binding Created or Modified", + "note": "## Triage and analysis\n\n### Investigating GKE Cluster-Admin Role Binding Created or Modified\n\nIdentify who created or changed the binding and which subject received cluster-admin.\n\n### Investigation steps\n\n- Review `user.email`, `source.ip`, and `gcp.audit.request` for the bound subject.\n- Hunt for secret reads, privileged pod creation, or webhook changes from the same actor or new subject.\n\n### False positives\n\n- Bootstrap, recovery, or GitOps workflows may recreate cluster-admin bindings during approved changes.", + "query": "data_stream.dataset:gcp.audit and service.name:\"k8s.io\" and event.outcome:success and\nevent.action:(\n \"io.k8s.authorization.rbac.v1.clusterrolebindings.create\" or\n \"io.k8s.authorization.rbac.v1.clusterrolebindings.patch\" or\n \"io.k8s.authorization.rbac.v1.clusterrolebindings.update\"\n) and gcp.audit.request.kind:\"ClusterRoleBinding\" and\ngcp.audit.resource_name:\"rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin\"\n", + "references": [ + "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", + "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "gcp.audit.request.kind", + "type": "unknown" + }, + { + "ecs": false, + "name": "gcp.audit.resource_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "service.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "16708afb-4904-4d3c-af78-63640a075cb0", + "setup": "The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Kubernetes", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.006", + "name": "Additional Container Cluster Roles", + "reference": "https://attack.mitre.org/techniques/T1098/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.006", + "name": "Additional Container Cluster Roles", + "reference": "https://attack.mitre.org/techniques/T1098/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "16708afb-4904-4d3c-af78-63640a075cb0_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2014ebd8-b847-4cc0-a827-d0d61ec88680_1.json b/packages/security_detection_engine/kibana/security_rule/2014ebd8-b847-4cc0-a827-d0d61ec88680_1.json new file mode 100644 index 00000000000..74890a5809f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2014ebd8-b847-4cc0-a827-d0d61ec88680_1.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies ICMP Redirect messages (type 5 for IPv4, type 137 for IPv6) sourced from an internal IPv4 or IPv6 address. Legitimate redirects are normally sent only by on-path routers. A workstation or server emitting redirects can indicate route manipulation for adversary-in-the-middle activity.", + "from": "now-9m", + "index": [ + "logs-network_traffic.icmp-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "ICMP Redirect Message from Internal Host", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating ICMP Redirect Message from Internal Host\n\nICMP Redirect instructs a host to send traffic for a destination through a different next hop. On most enterprise\nsegments, only infrastructure routers should emit redirects; a user workstation or server doing so is a strong\nadversary-in-the-middle indicator.\n\n### Possible investigation steps\n\n- Identify the redirect source in `source.ip` and locate the asset on the VLAN. Confirm whether it is an authorized\n router or gateway.\n- Review the redirect target and affected destination in ICMP fields and adjacent flow records to see which routes or\n resolvers were being manipulated.\n- Check whether affected clients show DNS, gateway, or VPN routing changes around the alert time.\n- Correlate with DHCP, ARP, or LLMNR/NBT-NS alerts on the same segment for combined MITM activity.\n\n### False positive analysis\n\n- Some legacy network appliances, hypervisor gateways, or misconfigured Linux hosts with IP forwarding enabled may\n emit redirects. Maintain exceptions for known router and gateway IPs after validation.\n- Lab networks that intentionally test route injection should be scoped out by source subnet.\n\n### Response and remediation\n\n- Isolate the emitting host if it is not an authorized router.\n- Disable ICMP redirect acceptance on affected clients where policy allows, and block redirect-generating hosts at the\n access layer.\n- Review segment routing, default gateways, and DHCP options for unauthorized changes.", + "query": "data_stream.dataset:network_traffic.icmp\n and (network_traffic.icmp.request.type:(5 or 137) or icmp.request.type:(5 or 137))\n and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FC00::/7\" or \"FE80::/10\")\n", + "references": [ + "https://www.rfc-editor.org/rfc/rfc792", + "https://www.rfc-editor.org/rfc/rfc4443", + "https://zimperium.com/blog/doubledirect-zimperium-discovers-full-duplex-icmp-redirect-attacks-in-the-wild" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": false, + "name": "icmp.request.type", + "type": "integer" + }, + { + "ecs": false, + "name": "network_traffic.icmp.request.type", + "type": "integer" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "2014ebd8-b847-4cc0-a827-d0d61ec88680", + "setup": "## Setup\n\nThis rule requires ICMP transaction telemetry from the Elastic network_traffic integration (`network_traffic.icmp`\ndata stream). Flow-only exporters that do not record ICMP type/code will not satisfy this rule.\n", + "severity": "high", + "tags": [ + "Domain: Network", + "Tactic: Credential Access", + "Use Case: Threat Detection", + "Use Case: Network Security Monitoring", + "Data Source: Network Traffic", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1557", + "name": "Adversary-in-the-Middle", + "reference": "https://attack.mitre.org/techniques/T1557/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "2014ebd8-b847-4cc0-a827-d0d61ec88680_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_9.json b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_9.json deleted file mode 100644 index 6077f00f1aa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_9.json +++ /dev/null @@ -1,122 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.", - "false_positives": [ - "Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks." - ], - "from": "now-130m", - "history_window_start": "now-15d", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", - "new_terms_fields": [ - "google_workspace.token.client.id" - ], - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating First Time Seen Google Workspace OAuth Login from Third-Party Application\n\nOAuth is a protocol that allows third-party applications to access user data without exposing credentials, enhancing security in Google Workspace. However, adversaries can exploit OAuth by using compromised credentials to gain unauthorized access, mimicking legitimate users. The detection rule identifies unusual OAuth logins by monitoring authorization events linked to new third-party applications, flagging potential misuse for further investigation.\n\n### Possible investigation steps\n\n- Review the event details to identify the specific third-party application involved by examining the google_workspace.token.client.id field.\n- Check the google_workspace.token.scope.data field to understand the scope of permissions granted to the third-party application and assess if they align with expected usage.\n- Investigate the user account associated with the OAuth authorization event to determine if there are any signs of compromise or unusual activity.\n- Correlate the timestamp of the OAuth login event with other security logs to identify any concurrent suspicious activities or anomalies.\n- Verify if the third-party application is known and authorized within the organization by consulting with relevant stakeholders or reviewing application whitelists.\n- Assess the risk and impact of the OAuth login by considering the privileges of the user account and the sensitivity of the accessed resources.\n\n### False positive analysis\n\n- New legitimate third-party applications: Users may frequently integrate new third-party applications for productivity or collaboration. To manage this, maintain a whitelist of known and trusted applications and exclude them from triggering alerts.\n- Regular updates to existing applications: Some applications may update their OAuth client IDs during version upgrades. Monitor application update logs and adjust the detection rule to exclude these known updates.\n- Internal development and testing: Organizations developing their own applications may trigger this rule during testing phases. Coordinate with development teams to identify and exclude these internal applications from alerts.\n- Frequent use of service accounts: Service accounts used for automation or integration purposes might appear as new logins. Document and exclude these service accounts from the detection rule to prevent false positives.\n\n### Response and remediation\n\n- Immediately revoke the OAuth token associated with the suspicious third-party application to prevent further unauthorized access.\n- Conduct a thorough review of the affected user's account activity to identify any unauthorized actions or data access that may have occurred.\n- Reset the credentials of the affected user and any other users who may have been compromised, ensuring that strong, unique passwords are used.\n- Notify the affected user and relevant stakeholders about the incident, providing guidance on recognizing phishing attempts and securing their accounts.\n- Implement additional monitoring for the affected user and similar OAuth authorization events to detect any further suspicious activity.\n- Escalate the incident to the security operations team for a deeper investigation into potential lateral movement or data exfiltration.\n- Review and update OAuth application permissions and policies to ensure that only trusted applications have access to sensitive data and services.\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset: \"google_workspace.token\" and event.action: \"authorize\" and\ngoogle_workspace.token.scope.data: *Login and google_workspace.token.client.id: *apps.googleusercontent.com\n", - "references": [ - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two", - "https://developers.google.com/apps-script/guides/bound", - "https://developers.google.com/identity/protocols/oauth2" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.token.client.id", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.token.scope.data", - "type": "flattened" - } - ], - "risk_score": 47, - "rule_id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Tactic: Defense Evasion", - "Tactic: Initial Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1550", - "name": "Use Alternate Authentication Material", - "reference": "https://attack.mitre.org/techniques/T1550/", - "subtechnique": [ - { - "id": "T1550.001", - "name": "Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1550/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.004", - "name": "Cloud Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 9 - }, - "id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc_9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2302fb59-5201-46ec-b433-6044adb37b0b_1.json b/packages/security_detection_engine/kibana/security_rule/2302fb59-5201-46ec-b433-6044adb37b0b_1.json new file mode 100644 index 00000000000..b2bf3a6fda7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2302fb59-5201-46ec-b433-6044adb37b0b_1.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects GKE service account or node identities invoking self-subject access or rules review APIs. Non-human identities rarely enumerate their own permissions outside known controllers; this can indicate stolen tokens probing effective RBAC.", + "false_positives": [ + "Some controllers and admin impersonation workflows legitimately submit self-subject reviews. Excluded identities include common Argo and Datadog service accounts." + ], + "index": [ + "logs-gcp.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GKE Suspicious Self-Subject Review via Service Account", + "note": "## Triage and analysis\n\n### Investigating GKE Suspicious Self-Subject Review via Service Account\n\nReview the calling service account or node identity and subsequent API activity.\n\n### Investigation steps\n\n- Confirm `user.email` and `event.action` (selfsubjectaccessreviews or selfsubjectrulesreviews).\n- Correlate with denied requests, secret access, or RBAC changes from the same identity.\n\n### False positives\n\n- Known observability or workflow controllers; extend exclusions if needed.", + "query": "data_stream.dataset:gcp.audit and service.name:k8s.io and event.action:(io.k8s.authorization.v1.selfsubjectaccessreviews.create or io.k8s.authorization.v1.selfsubjectrulesreviews.create) and user.email:((system\\:node\\:* or system\\:serviceaccount\\:*) and not (\"system:serviceaccount:default:argo-argo-workflows-server\" or \"system:serviceaccount:default:argo-argo-workflows-workflow-controller\" or system\\:serviceaccount\\:*\\:datadog-kube-state-metrics))\n", + "references": [ + "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "service.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.email", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2302fb59-5201-46ec-b433-6044adb37b0b", + "setup": "The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Domain: Kubernetes", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.003", + "name": "Cloud Groups", + "reference": "https://attack.mitre.org/techniques/T1069/003/" + } + ] + }, + { + "id": "T1613", + "name": "Container and Resource Discovery", + "reference": "https://attack.mitre.org/techniques/T1613/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "2302fb59-5201-46ec-b433-6044adb37b0b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_214.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_214.json deleted file mode 100644 index 2e033d0ac6c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_214.json +++ /dev/null @@ -1,110 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "endgame-*", - "logs-auditd_manager.auditd-*", - "logs-endpoint.events.process*", - "logs-sentinel_one_cloud_funnel.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Kernel Module Load via insmod", - "note": "## Triage and analysis\n\n### Investigating Kernel module load via insmod\n\nThe insmod binary is a Linux utility that allows users with root privileges to load kernel modules, which are object files that extend the functionality of the kernel. \n\nThreat actors can abuse this utility to load rootkits, granting them full control over the system and the ability to evade security products.\n\nThe detection rule 'Kernel module load via insmod' is designed to identify instances where the insmod binary is used to load a kernel object file (with a .ko extension) on a Linux system. This activity is uncommon and may indicate suspicious or malicious behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the kernel object file that was loaded via insmod.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n- Investigate the kernel ring buffer for any warnings or messages, such as tainted or out-of-tree kernel module loads through `dmesg`.\n- Investigate syslog for any unusual segfaults or other messages. Rootkits may be installed on targets with different architecture as expected, and could potentially cause segmentation faults. \n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - $osquery_6\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Kernel Driver Load - 3e12a439-d002-4944-bc42-171c0dcb9b96\n- Tainted Out-Of-Tree Kernel Module Load - 51a09737-80f7-4551-a3be-dac8ef5d181a\n- Tainted Kernel Module Load - 05cad2fb-200c-407f-b472-02ea8c9e5e4a\n- Attempt to Clear Kernel Ring Buffer - 2724808c-ba5d-48b2-86d2-0002103df753\n- Enumeration of Kernel Modules via Proc - 80084fa9-8677-4453-8680-b891d3c0c778\n- Suspicious Modprobe File Event - 40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\n- Kernel Module Removal - cd66a5af-e34b-4bb0-8931-57d0a043f2ef\n- Enumeration of Kernel Modules - 2d8043ed-5bda-4caf-801c-c1feb7410504\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"insmod\" and process.args : \"*.ko\" and\nnot process.parent.executable like (\n \"/opt/ds_agent/*\", \"/usr/sbin/veeamsnap-loader\", \"/opt/TrendMicro/vls_agent/*\", \"/opt/intel/oneapi/*\",\n \"/opt/commvault/Base/linux_drv\", \"/bin/falcoctl\"\n)\n", - "references": [ - "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "auditd_manager", - "version": "^1.0.0" - }, - { - "package": "sentinel_one_cloud_funnel", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2339f03c-f53f-40fa-834b-40c5983fc41f", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Rootkit", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", - "Data Source: SentinelOne", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.006", - "name": "Kernel Modules and Extensions", - "reference": "https://attack.mitre.org/techniques/T1547/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 214 - }, - "id": "2339f03c-f53f-40fa-834b-40c5983fc41f_214", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_13.json b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_13.json new file mode 100644 index 00000000000..65355be3632 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_13.json @@ -0,0 +1,146 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "host.id", + "user.id", + "process.entity_id", + "process.pid", + "process.executable", + "process.command_line", + "process.Ext.token.integrity_level_name", + "process.Ext.token.elevation_level", + "process.parent.pid", + "process.parent.Ext.real.pid", + "process.parent.executable", + "process.hash.sha256", + "process.code_signature.trusted", + "process.code_signature.subject_name" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "Privileges Elevation via Parent Process PID Spoofing", + "note": "## Triage and analysis\n\n### Investigating Privileges Elevation via Parent Process PID Spoofing\n\n#### Possible investigation steps\n\n- Does the alert show a SYSTEM child with a spoofed parent relationship?\n - Focus: `user.id`, token integrity, `process.parent.pid`, `process.parent.Ext.real.pid`, and `process.parent.executable`.\n - Implication: escalate when a SYSTEM child has a nonzero real-creator PID that differs from the reported parent, especially when that parent gives trusted system, service, or desktop cover; treat a recognized broker or authorized test as only a candidate benign path until creator and child intent are checked.\n - Why: PPID spoofing can make process-tree views show the selected parent instead of the process that requested creation.\n- Which process actually requested the spoofed launch?\n - Focus: recovered creator for `process.parent.Ext.real.pid`: `process.entity_id`, `process.executable`, `process.command_line`, signer, and trust state.\n - Implication: escalate when the creator is unsigned, user-writable, a shell or script launcher, or unrelated to the reported parent; lower suspicion only for a stable signed vendor, update, accessibility, audit, or test component tied to the same workflow.\n - Why: the Windows parent-process attribute can select a parent handle, so the recovered creator is the actor path the visible parent may hide.\n - Hint: search the same `host.id` around `@timestamp` for `process.pid` = `process.parent.Ext.real.pid`; keep PID windows tight because PIDs are reused. !{investigate{\"description\":\"\",\"label\":\"Real creator process event\",\"providers\":[[{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"process\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.pid\",\"queryType\":\"phrase\",\"value\":\"{{process.parent.Ext.real.pid}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-15m\",\"relativeTo\":\"now\"}}\n- Does the SYSTEM child identity and command line fit the recovered creator workflow?\n - Focus: `process.executable`, `process.command_line`, `process.pe.original_file_name`, signer, and trust state.\n - Implication: escalate when the child is a shell, script host, renamed binary, user-writable executable, unsigned or untrusted, or has commands that do not belong to the recovered creator; trusted signing reduces identity concern but does not clear PPID spoofing without launch-context fit.\n- Did the spoofed SYSTEM child launch follow-on activity?\n - Focus: child process events from `process.entity_id`, reviewing `process.executable`, `process.command_line`, and `user.id`. !{investigate{\"description\":\"\",\"label\":\"Descendant process events for the spoofed child\",\"providers\":[[{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"process\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.parent.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-1h\",\"relativeTo\":\"now\"}}\n - Implication: escalate when it spawns shells, scripting, credential, service, or lateral-movement tooling under SYSTEM; no descendants lowers immediate impact but does not clear a suspicious creator or child identity.\n - Hint: if `process.entity_id` is unavailable, fall back to `host.id`, `process.pid`, and a tight alert-time window.\n- If escalation is likely, what is the immediate scope?\n - Focus: prior process alerts for `host.id` and `user.id` with matching child executable or hash, reported parent, and real-creator PID.\n - !{investigate{\"description\":\"\",\"label\":\"Alerts associated with the host\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"description\":\"\",\"label\":\"Alerts associated with the user\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - Implication: expand containment and scoping when the same child or creator appears on other hosts or unrelated users; keep scope local when the tuple is isolated and no descendant activity contradicts it. Do not use recurrence alone to close.\n - Range: use a lookback that fits endpoint retention.\n\nDisposition: escalate when PPID spoofing to SYSTEM has an unrecognized creator, suspicious child, misleading parent, SYSTEM follow-on activity, or cross-host scope. Close only when alert and recovered telemetry tie the event to one exact recognized broker or authorized test and no descendant evidence contradicts it; preserve evidence and escalate when recovery is incomplete or evidence conflicts.\n\n### False positive analysis\n\n- Signed broker cases require the exact telemetry tuple: child path, signer, and command; reported parent path; recovered creator path, signer, and command; and host/user cohort. Authorized PPID-spoofing tests require exact host, time, tester, test binary, parent PID, real creator PID, and child command line. Without that tie to one product or test, treat as suspicious because the rule already filters common Windows Error Reporting, update, accessibility, remote-support, and Netwrix patterns.\n- Build exceptions only from the minimum confirmed tuple: `process.hash.sha256` or `process.code_signature.thumbprint_sha256`, `process.executable`, `process.parent.executable`, recovered creator identity, `host.id` or managed host group, and the test or product command pattern. Avoid exceptions on `process.name`, `process.parent.name`, or signer alone.\n\n### Response and remediation\n\n- If confirmed benign: document the exact child, reported parent, real creator, signer, command line, host, and user evidence that proved the workflow; reverse any temporary containment and create only a narrow exception for the same tuple.\n- If suspicious but unconfirmed: preserve the alert, process event, recovered creator and descendant process records, process entity IDs and PIDs, command lines, hashes, signers, and current process state before containment. Use reversible containment such as host isolation or temporary policy controls based on host criticality; avoid killing the child or creator until evidence is preserved.\n- If confirmed malicious: isolate the affected host when identity, lineage, or descendant evidence shows unauthorized SYSTEM execution. Before termination, record `process.entity_id`, `process.parent.Ext.real.pid`, `process.command_line`, and `process.hash.sha256`; then terminate malicious child or descendant processes and remove only the binaries, scripts, services, or persistence found during follow-on investigation.\n- Reset or rotate credentials only for accounts, services, or remote-access paths whose misuse is confirmed by additional evidence. Do not treat SYSTEM context alone as proof that a named user credential was compromised.\n- Post-incident hardening: restrict administrative paths that can obtain parent-process creation privileges, review who can run PPID-spoofing test tools, and document the confirmed tuple or malicious artifact set so future analysts can separate repeated product behavior from repeated abuse.", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid > 0 and process.parent.executable != null and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n /* Logon Utilities */\n not (process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.executable : (\"?:\\\\Windows\\\\System32\\\\osk.exe\",\n \"?:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"?:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"?:\\\\Windows\\\\System32\\\\VoiceAccess.exe\")) and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true) and\n\n /* AM_Delta_Patch Windows Update */\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\MpSigStub.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\MpSigStub.exe\") and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\wuauclt.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wuauclt.exe\",\n \"?:\\\\Windows\\\\UUS\\\\Packages\\\\Preview\\\\*\\\\wuaucltcore.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuauclt.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuaucltcore.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\*\\\\wuaucltcore.exe\")) and\n\n /* Other third party SW */\n not process.parent.executable :\n (\"?:\\\\Program Files (x86)\\\\HEAT Software\\\\HEAT Remote\\\\HEATRemoteServer.exe\",\n \"?:\\\\Program Files (x86)\\\\VisualCron\\\\VisualCronService.exe\",\n \"?:\\\\Program Files\\\\BinaryDefense\\\\Vision\\\\Agent\\\\bds-vision-agent-app.exe\",\n \"?:\\\\Program Files\\\\Tablet\\\\Wacom\\\\WacomHost.exe\",\n \"?:\\\\Program Files (x86)\\\\LogMeIn\\\\x64\\\\LogMeIn.exe\",\n \"?:\\\\Program Files (x86)\\\\EMC Captiva\\\\Captiva Cloud Runtime\\\\Emc.Captiva.WebCaptureRunner.exe\",\n \"?:\\\\Program Files\\\\Freedom Scientific\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome Remote Desktop\\\\*\\\\remoting_host.exe\",\n \"?:\\\\Program Files (x86)\\\\GoToAssist Remote Support Customer\\\\*\\\\g2ax_comm_customer.exe\") and\n not (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Netwrix Corporation\" and\n process.name : (\"adcrcpy.exe\", \"addumpcaller.exe\") and process.parent.name : (\n \"Netwrix.ADA.EventCollector.exe\",\n \"Netwrix.ADA.Analyzer.exe\"\n )\n )\n", + "references": [ + "https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6", + "https://blog.didierstevens.com/2017/03/20/that-is-not-my-child-process/", + "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.parent.Ext.real.pid", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "26b01043-4f04-4d2f-882a-5a1d2e95751b", + "setup": "## Setup\n\nThis rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.\n\nSetup instructions: https://ela.st/install-elastic-defend\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + }, + { + "id": "T1134.004", + "name": "Parent PID Spoofing", + "reference": "https://attack.mitre.org/techniques/T1134/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 13 + }, + "id": "26b01043-4f04-4d2f-882a-5a1d2e95751b_13", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/283f6c2a-9811-4239-9a40-52b066c67f99_1.json b/packages/security_detection_engine/kibana/security_rule/283f6c2a-9811-4239-9a40-52b066c67f99_1.json new file mode 100644 index 00000000000..bc1edd9c0ad --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/283f6c2a-9811-4239-9a40-52b066c67f99_1.json @@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies deletion of the AWS account password policy via DeleteAccountPasswordPolicy. The account password policy enforces minimum password requirements (length, complexity, rotation, and reuse) for all IAM users in the account. Deleting it removes those requirements account-wide, weakening authentication and easing follow-on credential-based attacks. This is an account-level change that legitimately occurs only during deliberate administration, so its deletion by an unexpected principal warrants review.", + "false_positives": [ + "Identity and platform teams or infrastructure-as-code may delete or replace the account password policy during governance changes. Verify the principal in `aws.cloudtrail.user_identity.arn` against approved change records, and confirm whether a replacement policy was applied shortly after. Known administration roles and automation can be excluded after validation." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.user_identity.session_context.session_issuer.arn", + "aws.cloudtrail.request_parameters", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Account Password Policy Deleted", + "note": "## Triage and analysis\n\n### Investigating AWS IAM Account Password Policy Deleted\n\nThe account password policy is an account-wide control that sets minimum password length, character complexity, maximum age, and reuse-prevention for all IAM users. `DeleteAccountPasswordPolicy` removes it entirely, reverting the account to no enforced password requirements \u2014 which weakens authentication and can facilitate credential attacks or mask weak credentials created later. Because this is a single, account-level, high-impact change, it should be deliberate and rare.\n\n### Possible investigation steps\n\n- Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original`.\n- Determine whether a replacement policy was set shortly after (`UpdateAccountPasswordPolicy`) or whether the account was left with no policy.\n- Confirm whether the change aligns with an approved governance change.\n- Correlate with recent activity by the same principal, such as creation of IAM users or login profiles, or other defense-evasion actions (CloudTrail/logging changes) that may indicate a broader effort to weaken controls.\n\n### False positive analysis\n\n- Approved governance or infrastructure-as-code may delete/replace the policy. Confirm the change is expected and exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation.\n- Note: AWS GuardDuty also surfaces account password policy changes via `Stealth:IAMUser/PasswordPolicyChange`; correlate if GuardDuty is enabled.\n\n### Response and remediation\n\n- If the deletion is unauthorized, restore an appropriate account password policy (`UpdateAccountPasswordPolicy`) that meets your organization's standards, and review any IAM users or login profiles created while no policy was enforced.\n- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `iam:DeleteAccountPasswordPolicy` and `iam:UpdateAccountPasswordPolicy` to a small set of trusted administrators.\n\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"iam.amazonaws.com\"\n and event.action: \"DeleteAccountPasswordPolicy\"\n and event.outcome: \"success\"\n and not aws.cloudtrail.user_identity.type: \"AWSService\"\n and not user_agent.original: (*terraform* or *pulumi* or *ansible*)\n and not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*)\n and not source.address: (\"cloudformation.amazonaws.com\" or \"servicecatalog.amazonaws.com\")\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccountPasswordPolicy.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.arn", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.original", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "283f6c2a-9811-4239-9a40-52b066c67f99", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "283f6c2a-9811-4239-9a40-52b066c67f99_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2a7823db-0bc2-48f6-aa2f-e6aef233c6dc_1.json b/packages/security_detection_engine/kibana/security_rule/2a7823db-0bc2-48f6-aa2f-e6aef233c6dc_1.json new file mode 100644 index 00000000000..19952a75084 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2a7823db-0bc2-48f6-aa2f-e6aef233c6dc_1.json @@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects CVE-2026-20253 exploit artifacts against the Splunk Enterprise PostgreSQL sidecar recovery endpoints via complementary signals. Where endpoint or Network Packet Capture request-body logging is available, the rule matches PostgreSQL connection-string injection keywords, suspicious `backupFile` destinations, and known filesystem artifacts used to pivot from backup/restore primitives to file write or RCE. It also detects vulnerable recovery endpoint probing and empty-password Basic auth credentials observed in public exploit tooling.", + "false_positives": [ + "Authorized red-team or penetration testing tooling exercising the CVE-2026-20253 exploit chain. Legitimate Splunk user activity should not produce PostgreSQL connection-string keywords, suspicious filesystem targets, empty Basic auth credentials, or unauthenticated 400 responses on the recovery endpoints." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.network*", + "logs-network_traffic.http*", + "logs-zeek.http*", + "logs-suricata.eve*", + "logs-azure.application_gateway*", + "logs-gcp.loadbalancing_logs*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Splunk Enterprise PostgreSQL Recovery Endpoint Injection Artifacts", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Splunk Enterprise PostgreSQL Recovery Endpoint Injection Artifacts\n\nThis rule fires on distinct signals from the CVE-2026-20253 exploit chain and closely related recovery endpoint abuse:\n\n**Body injection** (endpoint/WAF/proxy sources): A POST to the recovery endpoints with a body\ncontaining PostgreSQL connection-string keywords (`hostaddr=`, `host=`, `port=`, `passfile=`,\n`dbname=`, `user=`, `password=`, `sslmode=`, or `service=`), `backupFile` path traversal, suspicious\nabsolute destinations (`/tmp/`, `/var/tmp/`, `/dev/shm/`, `/opt/splunk/etc/apps/`, cron paths, or SSH\nauthorized keys), or known filesystem artifacts (`.pgpass`, `/opt/splunk/etc/apps/`). The `database`\nJSON field is passed directly to `pg_dump` or `pg_restore` as a connection string, so\nattacker-supplied keywords override the hardcoded local configuration. The `backupFile` parameter\ncontrols the dump file path, enabling arbitrary file placement.\n\n**Auth credential artifact** (Zeek sources): A POST to the recovery endpoints with an empty password\nin the HTTP Basic auth header (`url.password : \"\"`). The exploit passes the Basic auth username\ndirectly to `pg_dump` or `pg_restore` as a PostgreSQL username \u2014 any value works, so this branch does\nnot filter on specific usernames.\n\n**Vulnerable endpoint probing**: A POST to `/v1/postgres/recovery/backup` or\n`/v1/postgres/recovery/restore` returning HTTP 400. Public probes use this response distinction because\nvulnerable handlers parse the request and return 400, while patched or protected paths return 401.\n\n### Possible investigation steps\n\n- Check `http.response.status_code`. A `400` indicates the request reached the vulnerable sidecar\n handler; a `401` indicates access was blocked or the host is patched. A `400` on the backup or\n restore path is consistent with probing, and a `400` with injection content in the body is a\n high-confidence indicator of active exploitation.\n- Identify which injection artifact triggered the rule:\n - `hostaddr=` or `host=` in `database` \u2192 server-side database pivot; check for outbound connections\n from the Splunk host to port 5432 or the attacker-supplied `port=` value.\n - `port=`, `user=`, `password=`, `sslmode=`, or `service=` in `database` \u2192 generic libpq connection\n string smuggling; review the full body for remote database or credential manipulation.\n - `passfile=/opt/splunk/var/packages/data/postgres/.pgpass` \u2192 local PostgreSQL credential reuse;\n this exact string is the public restore-chain artifact from watchTowr.\n - `backupFile` with `../` traversal or suspicious absolute paths (`/tmp/`, `/var/tmp/`, `/dev/shm/`,\n `/opt/splunk/etc/apps/`, cron paths, or SSH authorized keys) \u2192 arbitrary file placement; check for\n new or modified files at those paths.\n - `dbname=template1` with `passfile=` \u2192 the published two-stage restore payload.\n- Correlate with host telemetry: new files under `/opt/splunk/etc/apps/`, `/opt/splunk/var/packages/`,\n or `/tmp/` created around the request time.\n- Check for outbound PostgreSQL connections from the Splunk host following any `hostaddr=` or `host=`\n injection (see companion rule \"Splunk Enterprise PostgreSQL Backup-to-Restore Potential RCE Sequence\").\n- Verify whether the target Splunk host is running an affected version (10.0.0-10.0.6 or\n 10.2.0-10.2.3). Splunk Enterprise 10.4 and Splunk Cloud are not affected.\n\n### False positive analysis\n\n- No legitimate Splunk user workflow sends PostgreSQL connection-string keywords or filesystem paths\n to these recovery endpoints. This rule has very low false positive potential when the path filter\n is in scope.\n\n### Response and remediation\n\n- Any confirmed body injection on the recovery endpoints should be treated as active exploitation.\n Isolate the Splunk host immediately and preserve forensic state.\n- Check for files placed by `backupFile` traversal and SQL objects loaded by the restore step.\n- Patch Splunk Enterprise to an unaffected version. There is no vendor-provided workaround for\n CVE-2026-20253.\n", + "query": "http.request.method:POST and\nurl.path:(\"*splunkd/__raw/v1/postgres/recovery/*\" or \"/v1/postgres/recovery/*\") and\n(\n http.request.body.content:(\n \"*\\\"backupFile\\\"*../*\" or\n \"*\\\"backupFile\\\"*/dev/shm/*\" or\n \"*\\\"backupFile\\\"*/etc/cron*\" or\n \"*\\\"backupFile\\\"*/home/*/.ssh/*\" or\n \"*\\\"backupFile\\\"*/opt/splunk/bin/scripts/*\" or\n \"*\\\"backupFile\\\"*/opt/splunk/etc/apps/*\" or\n \"*\\\"backupFile\\\"*/root/*\" or\n \"*\\\"backupFile\\\"*/tmp/*\" or\n \"*\\\"backupFile\\\"*/var/tmp/*\" or\n \"*\\\"backupFile\\\"*authorized_keys*\" or\n \"*\\\"database\\\"*dbname=*\" or\n \"*\\\"database\\\"*host=*\" or\n \"*\\\"database\\\"*hostaddr=*\" or\n \"*\\\"database\\\"*passfile=*\" or\n \"*\\\"database\\\"*password=*\" or\n \"*\\\"database\\\"*port=*\" or\n \"*\\\"database\\\"*service=*\" or\n \"*\\\"database\\\"*sslmode=*\" or\n \"*\\\"database\\\"*user=*\" or\n \"*/opt/splunk/etc/apps/*\" or\n \"*/opt/splunk/var/packages/data/postgres/.pgpass*\"\n ) or\n data_stream.dataset:zeek.http and url.password:\"\" or\n data_stream.dataset:(azure.application_gateway or gcp.loadbalancing_logs or network_traffic.http or suricata.eve or zeek.http) and\n url.path:(\n \"*splunkd/__raw/v1/postgres/recovery/backup\" or\n \"*splunkd/__raw/v1/postgres/recovery/restore\" or\n /v1/postgres/recovery/backup or\n /v1/postgres/recovery/restore\n ) and\n http.response.status_code:400\n)\n", + "references": [ + "https://nvd.nist.gov/vuln/detail/CVE-2026-20253", + "https://advisory.splunk.com/advisories/SVD-2026-0603", + "https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce/", + "https://attack.mitre.org/techniques/T1190/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "integration": "application_gateway", + "package": "azure", + "version": "^1.5.0" + }, + { + "package": "gcp", + "version": "^2.6.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + }, + { + "package": "suricata", + "version": "^2.0.0" + }, + { + "package": "zeek", + "version": "^5.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "http.request.body.content", + "type": "wildcard" + }, + { + "ecs": true, + "name": "http.request.method", + "type": "keyword" + }, + { + "ecs": true, + "name": "http.response.status_code", + "type": "long" + }, + { + "ecs": true, + "name": "url.password", + "type": "keyword" + }, + { + "ecs": true, + "name": "url.path", + "type": "wildcard" + } + ], + "risk_score": 73, + "rule_id": "2a7823db-0bc2-48f6-aa2f-e6aef233c6dc", + "setup": "## Setup\n\nThis rule covers two detection paths with different telemetry requirements:\n\n**Body injection branch** (`http.request.body.content`): Populated by:\n- Elastic Defend (`logs-endpoint.events.network*`) on the Splunk host, capturing HTTP network\n events at the endpoint level\n- Network Packet Capture (`logs-network_traffic.http*`) with HTTP body capture enabled for the\n Splunk recovery paths\n\nAvoid enabling broad request-body logging without masking or filtering \u2014 bodies can contain\ncredentials and PII. Scope capture to specific URL paths (e.g., `*/splunkd/*`) where possible.\n\n**Auth artifact branch** (`url.password`, `url.username`): Populated by:\n- Zeek (`logs-zeek.http*`) - parses HTTP Basic auth headers natively, no additional configuration\n\n**Vulnerable endpoint probing branch** (`http.response.status_code`): Populated by Network Packet\nCapture, Zeek, Suricata, Azure Application Gateway, and GCP Load Balancing where HTTP response\nmetadata is visible to the sensor.\n\nSplunk Web listens on TCP port 8000 by default (`web.conf` `httpport`), which is included in the\ndefault Network Packet Capture/Packetbeat HTTP port list. Add any custom Splunk Web `httpport` value\nto the HTTP protocol configuration. Splunk's management service defaults to TCP port 8089\n(`mgmtHostPort`) and commonly uses TLS; add 8089 only if management/API traffic is directly exposed or\nvisible to the sensor after decryption. If the PostgreSQL sidecar is directly exposed or monitored\nlocally on TCP port 5435, add port 5435 as an HTTP port as well. Zeek and Suricata can identify\nplaintext HTTP on non-standard ports through protocol detection when their HTTP analyzers are enabled.\nFor TLS deployments, the sensor must observe decrypted HTTP, sit downstream of TLS termination, or use\nproxy or load balancer logs that expose the HTTP path, method, and status code. Body-content detection\nstill requires request-body capture for the Splunk recovery paths.\n\nUse the companion rule \"Splunk Enterprise PostgreSQL Backup-to-Restore Potential RCE Sequence\" for detections that work without\nrequest-body capture or auth header logging.\n", + "severity": "high", + "tags": [ + "Domain: Network", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Use Case: Network Security Monitoring", + "Tactic: Initial Access", + "Data Source: Azure", + "Data Source: Elastic Defend", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Data Source: Network Packet Capture", + "Data Source: Network Traffic", + "Data Source: Zeek", + "Data Source: Suricata", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "2a7823db-0bc2-48f6-aa2f-e6aef233c6dc_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_108.json b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_108.json deleted file mode 100644 index 98175da51a8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_108.json +++ /dev/null @@ -1,121 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", - "from": "now-9m", - "index": [ - "packetbeat-*", - "auditbeat-*", - "filebeat-*", - "logs-network_traffic.*", - "logs-panw.panos*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "RPC (Remote Procedure Call) to the Internet", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating RPC (Remote Procedure Call) to the Internet\n\nRPC enables remote management and resource sharing across networks, crucial for system administration. However, when exposed to the Internet, it becomes a target for attackers seeking initial access or backdoor entry. The detection rule identifies suspicious RPC traffic from internal IPs to external networks, flagging potential exploitation attempts by monitoring specific ports and IP ranges.\n\n### Possible investigation steps\n\n- Review the source IP address from the alert to identify the internal system initiating the RPC traffic. Check if this IP belongs to a known or authorized device within the network.\n- Examine the destination IP address to determine if it is a known or suspicious external entity. Use threat intelligence sources to assess if the IP has been associated with malicious activity.\n- Analyze the network traffic logs for the specific event.dataset values (network_traffic.flow or zeek.dce_rpc) to gather more context about the nature and volume of the RPC traffic.\n- Investigate the destination port, specifically port 135, to confirm if the traffic is indeed RPC-related and assess if there are any legitimate reasons for this communication.\n- Check for any recent changes or anomalies in the network configuration or system settings of the source IP that might explain the unexpected RPC traffic.\n- Correlate this alert with other security events or logs to identify any patterns or additional indicators of compromise that might suggest a broader attack campaign.\n\n### False positive analysis\n\n- Internal testing environments may generate RPC traffic to external IPs for legitimate purposes. Identify and document these environments, then create exceptions in the detection rule to prevent unnecessary alerts.\n- Cloud-based services or applications that require RPC communication for integration or management might trigger false positives. Review these services and whitelist their IP addresses if they are verified as non-threatening.\n- VPN or remote access solutions that use RPC for secure connections can be mistaken for suspicious activity. Ensure that the IP ranges of these solutions are excluded from the rule to avoid false alerts.\n- Automated backup or synchronization tools that use RPC to communicate with external servers could be flagged. Verify these tools and add their destination IPs to an exception list if they are part of routine operations.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Conduct a thorough analysis of the affected system to identify any unauthorized changes or installed backdoors, focusing on processes and services related to RPC.\n- Revoke any compromised credentials and enforce a password reset for all accounts that may have been accessed or used during the incident.\n- Apply necessary patches and updates to the affected system and any other systems with similar vulnerabilities to mitigate the risk of exploitation.\n- Monitor network traffic for any signs of lateral movement or additional suspicious activity, particularly focusing on RPC-related traffic.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Implement enhanced logging and monitoring for RPC traffic to detect and respond to similar threats more effectively in the future.", - "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - }, - { - "package": "panw", - "version": "^5.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 73, - "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", - "severity": "high", - "tags": [ - "Tactic: Initial Access", - "Tactic: Lateral Movement", - "Domain: Endpoint", - "Use Case: Threat Detection", - "Data Source: PAN-OS", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.003", - "name": "Distributed Component Object Model", - "reference": "https://attack.mitre.org/techniques/T1021/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 108 - }, - "id": "32923416-763a-4531-bb35-f33b9232ecdb_108", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_112.json b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_112.json deleted file mode 100644 index aeab9634d14..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_112.json +++ /dev/null @@ -1,150 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.", - "false_positives": [ - "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "auditbeat-*", - "filebeat-*", - "logs-network_traffic.*", - "logs-panw.panos*", - "logs-fortinet_fortigate.log-*", - "logs-sonicwall_firewall.log-*", - "logs-suricata.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Accepted Default Telnet Port Connection", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Accepted Default Telnet Port Connection\n\nTelnet, a protocol for remote command-line access, is often used in legacy systems. Its lack of encryption makes it vulnerable, allowing attackers to intercept credentials or use it as a backdoor. The detection rule identifies unencrypted Telnet traffic on port 23, flagging connections that bypass typical security measures, thus highlighting potential unauthorized access attempts.\n\n### Possible investigation steps\n\n- Review the network traffic logs to identify the source IP address associated with the Telnet connection on port 23. Determine if the source IP is internal or external to the organization.\n- Check the destination IP address to ascertain if it belongs to a critical system or a legacy device that might still use Telnet for management purposes.\n- Investigate the timeline of the connection event to see if there are any patterns or repeated attempts, which could indicate a persistent threat or automated attack.\n- Analyze any associated user accounts or credentials used during the Telnet session to verify if they are legitimate and authorized for remote access.\n- Correlate the Telnet connection event with other security alerts or logs to identify any related suspicious activities, such as failed login attempts or unusual data transfers.\n- Assess the network segment where the Telnet traffic was detected to determine if it is appropriately segmented and secured against unauthorized access.\n- Consider implementing network security measures, such as disabling Telnet on devices or replacing it with secure alternatives like SSH, to prevent future unauthorized access attempts.\n\n### False positive analysis\n\n- Legacy systems or devices that require Telnet for management may trigger alerts. To manage this, create exceptions for specific IP addresses or subnets known to host these systems.\n- Internal network monitoring tools that use Telnet for legitimate purposes might be flagged. Identify these tools and exclude their traffic from the rule to prevent unnecessary alerts.\n- Lab environments or test networks where Telnet is used for educational or testing purposes can cause false positives. Implement network segmentation and apply exceptions to these environments to reduce noise.\n- Automated scripts or maintenance tasks that utilize Telnet for routine operations may be mistakenly identified. Document these tasks and whitelist their associated traffic patterns to avoid false alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any active Telnet sessions on the affected system to disrupt potential attacker activities.\n- Conduct a thorough review of system logs and network traffic to identify any unauthorized access or data manipulation that may have occurred.\n- Change all credentials that may have been exposed through Telnet traffic, prioritizing those with administrative privileges.\n- Implement network segmentation to restrict Telnet access to only necessary internal systems, ensuring it is not exposed to the internet.\n- Deploy encryption protocols such as SSH to replace Telnet for remote command-line access, enhancing security for remote management.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for additional security measures.", - "query": "(event.dataset:(fortinet_fortigate.log or network_traffic.flow\n or sonicwall_firewall.log or suricata.eve or panw.panos)\n or event.category:(network or network_traffic))\n and event.type:(connection and not end) and not event.action:(\n flow_dropped or flow_denied or denied or deny or\n flow_terminated or timeout or Reject or network_flow)\n and destination.port:23\n", - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - }, - { - "package": "panw", - "version": "^5.0.0" - }, - { - "package": "fortinet_fortigate", - "version": "^1.0.0" - }, - { - "package": "sonicwall_firewall", - "version": "^1.0.0" - }, - { - "package": "suricata", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Tactic: Lateral Movement", - "Tactic: Initial Access", - "Data Source: PAN-OS", - "Data Source: Fortinet", - "Data Source: SonicWall", - "Data Source: Suricata", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1133", - "name": "External Remote Services", - "reference": "https://attack.mitre.org/techniques/T1133/" - }, - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", - "timeline_title": "Comprehensive Network Timeline", - "timestamp_override": "event.ingested", - "type": "query", - "version": 112 - }, - "id": "34fde489-94b0-4500-a76f-b8a157cf9269_112", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_323.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_323.json new file mode 100644 index 00000000000..7332bca526f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_323.json @@ -0,0 +1,169 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Parent-Child Relationship", + "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and process.parent.executable like (\"?:\\\\*\", \"\\\\Device\\\\*\") and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\", \"dwm.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:(\"svchost.exe\", \"Workplace Container Helper.exe\")) or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\", \"svchost.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:(\"services.exe\", \"Workplace Starter.exe\")) or\n (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\", \"ngentask.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\", \"KUsrInit.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\", \"conhost.exe\", \"ngentask.exe\", \"SearchProtocolHost.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\", \"wpbbin.exe\", \"PvsVmBoot.exe\", \"SophosNA.exe\", \"omnissa-ic-nga.exe\", \"icarus_rvrt.exe\", \"poqexec.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\") and\n not (process.name:\"rundll32.exe\" and process.command_line : \"*WerConCpl.dll*LaunchErcApp*\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\", \"conhost.exe\"))\n )\n", + "references": [ + "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", + "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/", + "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", + "setup": "## Setup\n\nThis rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.\n\nSetup instructions: https://ela.st/install-elastic-defend\n\n### Additional data sources\n\nThis rule also supports the following third-party data sources. For setup instructions, refer to the links below:\n\n- [CrowdStrike](https://ela.st/crowdstrike-integration)\n- [Microsoft Defender XDR](https://ela.st/m365-defender)\n- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)\n- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)\n- [Windows Process Creation Logs](https://ela.st/audit-process-creation)\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender XDR", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.012", + "name": "Process Hollowing", + "reference": "https://attack.mitre.org/techniques/T1055/012/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.009", + "name": "Break Process Trees", + "reference": "https://attack.mitre.org/techniques/T1036/009/" + } + ] + }, + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.004", + "name": "Parent PID Spoofing", + "reference": "https://attack.mitre.org/techniques/T1134/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 323 + }, + "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_323", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_317.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_317.json new file mode 100644 index 00000000000..27043982514 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_317.json @@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "logs-crowdstrike.fdr*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential DNS Tunneling via NsLookup", + "note": "## Triage and analysis\n\n### Investigating Potential DNS Tunneling via NsLookup\n\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\n\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\n\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the DNS query and identify the information sent.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id with maxspan=5m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nslookup.exe\" and process.args:(\"-querytype=*\", \"-qt=*\", \"-q=*\", \"-type=*\")] with runs = 10\n", + "references": [ + "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", + "setup": "## Setup\n\nThis rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.\n\nSetup instructions: https://ela.st/install-elastic-defend\n\n### Additional data sources\n\nThis rule also supports the following third-party data sources. For setup instructions, refer to the links below:\n\n- [Microsoft Defender XDR](https://ela.st/m365-defender)\n- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)\n- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)\n- [Windows Process Creation Logs](https://ela.st/audit-process-creation)\n- [CrowdStrike](https://ela.st/crowdstrike-integration)\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender XDR", + "Data Source: SentinelOne", + "Data Source: Sysmon", + "Data Source: Crowdstrike" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.004", + "name": "DNS", + "reference": "https://attack.mitre.org/techniques/T1071/004/" + } + ] + }, + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "type": "eql", + "version": 317 + }, + "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20_317", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_109.json b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_109.json deleted file mode 100644 index fc0c1bbc658..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_109.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", - "false_positives": [ - "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "auditbeat-*", - "filebeat-*", - "logs-network_traffic.*", - "logs-panw.panos*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "VNC (Virtual Network Computing) to the Internet", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating VNC (Virtual Network Computing) to the Internet\n\nVNC is a tool that allows remote control of computers, often used by administrators for maintenance. However, when exposed to the internet, it becomes a target for attackers seeking unauthorized access. Adversaries exploit VNC to establish backdoors or gain initial access. The detection rule identifies suspicious VNC traffic by monitoring specific TCP ports and filtering out internal IP addresses, flagging potential threats when VNC is accessed from external networks.\n\n### Possible investigation steps\n\n- Review the source IP address to determine if it belongs to a known internal asset or user, and verify if the access was authorized.\n- Check the destination IP address to confirm if it is an external address and investigate its reputation or any known associations with malicious activity.\n- Analyze the network traffic logs for the specified TCP ports (5800-5810) to identify any unusual patterns or volumes of VNC traffic.\n- Correlate the VNC traffic event with other security events or logs to identify any related suspicious activities or anomalies.\n- Investigate the user account associated with the VNC session to ensure it has not been compromised or misused.\n- Assess the system or application logs on the destination machine for any signs of unauthorized access or changes during the time of the VNC connection.\n\n### False positive analysis\n\n- Internal maintenance activities may trigger the rule if VNC is used for legitimate remote administration. To manage this, create exceptions for known internal IP addresses that frequently use VNC for maintenance.\n- Automated scripts or tools that use VNC for legitimate purposes might be flagged. Identify these tools and whitelist their IP addresses to prevent unnecessary alerts.\n- Testing environments that simulate external access to VNC for security assessments can cause false positives. Exclude IP ranges associated with these environments to avoid confusion.\n- Cloud-based services that use VNC for remote management might be misidentified as threats. Verify these services and add their IP addresses to an exception list if they are trusted.\n- Temporary remote access setups for troubleshooting or support can be mistaken for unauthorized access. Document these instances and apply temporary exceptions to reduce false alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any active VNC sessions that are identified as originating from external networks to cut off potential attacker access.\n- Conduct a thorough review of system logs and network traffic to identify any unauthorized access or data transfer that may have occurred during the VNC exposure.\n- Change all passwords and credentials associated with the affected system and any other systems that may have been accessed using the same credentials.\n- Apply necessary patches and updates to the VNC software and any other vulnerable applications on the affected system to mitigate known vulnerabilities.\n- Implement network segmentation to ensure that VNC services are only accessible from trusted internal networks and not exposed to the internet.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be compromised.", - "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - }, - { - "package": "panw", - "version": "^5.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 47, - "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", - "severity": "medium", - "tags": [ - "Tactic: Command and Control", - "Domain: Endpoint", - "Use Case: Threat Detection", - "Data Source: PAN-OS", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1219", - "name": "Remote Access Tools", - "reference": "https://attack.mitre.org/techniques/T1219/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 109 - }, - "id": "3ad49c61-7adc-42c1-b788-732eda2f5abf_109", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3aff6ab1-18bd-427e-9d4c-c5732110c261_3.json b/packages/security_detection_engine/kibana/security_rule/3aff6ab1-18bd-427e-9d4c-c5732110c261_3.json deleted file mode 100644 index 28540705214..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3aff6ab1-18bd-427e-9d4c-c5732110c261_3.json +++ /dev/null @@ -1,137 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects the modification and reading of kernel features through built-in commands. Attackers may collect information, disable or weaken Linux kernel protections. For example, an attacker may modify ASLR protection by disabling kernel.randomize_va_space, allow ptrace by setting kernel.yama.ptrace_scope to 0, or disable the NMI watchdog by setting kernel.nmi_watchdog to 0. These changes may be used to impair defenses and evade detection.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.process*", - "logs-crowdstrike.fdr*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Kernel Feature Activity", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious Kernel Feature Activity\n\nKernel features in Linux systems are critical for maintaining security and stability. They control various system behaviors, such as memory randomization and process tracing. Adversaries may exploit these features to weaken defenses, for instance, by disabling address space layout randomization (ASLR) or enabling unrestricted process tracing. The detection rule identifies suspicious activities by monitoring command executions that modify or read kernel settings, focusing on unusual patterns or contexts that suggest malicious intent.\n\n### Possible investigation steps\n\n- Review the process command line to identify which specific kernel feature was accessed or modified, focusing on entries like kernel.randomize_va_space or kernel.yama.ptrace_scope.\n- Examine the parent process executable and name to determine the context in which the suspicious command was executed, checking for unusual or unauthorized parent processes.\n- Investigate the user account associated with the process execution to assess whether the activity aligns with expected behavior for that user.\n- Check for any recent changes in the /etc/sysctl.conf or /etc/sysctl.d/ directories that might indicate unauthorized modifications to kernel settings.\n- Analyze the system's process execution history to identify any patterns or sequences of commands that suggest a broader attack or compromise.\n- Correlate the alert with other security events or logs to determine if this activity is part of a larger attack campaign or isolated incident.\n\n### False positive analysis\n\n- System administrators or automated scripts may frequently modify kernel settings for legitimate purposes such as performance tuning or system maintenance. To handle these, identify and whitelist known administrative scripts or processes that regularly perform these actions.\n- Security tools or monitoring solutions might execute commands that read kernel settings as part of their normal operation. Review and exclude these tools from triggering alerts by adding them to an exception list based on their process names or command patterns.\n- Developers and testers might disable certain kernel features temporarily during debugging or testing phases. Coordinate with development teams to document these activities and exclude them from detection by specifying the relevant process names or command lines.\n- Some system management tools may use commands like sysctl to apply configuration changes across multiple systems. If these tools are verified as non-threatening, exclude their specific command patterns or parent processes from triggering the rule.\n- Regular system updates or configuration management processes might involve reading or modifying kernel settings. Identify these processes and add them to an exception list to prevent unnecessary alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary.\n- Review and revert any unauthorized changes to kernel settings, such as ASLR, ptrace scope, or NMI watchdog, to their secure defaults using sysctl or by editing configuration files.\n- Conduct a thorough examination of the system for signs of compromise, including checking for unauthorized access, unusual processes, or modifications to critical files.\n- Restore the system from a known good backup if the integrity of the system is compromised and cannot be reliably remediated.\n- Implement additional monitoring and logging for kernel feature modifications to detect similar activities in the future, ensuring alerts are configured for immediate response.\n- Escalate the incident to the security operations center (SOC) or relevant security team for further investigation and correlation with other potential threats across the network.\n- Review and update security policies and configurations to prevent unauthorized kernel modifications, including enforcing stricter access controls and auditing procedures.\n", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"ProcessRollup2\") and\nprocess.command_line : (\n \"*/etc/sysctl.conf*\", \"*/etc/sysctl.d/*\", \"*/proc/sys/kernel/nmi_watchdog*\",\n \"*/proc/sys/vm/nr_hugepages*\", \"*/proc/sys/kernel/yama/ptrace_scope*\",\n \"*/proc/sys/kernel/randomize_va_space*\", \"*/proc/sys/vm/drop_caches*\",\n \"*/proc/sys/kernel/sysrq*\", \"*grsecurity*\", \"*exec-shield*\",\n \"*kernel.randomize_va_space*\", \"*kernel.yama.ptrace_scope*\",\n \"*kernel.nmi_watchdog*\", \"*vm.nr_hugepages*\", \"*vm.drop_caches*\",\n \"*kernel.sysrq*\"\n) and\n?process.parent.executable != null and \n(\n (process.name == \"tee\" and process.args like \"-*a*\") or // also detects --append\n (process.name == \"cat\" and not process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")) or\n (process.name == \"grep\" and process.args_count == 3 and not process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")) or\n (process.name == \"sysctl\" and process.args like (\"*-w*\", \"*--write*\", \"*=*\")) or\n (process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and process.args == \"-c\" and process.args : \"*echo *\")\n)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "crowdstrike", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "3aff6ab1-18bd-427e-9d4c-c5732110c261", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", - "Data Source: Crowdstrike" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.006", - "name": "Indicator Blocking", - "reference": "https://attack.mitre.org/techniques/T1562/006/" - } - ] - }, - { - "id": "T1553", - "name": "Subvert Trust Controls", - "reference": "https://attack.mitre.org/techniques/T1553/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "3aff6ab1-18bd-427e-9d4c-c5732110c261_3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_105.json b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_105.json deleted file mode 100644 index 7856deeb246..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_105.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "EggShell Backdoor Execution", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating EggShell Backdoor Execution\n\nEggShell is a post-exploitation tool used on macOS and Linux systems, allowing adversaries to execute commands and scripts remotely. It leverages command and scripting interpreters to gain control over compromised systems. Attackers exploit this by executing malicious payloads, maintaining persistence, and exfiltrating data. The detection rule identifies suspicious process activities, specifically targeting the execution patterns and arguments associated with EggShell, to alert analysts of potential backdoor usage.\n\n### Possible investigation steps\n\n- Review the alert details to confirm the presence of the process name 'espl' and check if the process arguments start with 'eyJkZWJ1ZyI6', which indicates potential EggShell activity.\n- Investigate the parent process of 'espl' to understand how it was initiated and identify any associated suspicious activities or processes.\n- Examine the user account under which the 'espl' process was executed to determine if it aligns with expected behavior or if it indicates a compromised account.\n- Check for any network connections or data exfiltration attempts associated with the 'espl' process to assess if data has been sent to an external source.\n- Review system logs and other security alerts around the time of the 'espl' process execution to identify any correlated events or anomalies.\n- Assess the persistence mechanisms on the affected system to determine if the EggShell backdoor has established any means to survive reboots or user logouts.\n\n### False positive analysis\n\n- Legitimate administrative scripts or tools that use similar command patterns to EggShell may trigger false positives. Review the process arguments and context to determine if the activity is expected and authorized.\n- Development or testing environments where EggShell or similar tools are used for legitimate purposes can cause alerts. Implement exceptions for these environments by excluding specific user accounts or process paths.\n- Automated scripts or monitoring tools that mimic EggShell's execution patterns might be flagged. Identify these scripts and create exceptions based on their unique identifiers or execution context.\n- Regularly update the detection rule to refine the criteria based on observed false positives, ensuring that legitimate activities are not continuously flagged.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further command execution and data exfiltration.\n- Terminate any suspicious processes associated with the EggShell backdoor, specifically those matching the process name 'espl' and arguments starting with 'eyJkZWJ1ZyI6'.\n- Conduct a thorough examination of the system to identify any additional malicious payloads or persistence mechanisms that may have been deployed by the attacker.\n- Remove any unauthorized user accounts or access credentials that may have been created or compromised during the exploitation.\n- Restore the system from a known good backup to ensure all traces of the backdoor and any associated malware are eradicated.\n- Update and patch all software and systems to close any vulnerabilities that may have been exploited by the attacker.\n- Enhance monitoring and detection capabilities to identify similar threats in the future, focusing on command and scripting interpreter activities as outlined in MITRE ATT&CK technique T1059.", - "query": "event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6*\n", - "references": [ - "https://github.com/neoneggplant/EggShell" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^9.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.006", - "name": "Python", - "reference": "https://attack.mitre.org/techniques/T1059/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 105 - }, - "id": "41824afb-d68c-4d0e-bfee-474dac1fa56e_105", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_106.json b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_106.json deleted file mode 100644 index 32a29cd7a02..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_106.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "EggShell Backdoor Execution", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating EggShell Backdoor Execution\n\nEggShell is a post-exploitation tool used on macOS and Linux systems, allowing adversaries to execute commands and scripts remotely. It leverages command and scripting interpreters to gain control over compromised systems. Attackers exploit this by executing malicious payloads, maintaining persistence, and exfiltrating data. The detection rule identifies suspicious process activities, specifically targeting the execution patterns and arguments associated with EggShell, to alert analysts of potential backdoor usage.\n\n### Possible investigation steps\n\n- Review the alert details to confirm the presence of the process name 'espl' and check if the process arguments start with 'eyJkZWJ1ZyI6', which indicates potential EggShell activity.\n- Investigate the parent process of 'espl' to understand how it was initiated and identify any associated suspicious activities or processes.\n- Examine the user account under which the 'espl' process was executed to determine if it aligns with expected behavior or if it indicates a compromised account.\n- Check for any network connections or data exfiltration attempts associated with the 'espl' process to assess if data has been sent to an external source.\n- Review system logs and other security alerts around the time of the 'espl' process execution to identify any correlated events or anomalies.\n- Assess the persistence mechanisms on the affected system to determine if the EggShell backdoor has established any means to survive reboots or user logouts.\n\n### False positive analysis\n\n- Legitimate administrative scripts or tools that use similar command patterns to EggShell may trigger false positives. Review the process arguments and context to determine if the activity is expected and authorized.\n- Development or testing environments where EggShell or similar tools are used for legitimate purposes can cause alerts. Implement exceptions for these environments by excluding specific user accounts or process paths.\n- Automated scripts or monitoring tools that mimic EggShell's execution patterns might be flagged. Identify these scripts and create exceptions based on their unique identifiers or execution context.\n- Regularly update the detection rule to refine the criteria based on observed false positives, ensuring that legitimate activities are not continuously flagged.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further command execution and data exfiltration.\n- Terminate any suspicious processes associated with the EggShell backdoor, specifically those matching the process name 'espl' and arguments starting with 'eyJkZWJ1ZyI6'.\n- Conduct a thorough examination of the system to identify any additional malicious payloads or persistence mechanisms that may have been deployed by the attacker.\n- Remove any unauthorized user accounts or access credentials that may have been created or compromised during the exploitation.\n- Restore the system from a known good backup to ensure all traces of the backdoor and any associated malware are eradicated.\n- Update and patch all software and systems to close any vulnerabilities that may have been exploited by the attacker.\n- Enhance monitoring and detection capabilities to identify similar threats in the future, focusing on command and scripting interpreter activities as outlined in MITRE ATT&CK technique T1059.", - "query": "event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6*\n", - "references": [ - "https://github.com/neoneggplant/EggShell" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.006", - "name": "Python", - "reference": "https://attack.mitre.org/techniques/T1059/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "41824afb-d68c-4d0e-bfee-474dac1fa56e_106", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_107.json b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_107.json deleted file mode 100644 index d6d3828c3e4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_107.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Deprecated - EggShell Backdoor Execution", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Deprecated - EggShell Backdoor Execution\n\nEggShell is a post-exploitation tool used on macOS and Linux systems, allowing adversaries to execute commands and scripts remotely. It leverages command and scripting interpreters to gain control over compromised systems. Attackers exploit this by executing malicious payloads, maintaining persistence, and exfiltrating data. The detection rule identifies suspicious process activities, specifically targeting the execution patterns and arguments associated with EggShell, to alert analysts of potential backdoor usage.\n\n### Possible investigation steps\n\n- Review the alert details to confirm the presence of the process name 'espl' and check if the process arguments start with 'eyJkZWJ1ZyI6', which indicates potential EggShell activity.\n- Investigate the parent process of 'espl' to understand how it was initiated and identify any associated suspicious activities or processes.\n- Examine the user account under which the 'espl' process was executed to determine if it aligns with expected behavior or if it indicates a compromised account.\n- Check for any network connections or data exfiltration attempts associated with the 'espl' process to assess if data has been sent to an external source.\n- Review system logs and other security alerts around the time of the 'espl' process execution to identify any correlated events or anomalies.\n- Assess the persistence mechanisms on the affected system to determine if the EggShell backdoor has established any means to survive reboots or user logouts.\n\n### False positive analysis\n\n- Legitimate administrative scripts or tools that use similar command patterns to EggShell may trigger false positives. Review the process arguments and context to determine if the activity is expected and authorized.\n- Development or testing environments where EggShell or similar tools are used for legitimate purposes can cause alerts. Implement exceptions for these environments by excluding specific user accounts or process paths.\n- Automated scripts or monitoring tools that mimic EggShell's execution patterns might be flagged. Identify these scripts and create exceptions based on their unique identifiers or execution context.\n- Regularly update the detection rule to refine the criteria based on observed false positives, ensuring that legitimate activities are not continuously flagged.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further command execution and data exfiltration.\n- Terminate any suspicious processes associated with the EggShell backdoor, specifically those matching the process name 'espl' and arguments starting with 'eyJkZWJ1ZyI6'.\n- Conduct a thorough examination of the system to identify any additional malicious payloads or persistence mechanisms that may have been deployed by the attacker.\n- Remove any unauthorized user accounts or access credentials that may have been created or compromised during the exploitation.\n- Restore the system from a known good backup to ensure all traces of the backdoor and any associated malware are eradicated.\n- Update and patch all software and systems to close any vulnerabilities that may have been exploited by the attacker.\n- Enhance monitoring and detection capabilities to identify similar threats in the future, focusing on command and scripting interpreter activities as outlined in MITRE ATT&CK technique T1059.", - "query": "event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6*\n", - "references": [ - "https://github.com/neoneggplant/EggShell" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.006", - "name": "Python", - "reference": "https://attack.mitre.org/techniques/T1059/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 107 - }, - "id": "41824afb-d68c-4d0e-bfee-474dac1fa56e_107", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_112.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_112.json deleted file mode 100644 index 8880fa8a483..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_112.json +++ /dev/null @@ -1,115 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "endgame-*", - "logs-auditd_manager.auditd-*", - "logs-crowdstrike.fdr*", - "logs-endpoint.events.process*", - "logs-sentinel_one_cloud_funnel.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Linux User Added to Privileged Group", - "note": "## Triage and analysis\n\n### Investigating Linux User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n event.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"executed\", \"process_started\") and\n process.args in (\n \"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\"\n ) and\n (\n process.name in (\"usermod\", \"adduser\") or\n (process.name == \"gpasswd\" and process.args in (\"-a\", \"--add\", \"-M\", \"--members\"))\n )\n", - "references": [ - "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "auditd_manager", - "version": "^1.0.0" - }, - { - "package": "crowdstrike", - "version": "^2.0.0" - }, - { - "package": "sentinel_one_cloud_funnel", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", - "Data Source: Crowdstrike", - "Data Source: SentinelOne" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/", - "subtechnique": [ - { - "id": "T1136.001", - "name": "Local Account", - "reference": "https://attack.mitre.org/techniques/T1136/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 112 - }, - "id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b_112", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4886ce11-fca5-433f-bbb9-e33e410ef9ae_1.json b/packages/security_detection_engine/kibana/security_rule/4886ce11-fca5-433f-bbb9-e33e410ef9ae_1.json new file mode 100644 index 00000000000..ae09791adb6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4886ce11-fca5-433f-bbb9-e33e410ef9ae_1.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects creation or modification of GKE mutating or validating admission webhook configurations by non-system identities. Malicious webhooks can inject workloads, block security tooling, or intercept API traffic for persistence and defense evasion.", + "false_positives": [ + "GitOps and platform controllers (cert-manager, Gatekeeper, Kyverno, service mesh) legitimately manage webhooks. Validate change tickets and controller identities before tuning." + ], + "from": "now-9m", + "index": [ + "logs-gcp.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GKE Admission Webhook Created or Modified", + "note": "## Triage and analysis\n\n### Investigating GKE Admission Webhook Created or Modified\n\nReview webhook name, actor, and clientConfig destination in `gcp.audit.request`.\n\n### Investigation steps\n\n- Confirm `user.email`, `event.action`, and webhook resource name.\n- Inspect webhook URL or in-cluster service target for external endpoints.\n- Hunt for pod mutations or blocked security deployments after the change.\n\n### False positives\n\n- Approved controller upgrades during change windows.", + "query": "data_stream.dataset:gcp.audit and event.outcome:success and event.action:(\n \"io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.create\" or\n \"io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.update\" or\n \"io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.patch\" or\n \"io.k8s.admissionregistration.v1.validatingwebhookconfigurations.create\" or\n \"io.k8s.admissionregistration.v1.validatingwebhookconfigurations.update\" or\n \"io.k8s.admissionregistration.v1.validatingwebhookconfigurations.patch\"\n) and not user.email:(\n \"system:kube-controller-manager\" or \"system:kube-scheduler\" or system\\:serviceaccount\\:kube-system\\:* or\n system\\:serviceaccount\\:gke-managed-system\\:* or system\\:serviceaccount\\:cert-manager\\:* or\n system\\:serviceaccount\\:gatekeeper-system\\:* or system\\:serviceaccount\\:kyverno\\:* or \"system:addon-manager\" or\n *-operator or *-cainjector or *-webhook or *argocd* or \"system:gke-common-webhooks\"\n)\n", + "references": [ + "https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.email", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4886ce11-fca5-433f-bbb9-e33e410ef9ae", + "setup": "The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Kubernetes", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "4886ce11-fca5-433f-bbb9-e33e410ef9ae_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/49002bbe-7aea-4146-91eb-b2b683bf5ed5_1.json b/packages/security_detection_engine/kibana/security_rule/49002bbe-7aea-4146-91eb-b2b683bf5ed5_1.json new file mode 100644 index 00000000000..6dfbba86031 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/49002bbe-7aea-4146-91eb-b2b683bf5ed5_1.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an AWS Lambda function invoked by a principal whose AWS account differs from the account that owns the function (a cross-account invocation). The caller's account is parsed from the invoking principal's ARN and compared to the function account. Adversaries who have been granted invoke permission on a function from an external account, or who operate from a separate attacker-controlled account, can use cross-account invocation to execute functions or retrieve the data they return. This is the data-plane counterpart to detecting the cross-account grant itself, and relies on AWS Lambda data event logging, which is not enabled by default.", + "false_positives": [ + "Multi-account architectures and partner integrations legitimately invoke functions across account boundaries. Verify the caller account, the principal in `aws.cloudtrail.user_identity.arn`, and the function against approved cross-account access, and exclude known trusted accounts or identities after validation." + ], + "from": "now-61m", + "interval": "60m", + "investigation_fields": { + "field_names": [ + "aws.cloudtrail.user_identity.arn", + "Esql.caller_account", + "Esql.function_account", + "Esql.function_arns", + "Esql.invocation_count", + "Esql.source_ips" + ] + }, + "language": "esql", + "license": "Elastic License v2", + "name": "AWS Lambda Function Invoked Cross-Account", + "note": "## Triage and analysis\n\n### Investigating AWS Lambda Function Invoked Cross-Account\n\nA Lambda function invoked by a principal from a different AWS account indicates cross-account invocation - the data-plane realization of a cross-account resource-policy grant. CloudTrail data events record the invoking principal's ARN (which contains the caller's account) and the function's owning account. When these differ, an external account executed the function. This can be a legitimate multi-account integration or an adversary using granted or attacker-controlled cross-account access.\n\n#### Possible investigation steps\n\n- Review `Esql.caller_account` (the invoking principal's account) versus `Esql.function_account` (the invoked function's owning account) and confirm whether the caller account is a known, trusted account.\n- Identify the principal in `aws.cloudtrail.user_identity.arn` and pivot to the raw CloudTrail events (for the same principal/time window) to identify the invoked function(s) in `aws.cloudtrail.request_parameters`.\n- Determine whether a corresponding `AddPermission` cross-account grant exists for the function and whether it was expected (correlate with the cross-account resource-policy rule).\n- Review `Esql.source_ips` and recent activity from the caller account for other cross-account actions.\n\n### False positive analysis\n\n- Cross-account invocation is common in multi-account architectures and partner integrations. Confirm the caller account is approved and exclude known trusted accounts or identities after validation.\n\n### Response and remediation\n\n- If the cross-account access is unauthorized, remove the function's cross-account resource-policy statement (`RemovePermission`) and review what the function accessed or returned.\n- Constrain `lambda:InvokeFunction` grants to approved accounts and review the function's execution-role permissions.\n\n### Additional information\n\n- [Lambda resource-based policies](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html)\n- [Logging Lambda data events with CloudTrail](https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html)\n", + "query": "from logs-aws.cloudtrail-*\n\n| where\n event.provider == \"lambda.amazonaws.com\"\n and event.action like \"Invoke*\"\n and event.outcome == \"success\"\n and aws.cloudtrail.user_identity.arn IS NOT NULL\n and aws.cloudtrail.user_identity.invoked_by IS NULL\n and aws.cloudtrail.request_parameters IS NOT NULL\n\n| grok aws.cloudtrail.user_identity.arn \"\"\":(?[0-9]{12}):\"\"\"\n| grok aws.cloudtrail.request_parameters \"\"\"functionName=arn:aws:lambda:[a-z0-9-]*:(?[0-9]{12}):\"\"\"\n\n| where Esql.caller_account IS NOT NULL and Esql.function_account IS NOT NULL and Esql.caller_account != Esql.function_account\n\n| stats\n Esql.invocation_count = count(*),\n Esql.source_ips = values(source.ip),\n Esql.function_arns = values(aws.cloudtrail.resources.arn)\n by\n aws.cloudtrail.user_identity.arn,\n Esql.caller_account,\n Esql.function_account\n\n| keep\n aws.cloudtrail.user_identity.arn,\n Esql.caller_account,\n Esql.function_account,\n Esql.function_arns,\n Esql.invocation_count,\n Esql.source_ips\n\n", + "references": [ + "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html", + "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.arn", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "49002bbe-7aea-4146-91eb-b2b683bf5ed5", + "setup": "## Setup\n\nThis rule requires AWS Lambda data events to be logged in CloudTrail and ingested via the AWS integration. Lambda\ninvocation (`Invoke`) is a data-plane event and is NOT logged by default; enable data event logging for Lambda functions\nin the trail (optionally scoped to sensitive functions to manage volume).\n", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Lambda", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1648", + "name": "Serverless Execution", + "reference": "https://attack.mitre.org/techniques/T1648/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "49002bbe-7aea-4146-91eb-b2b683bf5ed5_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_109.json b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_109.json deleted file mode 100644 index 8190583eeb8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_109.json +++ /dev/null @@ -1,110 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had been previously blocked before by a user with admin privileges.", - "false_positives": [ - "Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Application Removed from Blocklist in Google Workspace", - "note": "## Triage and analysis\n\n### Investigating Application Removed from Blocklist in Google Workspace\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\n\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security > Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- After identifying the involved user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.type:\"change\" and\n event.action:\"CHANGE_APPLICATION_SETTING\" and\n google_workspace.admin.application.name:\"Google Workspace Marketplace\" and\n google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\n", - "references": [ - "https://support.google.com/a/answer/6328701?hl=en#", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.application.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.new_value", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.old_value", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "495e5f2e-2480-11ed-bea8-f661ea17fbce", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Resources: Investigation Guide", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 109 - }, - "id": "495e5f2e-2480-11ed-bea8-f661ea17fbce_109", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ddac6c1-e4be-4e2b-95b5-0654cb8d423c_1.json b/packages/security_detection_engine/kibana/security_rule/4ddac6c1-e4be-4e2b-95b5-0654cb8d423c_1.json new file mode 100644 index 00000000000..ef6036666f9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4ddac6c1-e4be-4e2b-95b5-0654cb8d423c_1.json @@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies deletion of an AWS Backup vault or removal of its Vault Lock configuration via DeleteBackupVault or DeleteBackupVaultLockConfiguration. A backup vault stores recovery points, and Vault Lock enforces WORM (write-once, read-many) immutability that prevents recovery points from being deleted before their retention expires. Removing the lock defeats the primary control designed to stop ransomware from destroying backups, and deleting the vault removes the backup container entirely. Both actions are strong anti-recovery signals and are rare in normal operations.", + "false_positives": [ + "Platform or infrastructure-as-code teams may delete empty or deprecated vaults during decommissioning, or adjust Vault Lock during a planned governance change (note that compliance-mode locks cannot be removed). Verify the principal in \"aws.cloudtrail.user_identity.arn\" and confirm the change aligns with an approved request. Known administration roles can be excluded after validation." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "source.as.number", + "source.as.organization.name", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Backup Vault Deleted or Vault Lock Removed", + "note": "## Triage and analysis\n\n### Investigating AWS Backup Vault Deleted or Vault Lock Removed\n\nA backup vault is the container for AWS Backup recovery points, and Vault Lock applies immutability so recovery points cannot be deleted or shortened before retention expires. \"DeleteBackupVaultLockConfiguration\" removes that immutability (for governance-mode locks), and \"DeleteBackupVault\" deletes the vault itself. Adversaries remove the lock to enable subsequent deletion of otherwise-immutable recovery points, or delete the vault to destroy backups outright. These are high-impact, rare operations and should be deliberate and tightly controlled.\n\n### Possible investigation steps\n\n- Identify the actor in \"aws.cloudtrail.user_identity.arn\" and \"aws.cloudtrail.user_identity.type\", and review \"source.ip\", \"source.as.organization.name\", and \"user_agent.original\" for an unexpected origin.\n- Determine the affected vault from \"aws.cloudtrail.request_parameters\" and whether it held recovery points.\n- For lock removal, check whether DeleteRecoveryPoint or DeleteBackupVault followed shortly after, indicating a staged anti-recovery sequence.\n- Correlate with other destructive or evasion activity by the same principal (KMS key deletion, resource deletions, logging changes).\n\n### False positive analysis\n\n- Decommissioning of empty vaults or planned governance changes may match. Confirm the change is expected and exclude known administration roles on \"aws.cloudtrail.user_identity.arn\" after validation.\n\n### Response and remediation\n\n- If unauthorized, treat as a likely precursor to backup destruction: preserve remaining recovery points, re-apply Vault Lock (in compliance mode where appropriate), and engage incident response.\n- Rotate or restrict credentials for the principal if compromise is suspected, and restrict \"backup:DeleteBackupVault\" and \"backup:DeleteBackupVaultLockConfiguration\" to break-glass roles via IAM and SCPs.\n\n### Additional information\n\n- [AWS Backup Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html)\n- [DeleteBackupVault API](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupVault.html)\n- [DeleteBackupVaultLockConfiguration API](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupVaultLockConfiguration.html)\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"backup.amazonaws.com\"\n and event.action: (\"DeleteBackupVault\" or \"DeleteBackupVaultLockConfiguration\")\n and event.outcome: \"success\"\n and not aws.cloudtrail.user_identity.type: \"AWSService\"\n", + "references": [ + "https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html", + "https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupVault.html", + "https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupVaultLockConfiguration.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4ddac6c1-e4be-4e2b-95b5-0654cb8d423c", + "setup": "This rule requires AWS CloudTrail management events for AWS Backup and ingestion via the Elastic AWS CloudTrail integration. See https://docs.elastic.co/integrations/aws/cloudtrail.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Backup", + "Use Case: Threat Detection", + "Tactic: Impact", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "4ddac6c1-e4be-4e2b-95b5-0654cb8d423c_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4df2e3ae-3553-4194-b22e-3e5a6f71466e_1.json b/packages/security_detection_engine/kibana/security_rule/4df2e3ae-3553-4194-b22e-3e5a6f71466e_1.json new file mode 100644 index 00000000000..05c5dc921b8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4df2e3ae-3553-4194-b22e-3e5a6f71466e_1.json @@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the first time a human GKE caller lists secrets cluster-wide or in default or kube-system from a source autonomous system that is not attributed to common cloud provider organizations. This can indicate remote secret enumeration using stolen credentials from an unusual network.", + "false_positives": [ + "Engineers listing secrets from home ISP or corporate VPN AS names may match until baselined. GeoIP organization labels vary by vendor; tune exclusions after validation." + ], + "from": "now-6m", + "history_window_start": "now-7d", + "index": [ + "logs-gcp.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GKE Secrets List from Unusual Source AS Organization", + "new_terms_fields": [ + "user.email", + "source.as.number" + ], + "note": "## Triage and analysis\n\n### Investigating GKE Secrets List from Unusual Source AS Organization\n\nNew-terms rule on `user.email` and `source.as.number` for cluster-wide or sensitive namespace secret list operations.\n\n### Investigation steps\n\n- Confirm `gcp.audit.resource_name` and whether listing was authorized.\n- Review `source.ip`, `source.as.organization.name`, and follow-on secret get or exec activity.\n\n### False positives\n\n- First-time legitimate admin access from a new office or VPN provider.", + "query": "data_stream.dataset:gcp.audit and service.name:\"k8s.io\" and event.action:io.k8s.core.v1.secrets.list and gcp.audit.resource_name:(core/v1/namespaces/default/secrets or core/v1/namespaces/kube-system/secrets or core/v1/secrets) and user.email:*@* and source.as.organization.name:(* and not (\"Google LLC\" or \"Microsoft Corporation\")) and source.as.number:*\n", + "references": [ + "https://attack.mitre.org/techniques/T1552/007/" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "gcp.audit.resource_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "service.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.as.number", + "type": "long" + }, + { + "ecs": true, + "name": "source.as.organization.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.email", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4df2e3ae-3553-4194-b22e-3e5a6f71466e", + "setup": "The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Domain: Kubernetes", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Discovery", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.007", + "name": "Container API", + "reference": "https://attack.mitre.org/techniques/T1552/007/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1613", + "name": "Container and Resource Discovery", + "reference": "https://attack.mitre.org/techniques/T1613/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "4df2e3ae-3553-4194-b22e-3e5a6f71466e_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_117.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_117.json deleted file mode 100644 index 0220f1785f1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_117.json +++ /dev/null @@ -1,140 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.process*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "note": "## Triage and analysis\n\n### Investigating Linux Restricted Shell Breakout via Linux Binary(s)\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or\n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and\n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and\n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n\n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not\n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", - "references": [ - "https://gtfobins.github.io/gtfobins/apt/", - "https://gtfobins.github.io/gtfobins/apt-get/", - "https://gtfobins.github.io/gtfobins/nawk/", - "https://gtfobins.github.io/gtfobins/mawk/", - "https://gtfobins.github.io/gtfobins/awk/", - "https://gtfobins.github.io/gtfobins/gawk/", - "https://gtfobins.github.io/gtfobins/busybox/", - "https://gtfobins.github.io/gtfobins/c89/", - "https://gtfobins.github.io/gtfobins/c99/", - "https://gtfobins.github.io/gtfobins/cpulimit/", - "https://gtfobins.github.io/gtfobins/crash/", - "https://gtfobins.github.io/gtfobins/env/", - "https://gtfobins.github.io/gtfobins/expect/", - "https://gtfobins.github.io/gtfobins/find/", - "https://gtfobins.github.io/gtfobins/flock/", - "https://gtfobins.github.io/gtfobins/gcc/", - "https://gtfobins.github.io/gtfobins/mysql/", - "https://gtfobins.github.io/gtfobins/nice/", - "https://gtfobins.github.io/gtfobins/ssh/", - "https://gtfobins.github.io/gtfobins/vi/", - "https://gtfobins.github.io/gtfobins/vim/", - "https://gtfobins.github.io/gtfobins/capsh/", - "https://gtfobins.github.io/gtfobins/byebug/", - "https://gtfobins.github.io/gtfobins/git/", - "https://gtfobins.github.io/gtfobins/ftp/", - "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to \u201cManage \u2192 Policies\u201d, and edit one or more of your Elastic Defend integration policies.\n- Select the\u201d Policy settings\u201d tab, then scroll down to the \u201cLinux event collection\u201d section near the bottom.\n- Check the box for \u201cProcess events\u201d, and turn on the \u201cInclude session data\u201d toggle.\n- If you want to include file and network alerts in Session View, check the boxes for \u201cNetwork and File events\u201d.\n- If you want to enable terminal output capture, turn on the \u201cCapture terminal output\u201d toggle.\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 117 - }, - "id": "52376a86-ee86-4967-97ae-1a05f55816f0_117", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_118.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_118.json deleted file mode 100644 index c91462f28a9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_118.json +++ /dev/null @@ -1,145 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.process*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "note": "## Triage and analysis\n\n### Investigating Linux Restricted Shell Breakout via Linux Binary(s)\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.executable != null and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\" and not process.parent.executable == \"/usr/bin/log4j-cve-2021-44228-hotpatch\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and\n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and\n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n\n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not\n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\" and\n not process.parent.executable == \"/bin/busybox\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", - "references": [ - "https://gtfobins.github.io/gtfobins/apt/", - "https://gtfobins.github.io/gtfobins/apt-get/", - "https://gtfobins.github.io/gtfobins/nawk/", - "https://gtfobins.github.io/gtfobins/mawk/", - "https://gtfobins.github.io/gtfobins/awk/", - "https://gtfobins.github.io/gtfobins/gawk/", - "https://gtfobins.github.io/gtfobins/busybox/", - "https://gtfobins.github.io/gtfobins/c89/", - "https://gtfobins.github.io/gtfobins/c99/", - "https://gtfobins.github.io/gtfobins/cpulimit/", - "https://gtfobins.github.io/gtfobins/crash/", - "https://gtfobins.github.io/gtfobins/env/", - "https://gtfobins.github.io/gtfobins/expect/", - "https://gtfobins.github.io/gtfobins/find/", - "https://gtfobins.github.io/gtfobins/flock/", - "https://gtfobins.github.io/gtfobins/gcc/", - "https://gtfobins.github.io/gtfobins/mysql/", - "https://gtfobins.github.io/gtfobins/nice/", - "https://gtfobins.github.io/gtfobins/ssh/", - "https://gtfobins.github.io/gtfobins/vi/", - "https://gtfobins.github.io/gtfobins/vim/", - "https://gtfobins.github.io/gtfobins/capsh/", - "https://gtfobins.github.io/gtfobins/byebug/", - "https://gtfobins.github.io/gtfobins/git/", - "https://gtfobins.github.io/gtfobins/ftp/", - "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to \u201cManage \u2192 Policies\u201d, and edit one or more of your Elastic Defend integration policies.\n- Select the\u201d Policy settings\u201d tab, then scroll down to the \u201cLinux event collection\u201d section near the bottom.\n- Check the box for \u201cProcess events\u201d, and turn on the \u201cInclude session data\u201d toggle.\n- If you want to include file and network alerts in Session View, check the boxes for \u201cNetwork and File events\u201d.\n- If you want to enable terminal output capture, turn on the \u201cCapture terminal output\u201d toggle.\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 118 - }, - "id": "52376a86-ee86-4967-97ae-1a05f55816f0_118", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_119.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_119.json deleted file mode 100644 index 0af46668798..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_119.json +++ /dev/null @@ -1,160 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.process*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "note": "## Triage and analysis\n\n### Investigating Linux Restricted Shell Breakout via Linux Binary(s)\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.executable != null and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\" and not process.parent.executable == \"/usr/bin/log4j-cve-2021-44228-hotpatch\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and\n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and\n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n\n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not\n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\" and\n not process.parent.executable == \"/bin/busybox\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", - "references": [ - "https://gtfobins.github.io/gtfobins/apt/", - "https://gtfobins.github.io/gtfobins/apt-get/", - "https://gtfobins.github.io/gtfobins/nawk/", - "https://gtfobins.github.io/gtfobins/mawk/", - "https://gtfobins.github.io/gtfobins/awk/", - "https://gtfobins.github.io/gtfobins/gawk/", - "https://gtfobins.github.io/gtfobins/busybox/", - "https://gtfobins.github.io/gtfobins/c89/", - "https://gtfobins.github.io/gtfobins/c99/", - "https://gtfobins.github.io/gtfobins/cpulimit/", - "https://gtfobins.github.io/gtfobins/crash/", - "https://gtfobins.github.io/gtfobins/env/", - "https://gtfobins.github.io/gtfobins/expect/", - "https://gtfobins.github.io/gtfobins/find/", - "https://gtfobins.github.io/gtfobins/flock/", - "https://gtfobins.github.io/gtfobins/gcc/", - "https://gtfobins.github.io/gtfobins/mysql/", - "https://gtfobins.github.io/gtfobins/nice/", - "https://gtfobins.github.io/gtfobins/ssh/", - "https://gtfobins.github.io/gtfobins/vi/", - "https://gtfobins.github.io/gtfobins/vim/", - "https://gtfobins.github.io/gtfobins/capsh/", - "https://gtfobins.github.io/gtfobins/byebug/", - "https://gtfobins.github.io/gtfobins/git/", - "https://gtfobins.github.io/gtfobins/ftp/", - "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to \u201cManage \u2192 Policies\u201d, and edit one or more of your Elastic Defend integration policies.\n- Select the\u201d Policy settings\u201d tab, then scroll down to the \u201cLinux event collection\u201d section near the bottom.\n- Check the box for \u201cProcess events\u201d, and turn on the \u201cInclude session data\u201d toggle.\n- If you want to include file and network alerts in Session View, check the boxes for \u201cNetwork and File events\u201d.\n- If you want to enable terminal output capture, turn on the \u201cCapture terminal output\u201d toggle.\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1202", - "name": "Indirect Command Execution", - "reference": "https://attack.mitre.org/techniques/T1202/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 119 - }, - "id": "52376a86-ee86-4967-97ae-1a05f55816f0_119", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_120.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_120.json deleted file mode 100644 index f0b5643e4eb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_120.json +++ /dev/null @@ -1,160 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.process*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Deprecated - Linux Restricted Shell Breakout via Linux Binary(s)", - "note": "## Triage and analysis\n\n### Investigating Deprecated - Linux Restricted Shell Breakout via Linux Binary(s)\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.executable != null and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\" and not process.parent.executable == \"/usr/bin/log4j-cve-2021-44228-hotpatch\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and\n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and\n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n\n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not\n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\" and\n not process.parent.executable == \"/bin/busybox\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", - "references": [ - "https://gtfobins.github.io/gtfobins/apt/", - "https://gtfobins.github.io/gtfobins/apt-get/", - "https://gtfobins.github.io/gtfobins/nawk/", - "https://gtfobins.github.io/gtfobins/mawk/", - "https://gtfobins.github.io/gtfobins/awk/", - "https://gtfobins.github.io/gtfobins/gawk/", - "https://gtfobins.github.io/gtfobins/busybox/", - "https://gtfobins.github.io/gtfobins/c89/", - "https://gtfobins.github.io/gtfobins/c99/", - "https://gtfobins.github.io/gtfobins/cpulimit/", - "https://gtfobins.github.io/gtfobins/crash/", - "https://gtfobins.github.io/gtfobins/env/", - "https://gtfobins.github.io/gtfobins/expect/", - "https://gtfobins.github.io/gtfobins/find/", - "https://gtfobins.github.io/gtfobins/flock/", - "https://gtfobins.github.io/gtfobins/gcc/", - "https://gtfobins.github.io/gtfobins/mysql/", - "https://gtfobins.github.io/gtfobins/nice/", - "https://gtfobins.github.io/gtfobins/ssh/", - "https://gtfobins.github.io/gtfobins/vi/", - "https://gtfobins.github.io/gtfobins/vim/", - "https://gtfobins.github.io/gtfobins/capsh/", - "https://gtfobins.github.io/gtfobins/byebug/", - "https://gtfobins.github.io/gtfobins/git/", - "https://gtfobins.github.io/gtfobins/ftp/", - "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to \u201cManage \u2192 Policies\u201d, and edit one or more of your Elastic Defend integration policies.\n- Select the\u201d Policy settings\u201d tab, then scroll down to the \u201cLinux event collection\u201d section near the bottom.\n- Check the box for \u201cProcess events\u201d, and turn on the \u201cInclude session data\u201d toggle.\n- If you want to include file and network alerts in Session View, check the boxes for \u201cNetwork and File events\u201d.\n- If you want to enable terminal output capture, turn on the \u201cCapture terminal output\u201d toggle.\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1202", - "name": "Indirect Command Execution", - "reference": "https://attack.mitre.org/techniques/T1202/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 120 - }, - "id": "52376a86-ee86-4967-97ae-1a05f55816f0_120", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5301ac83-7a43-4c92-95e7-c372afea807d_1.json b/packages/security_detection_engine/kibana/security_rule/5301ac83-7a43-4c92-95e7-c372afea807d_1.json new file mode 100644 index 00000000000..b36d6f396e2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5301ac83-7a43-4c92-95e7-c372afea807d_1.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an IAM user that successfully signs in to the AWS Management Console from two or more distinct countries within a short window. A single user authenticating from multiple geographic locations in a brief period is physically implausible and indicates that the account's credentials or console session are being used from more than one place at once. This is a hallmark of adversary-in-the-middle (AiTM) phishing and session theft, where the legitimate user signs in from their location while the attacker replays the captured session or credentials from their own infrastructure. Because the attacker logs in from a different network, the divergent sign-in geolocations are the detectable signal even when MFA appears satisfied (AiTM relays the live MFA challenge). This is the CloudTrail-native analog of identity-provider impossible-travel sign-in detections.", + "false_positives": [ + "Legitimate users may appear in multiple countries within the window when using VPNs or proxies with exit nodes in different countries, when traveling near borders, or when mobile networks geolocate to different countries. Verify the source IPs and ASNs in \"Esql.source_ip_values\", confirm whether the locations are consistent with the user's expected activity, and exclude known VPN egress patterns after validation. Shared IAM users (an anti-pattern) used by multiple people will also match." + ], + "from": "now-65m", + "interval": "10m", + "language": "esql", + "license": "Elastic License v2", + "name": "AWS IAM User Console Login from Multiple Geolocations", + "note": "## Triage and analysis\n\n### Investigating AWS IAM User Console Login from Multiple Geolocations\n\nThis rule aggregates successful \"ConsoleLogin\" events for each IAM user over the lookback window and alerts when the logins originate from two or more distinct countries. Concurrent sign-ins from different geographies indicate the credentials or console session are in use from more than one location, a strong signal of adversary-in-the-middle (AiTM) phishing or session theft. AiTM relays the victim's live MFA, so the console login records MFA as used; the divergent geolocations, not the MFA field, are the indicator.\n\n### Possible investigation steps\n\n- Review \"Esql.source_geo_country_iso_code_values\" and \"Esql.source_ip_values\" to identify the locations and networks, and determine which (if any) is the user's expected origin.\n- Compare \"Esql.timestamp_min\" and \"Esql.timestamp_max\" to assess how implausible the travel is.\n- Identify the user in \"aws.cloudtrail.user_identity.arn\" and check for hands-on-keyboard activity immediately after the logins (CreateAccessKey, login profile or MFA changes, IAM policy changes, data access).\n- Determine whether any of the source networks are VPNs, proxies, or hosting providers inconsistent with the user.\n\n### False positive analysis\n\n- VPN/proxy exit nodes, border travel, and mobile roaming can place a legitimate user in multiple countries. Confirm the activity is expected and exclude known networks after validation. Shared IAM users will also trigger this and should be remediated.\n\n### Response and remediation\n\n- If unauthorized, revoke the user's console sessions, reset the password and MFA, and rotate access keys.\n- Review and revert changes made during the sessions, and migrate console access to IAM Identity Center with phishing-resistant MFA (FIDO2/passkeys), which defeats AiTM relay.\n\n### Additional information\n\n- [AWS sign-in CloudTrail events](https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html)\n", + "query": "FROM logs-aws.cloudtrail-*\n| WHERE event.provider == \"signin.amazonaws.com\"\n AND event.action == \"ConsoleLogin\"\n AND event.outcome == \"success\"\n AND aws.cloudtrail.user_identity.type == \"IAMUser\"\n AND source.geo.country_iso_code IS NOT NULL\n| STATS\n Esql.source_geo_country_iso_code_count_distinct = COUNT_DISTINCT(source.geo.country_iso_code),\n Esql.source_as_organization_name_count_distinct = COUNT_DISTINCT(source.as.organization.name),\n Esql.source_ip_values = VALUES(source.ip),\n Esql.source_geo_country_iso_code_values = VALUES(source.geo.country_iso_code),\n Esql.timestamp_min = MIN(@timestamp),\n Esql.timestamp_max = MAX(@timestamp)\n BY aws.cloudtrail.user_identity.arn, cloud.account.id\n| WHERE Esql.source_geo_country_iso_code_count_distinct >= 2\n| KEEP aws.cloudtrail.user_identity.arn, cloud.account.id, Esql.source_geo_country_iso_code_count_distinct, Esql.source_as_organization_name_count_distinct, Esql.source_ip_values, Esql.source_geo_country_iso_code_values, Esql.timestamp_min, Esql.timestamp_max\n", + "references": [ + "https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-kit-and-beyond/" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.arn", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.account.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5301ac83-7a43-4c92-95e7-c372afea807d", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Sign-In", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1539", + "name": "Steal Web Session Cookie", + "reference": "https://attack.mitre.org/techniques/T1539/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "5301ac83-7a43-4c92-95e7-c372afea807d_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55260656-76d6-427b-bd02-7acdde131b64_1.json b/packages/security_detection_engine/kibana/security_rule/55260656-76d6-427b-bd02-7acdde131b64_1.json new file mode 100644 index 00000000000..962f4d8f226 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/55260656-76d6-427b-bd02-7acdde131b64_1.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a single principal directly invoking AWS Lambda functions at a high volume within a one-hour window. Adversaries may drive excessive invocations to abuse functions for resource hijacking or cryptomining, to inflate costs in a denial-of-wallet attack, or to enumerate function behavior. This is a volumetric heuristic: the threshold is environment-dependent and high-throughput applications can exceed it, so tune it to the deployment. This rule relies on AWS Lambda data event logging, which is not enabled by default.", + "false_positives": [ + "Legitimate high-throughput applications, batch jobs, load tests, and automation can invoke functions at high volume and will exceed any fixed threshold. Validate the principal in `aws.cloudtrail.user_identity.arn` and the workload context, and tune the threshold to the environment." + ], + "from": "now-61m", + "interval": "60m", + "investigation_fields": { + "field_names": [ + "aws.cloudtrail.user_identity.arn", + "cloud.account.id", + "Esql.invocation_count", + "Esql.source_ips" + ] + }, + "language": "esql", + "license": "Elastic License v2", + "name": "AWS Lambda Function High-Frequency Invocation by a Single Principal", + "note": "## Triage and analysis\n\n### Investigating AWS Lambda Function High-Frequency Invocation by a Single Principal\n\nA principal issuing a high volume of direct Lambda invocations in a short window can indicate function abuse for resource hijacking or cryptomining, a denial-of-wallet cost attack, or behavioral enumeration. Because Lambda data events record only the invocation metadata (caller, function, source) and not the function's internal behavior, this rule is purely volumetric and should be treated as corroborating signal.\n\n### Possible investigation steps\n\n- Identify the principal in `aws.cloudtrail.user_identity.arn` and determine whether the volume exceeds its historical baseline.\n- Determine whether the principal is a known high-throughput application or automation identity, or an unexpected user.\n- Review `source.ip` / `user_agent.original` and recent credential activity for signs of compromise.\n- Correlate with billing/concurrency metrics and with other Lambda or IAM activity by the same principal.\n\n### False positive analysis\n\n- High-throughput apps, batch processing, and load tests routinely exceed fixed thresholds. Tune the threshold and exclude known high-volume identities after validation.\n\n### Response and remediation\n\n- If abuse is confirmed, throttle or disable the affected functions (reserved concurrency), rotate or restrict the principal's credentials, and review function code and execution-role permissions.\n- Apply per-function reserved concurrency and account-level guardrails to bound cost and blast radius.\n\n### Additional information\n\n- [Logging Lambda data events with CloudTrail](https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html)\n- [Lambda function scaling and concurrency](https://docs.aws.amazon.com/lambda/latest/dg/lambda-concurrency.html)\n", + "query": "from logs-aws.cloudtrail-*\n\n// Lambda invocation data events (data-plane; requires data event logging enabled)\n| where\n event.provider == \"lambda.amazonaws.com\"\n and event.action like \"Invoke*\"\n and event.outcome == \"success\"\n and aws.cloudtrail.user_identity.arn IS NOT NULL\n\n| stats\n Esql.invocation_count = count(*),\n Esql.source_ips = values(source.ip)\n by\n aws.cloudtrail.user_identity.arn\n\n// Threshold is environment-dependent \u2014 tune to the deployment\n| where Esql.invocation_count >= 1000\n\n| keep\n aws.cloudtrail.user_identity.arn,\n Esql.invocation_count,\n Esql.source_ips\n\n| sort Esql.invocation_count desc\n", + "references": [ + "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html", + "https://docs.aws.amazon.com/lambda/latest/dg/lambda-concurrency.html" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.arn", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "55260656-76d6-427b-bd02-7acdde131b64", + "setup": "## Setup\n\nThis rule requires AWS Lambda data events to be logged in CloudTrail and ingested via the AWS integration. Lambda\ninvocation (`Invoke`) is a data-plane event and is NOT logged by default; enable data event logging for Lambda functions\nin the trail (optionally scoped to sensitive functions to manage volume). Tune the invocation-count threshold in the\nquery to the environment before enabling.\n", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS CloudTrail", + "Data Source: AWS Lambda", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1496", + "name": "Resource Hijacking", + "reference": "https://attack.mitre.org/techniques/T1496/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "55260656-76d6-427b-bd02-7acdde131b64_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56fa718c-a0de-4492-97ff-bbc444b015b8_1.json b/packages/security_detection_engine/kibana/security_rule/56fa718c-a0de-4492-97ff-bbc444b015b8_1.json new file mode 100644 index 00000000000..0349e67f1bc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/56fa718c-a0de-4492-97ff-bbc444b015b8_1.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies a successful write to an Azure virtual machine resource (\"MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE\"). This operation is the parent action behind VM userData injection, where an adversary with VM contributor rights writes a base64 startup payload into the VM \"userData\" field that executes on the next reboot (a control-plane persistence technique requiring no guest access). The Azure activity log does not record the \"userData\" value or which property changed, so this behavior is indistinguishable from any other VM write at detection time. This is a building block rule and does not generate alerts on its own; it captures the VM write population so it can be correlated with other signals and baselined over time to tune a higher-fidelity userData-injection detection. To investigate a candidate, retrieve the live \"userData\" from the VM with an Azure Resource Manager GET using \"$expand=userData\".", + "false_positives": [ + "The vast majority of VM writes are benign: provisioning, resizing, tagging, extension/identity changes, autoscale, and configuration management by users, service principals, and managed identities. This rule is informational only and is intended for correlation and baselining, not standalone alerting." + ], + "from": "now-9m", + "index": [ + "logs-azure.activitylogs-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Virtual Machine Configuration Modified", + "query": "data_stream.dataset:azure.activitylogs and\n event.action:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE\" and\n event.outcome:(success or Success)\n", + "references": [ + "https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors", + "https://learn.microsoft.com/en-us/azure/virtual-machines/user-data" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "56fa718c-a0de-4492-97ff-bbc444b015b8", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Domain: Endpoint", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Use Case: Asset Visibility", + "Tactic: Persistence", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1651", + "name": "Cloud Administration Command", + "reference": "https://attack.mitre.org/techniques/T1651/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "56fa718c-a0de-4492-97ff-bbc444b015b8_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_109.json b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_109.json deleted file mode 100644 index 8707f9d4b0e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_109.json +++ /dev/null @@ -1,116 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", - "false_positives": [ - "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "auditbeat-*", - "filebeat-*", - "logs-network_traffic.*", - "logs-panw.panos*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "VNC (Virtual Network Computing) from the Internet", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating VNC (Virtual Network Computing) from the Internet\n\nVNC allows remote control of systems, facilitating maintenance and resource sharing. However, when exposed to the Internet, it becomes a target for attackers seeking unauthorized access. Adversaries exploit VNC for initial access or as a backdoor. The detection rule identifies suspicious VNC traffic by monitoring specific TCP ports and filtering out trusted IP ranges, flagging potential threats for further investigation.\n\n### Possible investigation steps\n\n- Review the source IP address of the alert to determine if it is from an untrusted or suspicious location, as the rule filters out known trusted IP ranges.\n- Check the destination IP address to confirm it belongs to an internal network (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) and verify if the system is authorized to receive VNC traffic.\n- Analyze the network traffic logs for the specified TCP ports (5800-5810) to identify any unusual patterns or repeated access attempts that could indicate malicious activity.\n- Investigate the context of the event by correlating it with other security alerts or logs to determine if there are signs of a broader attack or compromise.\n- Assess the risk and impact of the potential threat by evaluating the criticality of the affected system and any sensitive data it may contain.\n\n### False positive analysis\n\n- Internal testing or maintenance activities may trigger the rule if VNC is used for legitimate purposes within a controlled environment. To manage this, create exceptions for known internal IP addresses that frequently use VNC for authorized tasks.\n- Automated systems or scripts that utilize VNC for routine operations might be flagged. Identify these systems and exclude their IP addresses from the rule to prevent unnecessary alerts.\n- Remote workers using VPNs that route traffic through public IPs could be mistakenly identified as threats. Ensure that VPN IP ranges are included in the trusted IP list to avoid false positives.\n- Misconfigured network devices that inadvertently expose VNC ports to the Internet can cause alerts. Regularly audit network configurations to ensure VNC ports are not exposed and adjust the rule to exclude known safe configurations.\n- Third-party service providers accessing systems via VNC for support purposes might be flagged. Establish a list of trusted IPs for these providers and update the rule to exclude them from detection.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any active VNC sessions originating from untrusted IP addresses to cut off potential attacker access.\n- Conduct a thorough review of system logs and network traffic to identify any unauthorized changes or data access that may have occurred during the VNC session.\n- Reset credentials for any accounts that were accessed or could have been compromised during the unauthorized VNC session.\n- Apply security patches and updates to the VNC software and any other potentially vulnerable applications on the affected system.\n- Implement network segmentation to ensure that VNC services are only accessible from trusted internal networks and not exposed to the Internet.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected.", - "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - }, - { - "package": "panw", - "version": "^5.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 73, - "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", - "severity": "high", - "tags": [ - "Tactic: Command and Control", - "Domain: Endpoint", - "Use Case: Threat Detection", - "Data Source: PAN-OS", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1219", - "name": "Remote Access Tools", - "reference": "https://attack.mitre.org/techniques/T1219/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 109 - }, - "id": "5700cb81-df44-46aa-a5d7-337798f53eb8_109", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/590fc62d-7386-4c75-92b0-af4517018da1_7.json b/packages/security_detection_engine/kibana/security_rule/590fc62d-7386-4c75-92b0-af4517018da1_7.json new file mode 100644 index 00000000000..5c37ce6fa91 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/590fc62d-7386-4c75-92b0-af4517018da1_7.json @@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects unusual modification of GenAI tool configuration files. Adversaries may inject malicious MCP server configurations to hijack AI agents for persistence, C2, or data exfiltration. Attack vectors include malware or scripts directly poisoning config files, supply chain attacks via compromised dependencies, and prompt injection attacks that abuse the GenAI tool itself to modify its own configuration. Unauthorized MCP servers added to these configs execute arbitrary commands when the AI tool is next invoked.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Unusual Process Modifying GenAI Configuration File", + "new_terms_fields": [ + "process.executable" + ], + "note": "## Triage and analysis\n\n### Investigating Unusual Process Modifying GenAI Configuration File\n\nConfiguration files for GenAI tools like Cursor, Claude, Copilot, and Ollama control which MCP servers, plugins, and extensions are loaded. Attackers target these files to inject malicious MCP servers that execute arbitrary commands, exfiltrate data, or establish persistence. Threats include external processes (malware, compromised scripts, supply chain attacks) directly modifying configs, as well as prompt injection attacks that abuse the AI tool's own file access capabilities.\n\n### Possible investigation steps\n\n- Identify the process that modified the configuration file and determine if it's expected (GenAI tool, installer, user action) or suspicious (unknown script, malware).\n- If the modifying process is NOT a GenAI tool, investigate its origin, parent process tree, and whether it was downloaded or executed from a suspicious location.\n- If a GenAI tool made the modification, check recent user prompts or agent activity that may have triggered the config change via prompt injection.\n- Review the contents of the modified configuration file for suspicious MCP server URLs, unauthorized plugins, or unusual agent permissions.\n- Examine the process command line and parent process tree to identify how the modifying process was invoked.\n- Check for other file modifications by the same process around the same time, particularly to other GenAI configs or startup scripts.\n- Investigate whether the GenAI tool subsequently connected to unknown domains or spawned unusual child processes after the config change.\n\n### False positive analysis\n\n- Novel but legitimate configuration changes will trigger this rule when the process hasn't been seen modifying these files within the configured history window. Review the modified file content to determine legitimacy.\n- GenAI tool updates may modify config files in new ways; correlate with recent software updates.\n- IDE extensions integrating with GenAI tools may modify configs as part of initial setup.\n- Developer tools (git, go, npm) checking out or downloading projects containing `.gemini/` or `.claude/` directories may trigger alerts. These are project-level configs, not user configs - verify by checking if the path is within a project directory.\n\n### Response and remediation\n\n- Review the modified configuration file and revert any unauthorized changes to MCP servers, plugins, or agent settings.\n- If malicious MCP servers were added, block the associated domains at the network level.\n- Review and rotate any API keys or credentials that may have been exposed through the compromised GenAI configuration.\n", + "query": "event.category : \"file\" and event.action : (\"modification\" or \"overwrite\") and\nfile.path : (\n */.cursor/mcp.json or */.cursor/settings.json or */AppData/Roaming/Cursor/*mcp* or\n */.claude/* or */claude_desktop_config.json or */AppData/Roaming/Claude/* or\n */.config/github-copilot/* or */AppData/Local/GitHub?Copilot/* or\n */.ollama/config* or */AppData/Local/Ollama/* or\n */.codex/* or */AppData/Roaming/Codex/* or\n */.gemini/* or */AppData/Roaming/gemini-cli/* or\n */.grok/* or */AppData/Roaming/Grok/* or\n */.windsurf/* or */AppData/Roaming/Windsurf/* or\n */.vscode/extensions/*mcp* or\n */.openclaw/* or */AppData/Roaming/OpenClaw/* or\n */.moltbot/* or */AppData/Roaming/Moltbot/* or\n */.config/openclaw/*\n) and not (\n file.extension : (lck or lock or log or png or marker or shm or wal or sqlite or sqlite-shm or sqlite-wal or jsonl or journal or xcuserstate) or\n file.name : (\n .DS_Store or .last-cleanup or mcp-needs-auth-cache.json or policy-limits.json or\n .claude.json.backup* or\n *.tmp*\n ) or\n file.path : (\n */.claude/cache/* or\n */.claude/statsig/* or\n */.claude/sessions/* or\n */.claude/shell-snapshots/* or\n */.claude/plugins/* or\n */.claude/worktrees/* or\n */.gemini/antigravity-browser-profile/* or\n */.gemini/tmp/* or\n */.codex/.tmp/* or\n */.codex/tmp/* or\n */.codex/log/* or\n */.codex/sessions/* or\n */.cursor/extensions/* or\n */.vscode/extensions/* or\n */.vscode-oss/extensions/* or\n */opt/homebrew/.claude/* or\n */opt/homebrew/.cursor/* or\n */opt/homebrew/.codex/* or\n */node_modules/* or\n */cargo/registry/* or\n */go/pkg/mod/*\n ) or\n (\n file.path : (*/.codex/* or */.claude/* or */.gemini/*) and\n file.extension : sqlite\n ) or\n (\n file.path : */.config/github-copilot/* and\n file.name : (apps.json or versions.json or copilot*nitrite.db)\n ) or\n process.name : build-script-build or\n (\n file.path : (*/.codex/.tmp/* or */.claude/plugins/* or */.claude/worktrees/* or */node_modules/* or */cargo/registry/* or */go/pkg/mod/*) and\n file.extension : (h or out or part or rs or toml)\n )\n)\n", + "references": [ + "https://modelcontextprotocol.io/", + "https://www.cybereason.com/blog/security-research/weaponized-ai-how-cybercriminals-exploit-mcp-for-account-takeover", + "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks", + "https://www.elastic.co/security-labs/elastic-advances-llm-security" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "590fc62d-7386-4c75-92b0-af4517018da1", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Domain: LLM" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/" + }, + { + "id": "T1554", + "name": "Compromise Host Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 7 + }, + "id": "590fc62d-7386-4c75-92b0-af4517018da1_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_109.json b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_109.json deleted file mode 100644 index 751fd34d9dc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_109.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects use of the systemsetup command to enable remote SSH Login.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote SSH Login Enabled via systemsetup Command", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Remote SSH Login Enabled via systemsetup Command\n\nThe `systemsetup` command in macOS is a utility that allows administrators to configure system settings, including enabling remote SSH login, which facilitates remote management and access. Adversaries may exploit this to gain unauthorized access and move laterally within a network. The detection rule identifies suspicious use of `systemsetup` to enable SSH, excluding legitimate administrative tools, by monitoring process execution patterns and arguments.\n\n### Possible investigation steps\n\n- Review the process execution details to confirm the use of the systemsetup command with the arguments \"-setremotelogin\" and \"on\" to ensure the alert is not a false positive.\n- Check the parent process of the systemsetup command to identify if it was executed by a known administrative tool or script, excluding /usr/local/jamf/bin/jamf as per the rule.\n- Investigate the user account associated with the process execution to determine if it is a legitimate administrator or a potentially compromised account.\n- Examine recent login events and SSH access logs on the host to identify any unauthorized access attempts or successful logins following the enabling of remote SSH login.\n- Correlate this event with other security alerts or logs from the same host or network segment to identify potential lateral movement or further malicious activity.\n\n### False positive analysis\n\n- Legitimate administrative tools like Jamf may trigger this rule when enabling SSH for authorized management purposes. To handle this, ensure that the process parent executable path for Jamf is correctly excluded in the detection rule.\n- Automated scripts used for system configuration and maintenance might enable SSH as part of their routine operations. Review these scripts and, if verified as safe, add their parent process paths to the exclusion list.\n- IT support activities that require temporary SSH access for troubleshooting can also cause false positives. Document these activities and consider scheduling them during known maintenance windows to reduce alerts.\n- Security software or management tools that periodically check or modify system settings could inadvertently trigger this rule. Identify these tools and exclude their specific process paths if they are confirmed to be non-threatening.\n\n### Response and remediation\n\n- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or lateral movement.\n- Terminate any suspicious or unauthorized SSH sessions that are currently active on the affected system.\n- Review and revoke any unauthorized SSH keys or credentials that may have been added to the system.\n- Conduct a thorough examination of the system logs to identify any additional unauthorized activities or changes made by the adversary.\n- Restore the system to a known good state from a backup taken before the unauthorized SSH access was enabled, if possible.\n- Implement network segmentation to limit SSH access to only trusted administrative systems and users.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems have been compromised.", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name == \"systemsetup\" and\n process.args like~ \"-setremotelogin\" and \n process.args like~ \"on\" and\n process.parent.executable != null and\n not process.parent.executable like (\"/usr/local/jamf/bin/jamf\", \"/usr/libexec/xpcproxy\", \"/usr/bin/sudo\")\n", - "references": [ - "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", - "https://ss64.com/osx/systemsetup.html", - "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^9.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.004", - "name": "SSH", - "reference": "https://attack.mitre.org/techniques/T1021/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 109 - }, - "id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_109", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5bdad1d5-5001-4a13-ae99-fa8619500f1a_8.json b/packages/security_detection_engine/kibana/security_rule/5bdad1d5-5001-4a13-ae99-fa8619500f1a_8.json new file mode 100644 index 00000000000..247a8415799 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5bdad1d5-5001-4a13-ae99-fa8619500f1a_8.json @@ -0,0 +1,175 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when a base64 decoded payload is piped to an interpreter on Linux systems. Adversaries may use base64 encoding to obfuscate data and pipe it to an interpreter to execute malicious code. This technique may be used to evade detection by host- or network-based security controls.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*", + "logs-crowdstrike.fdr*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Base64 Decoded Payload Piped to Interpreter", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Base64 Decoded Payload Piped to Interpreter\n\nBase64 encoding is a method to encode binary data into ASCII text, often used for data obfuscation. Adversaries exploit this by encoding malicious payloads and decoding them on a target system, piping the output to interpreters like bash or python for execution. The detection rule identifies such activities by monitoring for processes that decode Base64 and subsequently execute scripts, indicating potential malicious behavior.\n\n### Possible investigation steps\n\n- Review the process command line arguments to identify the specific Base64 decoding activity, focusing on the presence of flags like `-d` or `-a` in conjunction with tools such as `base64`, `openssl`, or scripting languages like `python`, `perl`, or `ruby`.\n- Examine the parent process entity ID and command line to understand the context in which the Base64 decoding was initiated, identifying any potentially suspicious parent processes.\n- Investigate the subsequent interpreter process that was executed, such as `bash`, `python`, or `ruby`, to determine the nature of the script or command being run, looking for any signs of malicious activity.\n- Check the timing and sequence of the processes involved to confirm if the Base64 decoding and interpreter execution occurred within the specified maxspan of 3 seconds, indicating a likely automated or scripted action.\n- Analyze the host ID and any associated user accounts to determine if the activity aligns with expected behavior for that system or user, or if it suggests unauthorized access or compromise.\n- Correlate the alert with other security events or logs from the same host or user to identify any additional indicators of compromise or related suspicious activities.\n\n### False positive analysis\n\n- Legitimate administrative scripts may use Base64 encoding to handle data securely. Review the context of the script execution and consider excluding specific scripts or directories from monitoring if they are verified as safe.\n- Automated backup or data transfer processes might use Base64 encoding for data integrity. Identify these processes and create exceptions for known, trusted applications or scripts.\n- Development environments often use Base64 encoding for testing purposes. If a development tool or script is frequently triggering alerts, consider excluding the specific development environment or user accounts from this rule.\n- Security tools or monitoring solutions may use Base64 encoding as part of their normal operations. Verify the source of the alert and exclude known security tools from triggering this rule.\n- System updates or package installations might involve Base64 operations. Monitor the timing and context of these alerts and exclude specific update processes if they are consistently identified as false positives.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further execution of potentially malicious code and lateral movement.\n- Terminate any suspicious processes identified by the detection rule, particularly those involving base64 decoding and piping to interpreters.\n- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise, such as unauthorized file modifications or network connections.\n- Restore the system from a known good backup if malicious activity is confirmed and the integrity of the system is compromised.\n- Update and patch all software and systems to mitigate vulnerabilities that could be exploited by similar techniques.\n- Implement enhanced monitoring and logging for base64 decoding activities and interpreter executions to detect similar threats in the future.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if broader organizational impacts exist.\n", + "query": "sequence by host.id, process.parent.entity_id with maxspan=3s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"ProcessRollup2\") and (\n (process.name in (\"base64\", \"base64plain\", \"base64url\", \"base64mime\", \"base64pem\", \"base32\", \"base16\") and process.command_line like~ \"*-*d*\") or\n (process.name == \"openssl\" and process.args == \"enc\" and process.args in (\"-d\", \"-base64\", \"-a\")) or\n (process.name like \"python*\" and\n (process.args == \"base64\" and process.args in (\"-d\", \"-u\", \"-t\")) or\n (process.args == \"-c\" and process.args like \"*base64*\" and process.command_line like~ \"*b64decode*\")\n ) or\n (process.name like \"perl*\" and process.command_line like~ \"*decode_base64*\") or\n (process.name like \"ruby*\" and process.args == \"-e\" and process.command_line like~ \"*Base64.decode64*\")\n )]\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"ProcessRollup2\") and process.name like~ (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"perl*\", \"ruby*\", \"lua*\", \"php*\"\n ) and\n not (\n ?process.parent.command_line in (\n \"bash ./run_tests.sh unit-integration\",\n \"/bin/sh /var/lib/dpkg/info/nmap-common.postinst configure\",\n \"bash -c base64 -d <<< Zm9yIHN2YyBpbiBxZW11LWt2bSBvdnMtdnN3aXRjaGQgbGlidmlydGQgdmlydGxvY2tkIHBhY2VtYWtlciBwY3NkOyBkbyBzeXN0ZW1jdGwgaXMtYWN0aXZlICRzdmM7IGRvbmU= | bash -l\"\n ) or\n process.command_line == \"/usr/bin/perl /usr/bin/shasum -a 256\" or\n ?process.working_directory like (\n \"/usr/local/zeek\", \"/opt/zeek\", \"/var/lib/docker/overlay2/*/opt/zeek\", \"/usr/local/zeek_old_install\",\n \"/var/lib/docker/overlay2/*/usr/local/zeek\", \"/proc/self/fd/*/usr/local/zeek\"\n ) or\n (?process.parent.name == \"zsh\" and ?process.parent.command_line like \"*extendedglob*\") or\n (process.name like \"python*\" and ?process.parent.name == \"python*\") or\n process.args like \"/tmp/apt-key-gpghome*\" or\n ?process.parent.executable like (\"/home/*/.aimee-code/bin/claude\", \"/home/*/.aimee-code/bin/opencode\") or\n ?process.parent.command_line like \"*/home/*/.claude/shell-snapshots/snapshot-*\"\n )]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "5bdad1d5-5001-4a13-ae99-fa8619500f1a", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Data Source: Crowdstrike" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + }, + { + "id": "T1059.006", + "name": "Python", + "reference": "https://attack.mitre.org/techniques/T1059/006/" + }, + { + "id": "T1059.011", + "name": "Lua", + "reference": "https://attack.mitre.org/techniques/T1059/011/" + } + ] + }, + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "5bdad1d5-5001-4a13-ae99-fa8619500f1a_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5dc3519c-1f56-42fc-9a70-7e6b705c2781_1.json b/packages/security_detection_engine/kibana/security_rule/5dc3519c-1f56-42fc-9a70-7e6b705c2781_1.json new file mode 100644 index 00000000000..ab58ccaae0e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5dc3519c-1f56-42fc-9a70-7e6b705c2781_1.json @@ -0,0 +1,145 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when a payload is downloaded by an interpreter, and piped to an interpreter. Attackers may use this technique to download and execute payloads for various malicious purposes, such as establishing persistence or exfiltrating data.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.network*", + "logs-endpoint.events.process*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Payload Downloaded by Interpreter and Piped to Interpreter", + "query": "sequence by host.id, process.parent.entity_id, process.working_directory with maxspan=1s\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and (\n process.name like (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"tclsh\", \"wish\", \"csh\", \"zsh\", \"ksh\", \"fish\",\n \"mksh\", \"busybox\", \"rscript\", \"r\", \"julia\", \"mono\", \"dotnet\", \"groovy\", \"kotlin\",\n \"scala\", \"erlang\", \"escript\", \"ocaml\", \"ocamlopt\", \"ld.so\", \"ld-linux-x86-64.so.2\",\n \"ld-musl-x86_64.so.1\", \"awk\", \"gawk\", \"mawk\", \"nawk\", \"node\", \"nodejs\", \"deno\",\n \"env\", \"timeout\", \"nice\", \"stdbuf\", \"setsid\", \"setarch\", \"unshare\", \"nsenter\", \"flock\",\n \"runuser\", \"sudo\", \"snap\"\n ) or\n process.name like (\"python*\", \"perl*\", \"ruby*\", \"lua*\", \"php*\", \"qemu-*-static\")\n ) and \n not (destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\"\n )\n )]\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n process.name like (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"tclsh\", \"wish\", \"csh\", \"zsh\", \"ksh\", \"fish\",\n \"mksh\", \"busybox\", \"rscript\", \"r\", \"julia\", \"mono\", \"dotnet\", \"groovy\", \"kotlin\",\n \"scala\", \"erlang\", \"escript\", \"ocaml\", \"ocamlopt\", \"ld.so\", \"ld-linux-x86-64.so.2\",\n \"ld-musl-x86_64.so.1\", \"awk\", \"gawk\", \"mawk\", \"nawk\", \"node\", \"nodejs\", \"deno\"\n ) or\n process.name like (\"python*\", \"perl*\", \"ruby*\", \"lua*\", \"php*\")\n ) and (\n stringcontains(process.executable, process.command_line) or\n stringcontains(process.name, process.command_line)\n ) and\n process.args_count == 1]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5dc3519c-1f56-42fc-9a70-7e6b705c2781", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 1 + }, + "id": "5dc3519c-1f56-42fc-9a70-7e6b705c2781_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_109.json b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_109.json deleted file mode 100644 index b65a9417ac0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_109.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.", - "false_positives": [ - "Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace 2SV Policy Disabled", - "note": "## Triage and analysis\n\n### Investigating Google Workspace 2SV Policy Disabled\n\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequencies, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication. 2SV allows users to verify their identity using security keys, Google prompt, authentication codes, text messages, and more.\n\n2SV adds an extra authentication layer for Google Workspace users to verify their identity. If 2SV or MFA aren't implemented, users only authenticate with their user name and password credentials. This authentication method has often been compromised and can be susceptible to credential access techniques when weak password policies are used.\n\nThis rule detects when a 2SV policy is disabled in Google Workspace.\n\n#### Possible investigation steps\n\n- Identify the associated user account(s) by reviewing `user.name` or `source.user.email` in the alert.\n- Identify what password setting was created or adjusted by reviewing `google_workspace.admin.setting.name`.\n- Review if a password setting was enabled or disabled by reviewing `google_workspace.admin.new_value` and `google_workspace.admin.old_value`.\n- After identifying the involved user account, verify administrative privileges are scoped properly.\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method that was used for failed and successful logins.\n\n### False positive analysis\n\n- After finding the user account that updated the password policy, verify whether the action was intentional.\n- Verify whether the user should have Google Workspace administrative privileges that allow them to modify password policies.\n- Review organizational units or groups the role may have been added to and ensure its privileges are properly aligned.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.login\" and event.action:\"2sv_disable\"\n", - "references": [ - "https://support.google.com/a/answer/9176657?hl=en", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5e161522-2545-11ed-ac47-f661ea17fbce", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 109 - }, - "id": "5e161522-2545-11ed-ac47-f661ea17fbce_109", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_106.json b/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_106.json deleted file mode 100644 index 09b5d142c1b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_106.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.", - "false_positives": [ - "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-9m", - "index": [ - "logs-azure.activitylogs-*", - "filebeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Command Execution on Virtual Machine", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Azure Command Execution on Virtual Machine\n\nAzure Virtual Machines (VMs) allow users to run applications and services in the cloud. While roles like Virtual Machine Contributor can manage VMs, they typically can't access them directly. However, commands can be executed remotely via PowerShell, running as System. Adversaries may exploit this to execute unauthorized commands. The detection rule monitors Azure activity logs for command execution events, flagging successful operations to identify potential misuse.\n\n### Possible investigation steps\n\n- Review the Azure activity logs to identify the specific user or service principal that initiated the command execution event, focusing on the operation_name \"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\".\n- Check the event.outcome field to confirm the success of the command execution and gather details about the command executed.\n- Investigate the role and permissions of the user or service principal involved to determine if they have legitimate reasons to execute commands on the VM.\n- Analyze the context of the command execution, including the time and frequency of the events, to identify any unusual patterns or anomalies.\n- Correlate the command execution event with other logs or alerts from the same time period to identify any related suspicious activities or potential lateral movement.\n- If unauthorized access is suspected, review the VM's security settings and access controls to identify and mitigate any vulnerabilities or misconfigurations.\n\n### False positive analysis\n\n- Routine maintenance tasks executed by IT administrators can trigger the rule. To manage this, create exceptions for known maintenance scripts or scheduled tasks that are regularly executed.\n- Automated deployment processes that use PowerShell scripts to configure or update VMs may be flagged. Identify these processes and exclude them from the rule to prevent unnecessary alerts.\n- Security tools or monitoring solutions that perform regular checks on VMs might execute commands that are benign. Whitelist these tools by identifying their specific command patterns and excluding them from detection.\n- Development and testing environments often involve frequent command executions for testing purposes. Consider excluding these environments from the rule or setting up a separate monitoring policy with adjusted thresholds.\n- Ensure that any exclusion or exception is documented and reviewed periodically to maintain security posture and adapt to any changes in the environment or processes.\n\n### Response and remediation\n\n- Immediately isolate the affected virtual machine from the network to prevent further unauthorized command execution and potential lateral movement.\n- Review the Azure activity logs to identify the source of the command execution and determine if it was authorized or part of a larger attack pattern.\n- Revoke any unnecessary permissions from users or roles that have the ability to execute commands on virtual machines, focusing on those with Virtual Machine Contributor roles.\n- Conduct a thorough investigation of the executed commands to assess any changes or impacts on the system, and restore the VM to a known good state if necessary.\n- Implement additional monitoring and alerting for similar command execution activities, ensuring that any future unauthorized attempts are detected promptly.\n- Escalate the incident to the security operations team for further analysis and to determine if additional systems or data may have been compromised.\n- Review and update access control policies and role assignments to ensure that only necessary permissions are granted, reducing the risk of similar incidents in the future.", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and event.outcome:(Success or success)\n", - "references": [ - "https://adsecurity.org/?p=4277", - "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "60884af6-f553-4a6c-af13-300047455491", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Log Auditing", - "Tactic: Execution", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1651", - "name": "Cloud Administration Command", - "reference": "https://attack.mitre.org/techniques/T1651/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "60884af6-f553-4a6c-af13-300047455491_106", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/62ba8542-1246-4647-9b84-98aa1bc0760a_2.json b/packages/security_detection_engine/kibana/security_rule/62ba8542-1246-4647-9b84-98aa1bc0760a_2.json new file mode 100644 index 00000000000..4262e5ba37e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/62ba8542-1246-4647-9b84-98aa1bc0760a_2.json @@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a launch agent or daemon property list file containing abnormal or suspicious values. An adversary may establish persistence by installing a new launch agent or daemon which executes at login. This rule looks for plist files created in LaunchAgents/LaunchDaemons directories with paths commonly used by malware.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Suspicious Launch Agent or Launch Daemon", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Persistence via Suspicious Launch Agent or Launch Daemon\n\nLaunchAgents and LaunchDaemons are the standard macOS mechanisms for starting programs automatically at user login or system boot. While essential for legitimate software, these persistence mechanisms are heavily abused by malware including RustBucket (DPRK), Shlayer, and CloudMensis. This detection rule identifies plist file creation in LaunchAgent/LaunchDaemon directories when performed by suspicious processes including scripts executing from temporary directories, unsigned binaries, or scripting interpreters like Python and osascript.\n\n### Possible investigation steps\n\n- Examine the file.path to identify the specific plist file created and its location (user vs system LaunchAgent/LaunchDaemon directory).\n- Read the plist contents using plutil or defaults to identify the Program or ProgramArguments configured for execution.\n- Analyze the process.executable to understand what created the plist file and assess whether execution from that location (temp directory, hidden folder) is suspicious.\n- Check the process.name and process.code_signature fields to determine if the creating process was a scripting interpreter or unsigned binary.\n- Locate the binary or script referenced in the plist and calculate its hash for threat intelligence lookups.\n- Review the parent process chain to trace back to the initial execution vector that led to plist creation.\n- Correlate with other file and process events to identify additional malware components that may have been deployed simultaneously.\n\n### False positive analysis\n\n- Legitimate software installers may create LaunchAgents/LaunchDaemons during setup, but typically from signed installer processes rather than scripts in temp directories.\n- Development and testing environments may use scripting languages to create launch items. Verify with development teams if such activities are expected.\n- Several legitimate signing IDs are already excluded including vim, JetBrains Toolbox, and Sublime Text.\n- System utilities like cfprefsd may modify plist files during normal operations and are excluded.\n- Enterprise deployment tools may use scripts to configure launch items. Document and exclude approved deployment processes.\n\n### Response and remediation\n\n- Immediately unload the suspicious LaunchAgent or LaunchDaemon using launchctl unload with the plist path.\n- Remove the malicious plist file from the LaunchAgent or LaunchDaemon directory.\n- Locate and remove the executable or script referenced in the plist's Program or ProgramArguments keys.\n- Check for other persistence mechanisms that may have been deployed by the same threat actor.\n- Review system logs for evidence of the persistence mechanism executing and what actions it performed.\n- If the detection matches patterns of known malware families (RustBucket, Shlayer), perform comprehensive IOC searches and threat hunting.\n- Reset any credentials that may have been accessed while the malicious process was running.\n- Monitor for recreation of similar plist files to detect persistent access or ongoing compromise.\n", + "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and \n file.extension == \"plist\" and\n file.path like (\"/Library/LaunchAgents/*\", \"/Library/LaunchDaemons/*\", \n \"/Users/*/Library/LaunchAgents/*\", \"/System/Library/LaunchAgents/*\",\n \"/System/Library/LaunchDaemons/*\") and\n (process.executable like (\"/private/tmp/*\", \"/private/var/root/Library/*\", \"/var/tmp/*\", \n \"/tmp/*\", \"/var/folders/*\", \"/Users/Shared/*\", \"/var/root/*\",\n \"/Library/WebServer/*\", \"/Library/Graphics/*\", \"/Library/Fonts/*\") or\n process.name like~ (\"python*\", \"osascript\", \"bash\", \"zsh\", \"sh\", \"curl\", \"nscurl\", \"wget\", \"java\")) and\n not process.executable like (\"/System/*\", \"/Library/PrivilegedHelperTools/*\") and\n not (process.code_signature.signing_id in (\"com.apple.vim\", \"com.apple.cat\", \"com.apple.cfprefsd\",\n \"com.jetbrains.toolbox\", \"com.apple.pico\", \"com.apple.shove\",\n \"com.sublimetext.4\", \"com.apple.ditto\") and process.code_signature.trusted == true) and\n not (file.path like (\"/Library/LaunchDaemons/com.jumpcloud.*\",\n \"/Library/LaunchAgents/com.jumpcloud.*\",\n \"/Library/LaunchDaemons/com.wazuh.*\",\n \"/Library/LaunchDaemons/com.zscaler.service.plist\") and\n process.executable == \"/bin/bash\")\n", + "references": [ + "https://medium.com/red-teaming-with-a-blue-team-mentality/a-brief-look-at-macos-detections-and-post-infection-analysis-b0ede7ecfeb9", + "https://objective-see.org/blog", + "https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.signing_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "62ba8542-1246-4647-9b84-98aa1bc0760a", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.011", + "name": "Plist Modification", + "reference": "https://attack.mitre.org/techniques/T1547/011/" + } + ] + }, + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.001", + "name": "Launch Agent", + "reference": "https://attack.mitre.org/techniques/T1543/001/" + }, + { + "id": "T1543.004", + "name": "Launch Daemon", + "reference": "https://attack.mitre.org/techniques/T1543/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "62ba8542-1246-4647-9b84-98aa1bc0760a_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/647ae821-a80d-4f07-bb12-d40dd433f6b4_1.json b/packages/security_detection_engine/kibana/security_rule/647ae821-a80d-4f07-bb12-d40dd433f6b4_1.json new file mode 100644 index 00000000000..5a5f02ba729 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/647ae821-a80d-4f07-bb12-d40dd433f6b4_1.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects GKE pod create, update, or patch events that mount sensitive hostPath volumes such as the root filesystem, kubelet paths, or container runtime sockets. This can enable container escape and credential theft. System identities and controller-owned workloads are excluded.", + "false_positives": [ + "Node agents and observability DaemonSets commonly mount host paths like /proc or /var/log. Controller ownerReferences exclusions reduce noise; add image exceptions if needed." + ], + "index": [ + "logs-gcp.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GKE Pod Created with a Sensitive hostPath Volume", + "note": "## Triage and analysis\n\n### Investigating GKE Pod Created with a Sensitive hostPath Volume\n\nReview `gcp.audit.request.spec.volumes.hostPath.path` and whether the mount is required for the workload.\n\n### Investigation steps\n\n- Confirm the hostPath and container images in the audit request.\n- Review `user.email`, namespace, and follow-on secret or exec activity.\n\n### False positives\n\n- Platform DaemonSets mounting /proc or kubelet paths; validate against known agents.", + "query": "data_stream.dataset:gcp.audit and event.outcome:success and\nevent.action:(\"io.k8s.core.v1.pods.create\" or \"io.k8s.core.v1.pods.update\" or \"io.k8s.core.v1.pods.patch\") and\ngcp.audit.request.spec.volumes.hostPath.path:(\n \"/\" or \"/proc\" or \"/root\" or \"/var\" or \"/var/run\" or \"/var/run/docker.sock\" or \"/var/run/crio/crio.sock\" or\n \"/var/run/cri-dockerd.sock\" or \"/var/lib/kubelet\" or \"/var/lib/kubelet/pki\" or \"/var/lib/docker/overlay2\" or \"/etc\" or\n \"/etc/kubernetes\" or \"/etc/kubernetes/manifests\" or \"/etc/kubernetes/pki\" or \"/home/admin\"\n) and not user.email:system\\:* and\nnot gcp.audit.request.metadata.ownerReferences.kind:(\"ReplicaSet\" or \"DaemonSet\" or \"StatefulSet\")\n", + "references": [ + "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath", + "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "gcp.audit.request.metadata.ownerReferences.kind", + "type": "unknown" + }, + { + "ecs": false, + "name": "gcp.audit.request.spec.volumes.hostPath.path", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.email", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "647ae821-a80d-4f07-bb12-d40dd433f6b4", + "setup": "The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Kubernetes", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "647ae821-a80d-4f07-bb12-d40dd433f6b4_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/65f28c4d-cfc8-4847-9cca-f2fb1e319151_2.json b/packages/security_detection_engine/kibana/security_rule/65f28c4d-cfc8-4847-9cca-f2fb1e319151_2.json deleted file mode 100644 index 7fb1c048de5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/65f28c4d-cfc8-4847-9cca-f2fb1e319151_2.json +++ /dev/null @@ -1,167 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule leverages the \"new_terms\" rule type to detect unusual command executions originating from web server processes on Linux systems. Attackers may exploit web servers to maintain persistence on a compromised system, often resulting in atypical command executions. As command execution from web server parent processes is common, the \"new_terms\" rule type approach helps to identify deviations from normal behavior.", - "from": "now-9m", - "history_window_start": "now-5d", - "index": [ - "logs-endpoint.events.process*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Unusual Web Server Command Execution", - "new_terms_fields": [ - "process.command_line" - ], - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Web Server Command Execution\n\nThis rule detects shells invoked by web server processes on Linux to run one-off commands, surfacing command lines the server has never executed before. Attackers exploit vulnerable apps or dropped webshells to launch bash -c from web roots, e.g., download a payload with wget/curl into /opt or /tmp, chmod +x and execute it, or open a reverse shell (nc -e sh) to implant services or cron-like tasks and persist under the web server account.\n\n### Possible investigation steps\n\n- Reconstruct the process tree around the event to identify the shell payload and parent service, determine if it chains downloads, reverse shells, or archive extraction, and hash/snapshot any referenced files.\n- Pivot to web server access and error logs at the timestamp to identify the request path, client IP, user agent, and HTTP verb that triggered execution, noting anomalies like POST uploads, long query strings, or 500s.\n- List and diff newly created or recently modified files under common web roots and application directories around the event time, looking for webshells, chmod+x artifacts, .php/.jsp backdoors, or systemd/cron writes by the same user.\n- Correlate with network telemetry to see if the web tier opened outbound connections or listeners (nc, bash -i, curl/wget), and capture any active sockets and destinations for rapid containment.\n- Validate whether the command matches expected maintenance tasks for the application (e.g., wkhtmltopdf or image processing), and if not, isolate the process and host while scoping for the same pattern across other servers and preserving volatile evidence.\n\n### False positive analysis\n\n- A legitimate web-admin workflow (plugin/module install, content import, or cache warmup) spawns sh -c from an apache/nginx parent in /var/www to run tar/chmod/chown steps, producing a command line the host has not previously executed under www-data.\n- A recently deployed application feature performs server-side document or image processing and rotates logs by calling sh -c from a framework parent (flask/rails/php) with a working directory in /opt or /usr/share/nginx, making the specific shell invocation a new term for this server.\n\n### Response and remediation\n\n- Quarantine the affected web server by removing it from the load balancer, stopping apache/nginx/httpd, and killing the spawned shell (e.g., bash -c) while capturing /proc//cmdline and /proc//environ, lsof, and active sockets for evidence.\n- Block outbound egress from the web server account and immediately deny destinations contacted by curl/wget or reverse shells (nc, bash -i to /dev/tcp), and rotate exposed API keys or credentials referenced in the command line.\n- Eradicate persistence by deleting newly dropped or modified files under /var/www, /usr/share/nginx, /srv/http, /opt, or /home/*/public_html (webshells, .php backdoors), removing downloaded binaries from /tmp or /opt, and cleaning cron/systemd units created by www-data/nginx.\n- Recover by restoring web content and application code from known-good backups or images, verifying file ownership and permissions, and restarting the service with monitored command allowlists and file integrity checks.\n- Escalate to full incident response and forensic imaging if any reverse shell artifacts (nc -e sh, bash -i >& /dev/tcp/*), privileged writes (/etc/systemd/system/*.service, /var/spool/cron/*), or sudo execution by the web server user are observed.\n- Harden by disabling risky exec paths (PHP exec/system/shell_exec and unsafe plugins), enforcing noexec,nodev,nosuid mounts on web roots, applying SELinux/AppArmor confinement to web processes, narrowing outbound egress, and deploying WAF/mod_security rules for upload and RCE vectors.\n", - "query": "event.category:process and host.os.type:linux and event.type:start and event.action:exec and (\n process.parent.name:(\n \"apache\" or \"nginx\" or \"apache2\" or \"httpd\" or \"lighttpd\" or \"caddy\" or \"mongrel_rails\" or \"haproxy\" or\n \"gunicorn\" or \"uwsgi\" or \"openresty\" or \"cherokee\" or \"h2o\" or \"resin\" or \"puma\" or \"unicorn\" or \"traefik\" or \"uvicorn\" or\n \"tornado\" or \"hypercorn\" or \"daphne\" or \"twistd\" or \"yaws\" or \"webfsd\" or \"httpd.worker\" or \"flask\" or \"rails\" or \"mongrel\" or\n php-fpm* or \"php-cgi\" or \"php-fcgi\" or \"php-cgi.cagefs\" or \"java\" or \"node\" or \"catalina.sh\" or \"hiawatha\" or \"lswsctrl\"\n ) or\n user.name:(\"apache\" or \"www-data\" or \"httpd\" or \"nginx\" or \"lighttpd\" or \"tomcat\" or \"tomcat8\" or \"tomcat9\") or\n user.id:(\"33\" or \"498\" or \"48\" or \"54321\")\n) and process.working_directory:(\n /var/www/* or\n /usr/share/nginx/* or\n /srv/www/* or\n /srv/http/* or\n */webapps/* or\n /home/*/public_html/* or\n /home/*/www/* or\n /opt/* or\n /u0*/*\n) and\nprocess.command_line:* and process.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) and process.args:\"-c\" and\nnot (\n (process.parent.name:java and not process.parent.executable:/u0*/*) or\n (process.parent.name:node and process.parent.executable:(/home/*/.vscode-server/* or /users/*/.vscode-server/* or /bin/node or /usr/bin/node or /usr/local/bin/node or /opt/plesk/node/*/bin/node)) or\n process.working_directory:(/u0*/*/sysman/emd or /u0*/app/oracle/product/*/dbhome_* or /u0*/app/oracle/product/*/db_* or /var/www/*edoc*) or\n process.parent.executable:/tmp/* or\n process.args:(/usr/local/bin/wkhtmltopdf* or /usr/bin/rsvg-convert*) or\n process.command_line:*/opt/sc/bin/showvulns*\n)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "65f28c4d-cfc8-4847-9cca-f2fb1e319151", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "Domain: Web", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 2 - }, - "id": "65f28c4d-cfc8-4847-9cca-f2fb1e319151_2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_209.json b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_209.json deleted file mode 100644 index f97fe11f6c7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_209.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Assigning the administrative role to a user will grant them access to the Google Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace.", - "false_positives": [ - "Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Admin Role Assigned to a User", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Assigned to a User\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the principle of least privilege (PoLP). Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created when prebuilt roles are not sufficient.\n\nAdministrator roles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Administrative roles also give users access to the admin console, where domain-wide settings can be adjusted. Threat actors might rely on these new privileges to advance their intrusion efforts and laterally move throughout the organization. Users with unexpected administrative privileges may also cause operational dysfunction if unfamiliar settings are adjusted without warning.\n\nThis rule identifies when a Google Workspace administrative role is assigned to a user.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - The `user.target.email` field contains the user who received the admin role.\n- Identify the role given to the user by reviewing the `google_workspace.admin.role.name` field in the alert.\n- After identifying the involved user, verify their administrative privileges are scoped properly.\n- To identify other users with this role, search the alert for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n - Add `user.email` with the target user account that recently received this new admin role.\n- After identifying the involved user, create a filter with their `user.name` or `user.target.email`. Review the last 48 hours of their activity for anything that may indicate a compromise.\n\n### False positive analysis\n\n- After identifying user account that added the admin role, verify the action was intentional.\n- Verify that the target user who was assigned the admin role should have administrative privileges in Google Workspace.\n- Review organizational units or groups the target user might have been added to and ensure the admin role permissions align.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.action:\"ASSIGN_ROLE\"\n and google_workspace.event.type:\"DELEGATED_ADMIN_SETTINGS\" and google_workspace.admin.role.name : *_ADMIN_ROLE\n", - "references": [ - "https://support.google.com/a/answer/172176?hl=en", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.role.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.event.type", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.003", - "name": "Additional Cloud Roles", - "reference": "https://attack.mitre.org/techniques/T1098/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 209 - }, - "id": "68994a6c-c7ba-4e82-b476-26a26877adf6_209", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/699fdfb9-8430-4dcb-b5a9-da67dae64808_1.json b/packages/security_detection_engine/kibana/security_rule/699fdfb9-8430-4dcb-b5a9-da67dae64808_1.json new file mode 100644 index 00000000000..3b391714a14 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/699fdfb9-8430-4dcb-b5a9-da67dae64808_1.json @@ -0,0 +1,1266 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an Amazon ECR repository or registry policy is modified to grant public access using a wildcard principal (Principal:\"*\") statement. This rule analyzes SetRepositoryPolicy and PutRegistryPolicy events whose policy document grants an Allow effect to a wildcard (\"*\") principal, indicating that pull (and potentially push) permissions were extended to all identities, including unauthenticated users. A public container registry can expose proprietary images and any secrets baked into their layers, and, if push is allowed, enables supply-chain implantation. Public ECR access is sometimes intentional for image distribution, so the granting principal and the permissions should be validated.", + "false_positives": [ + "Repositories used to distribute public images may legitimately contain Principal:\"*\". This rule does not by itself determine whether a Deny statement restricts the same access; review the full policy in \"aws.cloudtrail.request_parameters\" and confirm the granted actions (pull-only versus push) and whether public exposure is intended." + ], + "from": "now-15m", + "interval": "10m", + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "source.as.number", + "source.as.organization.name", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.resources.arn", + "aws.cloudtrail.resources.type", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "esql", + "license": "Elastic License v2", + "name": "AWS ECR Repository or Registry Policy Granted Public Access", + "note": "## Triage and analysis\n\n### Investigating AWS ECR Repository or Registry Policy Granted Public Access\n\nThis rule detects \"SetRepositoryPolicy\" or \"PutRegistryPolicy\" calls where the policy document grants an Allow effect to a wildcard (\"*\") principal, granting access to all identities. A public ECR repository allows anyone to pull its images, exposing proprietary code and any secrets embedded in image layers; if push actions are granted, an adversary can implant a malicious image that downstream ECS, EKS, or Lambda workloads then run.\n\n### Possible investigation steps\n\n- Identify the actor in \"aws.cloudtrail.user_identity.arn\" and \"aws.cloudtrail.user_identity.type\", and review \"source.ip\" and \"user_agent.original\" for an unexpected origin or tool.\n- Extract the policy from \"aws.cloudtrail.request_parameters\" and identify the granted actions; pull actions (BatchGetImage, GetDownloadUrlForLayer) expose images, while push actions (PutImage, UploadLayerPart) enable implantation.\n- Confirm whether a Deny statement restricts the same access, in which case the alert may be a false positive.\n- Determine which repository is affected and whether it contains sensitive images, and correlate with subsequent pull or push activity from external principals.\n\n### False positive analysis\n\n- Public image distribution legitimately uses Principal:\"*\". Confirm the exposure is intended, the actions are pull-only, and the granting principal is approved.\n\n### Response and remediation\n\n- If the exposure is unauthorized, restore a known-good policy or remove the public statement, and review for any external pulls or pushes since the change.\n- Rotate or restrict credentials for the principal if compromise is suspected, and restrict \"ecr:SetRepositoryPolicy\" and \"ecr:PutRegistryPolicy\" to trusted administrators.\n", + "query": "FROM logs-aws.cloudtrail-* METADATA _id, _version, _index\n| WHERE event.provider == \"ecr.amazonaws.com\"\n AND event.action IN (\"SetRepositoryPolicy\", \"PutRegistryPolicy\")\n AND event.outcome == \"success\"\n AND (aws.cloudtrail.user_identity.type IS NULL OR aws.cloudtrail.user_identity.type != \"AWSService\")\n AND aws.cloudtrail.request_parameters RLIKE \"\"\".*\\\"Effect\\\": *\\\"Allow\\\".*\"\"\"\n AND (aws.cloudtrail.request_parameters RLIKE \"\"\".*\\\"Principal\\\": *\\\"\\*\\\".*\"\"\"\n OR aws.cloudtrail.request_parameters RLIKE \"\"\".*\\\"Principal\\\": *\\{ *\\\"AWS\\\": *\\\"\\*\\\".*\"\"\")\n| KEEP _id, _version, _index, @timestamp, aws.*, cloud.*, event.*, source.*, user.*, user_agent.*\n", + "references": [ + "https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_SetRepositoryPolicy.html", + "https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "@timestamp", + "type": "date" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": false, + "name": "_version", + "type": "long" + }, + { + "ecs": false, + "name": "aws.cloudtrail.additional_eventdata", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.api_version", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.console_login.additional_eventdata.login_to", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.console_login.additional_eventdata.mfa_used", + "type": "boolean" + }, + { + "ecs": false, + "name": "aws.cloudtrail.console_login.additional_eventdata.mobile_version", + "type": "boolean" + }, + { + "ecs": false, + "name": "aws.cloudtrail.error_code", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.error_message", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.event_category", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.event_type", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.event_version", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.additional_eventdata", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.digest", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.insight_details", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.attribute", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.groupSet", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.groupSet.items", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.groupSet.items.groupId", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.includeDeprecated", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.instanceId", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.ipPermissions", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.ipPermissions.items", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.ipPermissions.items.fromPort", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.ipPermissions.items.ipRanges", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.ipPermissions.items.ipRanges.items", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.ipPermissions.items.ipRanges.items.cidrIp", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.key", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.omitted", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.protocol", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.reason", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.serialNumber", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.withDecryption", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.response_elements", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.response_elements.documentDescription", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.response_elements.documentDescription.documentType", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.flattened.service_event_details", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.cloudtrail.management_event", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.read_only", + "type": "boolean" + }, + { + "ecs": false, + "name": "aws.cloudtrail.recipient_account_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.request_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.resources.account_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.resources.arn", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.resources.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.response_elements", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.service_event_details", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.session_credential_from_console", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.shared_event_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.access_key_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.arn", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.invoked_by", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.creation_date", + "type": "date" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.mfa_authenticated", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.session_issuer.account_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.session_issuer.arn", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.session_issuer.principal_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.vpc_endpoint_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.s3.bucket.arn", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.s3.bucket.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.s3.metadata", + "type": "unsupported" + }, + { + "ecs": false, + "name": "aws.s3.object.key", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.account.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.account.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.availability_zone", + "type": "keyword" + }, + { + "ecs": false, + "name": "cloud.image.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.instance.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.instance.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.machine.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.account.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.account.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.availability_zone", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.instance.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.instance.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.machine.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.project.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.project.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.region", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.origin.service.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.project.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.project.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.region", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.service.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.account.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.account.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.availability_zone", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.instance.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.instance.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.machine.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.project.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.project.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.region", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.target.service.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.agent_id_status", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.created", + "type": "date" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.duration", + "type": "long" + }, + { + "ecs": true, + "name": "event.end", + "type": "date" + }, + { + "ecs": true, + "name": "event.hash", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.ingested", + "type": "date" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.original", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.reason", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.reference", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.risk_score", + "type": "float" + }, + { + "ecs": true, + "name": "event.risk_score_norm", + "type": "float" + }, + { + "ecs": true, + "name": "event.sequence", + "type": "long" + }, + { + "ecs": true, + "name": "event.severity", + "type": "long" + }, + { + "ecs": true, + "name": "event.start", + "type": "date" + }, + { + "ecs": true, + "name": "event.timezone", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.url", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.as.number", + "type": "long" + }, + { + "ecs": true, + "name": "source.as.organization.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "source.as.organization.name.text", + "type": "text" + }, + { + "ecs": true, + "name": "source.bytes", + "type": "long" + }, + { + "ecs": true, + "name": "source.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.city_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.continent_code", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.continent_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.country_iso_code", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.country_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.location", + "type": "geo_point" + }, + { + "ecs": true, + "name": "source.geo.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.postal_code", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.region_iso_code", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.region_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.geo.timezone", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.mac", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.nat.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.nat.port", + "type": "long" + }, + { + "ecs": true, + "name": "source.packets", + "type": "long" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + }, + { + "ecs": true, + "name": "source.registered_domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.subdomain", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.top_level_domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.email", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.full_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "source.user.full_name.text", + "type": "text" + }, + { + "ecs": true, + "name": "source.user.group.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.group.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.hash", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "source.user.name.text", + "type": "text" + }, + { + "ecs": true, + "name": "source.user.roles", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.email", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.full_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.changes.full_name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.changes.group.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.group.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.hash", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.changes.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.changes.name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.changes.roles", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.email", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.full_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.effective.full_name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.effective.group.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.group.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.hash", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.effective.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.effective.name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.effective.roles", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.email", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.entity.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.full_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.full_name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.group.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.group.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.hash", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.risk.calculated_level", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.risk.calculated_score", + "type": "float" + }, + { + "ecs": true, + "name": "user.risk.calculated_score_norm", + "type": "float" + }, + { + "ecs": true, + "name": "user.risk.static_level", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.risk.static_score", + "type": "float" + }, + { + "ecs": true, + "name": "user.risk.static_score_norm", + "type": "float" + }, + { + "ecs": true, + "name": "user.roles", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.email", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.target.entity.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.full_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.target.full_name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.target.group.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.group.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.hash", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.target.name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user.target.roles", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.device.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.original", + "type": "keyword" + }, + { + "ecs": false, + "name": "user_agent.original.text", + "type": "text" + }, + { + "ecs": true, + "name": "user_agent.os.family", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.os.full", + "type": "keyword" + }, + { + "ecs": false, + "name": "user_agent.os.full.text", + "type": "text" + }, + { + "ecs": true, + "name": "user_agent.os.kernel", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.os.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user_agent.os.name.text", + "type": "text" + }, + { + "ecs": true, + "name": "user_agent.os.platform", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.os.version", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.version", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "699fdfb9-8430-4dcb-b5a9-da67dae64808", + "setup": "This rule requires AWS CloudTrail logs ingested via the Elastic AWS integration. See https://docs.elastic.co/integrations/aws/cloudtrail for setup details.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS ECR", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "699fdfb9-8430-4dcb-b5a9-da67dae64808_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_118.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_118.json new file mode 100644 index 00000000000..ae1b44c1074 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_118.json @@ -0,0 +1,143 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may install legitimate remote monitoring and management (RMM) tools or remote access software on compromised endpoints for command-and-control (C2), persistence, and execution of native commands. This rule detects when a process is started whose name or code signature matches commonly abused RMM or remote access tools. New Terms type: the host.id and process.name pair has not been seen before within the configured 7-day history window.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.process-*", + "endgame-*", + "winlogbeat-*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "logs-system.security*" + ], + "investigation_fields": { + "field_names": [ + "host.id", + "host.name", + "user.name", + "process.entity_id", + "process.name", + "process.executable", + "process.command_line", + "process.hash.sha256", + "process.code_signature.subject_name", + "process.code_signature.trusted", + "process.pe.original_file_name", + "process.parent.entity_id", + "process.parent.name", + "process.parent.executable", + "process.parent.command_line" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen Remote Monitoring and Management Tool", + "new_terms_fields": [ + "host.id", + "process.name" + ], + "note": "## Triage and analysis\n\n### Investigating First Time Seen Remote Monitoring and Management Tool\n\n#### Possible investigation steps\n\n- Validate the alert-local process event and identify the matched RMM artifact.\n - Focus: `host.name`, `host.id`, `process.name`, `process.executable`, `process.code_signature.subject_name`.\n - Review the exact process entity on the alerted host with !{investigate{\"description\":\"Find the exact alerted process entity on the same host around the alert window.\",\"label\":\"Matched process context\",\"providers\":[[{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-1h\",\"relativeTo\":\"now\"}}\n - Implication: The alert proves one Windows process start from the supported process data sources where the `host.id` and `process.name` pair is first seen within the 7-day new terms window; it does not prove the remote session or legitimacy. Close only if the exact host, account, process name, executable, signer, and support or deployment window match a validated change record or verified owner confirmation; otherwise continue.\n- Determine why this RMM process is new for the host.\n - Focus: `host.id`, `process.name`, `process.executable`, `process.command_line`, `process.hash.sha256`.\n - Review same-host executions across the rule history window with !{investigate{\"description\":\"Find same-host executions of the matched process name across the rule history window.\",\"label\":\"Same host process name history\",\"providers\":[[{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.name\",\"queryType\":\"phrase\",\"value\":\"{{process.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-7d/d\",\"relativeTo\":\"now\"}}\n - Implication: Repeated executions clustered around the same deployment or support window can support a bounded benign explanation only when the exact executable, command line, hash, host, and account match the recovered business context. A new hash, renamed executable, unexpected arguments, or executions outside that window keep the case suspicious.\n- Reconstruct the parent process and logon context that launched the tool.\n - Focus: `process.parent.name`, `process.parent.executable`, `process.parent.command_line`, `process.Ext.session_info.logon_type`, `user.name`.\n - Review the parent process entity on the same host with !{investigate{\"description\":\"Recover events for the parent process entity that launched the matched RMM process.\",\"label\":\"Parent process activity\",\"providers\":[[{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.parent.entity_id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-24h\",\"relativeTo\":\"now\"}}\n - Implication: A parent and session that match the same validated change record and account owner confirmation can bound the activity to one workflow. A launch from user-download, browser, archive, script, or unrelated service context is suspicious for social engineering or staged access.\n- Inspect endpoint artifacts and child behavior before broader scoping.\n - Focus: `process.entity_id`, `process.Ext.ancestry`, `process.args`, `process.working_directory`, `process.Ext.token.elevation_level`.\n - Implication: Recover child process, service, file, registry, and persistence evidence from endpoint timeline or live host data before interpretation because those artifact fields are not guaranteed on the alert. Child execution, persistence, unusual working directories, or elevated token use by the matched RMM process supports escalation; absence of recoverable artifacts does not prove benign.\n- If local process, parent, and endpoint-artifact evidence is suspicious or incomplete, broaden scope for the RMM hypothesis.\n - Focus: `host.id`, `user.name`, `process.name`, `process.hash.sha256`, `process.code_signature.subject_name`.\n - Review same host and account activity with !{investigate{\"description\":\"Review activity by the same account on the same host before broader scoping.\",\"label\":\"Host account activity\",\"providers\":[[{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.name\",\"queryType\":\"phrase\",\"value\":\"{{user.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - Review the same executable hash across available process events with !{investigate{\"description\":\"Find other executions of the same executable hash when local evidence is suspicious or unresolved.\",\"label\":\"Executable hash scope\",\"providers\":[[{\"excluded\":false,\"field\":\"process.hash.sha256\",\"queryType\":\"phrase\",\"value\":\"{{process.hash.sha256}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-7d/d\",\"relativeTo\":\"now\"}}\n - Implication: The hypothesis is RMM staging or reuse across hosts or accounts; matching hash activity, related alerts, or repeated account use should drive host and account scoping plus evidence preservation. No related alerts or hash matches only limits currently observed spread and does not prove benign; exact matches limited to the validated host, account, and time window may support closure after the earlier evidence aligns.\n\nDisposition: Escalate suspicious RMM artifacts, launch chains, or expanded scope; close only when alert-local evidence and recovered context prove one expected support or deployment workflow on the exact host and account; preserve and escalate mixed or incomplete cases for more context before final disposition.\n\n### False positive analysis\n\n- Potential benign cases include first deployment of a remote support tool, first use after host rebuild, a product update that changes `process.name`, or a one-time support session only when alert-local and recovered process evidence match `host.id`, `user.name`, `process.name`, `process.executable`, `process.code_signature.subject_name`, `process.code_signature.trusted`, `process.pe.original_file_name`, and `process.hash.sha256` when available, and that evidence aligns with a verified owner confirmation or validated change record for the observed support or deployment window.\n- Do not close on the tool name, signer, executable path, or lack of related alerts alone. Escalate when artifacts indicate social engineering, an unexpected parent or session, a renamed executable, hash mismatch, or unbounded account or host spread.\n- Scope exceptions only to durable future-alert fields that match the validated benign workflow, using `host.id`, `user.name`, `process.name`, `process.executable`, `process.code_signature.subject_name`, `process.code_signature.trusted`, `process.pe.original_file_name`, and `process.hash.sha256` when available. Do not scope exceptions by prose-only groups such as support teams or known RMM activity; preserve and escalate mixed or incomplete cases instead of creating broad exclusions.\n\n### Response and remediation\n\n- Preserve or export case evidence plus volatile process, memory, executable, or file-system artifacts that could be lost before isolation, process termination, cleanup, or other disruptive action.\n- For confirmed malicious activity, scope first by reviewing the matched process, parent and child processes, persistence artifacts, same-hash executions, related alerts, and account activity across affected hosts.\n- After evidence capture and initial scoping, isolate affected hosts or disable active remote access paths when containment is required to prevent continued access.\n- After containment decisions and evidence review, terminate malicious RMM processes, remove persistence, clean up dropped files or services, revoke active sessions, and reset credentials exposed through the RMM session or related activity.\n- If social engineering led to the remote access, validate the user interaction, collect relevant communications or download sources when available, and include affected accounts in credential review.\n- Document confirmed indicators and logging or detection gaps for the responsible detection or logging owners after scoping and containment.\n", + "query": "host.os.type: \"windows\" and\n event.category: \"process\" and event.type: \"start\" and\n (\n process.code_signature.subject_name : (\n \"Action1 Corporation\" or\n \"Aeroadmin LLC\" or\n \"AeroAdmin LLC\" or\n \"AmidaWare LLC\" or\n \"Ammyy LLC\" or\n \"AnyDesk Software GmbH\" or\n \"AOMEI International Network Limited\" or\n \"Atera Networks Ltd\" or\n \"AWERAY PTE. LTD.\" or\n \"BeamYourScreen GmbH\" or\n \"Bomgar Corporation\" or\n \"BreakingSecurity.net\" or\n \"ConnectWise, Inc.\" or\n \"ConnectWise, LLC\" or\n \"Connectwise, LLC\" or\n \"Devolutions Inc\" or\n \"Devolutions inc.\" or\n \"DOMOTZ INC.\" or\n \"DUC FABULOUS CO.,LTD\" or\n \"DWSNET O\u00dc\" or\n \"DWSNET srl\" or\n \"Electronic Team, Inc.\" or\n \"Famatech Corp.\" or\n \"FleetDeck Inc\" or\n \"GlavSoft LLC\" or\n \"GlavSoft LLC.\" or\n \"GoTo Technologies USA, LLC\" or\n \"Hefei Pingbo Network Technology Co. Ltd\" or\n \"IDrive, Inc.\" or\n \"Impero Solutions Limited\" or\n \"IMPERO SOLUTIONS LIMITED\" or\n \"Instant Housecall\" or\n \"ISL Online Ltd.\" or\n \"JumpCloud Inc\" or\n \"Level Software, Inc.\" or\n \"LogMeIn, Inc.\" or\n \"LUNIXAR SAS DE CV\" or\n \"MMSOFT Design Ltd.\" or\n \"Monitoring Client\" or\n \"MSPBytes Corp\" or\n \"MSPBytes, Corp.\" or\n \"N-ABLE TECHNOLOGIES LTD\" or\n \"Nanosystems S.r.l.\" or\n \"NetSupport Ltd\" or\n \"NetSupport Ltd.\" or\n \"NETSUPPORT LTD.\" or\n \"NinjaOne LLC\" or\n \"NinjaRMM, LLC\" or\n \"Open Source Developer, Huabing Zhou\" or\n \"Parallels International GmbH\" or\n \"philandro Software GmbH\" or\n \"Pro Softnet Corporation\" or\n \"PURSLANE\" or\n \"RealVNC\" or\n \"RealVNC Limited\" or\n \"REMOTE UTILITIES PTE. LTD.\" or\n \"Remote Utilities LLC\" or\n \"Rocket Software, Inc.\" or\n \"Rsupport Co., Ltd.\" or\n \"SAFIB\" or\n \"ScreenConnect Client\" or\n \"Servably, Inc.\" or\n \"Servably Inc.\" or\n \"ShowMyPC INC\" or\n \"SimpleHelp Ltd\" or\n \"Splashtop Inc.\" or\n \"Superops Inc.\" or\n \"Tailscale Inc.\" or\n \"TeamViewer\" or\n \"TeamViewer GmbH\" or\n \"TeamViewer Germany GmbH\" or\n \"Techinline Limited\" or\n \"uvnc bvba\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or\n \"Zhou Huabing\" or\n \"ZOHO Corporation Private Limited\"\n ) or\n\n process.name.caseless : (\n AA_v*.exe or\n \"AcronisCyberProtectConnectAgent.exe\" or\n \"AeroAdmin.exe\" or\n \"AgentMon.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"CagService.exe\" or\n \"CloudRaCmd.exe\" or\n \"CloudRaSd.exe\" or\n \"CloudRaService.exe\" or\n ConnectWiseControl*.exe or\n \"connectwisecontrol.client.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"dwrcs.exe\" or\n \"dwrcst.exe\" or\n fleetdeck_commander*.exe or\n \"g2aservice.exe\" or\n \"getscreen.exe\" or\n \"GoToAssistService.exe\" or\n \"GoToResolveProcessChecker.exe\" or\n \"GoToResolveRemoteControl.exe\" or\n \"GoToResolveService.exe\" or\n \"GoToResolveTerminal.exe\" or\n \"GoToResolveUnattended.exe\" or\n \"gotohttp.exe\" or\n \"helpwire.exe\" or\n \"ImmyAgent.exe\" or\n \"ImmyBot.Agent.Ephemeral.exe\" or\n \"ImmyUpdater.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n \"jumpcloud-agent.exe\" or\n \"komari.exe\" or\n \"komari-agent.exe\" or\n \"level.exe\" or\n \"lmi_rescue.exe\" or\n \"lmi_rescue_srv.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ltsvc.exe\" or\n \"ltsvcmon.exe\" or\n \"lttray.exe\" or\n \"Lunixar.exe\" or\n \"LunixarRemote.exe\" or\n \"LunixarUpdater.exe\" or\n \"LvAgent.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"MeshAgent.exe\" or\n \"Mikogo-Service.exe\" or\n \"nezha-agent.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgentPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"parsec.exe\" or\n \"PService.exe\" or\n \"quickassist.exe\" or\n \"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"rcengmgru.exe\" or\n \"RCClient.exe\" or\n \"rcmgrsvc.exe\" or\n \"RCService.exe\" or\n \"Remote Support.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"Remotely_Agent.exe\" or\n \"Remotely_Desktop.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"remoteview.exe\" or\n \"rfusclient.exe\" or\n \"RMM.Agent.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"rvagent.exe\" or\n \"rvagtray.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n \"ScreenConnect.ClientService.exe\" or\n \"session_win.exe\" or\n \"simplegatewayservice.exe\" or\n \"simplehelpcustomer.exe\" or\n \"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"SplashtopSOS.exe\" or\n \"spsrv.exe\" or\n \"sragent.exe\" or\n \"SRService.exe\" or\n \"srmanager.exe\" or\n \"srserver.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"Syncro.App.Runner.exe\" or\n \"Syncro.Installer.exe\" or\n \"Syncro.Overmind.Service.exe\" or\n \"Syncro.Service.exe\" or\n \"SyncroLive.Agent.exe\" or\n \"SyncroLive.Agent.Runner.exe\" or\n \"SyncroLive.Service.exe\" or\n \"tacticalrmm.exe\" or\n \"tailscale.exe\" or\n \"tailscaled.exe\" or\n \"teamviewer.exe\" or\n \"teamviewer_desktop.exe\" or\n \"teamviewer_service.exe\" or\n \"TiAgent.exe\" or\n \"TiClientCore.exe\" or\n \"ToDesk_Service.exe\" or\n \"ToolsIQ.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n \"twingate.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n \"Velociraptor.exe\" or\n \"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"ZA_Access.exe\" or\n \"za_connect.exe\" or\n \"Zaservice.exe\" or\n \"ZMAgent.exe\" or\n \"ZohoMeeting.exe\" or\n \"zohotray.exe\" or\n \"ZohoURS.exe\" or\n \"ZohoURSService.exe\"\n )\n ) and\n not (process.pe.original_file_name : (\"G2M.exe\" or \"Updater.exe\" or \"powershell.exe\") and process.code_signature.subject_name : \"LogMeIn, Inc.\")\n", + "references": [ + "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", + "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a", + "https://www.cisa.gov/sites/default/files/2025-06/aa25-163a-ransomware-simplehelp-rmm-compromise.pdf", + "https://lolrmm.io/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.name.caseless", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", + "setup": "## Setup\n\nThis rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.\n\nSetup instructions: https://ela.st/install-elastic-defend\n\n### Additional data sources\n\nThis rule also supports the following third-party data sources. For setup instructions, refer to the links below:\n\n- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)\n- [Windows Process Creation Logs](https://ela.st/audit-process-creation)\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Windows Security Event Logs", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/", + "subtechnique": [ + { + "id": "T1219.002", + "name": "Remote Desktop Software", + "reference": "https://attack.mitre.org/techniques/T1219/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 118 + }, + "id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc_118", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_208.json b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_208.json deleted file mode 100644 index 03418bd3477..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_208.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", - "false_positives": [ - "Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Role Modified", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Role Modified\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt admin roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred. Each Google Workspace service has a set of custodial privileges that can be added to custom roles.\n\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might modify existing roles with new privileges to advance their intrusion efforts and laterally move throughout the organization. Users with unexpected privileges might also cause operational dysfunction if unfamiliar settings are adjusted without warning.\n\nThis rule identifies when a Google Workspace role is modified.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role modified by reviewing the `google_workspace.admin.role.name` field in the alert.\n- Identify the privilege that was added or removed by reviewing the `google_workspace.admin.privilege.name` field in the alert.\n- After identifying the involved user, verify administrative privileges are scoped properly.\n- To identify other users with this role, search for `event.action: ASSIGN_ROLE`\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this role.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n- If a privilege was added, monitor users assigned this role for the next 24 hours and look for attempts to use the new privilege.\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\n - The `event.action` field will help trace actions that are being taken by users.\n\n### False positive analysis\n\n- After identifying the user account that modified the role, verify the action was intentional.\n- Verify that the user is expected to have administrative privileges in Google Workspace to modify roles.\n- Review organizational units or groups the role might have been added to and ensure the new privileges align properly.\n- Use the `user.name` to filter for `event.action` where `ADD_PRIVILEGE` or `UPDATE_ROLE` has been seen before to check if these actions are new or historical.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n", - "references": [ - "https://support.google.com/a/answer/2406043?hl=en", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 208 - }, - "id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5_208", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_208.json b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_208.json deleted file mode 100644 index 726b5936cb9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_208.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.", - "false_positives": [ - "Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Application Added to Google Workspace Domain", - "note": "## Triage and analysis\n\n### Investigating Application Added to Google Workspace Domain\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule checks for applications that were manually added to the Marketplace by a Google Workspace account.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security > Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n", - "references": [ - "https://support.google.com/a/answer/6328701?hl=en#", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 208 - }, - "id": "785a404b-75aa-4ffd-8be5-3334a5a544dd_208", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_316.json b/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_316.json new file mode 100644 index 00000000000..293348679ba --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_316.json @@ -0,0 +1,228 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious ScreenConnect Client Child Process", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious ScreenConnect Client Child Process\n\nScreenConnect, a remote access tool, facilitates legitimate remote support but can be exploited by adversaries to execute unauthorized commands. Malicious actors may spawn processes like PowerShell or cmd.exe via ScreenConnect to perform harmful activities. The detection rule identifies such suspicious child processes, focusing on unusual arguments and process names, indicating potential abuse of remote access capabilities.\n\n### Possible investigation steps\n\n- Review the parent process name to confirm it is one of the ScreenConnect client processes listed in the query, such as ScreenConnect.ClientService.exe or ScreenConnect.WindowsClient.exe, to verify the source of the suspicious activity.\n- Examine the child process name and arguments, such as powershell.exe with encoded commands or cmd.exe with /c, to identify potentially malicious actions or commands being executed.\n- Check the network activity associated with the suspicious process, especially if the process arguments include network-related terms like *http* or *downloadstring*, to determine if there is any unauthorized data exfiltration or command and control communication.\n- Investigate the user account under which the suspicious process was executed to assess if the account has been compromised or is being misused.\n- Correlate the event with other security alerts or logs from data sources like Elastic Defend or Microsoft Defender XDR to gather additional context and identify any related malicious activities.\n- Review the system's recent activity and changes, such as new scheduled tasks or services created by schtasks.exe or sc.exe, to identify any persistence mechanisms that may have been established by the attacker.\n\n### False positive analysis\n\n- Legitimate IT support activities using ScreenConnect may trigger the rule when executing scripts or commands for maintenance. To manage this, identify and whitelist specific IT support accounts or IP addresses that regularly perform these actions.\n- Automated scripts or scheduled tasks that use ScreenConnect for routine operations might be flagged. Review and document these scripts, then create exceptions for known benign processes and arguments.\n- Software updates or installations initiated through ScreenConnect can appear suspicious. Maintain a list of approved software and update processes, and exclude these from the rule.\n- Internal security tools or monitoring solutions that leverage ScreenConnect for legitimate purposes may be detected. Verify these tools and add them to an exclusion list to prevent false positives.\n- Training sessions or demonstrations using ScreenConnect to showcase command-line tools could be misinterpreted as threats. Ensure these sessions are logged and recognized as non-threatening, and adjust the rule to accommodate these scenarios.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.\n- Terminate any suspicious processes identified in the alert, such as PowerShell, cmd.exe, or other flagged executables, to halt any ongoing malicious activity.\n- Review and revoke any unauthorized user accounts or privileges that may have been created or modified using tools like net.exe or schtasks.exe.\n- Conduct a thorough scan of the affected system using endpoint protection tools to identify and remove any malware or unauthorized software installed by the attacker.\n- Restore the system from a known good backup if any critical system files or configurations have been altered or compromised.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Implement enhanced monitoring and logging for ScreenConnect and other remote access tools to detect similar activities in the future, ensuring that alerts are promptly reviewed and acted upon.", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name :\n (\"ScreenConnect.ClientService.exe\",\n \"ScreenConnect.WindowsClient.exe\",\n \"ScreenConnect.WindowsBackstageShell.exe\",\n \"ScreenConnect.WindowsFileManager.exe\") and\n (\n (process.name : \"powershell.exe\" and\n process.args : (\"-enc\", \"-ec\", \"-e\", \"*downloadstring*\", \"*Reflection.Assembly*\", \"*http*\")) or\n (process.name : \"cmd.exe\" and process.args : \"/c\") or\n (process.name : \"net.exe\" and process.args : \"/add\") or\n (process.name : \"schtasks.exe\" and process.args : (\"/create\", \"-create\")) or\n (process.name : \"sc.exe\" and process.args : \"create\") or\n (process.name : \"rundll32.exe\" and not process.args : \"url.dll,FileProtocolHandler\") or\n (process.name : \"msiexec.exe\" and process.args : (\"/i\", \"-i\") and\n process.args : (\"/q\", \"/quiet\", \"/qn\", \"-q\", \"-quiet\", \"-qn\", \"-Q+\")) or\n process.name : (\"mshta.exe\", \"certutil.exe\", \"bitsadmin.exe\", \"certreq.exe\", \"wscript.exe\", \"cscript.exe\", \"curl.exe\",\n \"ssh.exe\", \"scp.exe\", \"wevtutil.exe\", \"wget.exe\", \"wmic.exe\")\n )\n", + "references": [ + "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546", + "setup": "## Setup\n\nThis rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.\n\nSetup instructions: https://ela.st/install-elastic-defend\n\n### Additional data sources\n\nThis rule also supports the following third-party data sources. For setup instructions, refer to the links below:\n\n- [CrowdStrike](https://ela.st/crowdstrike-integration)\n- [Microsoft Defender XDR](https://ela.st/m365-defender)\n- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)\n- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)\n- [Windows Process Creation Logs](https://ela.st/audit-process-creation)\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender XDR", + "Data Source: Windows Security Event Logs", + "Data Source: Crowdstrike" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + }, + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.005", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1218/005/" + }, + { + "id": "T1218.007", + "name": "Msiexec", + "reference": "https://attack.mitre.org/techniques/T1218/007/" + }, + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + }, + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + }, + { + "id": "T1059.005", + "name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + }, + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 316 + }, + "id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546_316", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7c7d2a89-b7e9-4e8d-bbf2-5a782fdcc803_1.json b/packages/security_detection_engine/kibana/security_rule/7c7d2a89-b7e9-4e8d-bbf2-5a782fdcc803_1.json new file mode 100644 index 00000000000..40d4d016bd7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7c7d2a89-b7e9-4e8d-bbf2-5a782fdcc803_1.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects a POST to the Splunk Enterprise PostgreSQL backup endpoint followed by a POST to the restore endpoint from the same client to the same host within a 15-minute window. This sequence is unusual and can align with the public CVE-2026-20253 pre-authentication RCE chain, where an attacker stages a database dump via the backup path and executes attacker-controlled SQL via the restore path.", + "false_positives": [ + "Legitimate PostgreSQL recovery operations performed by Splunk administrators through the backup and restore API. These should be rare and originate from known management networks. If such operations occur in your environment, scope exceptions by source IP or approved management network rather than suppressing the rule entirely." + ], + "from": "now-19m", + "language": "esql", + "license": "Elastic License v2", + "max_signals": 5, + "name": "Splunk Enterprise PostgreSQL Backup-to-Restore Potential RCE Sequence", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Splunk Enterprise PostgreSQL Backup-to-Restore Potential RCE Sequence\n\nThis rule fires when the same source IP sends a POST to both the `/backup` and `/restore` recovery\nendpoints on the same Splunk host within 15 minutes. This two-step sequence is unusual and aligns with\nthe watchTowr CVE-2026-20253 RCE chain: the backup request can place an attacker-controlled\nPostgreSQL dump on the Splunk filesystem (using `backupFile` path traversal or absolute path\ninjection), and the restore request can load that dump and execute attacker-controlled SQL through the\nlocal PostgreSQL instance. A backup-plus-restore pair from an unrecognized source IP on a production\nSplunk host should be investigated as potential exploitation.\n\n### Possible investigation steps\n\n- Review `http.response.status_code` for both requests. A `400` on the backup step indicates the\n sidecar handler was reached (the request parsed but failed), consistent with a vulnerable host.\n- Check whether the backup request body (if captured by a WAF or proxy) contains `hostaddr=`,\n `host=`, or `passfile=` in the `database` field, or path traversal (`../`) or absolute paths\n in the `backupFile` field. These are the connection-string injection and file-placement artifacts\n specific to this exploit chain.\n- Correlate with host telemetry on the Splunk server: look for new or modified files under\n `/opt/splunk/etc/apps/`, `/opt/splunk/var/packages/`, or `/tmp/` around the time of the requests.\n- Check for Splunk process execution of `pg_dump` or `pg_restore` with unusual arguments,\n particularly connection strings containing external hostnames or IP addresses.\n- Check for outbound network connections from the Splunk host to external PostgreSQL services\n (port 5432 or similar) following the backup request \u2014 this indicates successful connection-string\n injection causing the server to pivot to an attacker-controlled database.\n- Verify whether the target Splunk host is running an affected version (10.0.0\u201310.0.6 or\n 10.2.0\u201310.2.3). Splunk Enterprise 10.4 and Splunk Cloud are not affected.\n\n### False positive analysis\n\n- Authorized administrative recovery operations using the sidecar API. These should originate from\n known management IPs; create exceptions for approved management network ranges.\n- Red-team or vulnerability management tooling that runs a full backup-to-restore probe as part of\n a CVE-2026-20253 exposure check.\n\n### Response and remediation\n\n- Treat a confirmed backup-and-restore sequence from an unrecognized source as active exploitation.\n Isolate the Splunk host from the network immediately and preserve forensic state.\n- Examine the Splunk host for new or modified files, scheduled tasks, and PostgreSQL extension\n objects that may have been placed by the restore step.\n- Patch Splunk Enterprise to an unaffected version (SVD-2026-0603). There is no vendor-provided\n workaround; patching is the only mitigation.\n- Block Splunk Web port (default 8000) at the perimeter and restrict access to management networks\n while patching is in progress.\n", + "query": "from logs-network_traffic.http*, logs-zeek.http*, logs-suricata.eve*\n| where http.request.method == \"POST\"\n and (\n url.path like \"*splunkd/__raw/v1/postgres/recovery/*\" or\n url.path like \"/v1/postgres/recovery/*\"\n )\n| eval Esql.is_backup = case(url.path like \"*/backup\", 1, 0)\n| eval Esql.is_restore = case(url.path like \"*/restore\", 1, 0)\n| stats\n Esql.backup_count = SUM(Esql.is_backup),\n Esql.restore_count = SUM(Esql.is_restore),\n Esql.first_seen = MIN(@timestamp),\n Esql.last_seen = MAX(@timestamp),\n Esql.statuses = VALUES(http.response.status_code)\n by source.ip, destination.ip\n| eval Esql.duration_minutes = DATE_DIFF(\"minute\", Esql.first_seen, Esql.last_seen)\n| where Esql.backup_count >= 1 and Esql.restore_count >= 1\n and Esql.duration_minutes <= 15\n| keep source.ip, destination.ip, Esql.*\n", + "references": [ + "https://nvd.nist.gov/vuln/detail/CVE-2026-20253", + "https://advisory.splunk.com/advisories/SVD-2026-0603", + "https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce/", + "https://attack.mitre.org/techniques/T1190/" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + }, + { + "package": "zeek", + "version": "^5.0.0" + }, + { + "package": "suricata", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "7c7d2a89-b7e9-4e8d-bbf2-5a782fdcc803", + "setup": "## Setup\n\nThis rule requires HTTP request metadata with `url.path` and `http.request.method` populated from\none of the following sources visible to the sensor without TLS decryption:\n- Zeek (`logs-zeek.http*`) where Splunk Web traffic is cleartext or the sensor is downstream of TLS\n termination.\n- Suricata (`logs-suricata.eve*`) in the same deployment conditions\n- Elastic Agent `network_traffic` integration (`logs-network_traffic.http*`) with HTTP parsing enabled\n\nSplunk Web listens on TCP port 8000 by default (`web.conf` `httpport`), which is included in the\ndefault Network Packet Capture/Packetbeat HTTP port list. Add any custom Splunk Web `httpport` value\nto the HTTP protocol configuration. Splunk's management service defaults to TCP port 8089\n(`mgmtHostPort`) and commonly uses TLS; add 8089 only if management/API traffic is directly exposed or\nvisible to the sensor after decryption. If the PostgreSQL sidecar is directly exposed or monitored\nlocally on TCP port 5435, add port 5435 as an HTTP port as well. Zeek and Suricata can identify\nplaintext HTTP on non-standard ports through protocol detection when their HTTP analyzers are enabled.\nFor TLS deployments, the sensor must observe decrypted HTTP, sit downstream of TLS termination, or use\nproxy or load balancer logs that expose the HTTP path, method, and status code.\n\nThe rule uses a 19-minute lookback and verifies that the first and last matching recovery events are\nno more than 15 minutes apart. Ensure `event.ingested` is populated and `timestamp_override` is set.\n", + "severity": "medium", + "tags": [ + "Domain: Network", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Use Case: Network Security Monitoring", + "Tactic: Initial Access", + "Data Source: Network Packet Capture", + "Data Source: Network Traffic", + "Data Source: Zeek", + "Data Source: Suricata", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "7c7d2a89-b7e9-4e8d-bbf2-5a782fdcc803_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_109.json b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_109.json deleted file mode 100644 index f0fed20cc9e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_109.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.", - "false_positives": [ - "Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Bitlocker Setting Disabled", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Bitlocker Setting Disabled\n\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\n\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\n\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\n- From the Google Workspace admin console, review `Reporting > Audit` and `Investigation > Device` logs, filtering on the user email identified from the alert.\n - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.\n\n### False positive analysis\n\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.admin.new_value:\"Disabled\" and google_workspace.admin.setting.name:BitLocker*\n", - "references": [ - "https://support.google.com/a/answer/9176657?hl=en", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.new_value", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.setting.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "7caa8e60-2df0-11ed-b814-f661ea17fbce", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 109 - }, - "id": "7caa8e60-2df0-11ed-b814-f661ea17fbce_109", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7ed84571-58ac-46da-a0ab-9c213ef2927b_1.json b/packages/security_detection_engine/kibana/security_rule/7ed84571-58ac-46da-a0ab-9c213ef2927b_1.json new file mode 100644 index 00000000000..73adb14e6e3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7ed84571-58ac-46da-a0ab-9c213ef2927b_1.json @@ -0,0 +1,149 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the execution of command line arguments capable of spawning shells or establishing network connections through Busybox. This technique can be used to execute commands while attempting to evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Command Execution via Busybox Proxy", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious Command Execution via Busybox Proxy\n\nThis rule flags Busybox being used as a proxy to launch shells or make outbound connections on Linux, a common way to hide command execution behind a trusted multi-call binary and slip past simple detections. An intruder can drop a script or binary in /tmp or /dev/shm, then run Busybox sh with /dev/tcp, nc, or openssl to establish a reverse shell and execute follow-on commands.\n\n### Possible investigation steps\n\n- Reconstruct the full execution chain around the Busybox invocation to identify the initiating script or binary, the user or service account involved, and whether the parent came from a writable or ephemeral location such as /tmp, /dev/shm, or a hidden working directory.\n- Retrieve and analyze any files or command artifacts referenced in the invocation, including shell scripts, dropped binaries, or inline payloads, and compare their hashes and prevalence against internal baselines and external reputation sources.\n- Review adjacent host activity for follow-on behavior consistent with staging or hands-on-keyboard access, such as additional shell launches, curl or wget downloads, permission changes, archive extraction, credential access attempts, or persistence creation via cron, systemd, or startup scripts.\n- Pivot to network telemetry from the same host and time window to determine whether Busybox or its descendants established outbound sessions, then validate the destination IPs, domains, ports, and protocols against expected business use and known benign infrastructure.\n- Confirm whether the behavior is expected for the asset type, container image, or embedded tooling in use, and if the activity is not readily explained, isolate the host and collect volatile evidence such as active connections, running processes, loaded modules, and recent shell history.\n\n### False positive analysis\n\n- Container or host startup scripts may invoke `busybox sh` with `nc`, `openssl`, or `/dev/tcp` from a temporary path to wait for a local dependency or perform a health check; verify the parent script is part of the expected image or boot workflow and that the destination is a known internal service.\n- An administrator or automation task may stage a temporary script under `/tmp`, `/var/tmp`, or a user home directory that uses `busybox sh` to test port reachability or TLS negotiation during troubleshooting; confirm the initiating account and script contents against approved maintenance activity and check that no suspicious follow-on processes or outbound connections occurred.\n\n### Response and remediation\n\n- Isolate the affected Linux host from the network, terminate the malicious `busybox` process and any spawned shells, and block the destination IPs, domains, and ports used by the outbound session or reverse shell.\n- Preserve copies of the parent script or binary from locations such as `/tmp`, `/var/tmp`, or `/dev/shm`, then remove attacker persistence including cron jobs, `systemd` service files, `rc.local` changes, startup scripts, and unauthorized `authorized_keys` entries tied to the same activity.\n- Reset passwords, revoke tokens, and rotate SSH keys or application secrets for any user or service account that launched Busybox or was exposed on the host, especially when shell history, environment files, or config files contained credentials.\n- Reimage the host or restore it from a known-good baseline, verify trusted package integrity for replaced binaries and scripts, and return the system to service only after confirming no unexpected executables remain in writable or temporary directories.\n- Escalate to incident response immediately if the Busybox session ran as `root`, reached an external address, created persistence beyond a single host, or if other systems show the same dropped script, destination, or follow-on shell activity.\n- Harden the environment by restricting Busybox execution to approved administrative use, mounting temporary directories with `noexec` where feasible, limiting unnecessary outbound egress, and adding detections for shell-capable Busybox usage launched from temporary, hidden, or user-writable paths.\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"start\") and\nprocess.name == \"busybox\" and (\n process.args in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and\n process.command_line like (\n \"*nc *\", \"*netcat*\", \"*openssl*\", \"*telnet*\", \"*exec*\", \"*import*pty*spawn*\", \"*import*subprocess*call*\", \"*socket*\",\n \"*system*\", \"*io.popen*\", \"*os.execute*\", \"*fsockopen*\", \"*/inet/tcp/*\", \"*/dev/tcp/*\", \"*/dev/udp/*\", \"*nohup*\",\n \"*setsid*\", \"*/dev/shm/*\", \"*ld-linux*.so*\", \"*/tmp/*\", \"*/var/tmp/*\", \"*rm*-rf*\"\n )\n) and (\n process.parent.executable like (\n \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"./*\", \"/run/*\", \"/var/run/*\", \"/boot/*\", \"/sys/*\", \"/lost+found/*\",\n \"/proc/*\", \"/var/mail/*\", \"/var/www/*\", \"/home/*\", \"/root/*\" \n ) or\n process.parent.name like \".*\"\n) and not (\n process.parent.command_line in (\"runc init\", \"/usr/local/bin/runc init\") or\n process.parent.executable == \"./runc\" or\n process.parent.executable like (\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/*/bin/php\", \"/tmp/go-build*.test\") or\n process.command_line == \"sh -c echo EXEC\" or\n process.parent.name in (\"ninja_test\", \"ocamlrun\", \"ocamlopt.opt\", \"make\", \"process-wrapper\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7ed84571-58ac-46da-a0ab-9c213ef2927b", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "7ed84571-58ac-46da-a0ab-9c213ef2927b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7efca3ad-a348-43b2-b544-c93a78a0ef92_105.json b/packages/security_detection_engine/kibana/security_rule/7efca3ad-a348-43b2-b544-c93a78a0ef92_105.json deleted file mode 100644 index ef5ccfda84d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7efca3ad-a348-43b2-b544-c93a78a0ef92_105.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects sensitive security file access via common utilities on Linux systems. Adversaries may attempt to read from sensitive files using common utilities to gather information about the system and its security configuration.", - "from": "now-9m", - "index": [ - "endgame-*", - "logs-crowdstrike.fdr*", - "logs-endpoint.events.process*", - "logs-sentinel_one_cloud_funnel.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Security File Access via Common Utilities", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Security File Access via Common Utilities\n\nIn Linux environments, common utilities like `cat`, `grep`, and `less` are essential for file manipulation and viewing. Adversaries exploit these tools to access sensitive security files, aiming to gather system and security configuration data. The detection rule identifies suspicious use of these utilities by monitoring process execution patterns and arguments, flagging attempts to access critical security files, thus helping to thwart potential reconnaissance activities.\n\n### Possible investigation steps\n\n- Review the process execution details to identify the specific utility used (e.g., cat, grep, less) and the exact file path accessed, as indicated by the process.name and process.args fields.\n- Check the user account associated with the process execution to determine if the access was performed by a legitimate user or a potentially compromised account.\n- Investigate the timing and frequency of the access attempt to assess whether it aligns with normal user behavior or indicates suspicious activity.\n- Correlate the alert with other security events or logs from the same host to identify any preceding or subsequent suspicious activities, such as unauthorized logins or privilege escalation attempts.\n- Examine the host's recent changes or updates to security configurations or user permissions that might explain the access attempt.\n- If possible, contact the user or system owner to verify whether the access was intentional and authorized, providing additional context for the investigation.\n\n### False positive analysis\n\n- System administrators or automated scripts may frequently access security files for legitimate maintenance or configuration purposes. To handle this, create exceptions for known administrative accounts or specific scripts that regularly perform these actions.\n- Security monitoring tools or compliance checks might trigger the rule when scanning security files. Identify these tools and exclude their processes from the rule to prevent unnecessary alerts.\n- Backup processes that involve copying or reading security files can be mistaken for suspicious activity. Exclude backup software processes or scheduled tasks that are known to perform these operations.\n- Developers or DevOps personnel accessing configuration files for application deployment or troubleshooting might trigger the rule. Establish a list of trusted users or roles and exclude their access patterns from detection.\n- Regular system updates or package management operations may involve accessing security-related files. Recognize these update processes and exclude them to avoid false positives during routine maintenance.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any suspicious processes identified by the detection rule to halt potential reconnaissance activities.\n- Conduct a thorough review of the accessed files to determine if any sensitive information was exposed or altered.\n- Change credentials and access tokens for any compromised accounts, especially those related to AWS, GCP, or Azure, to prevent unauthorized access.\n- Implement stricter access controls and permissions on sensitive security files to limit exposure to only necessary users and processes.\n- Escalate the incident to the security operations team for further investigation and to assess the potential impact on the broader network.\n- Enhance monitoring and logging for similar activities to improve detection and response times for future incidents.", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n event.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\") and\n process.name in (\"cat\", \"grep\", \"less\", \"more\", \"strings\", \"awk\", \"find\", \"xargs\") and\n process.args like (\n \"/etc/security/*\", \"/etc/pam.d/*\", \"/etc/login.defs\", \"/lib/security/*\", \"/lib64/security/*\",\n \"/usr/lib/security/*\", \"/usr/lib64/security/*\", \"/usr/lib/x86_64-linux-gnu/security/*\",\n \"/home/*/.aws/credentials\", \"/home/*/.aws/config\", \"/home/*/.config/gcloud/*credentials.json\",\n \"/home/*/.config/gcloud/configurations/config_default\", \"/home/*/.azure/accessTokens.json\",\n \"/home/*/.azure/azureProfile.json\"\n ) and \nnot process.parent.name in (\"wazuh-modulesd\", \"lynis\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "crowdstrike", - "version": "^2.0.0" - }, - { - "package": "sentinel_one_cloud_funnel", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "7efca3ad-a348-43b2-b544-c93a78a0ef92", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "7efca3ad-a348-43b2-b544-c93a78a0ef92_105", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7f7a0ee1-7b6f-466a-85b4-110fb105f5e2_4.json b/packages/security_detection_engine/kibana/security_rule/7f7a0ee1-7b6f-466a-85b4-110fb105f5e2_4.json new file mode 100644 index 00000000000..9f58835ea3a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7f7a0ee1-7b6f-466a-85b4-110fb105f5e2_4.json @@ -0,0 +1,155 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects potential SQL injection attempts in web server requests by identifying common SQL injection patterns in URLs. Such activity may indicate reconnaissance or exploitation attempts by attackers trying to manipulate backend databases or extract sensitive information.", + "from": "now-9m", + "index": [ + "logs-nginx.access-*", + "logs-apache.access-*", + "logs-apache_tomcat.access-*", + "logs-iis.access-*", + "logs-traefik.access-*", + "logs-zeek.http-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Web Server Potential SQL Injection Request", + "note": "## Triage and analysis\n\n### Investigating Web Server Potential SQL Injection Request\n\nSQL injection (SQLi) attempts to manipulate backend database queries via unsanitized\ninput passed through web request parameters. This rule flags requests whose URL or\nquery string contains structural patterns characteristic of automated SQLi tooling\n(sqlmap and similar) or manual exploitation techniques, spanning boolean-blind,\ntime-based, error-based, and UNION-based extraction methods across MySQL, MSSQL,\nPostgreSQL, and Oracle syntax.\n\n#### Possible investigation steps\n\n- Identify the full request and response context:\n - `url.original` / `url.query` \u2014 full injected payload\n - `http.request.method`, `http.response.status_code` \u2014 was the request accepted (2xx) or rejected (4xx/5xx/WAF block)?\n - `source.ip`, `source.as.organization.name`, `source.geo.*` \u2014 is this a known scanner IP, hosting/VPS ASN, or unexpected geography for this application's userbase?\n - `user_agent.original` \u2014 check for tool signatures (`sqlmap`, `Assetnote`, `Nessus`, `Nuclei`, etc.) vs. a spoofed browser UA\n- Determine which SQLi technique is present, since it changes the likely intent and next steps:\n - **Boolean-blind** (`AND 1=1--`, `CASE WHEN...THEN...ELSE`) \u2014 attacker inferring true/false conditions one bit/char at a time; usually high request volume against the same parameter\n - **Time-based blind** (`SLEEP`, `BENCHMARK`, `WAITFOR DELAY`, `pg_sleep`) \u2014 look for abnormal response latency on matching requests to confirm exploitation succeeded vs. was blocked\n - **Error-based** (`EXTRACTVALUE`, `UPDATEXML`, `GTID_SUBSET`, `CONVERT(INT,...)`) \u2014 check `http.response.status_code`/body for a 500 or a reflected DB error message; if present, the attacker likely received leaked data directly\n - **UNION-based** (`UNION SELECT NULL,...`, `UNION ALL SELECT...CONCAT(MD5(...`) \u2014 attacker is enumerating column count or confirming a reflection point to pull data directly into the page body\n - **Stacked queries** (`;SELECT...`, `;EXEC xp_cmdshell`) \u2014 most severe; if the DB driver allows multiple statements, this can lead to command execution (`xp_cmdshell`) rather than just data disclosure\n- Pivot on the target parameter and endpoint (e.g. `url.path`, the specific query-string key such as `id=`, `sort=`, `column=`) to see:\n - How many distinct payloads/techniques were tried against the same parameter (suggests automated technique-fuzzing by a single tool run)\n - Whether the same `source.ip` hit multiple endpoints/parameters (broader scan) or repeatedly refined one payload (targeted exploitation attempt)\n- Check for a correlated spike in requests from the same IP/ASN in a tight time window \u2014 sqlmap and similar tools generate many rapid, near-identical requests when fuzzing technique/column count/character position.\n- If the backend database technology is known, cross-check the payload's SQL dialect (MySQL vs. MSSQL vs. PostgreSQL functions) against what the application actually runs \u2014 a payload using the wrong dialect's functions will simply error out and fail, lowering severity.\n- If available, correlate with database-side audit logs (e.g. MSSQL Audit `event.code: 33205`, slow query logs) for the same timeframe/client IP to confirm whether the payload actually reached and executed against the database.\n\n### False positive analysis\n\n- **Vulnerability scanners and security tooling** are the most common source of noise: Assetnote, Burp Suite, Qualys, Nessus, Acunetix, and similar tools intentionally send these exact payloads as part of authorized scanning. Check `user_agent.original` for scanner signatures and cross-reference `source.ip`/ASN against your organization's known scanning infrastructure or third-party ASM vendor.\n- Legitimate application traffic containing SQL-like keywords is rare given the specificity of these patterns (chained `CHAR()` calls, `ELT(n=n,1)` self-comparisons, hex-delimited `CONCAT`), but verify against applications that accept raw SQL fragments as legitimate input (e.g., internal admin/reporting tools with a \"custom query\" field) if any exist in your environment.\n- Consider adding a suppression/exception for confirmed, recurring authorized scanning sources rather than tuning the query patterns themselves, to avoid reducing detection coverage against real attackers using the same tools.\n\n### Response and remediation\n\n- If the request reached the application layer unblocked (`event.outcome: success` / 2xx response) and the payload matches an error-based or UNION-based technique, treat as a potential confirmed data exposure \u2014 check application/database logs for evidence of returned sensitive data.\n- If a stacked-query or `xp_cmdshell` payload succeeded, escalate immediately \u2014 this can lead to OS-level command execution, not just data disclosure.\n- Validate that the affected endpoint uses parameterized queries/prepared statements; SQL injection at this scale of tooling almost always indicates raw string concatenation in the query layer.\n- If exploitation is confirmed, review the database account's privileges used by the web application (least privilege should prevent `xp_cmdshell`, `INFORMATION_SCHEMA` enumeration, or cross-database access even if injection succeeds).\n- Block or rate-limit the source IP/ASN at the WAF or reverse proxy if not already filtered, and consider a virtual-patch WAF rule for the specific vulnerable parameter while the application fix is developed.\n- Review other requests from the same source IP across the retention window for prior reconnaissance (e.g., directory enumeration, parameter fuzzing) that may have preceded the injection attempt.\n", + "query": "any where (\nurl.original like~ (\n \"*dbms_pipe.receive_message%28chr%*\",\n \"*waitfor%20delay%20%270%3a0%3a*\",\n \"*%28select%28sleep%285*\", \"*%28select%20*from%20pg_sleep%285*\", \"*%3bselect%20pg_sleep%285*\",\n \"*and%20sleep%28*%29*\", \"*or%20sleep%28*%29*\", \"*case%20when*then%20sleep%28*\", \"*if%28sleep%28*%29*\",\n \"*benchmark%28*%2c*md5%28*\",\n \"*convert%28int%2c%28select%20char%28*\",\n \"*char%28*char%28*char%28*char%28*\",\n \"*concat%28concat%28char%28*\",\n \"*case%20when%20%28*%3d*%29%20then*else*end*\",\n \"*elt%28*%3d*%2c1%29%29*\",\n \"*union%20select%20null%2cnull*\", \"*union%20all%20select%20null*\",\n \"*union%20all%20select%20*concat%28md5%28*\",\n \"*extractvalue%28*concat%280x*\", \"*updatexml%28*concat%280x*\",\n \"*procedure%2f%2a%2a%2fanalyse%28extractvalue%28*\",\n \"*gtid_subset%28concat%280x*\", \"*gtid_subtract%28concat%280x*\",\n \"*mid%28ifnull%28session_user%28%29*\",\n \"*'qq'%2b%28%28select%20@@version%29%29%2b'qq'*\",\n \"*%27%20or%20%271%27%3d%271*\", \"*%22%20or%20%221%22%3d%221*\", \"*%27%20or%20%27a%27%3d%27a*\",\n \"*and%201%3d1--*\", \"*and%201%3d2--*\",\n \"*%29%3bselect*if%28%28ord%28mid%28*\",\n \"*xp_cmdshell*\",\n \"*select%20*into%20outfile*\", \"*select%20*into%20dumpfile*\",\n \"*load_file%28*\", \"*load%5ffile%28*\",\n \"*select%20*from%20information_schema.tables*\", \"*from%20information_schema.columns%20where%20table_schema*\",\n \"*dbms_pipe%2ereceive_message*\", \"*dbms_lock%2esleep*\",\n \"*select%20@@version*\", \"*select%20user%28%29*\", \"*select%20current_user%28%29*\", \"*select%20database%28%29*\",\n \"*sp_executesql%20*exec%20*\", \"*xp_dirtree*\"\n )\n or\n url.query like~ (\n \"*dbms_pipe.receive_message(chr*\",\n \"*waitfor delay '0:0:*\",\n \"*(select(sleep(5*\", \"*(select*from pg_sleep(5*\", \"*;select pg_sleep(5*\",\n \"*and sleep(*)*\", \"*or sleep(*)*\", \"*case when*then sleep(*\", \"*if(sleep(*)*\",\n \"*benchmark(*,*md5(*\",\n \"*convert(int,(select char(*\",\n \"*char(*char(*char(*char(*\",\n \"*concat(concat(char(*\",\n \"*case when (*=*) then*else*end*\",\n \"*elt(*=*,1))*\",\n \"*union select null,null*\", \"*union all select null*\",\n \"*union all select*concat(md5(*\",\n \"*extractvalue(*concat(0x*\", \"*updatexml(*concat(0x*\",\n \"*procedure/**/analyse(extractvalue(*\",\n \"*gtid_subset(concat(0x*\", \"*gtid_subtract(concat(0x*\",\n \"*mid(ifnull(session_user()*\",\n \"*'qq'+((select @@version))+'qq'*\",\n \"*' or '1'='1*\", \"*\\\" or \\\"1\\\"=\\\"1*\", \"*' or 'a'='a*\",\n \"*and 1=1--*\", \"*and 1=2--*\",\n \"*);select*if((ord(mid(*\",\n \"*xp_cmdshell*\",\n \"*select*into outfile*\", \"*select*into dumpfile*\",\n \"*load_file(*\",\n \"*select*from information_schema.tables*\", \"*from information_schema.columns where table_schema*\",\n \"*dbms_pipe.receive_message*\", \"*dbms_lock.sleep*\",\n \"*select @@version*\", \"*select user()*\", \"*select current_user()*\", \"*select database()*\",\n \"*sp_executesql*exec*\", \"*xp_dirtree*\"\n )\n)\n", + "required_fields": [ + { + "ecs": true, + "name": "url.original", + "type": "wildcard" + }, + { + "ecs": true, + "name": "url.query", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2", + "severity": "high", + "tags": [ + "Domain: Web", + "Domain: Network", + "Use Case: Threat Detection", + "Tactic: Reconnaissance", + "Tactic: Credential Access", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Data Source: Traefik", + "Data Source: Zeek", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/", + "subtechnique": [ + { + "id": "T1595.002", + "name": "Vulnerability Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/002/" + }, + { + "id": "T1595.003", + "name": "Wordlist Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81139742-4d3a-49f3-a6dd-e0fb9834f959_1.json b/packages/security_detection_engine/kibana/security_rule/81139742-4d3a-49f3-a6dd-e0fb9834f959_1.json new file mode 100644 index 00000000000..a1025278d21 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/81139742-4d3a-49f3-a6dd-e0fb9834f959_1.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies inbound ICMP Timestamp (type 13) or Information (type 15) requests from external addresses to internal RFC1918 destinations. These message types are rarely used in modern networks and are commonly associated with host and path fingerprinting during reconnaissance.", + "from": "now-9m", + "index": [ + "logs-network_traffic.icmp-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "ICMP Timestamp or Information Request from the Internet", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating ICMP Timestamp or Information Request from the Internet\n\nICMP Timestamp and Information requests are legacy diagnostic messages. Inbound use from the Internet toward internal\nhosts is uncommon in production networks and often indicates active scanning or OS fingerprinting.\n\n### Possible investigation steps\n\n- Review `source.ip` against threat intelligence and prior scan activity on the environment.\n- Determine whether the targeted `destination.ip` is an exposed host, VPN concentrator, or mis-NATed internal asset.\n- Look for adjacent port scans, SYN sweeps, or exploit attempts from the same source around the alert window.\n- Check whether the destination host replied and whether follow-on connections were attempted.\n\n### False positive analysis\n\n- Some legacy network monitoring or SLA probes may still use ICMP Timestamp requests. Maintain exceptions for known\n monitoring source ranges after validation.\n- Shared hosting or multi-tenant environments with overlapping address space may require destination-specific tuning.\n\n### Response and remediation\n\n- Block or rate-limit the external source at the perimeter if activity is unauthorized.\n- Verify that the targeted internal host is not unintentionally exposed to the Internet.\n- Increase monitoring on targeted assets for follow-on exploitation attempts.", + "query": "data_stream.dataset:network_traffic.icmp\n and (network_traffic.icmp.request.type:(13 or 15) or icmp.request.type:(13 or 15))\n and destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n and not source.ip:(\n 10.0.0.0/8 or\n 100.64.0.0/10 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.168.0.0/16 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.175.48.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.88.99.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 224.0.0.0/4 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", + "references": [ + "https://www.rfc-editor.org/rfc/rfc792", + "https://nmap.org/book/host-discovery-techniques.html", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "icmp.request.type", + "type": "integer" + }, + { + "ecs": false, + "name": "network_traffic.icmp.request.type", + "type": "integer" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 21, + "rule_id": "81139742-4d3a-49f3-a6dd-e0fb9834f959", + "setup": "## Setup\n\nThis rule requires ICMP transaction telemetry from the Elastic network_traffic integration (`network_traffic.icmp`\ndata stream).\n", + "severity": "low", + "tags": [ + "Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring", + "Use Case: Threat Detection", + "Data Source: Network Traffic", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/", + "subtechnique": [ + { + "id": "T1595.001", + "name": "Scanning IP Blocks", + "reference": "https://attack.mitre.org/techniques/T1595/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "81139742-4d3a-49f3-a6dd-e0fb9834f959_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8670bf41-cb64-4d65-a0d6-78af17cf8f30_1.json b/packages/security_detection_engine/kibana/security_rule/8670bf41-cb64-4d65-a0d6-78af17cf8f30_1.json new file mode 100644 index 00000000000..6c7d0366b4a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8670bf41-cb64-4d65-a0d6-78af17cf8f30_1.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects HTTP requests to web servers whose URL or query string references cloud instance metadata endpoints or equivalent encoded variants. Attackers exploit server-side request forgery (SSRF) vulnerabilities in web applications to reach link-local metadata services on AWS, GCP, Azure, and similar cloud providers and harvest temporary credentials, tokens, or instance details.", + "from": "now-9m", + "index": [ + "logs-nginx.access-*", + "logs-apache.access-*", + "logs-apache_tomcat.access-*", + "logs-iis.access-*", + "logs-traefik.access-*", + "logs-zeek.http-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Web Server Cloud Metadata SSRF Request", + "note": "## Triage and analysis\n\n### Investigating Web Server Cloud Metadata SSRF Request\n\nThis alert flags inbound HTTP requests to a web server whose `url.original` or `url.query` contains cloud instance\nmetadata addresses, hostnames, or credential paths. A common attacker pattern is exploiting an SSRF vulnerability so\nthe application fetches `http://169.254.169.254/latest/meta-data/iam/security-credentials/` or equivalent GCP and Azure\nmetadata routes, then reuses the returned role credentials against cloud APIs.\n\n#### Possible investigation steps\n\n- Review `url.original`, `url.query`, `http.request.method`, `http.response.status_code`, and `source.ip` to identify\n the injected metadata target, affected route, and whether the server returned a successful response.\n- URL-decode the request repeatedly and inspect parameters for nested encodings, redirect chains, or wrapper URLs that\n hide the metadata destination.\n- Map the targeted endpoint to the backend handler and determine whether user-controlled input can influence outbound\n HTTP requests from the application.\n- Correlate with application, proxy, and outbound network logs around `@timestamp` for connections from the web server\n process to `169.254.169.254`, `100.100.100.200`, `metadata.google.internal`, or Azure metadata hosts.\n- Check cloud audit, sign-in, or token-issuance telemetry for use of instance role or managed identity credentials\n shortly after the request.\n- Pivot on `source.ip` and `user_agent.original` for related SSRF, scanning, or exploitation attempts across other web\n hosts.\n\n### False positive analysis\n\n- Security scanners, authorized penetration tests, or WAF validation may send metadata URLs in test payloads. Confirm the\n activity aligns with an approved assessment window and source before closing as benign.\n- Internal documentation, error pages, or security training content that echoes metadata URLs in query strings can\n trigger the rule without an exploitable SSRF path. Verify the application does not perform outbound fetches based on\n the matched input.\n\n### Response and remediation\n\n- Block the offending `source.ip` at the WAF or reverse proxy and add virtual patches to reject requests containing\n metadata addresses or credential paths.\n- If exploitation is confirmed, isolate the affected application host, preserve access logs, and rotate any cloud role\n or managed identity credentials that may have been exposed.\n- Patch or remediate the SSRF vulnerability by enforcing strict outbound allowlists, blocking link-local and metadata\n destinations, and validating user-supplied URLs.\n- Enforce IMDSv2, hop limits, and least-privilege instance roles to reduce impact if metadata access succeeds.\n", + "query": "web where (\n url.original : (\n \"*169.254.169.254*\", \"*169%2e254%2e169%2e254*\", \"*0xa9fea9fe*\", \"*0xa9.0xfe.0xa9.0xfe*\", \n \"*2852039166*\", \"*0251.0376.0251.0376*\", \"*::ffff:169.254.169.254*\", \"*::ffff:a9fe:a9fe*\", \"*fd00:ec2::254*\",\n \"*100.100.100.200*\", \"*169.254.170.2*\", \"*metadata.google.internal*\", \"*metadata.goog*\", \"*computeMetadata/v1*\",\n \"*meta-data/iam/security-credentials*\", \"*meta-data%2Fiam%2Fsecurity-credentials*\",\n \"*latest/meta-data*\", \"*latest/api/token*\"\n )\n or\n url.query : (\n \"*169.254.169.254*\", \"*169%2e254%2e169%2e254*\", \"*0xa9fea9fe*\", \"*0xa9.0xfe.0xa9.0xfe*\", \n \"*2852039166*\", \"*0251.0376.0251.0376*\", \"*::ffff:169.254.169.254*\", \"*::ffff:a9fe:a9fe*\", \"*fd00:ec2::254*\",\n \"*100.100.100.200*\", \"*169.254.170.2*\", \"*metadata.google.internal*\", \"*metadata.goog*\", \"*computeMetadata/v1*\",\n \"*meta-data/iam/security-credentials*\", \"*meta-data%2Fiam%2Fsecurity-credentials*\",\n \"*latest/meta-data*\", \"*latest/api/token*\"\n )\n)\n", + "references": [ + "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/", + "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery" + ], + "required_fields": [ + { + "ecs": true, + "name": "url.original", + "type": "wildcard" + }, + { + "ecs": true, + "name": "url.query", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8670bf41-cb64-4d65-a0d6-78af17cf8f30", + "severity": "medium", + "tags": [ + "Domain: Web", + "Domain: Cloud", + "Domain: Network", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Initial Access", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Data Source: Traefik", + "Data Source: Zeek", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.005", + "name": "Cloud Instance Metadata API", + "reference": "https://attack.mitre.org/techniques/T1552/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "8670bf41-cb64-4d65-a0d6-78af17cf8f30_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/86817045-ea22-4038-9959-c3437bc4c064_1.json b/packages/security_detection_engine/kibana/security_rule/86817045-ea22-4038-9959-c3437bc4c064_1.json new file mode 100644 index 00000000000..85a1f3d554f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/86817045-ea22-4038-9959-c3437bc4c064_1.json @@ -0,0 +1,178 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Windows OpenSSH or Plink to create a reverse SSH port forward or reverse dynamic SOCKS proxy. Adversaries may abuse reverse forwarding to expose an internal service or proxy listener through an external SSH server, establishing an outbound tunnel that bypasses direct inbound connectivity controls.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "host.name", + "user.name", + "user.id", + "user.domain", + "process.entity_id", + "process.name", + "process.executable", + "process.command_line", + "process.parent.executable", + "process.parent.command_line" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "Potential SSH Reverse Port Forwarding", + "note": "## Triage and analysis\n\n### Investigating Potential SSH Reverse Port Forwarding Detected\n\n#### Possible investigation steps\n\n- What reverse-forward command triggered the alert?\n - Focus: `@timestamp`, `host.id`, `user.name`, `process.name`, `process.command_line`\n - Implication: Confirm via !{investigate{\"description\":\"Recover the process start event and immediate process context for the alerted OpenSSH or Plink reverse-forward command.\",\"label\":\"Matched process context\",\"providers\":[[{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-1h\",\"relativeTo\":\"now\"}} a process start for `ssh.exe` or `plink.exe`/Plink with the matched `-R` or `RemoteForward` artifact. Suspicious when the command exposes an internal service or SOCKS listener without host/account owner confirmation; close only when command, host, account, parent, and remote-forward values match a recognized recurring tunnel workflow for this account.\n- Is the process lineage and executable consistent with the expected workflow?\n - Focus: `process.parent.command_line`, `process.executable`, `process.hash.sha256`, `process.working_directory`, `process.Ext.relative_file_creation_time`\n - Implication: Via !{investigate{\"description\":\"Recover the process start event and immediate process context for the alerted OpenSSH or Plink reverse-forward command.\",\"label\":\"Matched process context\",\"providers\":[[{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-1h\",\"relativeTo\":\"now\"}}, compare parent, path, hash, and file age. Escalate when shells, script interpreters, unusual parents, recently created binaries, or a Plink original name under another process name appear; benign requires the same artifact and parent tied to the verified host/account reverse-forward workflow.\n- Is the tunnel active or recurring on this host?\n - Focus: `host.id`, `process.entity_id`, `process.pid`, `process.uptime`, `process.exit_code`\n - Implication: Use !{investigate{\"description\":\"Find other process events with the same alerted process name on the same host for local recurrence and parent/account comparison.\",\"label\":\"Same host process launches\",\"providers\":[[{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.name\",\"queryType\":\"phrase\",\"value\":\"{{process.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-24h\",\"relativeTo\":\"now\"}} to check whether the SSH/Plink process remained running, exited, or relaunched with reverse-forward arguments. Recurring or long-lived commands outside a confirmed window are suspicious; a single exited process supports closure only with owner confirmation and no unresolved process or network evidence.\n- What remote SSH server and exposed service are implied?\n - Focus: `process.args`, `process.command_line`, `destination.ip`, `destination.port`, `network.direction`\n - Implication: Parse `-R`/`RemoteForward` syntax, then recover same-process connection events if network telemetry exists; `destination.*` and `network.*` are connection-event fields not present on the process alert. Missing network telemetry is unresolved, not benign. Escalate when the remote host, port, or exposed service does not match the confirmed workflow.\n- Where else does the same binary or reverse-forward pattern appear?\n - Focus: `process.hash.sha256`, `process.name`, `host.name`, `user.name`, `process.command_line`\n - Implication: Use !{investigate{\"description\":\"Find other events for the same executable hash to scope repeated use of the matched OpenSSH or Plink binary after local validation.\",\"label\":\"Executable hash scope\",\"providers\":[[{\"excluded\":false,\"field\":\"process.hash.sha256\",\"queryType\":\"phrase\",\"value\":\"{{process.hash.sha256}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-7d\",\"relativeTo\":\"now\"}} to scope the same hash, comparing command lines for `-R`/`RemoteForward` on other hosts/accounts. Absence of matches is not benign; broaden containment when the artifact appears beyond the source host/account. Close recurrence only when each match ties to the same confirmed workflow.\n\nDisposition: Escalate suspicious or unresolved commands; close only when alert-local and recovered evidence confirm the exact host/account/process/remote-forward scope; preserve and escalate mixed cases.\n\n### False positive analysis\n\n- Benign activity is limited to a confirmed reverse SSH forwarding workflow where `process.command_line`, `host.id`, `user.name`, parent process, executable, remote server, and forward port are verified.\n- Do not close because the binary is named `ssh.exe`/`plink.exe`, has a familiar path, or a trusted signature \u2014 the matched command and owner workflow must explain the `-R`/`RemoteForward` artifact.\n- Scope exceptions to `host.id`, `user.name`, `process.executable` or `process.hash.sha256`, `process.parent.executable` or `process.parent.command_line`, and the exact reverse-forward args. Do not suppress all reverse forwarding across hosts or accounts.\n\n### Response and remediation\n\n- Scope first by reviewing the exact command, same-process network evidence, same executable hash, same user/host activity, and related alerts for the same remote SSH server or port before cleanup.\n- Preserve or export case evidence plus volatile process, memory, executable, and file-system artifacts before isolation, process termination, or other disruptive action.\n- After evidence capture, use reversible containment such as isolating the affected host or blocking egress to the confirmed SSH server/port while credential and session review proceeds.\n- For confirmed malicious tunneling, terminate the SSH/Plink process, remove persistence or scripts that launched it, rotate exposed credentials, and clean staged binaries only after scoping.\n- Record confirmed indicators and logging or detection gaps for the responsible detection or logging owners after containment.\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"ssh.exe\", \"plink.exe\") or\n ?process.pe.original_file_name : (\"Plink\", \"plink.exe\")\n ) and\n (\n process.args : \"-R*\" or\n process.args : \"-oRemoteForward*\" or\n (process.args : \"-o\" and process.args : \"*RemoteForward*\") or\n\n /* -R can be combined with ~20 no-arg SSH flags (e.g. -NR, -fNR) */\n process.command_line regex \"\"\".*\\s-[A-Za-z]*R[^A-Za-z].*\"\"\"\n )\n", + "references": [ + "https://thedfirreport.com/2025/11/04/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/", + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://x.com/Securityinbits/status/2067602540209021196" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "86817045-ea22-4038-9959-c3437bc4c064", + "setup": "## Setup\n\nThis rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.\n\nSetup instructions: https://ela.st/install-elastic-defend\n\n### Additional data sources\n\nThis rule also supports the following third-party data sources. For setup instructions, refer to the links below:\n\n- [CrowdStrike](https://ela.st/crowdstrike-integration)\n- [Microsoft Defender XDR](https://ela.st/m365-defender)\n- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)\n- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)\n- [Windows Process Creation Logs](https://ela.st/audit-process-creation)\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender XDR", + "Data Source: Windows Security Event Logs", + "Data Source: Crowdstrike", + "Data Source: Sysmon", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1090", + "name": "Proxy", + "reference": "https://attack.mitre.org/techniques/T1090/", + "subtechnique": [ + { + "id": "T1090.002", + "name": "External Proxy", + "reference": "https://attack.mitre.org/techniques/T1090/002/" + } + ] + }, + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "86817045-ea22-4038-9959-c3437bc4c064_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/87f8141e-4275-4d49-9e76-d215b4614a0b_1.json b/packages/security_detection_engine/kibana/security_rule/87f8141e-4275-4d49-9e76-d215b4614a0b_1.json new file mode 100644 index 00000000000..874ece73b9c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/87f8141e-4275-4d49-9e76-d215b4614a0b_1.json @@ -0,0 +1,154 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an inline policy added to an IAM group via PutGroupPolicy. An inline policy attached to a group grants its permissions to every current and future member of that group. Adversaries can abuse this to escalate privileges (grant elevated permissions to a group they belong to, or will add themselves to) and to establish persistence through a durable, membership-based grant that is easy to overlook. Group inline policies are uncommon compared to managed-policy attachments, so their creation by an unexpected principal warrants review.", + "false_positives": [ + "Identity and platform teams and infrastructure-as-code pipelines occasionally manage group inline policies as part of normal access governance. Verify the principal in `aws.cloudtrail.user_identity.arn`, the targeted group, and the policy document against approved change records. Known administration roles and deployment automation can be excluded after validation." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.user_identity.session_context.session_issuer.arn", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Inline Policy Added to a Group", + "note": "## Triage and analysis\n\n### Investigating AWS IAM Inline Policy Added to a Group\n\n`PutGroupPolicy` embeds an inline permissions policy directly on an IAM group. Because the policy applies to all members of the group, it is an effective way to broadly grant permissions \u2014 and, for an adversary, to escalate privileges or persist while drawing less attention than attaching a well-known managed policy such as `AdministratorAccess`. Group inline policies are relatively rare, which makes their creation a useful signal.\n\n### Possible investigation steps\n\n- Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original` to determine how the change was made.\n- Inspect `aws.cloudtrail.request_parameters` for the targeted `groupName`, the `policyName`, and the `policyDocument` to assess what permissions were granted (look for broad `Action`/`Resource` of `*`, IAM, or data-access permissions).\n- Enumerate the group's current members to understand who immediately gains the new permissions, and whether the actor is or could become a member.\n- Confirm whether the change aligns with an approved access request, onboarding, or deployment.\n- Correlate with recent activity by the same principal, such as group creation, adding users to the group, or other IAM modifications that may form an escalation chain.\n\n### False positive analysis\n\n- Approved access governance and infrastructure-as-code may add group inline policies. Confirm the change is expected and exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation.\n\n### Response and remediation\n\n- If the change is unauthorized, remove the inline policy from the group (`DeleteGroupPolicy`) and review which members used the granted permissions while it was in place.\n- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `iam:PutGroupPolicy` to a small set of trusted administrators.\n\n### Additional information\n\n- [IAM identity-based policies (inline)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)\n- [PutGroupPolicy API](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html)\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"iam.amazonaws.com\"\n and event.action: \"PutGroupPolicy\"\n and event.outcome: \"success\"\n and not aws.cloudtrail.user_identity.type: \"AWSService\"\n and not user_agent.original: (*terraform* or *pulumi* or *ansible*)\n and not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*)\n and not source.as.organization.name: (Amazon* or AMAZON* or Google*)\n and not source.address: (\"cloudformation.amazonaws.com\" or \"servicecatalog.amazonaws.com\")\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.arn", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.as.organization.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.original", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "87f8141e-4275-4d49-9e76-d215b4614a0b", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "87f8141e-4275-4d49-9e76-d215b4614a0b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/882a39ad-a404-45e3-b5d4-bc11d2b09818_1.json b/packages/security_detection_engine/kibana/security_rule/882a39ad-a404-45e3-b5d4-bc11d2b09818_1.json new file mode 100644 index 00000000000..266161d58cb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/882a39ad-a404-45e3-b5d4-bc11d2b09818_1.json @@ -0,0 +1,135 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential DNS exfiltration on Windows hosts by detecting a high volume of DNS queries whose subdomain labels follow a chunked encoding pattern (index-payload.base_domain). Attackers split stolen data across many DNS queries to evade volume-based detection; this rule aggregates queries per process, base domain, and five-minute window and flags sessions with many distinct chunk indices and sufficiently long encoded payloads.", + "from": "now-9m", + "interval": "5m", + "investigation_fields": { + "field_names": [ + "@timestamp", + "host.id", + "host.name", + "user.id", + "user.name", + "process.name", + "dns.question.name" + ] + }, + "language": "esql", + "license": "Elastic License v2", + "name": "Potential DNS Exfiltration via Excessive Chunked Queries", + "note": "## Triage and analysis\n\n### Investigating Potential DNS Exfiltration via Excessive Chunked Queries\n\nDNS tunneling and exfiltration often encode data in subdomain labels using a chunk index prefix (for example,\n`42-.attacker.example`). A large number of distinct chunk indices to the same base domain from\none process within a short window strongly suggests staged data transfer rather than normal resolution behavior.\n\n### Possible investigation steps\n\n- Review **Esql.base_domain**, **Esql.unique_chunks**, and **Esql.max_index** on the alert to gauge exfil volume and\n whether chunk indices form a contiguous or near-contiguous sequence.\n- Identify **process.name** and **process.executable** (from related network events on the same host) and inspect the\n process tree for scripting runtimes, LOLBins, or unsigned binaries.\n- Pivot on **host.id** for other DNS, network, or exfiltration alerts in the past 48 hours.\n- Inspect sample **dns.question.name** values for the session to confirm encoded payload subdomains and estimate data\n volume (**Esql.avg_payload_len** \u00d7 **Esql.unique_chunks**).\n- Check whether the base domain is newly observed, lacks business justification, or resolves to infrastructure outside\n approved DNS allowlists.\n\n### False positive analysis\n\n- Legitimate software that encodes telemetry or session tokens in DNS labels is rare; validate against known vendor\n behavior before closing.\n- Security scanners or research tools that generate synthetic chunked DNS labels may match; confirm process identity and\n organizational ownership.\n\n### Response and remediation\n\n- If confirmed malicious: isolate the host, block the **Esql.base_domain** at DNS and egress controls, and preserve\n DNS/network logs for scoping.\n- Hunt for the same **Esql.base_domain** and process hash across other hosts and users.\n- Reset credentials and review data accessible to the involved user or process if exfiltration is confirmed.\n", + "query": "FROM logs-crowdstrike.fdr*, logs-endpoint.events.network-*, logs-windows.sysmon_operational-*\n| WHERE host.os.type == \"windows\"\n AND event.category == \"network\"\n AND event.action IN (\"lookup_requested\", \"DNSEvent (DNS query)\", \"DnsRequest\")\n AND process.name != \"svchost.exe\"\n AND dns.question.name RLIKE \"\"\"[0-9]{1,5}-[A-Za-z0-9+/=]{15,63}\\..+\"\"\"\n| GROK dns.question.name \"%{INT:chunk_index}-%{DATA:chunk_payload}\\\\.%{GREEDYDATA:Esql.base_domain}\"\n| WHERE chunk_index IS NOT NULL\n| EVAL payload_len = LENGTH(chunk_payload)\n| STATS\n Esql.occurrences = COUNT(*),\n Esql.unique_chunks = COUNT_DISTINCT(chunk_index),\n Esql.max_index = MAX(TO_INTEGER(chunk_index)),\n Esql.avg_payload_len = AVG(payload_len)\n BY process.name, Esql.base_domain, user.id, user.name, host.id, host.name, data_stream.namespace, DATE_TRUNC(5 minutes, @timestamp)\n| WHERE Esql.occurrences >= 30\n AND Esql.unique_chunks >= 30\n AND Esql.avg_payload_len >= 20\n| SORT Esql.unique_chunks DESC\n| LIMIT 20\n| KEEP host.id, host.name, process.name, user.id, user.name, data_stream.namespace, Esql.*\n", + "references": [ + "https://attack.mitre.org/techniques/T1048/003/", + "https://attack.mitre.org/techniques/T1572/", + "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.namespace", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "882a39ad-a404-45e3-b5d4-bc11d2b09818", + "setup": "## Setup\n\nThis rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.\n\nSetup instructions: https://ela.st/install-elastic-defend\n\n### Additional data sources\n\nThis rule also supports the following third-party data sources. For setup instructions, refer to the links below:\n\n- [CrowdStrike](https://ela.st/crowdstrike-integration)\n- [Sysmon Event ID 22 - DNS Query](https://ela.st/sysmon-event-22-setup)\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/", + "subtechnique": [ + { + "id": "T1048.003", + "name": "Exfiltration Over Unencrypted Non-C2 Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "882a39ad-a404-45e3-b5d4-bc11d2b09818_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_11.json b/packages/security_detection_engine/kibana/security_rule/8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_11.json deleted file mode 100644 index a2c2be90848..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_11.json +++ /dev/null @@ -1,173 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects potential command execution from a web server parent process on a Linux host. Adversaries may attempt to execute commands from a web server parent process to blend in with normal web server activity and evade detection. This behavior is commonly observed in web shell attacks where adversaries exploit web server vulnerabilities to execute arbitrary commands on the host. The detection rule identifies unusual command execution from web server parent processes, which may indicate a compromised host or an ongoing attack. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.", - "from": "now-61m", - "interval": "1h", - "language": "esql", - "license": "Elastic License v2", - "name": "Unusual Command Execution from Web Server Parent", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Command Execution from Web Server Parent\n\nWeb servers, such as Apache or Nginx, are crucial for hosting web applications, often running on Linux systems. Adversaries exploit vulnerabilities in these servers to execute arbitrary commands, typically through web shells, blending malicious activity with legitimate server processes. The detection rule identifies suspicious command executions originating from web server processes, focusing on unusual patterns and contexts, such as unexpected working directories or command structures, to flag potential compromises.\n\n### Possible investigation steps\n\n- Review the process.command_line field to understand the specific command executed and assess its legitimacy or potential malicious intent.\n- Examine the process.working_directory to determine if the command was executed from an unusual or suspicious directory, which could indicate a compromise.\n- Check the process.parent.executable and process.parent.name fields to identify the parent process and verify if it is a known web server or related service that could be exploited.\n- Investigate the user.name and user.id fields to confirm if the command was executed by a legitimate user or service account, or if it was potentially executed by an unauthorized user.\n- Correlate the @timestamp with other logs and events to identify any related activities or anomalies occurring around the same time, which could provide additional context or evidence of an attack.\n- Assess the agent.id to determine if the alert is isolated to a single host or if similar activities are observed across multiple hosts, indicating a broader issue.\n\n### False positive analysis\n\n- Web development or testing environments may frequently execute commands from web server processes. To handle this, exclude specific working directories like /var/www/dev or /var/www/test from the rule.\n- Automated scripts or cron jobs running under web server user accounts can trigger alerts. Identify these scripts and add exceptions for their specific command lines or user IDs.\n- Legitimate administrative tasks performed by web server administrators might appear suspicious. Document these tasks and exclude their associated command lines or parent executables.\n- Continuous integration or deployment processes that involve web server interactions can be mistaken for threats. Exclude known CI/CD tool command lines or working directories from the rule.\n- Monitoring or logging tools that interact with web server processes may generate false positives. Identify these tools and exclude their specific process names or parent executables.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further malicious activity and lateral movement within the network. This can be done by removing the host from the network or applying network segmentation.\n\n- Terminate any suspicious processes identified by the detection rule, especially those originating from web server parent processes executing shell commands. Use process IDs and command lines from the alert to target specific processes.\n\n- Conduct a thorough review of the web server logs and application logs to identify any unauthorized access or modifications. Look for patterns that match the command execution detected and any other anomalies.\n\n- Patch the web server and any associated applications to address known vulnerabilities that may have been exploited. Ensure that all software is up to date with the latest security patches.\n\n- Restore the affected system from a known good backup if any unauthorized changes or persistent threats are detected. Ensure that the backup is free from compromise before restoration.\n\n- Implement additional monitoring and alerting for similar activities, focusing on unusual command executions and web server behavior. Enhance logging and alerting to capture more detailed information about process executions and network connections.\n\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the attack is part of a larger campaign. Provide them with all relevant data and findings from the initial containment and remediation steps.\n", - "query": "from logs-endpoint.events.process-* metadata _id, _index, _version\n| mv_expand event.action\n| where\n host.os.type == \"linux\" and\n event.type == \"start\" and\n event.action == \"exec\" and (\n (\n process.parent.name in (\n \"apache\", \"nginx\", \"apache2\", \"httpd\", \"lighttpd\", \"caddy\", \"mongrel_rails\", \"gunicorn\",\n \"uwsgi\", \"openresty\", \"cherokee\", \"h2o\", \"resin\", \"puma\", \"unicorn\", \"traefik\", \"tornado\", \"hypercorn\",\n \"daphne\", \"twistd\", \"yaws\", \"webfsd\", \"httpd.worker\", \"flask\", \"rails\", \"mongrel\", \"php-cgi\",\n \"php-fcgi\", \"php-cgi.cagefs\", \"catalina.sh\", \"hiawatha\", \"lswsctrl\"\n ) or\n process.parent.name like \"php-fpm*\" or\n user.name in (\"apache\", \"www-data\", \"httpd\", \"nginx\", \"lighttpd\", \"tomcat\", \"tomcat8\", \"tomcat9\") or\n user.id in (\"33\", \"498\", \"48\") or\n (process.parent.name == \"java\" and process.parent.working_directory like \"/u0?/*\") or\n process.parent.working_directory like \"/var/www/*\"\n )\n ) and\n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and\n process.command_line like \"* -c *\" and not (\n process.working_directory like \"/home/*\" or\n process.working_directory == \"/\" or\n process.working_directory like \"/vscode/vscode-server/*\" or\n process.parent.executable like \"/vscode/vscode-server/*\" or\n process.parent.executable == \"/usr/bin/xfce4-terminal\"\n )\n\n| keep\n @timestamp,\n _id,\n _index,\n _version,\n host.os.type,\n event.type,\n event.action,\n process.parent.name,\n user.name,\n user.id,\n process.working_directory,\n process.parent.working_directory,\n process.name,\n process.executable,\n process.command_line,\n process.parent.executable,\n agent.id,\n host.name,\n data_stream.dataset,\n data_stream.namespace\n\n| stats\n Esql.event_count = count(),\n Esql.agent_id_count_distinct = count_distinct(agent.id),\n Esql.host_name_values = values(host.name),\n Esql.agent_id_values = values(agent.id),\n Esql.data_stream_dataset_values = values(data_stream.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace)\n\n by process.command_line, process.working_directory, process.parent.executable\n\n| where\n Esql.agent_id_count_distinct == 1 and\n Esql.event_count < 5\n| sort Esql.event_count asc\n\n// Extract unique values to ECS fields for alerts exclusion\n| eval agent.id = mv_min(Esql.agent_id_values),\n host.name = mv_min(Esql.host_name_values)\n\n| keep agent.id, host.name, process.command_line, process.working_directory, process.parent.executable, Esql.*\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.agent_id_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.agent_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.data_stream_dataset_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.data_stream_namespace_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.event_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.host_name_values", - "type": "keyword" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 11 - }, - "id": "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_11", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_12.json b/packages/security_detection_engine/kibana/security_rule/8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_12.json deleted file mode 100644 index 8a1a38c07cb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_12.json +++ /dev/null @@ -1,143 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects potential command execution from a web server parent process on a Linux host. Adversaries may attempt to execute commands from a web server parent process to blend in with normal web server activity and evade detection. This behavior is commonly observed in web shell attacks where adversaries exploit web server vulnerabilities to execute arbitrary commands on the host. The detection rule identifies unusual command execution from web server parent processes, which may indicate a compromised host or an ongoing attack. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.", - "from": "now-61m", - "interval": "1h", - "language": "esql", - "license": "Elastic License v2", - "name": "Unusual Command Execution from Web Server Parent", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Command Execution from Web Server Parent\n\nWeb servers, such as Apache or Nginx, are crucial for hosting web applications, often running on Linux systems. Adversaries exploit vulnerabilities in these servers to execute arbitrary commands, typically through web shells, blending malicious activity with legitimate server processes. The detection rule identifies suspicious command executions originating from web server processes, focusing on unusual patterns and contexts, such as unexpected working directories or command structures, to flag potential compromises.\n\n### Possible investigation steps\n\n- Review the process.command_line field to understand the specific command executed and assess its legitimacy or potential malicious intent.\n- Examine the process.working_directory to determine if the command was executed from an unusual or suspicious directory, which could indicate a compromise.\n- Check the process.parent.executable and process.parent.name fields to identify the parent process and verify if it is a known web server or related service that could be exploited.\n- Investigate the user.name and user.id fields to confirm if the command was executed by a legitimate user or service account, or if it was potentially executed by an unauthorized user.\n- Correlate the @timestamp with other logs and events to identify any related activities or anomalies occurring around the same time, which could provide additional context or evidence of an attack.\n- Assess the agent.id to determine if the alert is isolated to a single host or if similar activities are observed across multiple hosts, indicating a broader issue.\n\n### False positive analysis\n\n- Web development or testing environments may frequently execute commands from web server processes. To handle this, exclude specific working directories like /var/www/dev or /var/www/test from the rule.\n- Automated scripts or cron jobs running under web server user accounts can trigger alerts. Identify these scripts and add exceptions for their specific command lines or user IDs.\n- Legitimate administrative tasks performed by web server administrators might appear suspicious. Document these tasks and exclude their associated command lines or parent executables.\n- Continuous integration or deployment processes that involve web server interactions can be mistaken for threats. Exclude known CI/CD tool command lines or working directories from the rule.\n- Monitoring or logging tools that interact with web server processes may generate false positives. Identify these tools and exclude their specific process names or parent executables.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further malicious activity and lateral movement within the network. This can be done by removing the host from the network or applying network segmentation.\n\n- Terminate any suspicious processes identified by the detection rule, especially those originating from web server parent processes executing shell commands. Use process IDs and command lines from the alert to target specific processes.\n\n- Conduct a thorough review of the web server logs and application logs to identify any unauthorized access or modifications. Look for patterns that match the command execution detected and any other anomalies.\n\n- Patch the web server and any associated applications to address known vulnerabilities that may have been exploited. Ensure that all software is up to date with the latest security patches.\n\n- Restore the affected system from a known good backup if any unauthorized changes or persistent threats are detected. Ensure that the backup is free from compromise before restoration.\n\n- Implement additional monitoring and alerting for similar activities, focusing on unusual command executions and web server behavior. Enhance logging and alerting to capture more detailed information about process executions and network connections.\n\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the attack is part of a larger campaign. Provide them with all relevant data and findings from the initial containment and remediation steps.\n", - "query": "from logs-endpoint.events.process-* metadata _id, _index, _version\n| mv_expand event.action\n| where\n host.os.type == \"linux\" and\n event.type == \"start\" and\n event.action == \"exec\" and (\n (\n process.parent.name in (\n \"apache\", \"nginx\", \"apache2\", \"httpd\", \"lighttpd\", \"caddy\", \"mongrel_rails\", \"gunicorn\",\n \"uwsgi\", \"openresty\", \"cherokee\", \"h2o\", \"resin\", \"puma\", \"unicorn\", \"traefik\", \"tornado\", \"hypercorn\",\n \"daphne\", \"twistd\", \"yaws\", \"webfsd\", \"httpd.worker\", \"flask\", \"rails\", \"mongrel\", \"php-cgi\",\n \"php-fcgi\", \"php-cgi.cagefs\", \"catalina.sh\", \"hiawatha\", \"lswsctrl\"\n ) or\n process.parent.name like \"php-fpm*\" or\n user.name in (\"apache\", \"www-data\", \"httpd\", \"nginx\", \"lighttpd\", \"tomcat\", \"tomcat8\", \"tomcat9\") or\n user.id in (\"33\", \"498\", \"48\") or\n (process.parent.name == \"java\" and process.parent.working_directory like \"/u0?/*\") or\n process.parent.working_directory like \"/var/www/*\"\n )\n ) and\n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and\n process.command_line like \"* -c *\" and not (\n process.working_directory like \"/home/*\" or\n process.working_directory == \"/\" or\n process.working_directory like \"/vscode/vscode-server/*\" or\n process.parent.executable like \"/vscode/vscode-server/*\" or\n process.parent.executable == \"/usr/bin/xfce4-terminal\"\n )\n\n| keep\n @timestamp,\n _id,\n _index,\n _version,\n host.os.type,\n event.type,\n event.action,\n process.parent.name,\n user.name,\n user.id,\n process.working_directory,\n process.parent.working_directory,\n process.name,\n process.executable,\n process.command_line,\n process.parent.executable,\n agent.id,\n host.name,\n data_stream.dataset,\n data_stream.namespace\n\n| stats\n Esql.event_count = count(),\n Esql.agent_id_count_distinct = count_distinct(agent.id),\n Esql.host_name_values = values(host.name),\n Esql.agent_id_values = values(agent.id),\n Esql.data_stream_dataset_values = values(data_stream.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace)\n\n by process.command_line, process.working_directory, process.parent.executable\n\n| where\n Esql.agent_id_count_distinct == 1 and\n Esql.event_count < 5\n| sort Esql.event_count asc\n\n// Extract unique values to ECS fields for alerts exclusion\n| eval agent.id = mv_min(Esql.agent_id_values),\n host.name = mv_min(Esql.host_name_values)\n\n| keep agent.id, host.name, process.command_line, process.working_directory, process.parent.executable, Esql.*\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 12 - }, - "id": "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_12", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_13.json b/packages/security_detection_engine/kibana/security_rule/8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_13.json deleted file mode 100644 index d8e2ff1e144..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_13.json +++ /dev/null @@ -1,143 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects potential command execution from a web server parent process on a Linux host. Adversaries may attempt to execute commands from a web server parent process to blend in with normal web server activity and evade detection. This behavior is commonly observed in web shell attacks where adversaries exploit web server vulnerabilities to execute arbitrary commands on the host. The detection rule identifies unusual command execution from web server parent processes, which may indicate a compromised host or an ongoing attack. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.", - "from": "now-61m", - "interval": "1h", - "language": "esql", - "license": "Elastic License v2", - "name": "Deprecated - Unusual Command Execution from Web Server Parent", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Deprecated - Unusual Command Execution from Web Server Parent\n\nWeb servers, such as Apache or Nginx, are crucial for hosting web applications, often running on Linux systems. Adversaries exploit vulnerabilities in these servers to execute arbitrary commands, typically through web shells, blending malicious activity with legitimate server processes. The detection rule identifies suspicious command executions originating from web server processes, focusing on unusual patterns and contexts, such as unexpected working directories or command structures, to flag potential compromises.\n\n### Possible investigation steps\n\n- Review the process.command_line field to understand the specific command executed and assess its legitimacy or potential malicious intent.\n- Examine the process.working_directory to determine if the command was executed from an unusual or suspicious directory, which could indicate a compromise.\n- Check the process.parent.executable and process.parent.name fields to identify the parent process and verify if it is a known web server or related service that could be exploited.\n- Investigate the user.name and user.id fields to confirm if the command was executed by a legitimate user or service account, or if it was potentially executed by an unauthorized user.\n- Correlate the @timestamp with other logs and events to identify any related activities or anomalies occurring around the same time, which could provide additional context or evidence of an attack.\n- Assess the agent.id to determine if the alert is isolated to a single host or if similar activities are observed across multiple hosts, indicating a broader issue.\n\n### False positive analysis\n\n- Web development or testing environments may frequently execute commands from web server processes. To handle this, exclude specific working directories like /var/www/dev or /var/www/test from the rule.\n- Automated scripts or cron jobs running under web server user accounts can trigger alerts. Identify these scripts and add exceptions for their specific command lines or user IDs.\n- Legitimate administrative tasks performed by web server administrators might appear suspicious. Document these tasks and exclude their associated command lines or parent executables.\n- Continuous integration or deployment processes that involve web server interactions can be mistaken for threats. Exclude known CI/CD tool command lines or working directories from the rule.\n- Monitoring or logging tools that interact with web server processes may generate false positives. Identify these tools and exclude their specific process names or parent executables.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further malicious activity and lateral movement within the network. This can be done by removing the host from the network or applying network segmentation.\n\n- Terminate any suspicious processes identified by the detection rule, especially those originating from web server parent processes executing shell commands. Use process IDs and command lines from the alert to target specific processes.\n\n- Conduct a thorough review of the web server logs and application logs to identify any unauthorized access or modifications. Look for patterns that match the command execution detected and any other anomalies.\n\n- Patch the web server and any associated applications to address known vulnerabilities that may have been exploited. Ensure that all software is up to date with the latest security patches.\n\n- Restore the affected system from a known good backup if any unauthorized changes or persistent threats are detected. Ensure that the backup is free from compromise before restoration.\n\n- Implement additional monitoring and alerting for similar activities, focusing on unusual command executions and web server behavior. Enhance logging and alerting to capture more detailed information about process executions and network connections.\n\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the attack is part of a larger campaign. Provide them with all relevant data and findings from the initial containment and remediation steps.\n", - "query": "from logs-endpoint.events.process-* metadata _id, _index, _version\n| mv_expand event.action\n| where\n host.os.type == \"linux\" and\n event.type == \"start\" and\n event.action == \"exec\" and (\n (\n process.parent.name in (\n \"apache\", \"nginx\", \"apache2\", \"httpd\", \"lighttpd\", \"caddy\", \"mongrel_rails\", \"gunicorn\",\n \"uwsgi\", \"openresty\", \"cherokee\", \"h2o\", \"resin\", \"puma\", \"unicorn\", \"traefik\", \"tornado\", \"hypercorn\",\n \"daphne\", \"twistd\", \"yaws\", \"webfsd\", \"httpd.worker\", \"flask\", \"rails\", \"mongrel\", \"php-cgi\",\n \"php-fcgi\", \"php-cgi.cagefs\", \"catalina.sh\", \"hiawatha\", \"lswsctrl\"\n ) or\n process.parent.name like \"php-fpm*\" or\n user.name in (\"apache\", \"www-data\", \"httpd\", \"nginx\", \"lighttpd\", \"tomcat\", \"tomcat8\", \"tomcat9\") or\n user.id in (\"33\", \"498\", \"48\") or\n (process.parent.name == \"java\" and process.parent.working_directory like \"/u0?/*\") or\n process.parent.working_directory like \"/var/www/*\"\n )\n ) and\n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and\n process.command_line like \"* -c *\" and not (\n process.working_directory like \"/home/*\" or\n process.working_directory == \"/\" or\n process.working_directory like \"/vscode/vscode-server/*\" or\n process.parent.executable like \"/vscode/vscode-server/*\" or\n process.parent.executable == \"/usr/bin/xfce4-terminal\"\n )\n\n| keep\n @timestamp,\n _id,\n _index,\n _version,\n host.os.type,\n event.type,\n event.action,\n process.parent.name,\n user.name,\n user.id,\n process.working_directory,\n process.parent.working_directory,\n process.name,\n process.executable,\n process.command_line,\n process.parent.executable,\n agent.id,\n host.name,\n data_stream.dataset,\n data_stream.namespace\n\n| stats\n Esql.event_count = count(),\n Esql.agent_id_count_distinct = count_distinct(agent.id),\n Esql.host_name_values = values(host.name),\n Esql.agent_id_values = values(agent.id),\n Esql.data_stream_dataset_values = values(data_stream.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace)\n\n by process.command_line, process.working_directory, process.parent.executable\n\n| where\n Esql.agent_id_count_distinct == 1 and\n Esql.event_count < 5\n| sort Esql.event_count asc\n\n// Extract unique values to ECS fields for alerts exclusion\n| eval agent.id = mv_min(Esql.agent_id_values),\n host.name = mv_min(Esql.host_name_values)\n\n| keep agent.id, host.name, process.command_line, process.working_directory, process.parent.executable, Esql.*\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 13 - }, - "id": "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d_13", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_108.json b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_112.json similarity index 81% rename from packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_108.json rename to packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_112.json index e547bb732e5..48c01a18afd 100644 --- a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_108.json +++ b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_112.json @@ -9,21 +9,29 @@ ], "from": "now-9m", "index": [ - "packetbeat-*", - "auditbeat-*", - "filebeat-*", "logs-network_traffic.*", - "logs-panw.panos*" + "logs-panw.panos*", + "logs-pfsense.log-*", + "logs-zeek.*", + "logs-corelight.*" ], "language": "kuery", "license": "Elastic License v2", "name": "RDP (Remote Desktop Protocol) from the Internet", "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating RDP (Remote Desktop Protocol) from the Internet\n\nRDP allows administrators to remotely manage systems, but exposing it to the internet poses security risks. Adversaries exploit RDP for unauthorized access, often using it as an entry point for attacks. The detection rule identifies suspicious RDP traffic by monitoring TCP connections on port 3389 from external IPs, flagging potential threats for further investigation.\n\n### Possible investigation steps\n\n- Review the source IP address flagged in the alert to determine if it is known or associated with any previous malicious activity. Check threat intelligence sources for any reported malicious behavior.\n- Analyze the destination IP address to confirm it belongs to your internal network (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) and identify the specific system targeted by the RDP connection.\n- Examine network logs for any unusual or unexpected RDP traffic patterns from the source IP, such as repeated connection attempts or connections at odd hours, which may indicate brute force attempts or unauthorized access.\n- Check for any recent changes or updates to firewall rules or security policies that might have inadvertently exposed RDP to the internet.\n- Investigate the user accounts involved in the RDP session to ensure they are legitimate and have not been compromised. Look for any signs of unauthorized access or privilege escalation.\n- Correlate the RDP traffic with other security events or alerts to identify any potential lateral movement or further malicious activity within the network.\n\n### False positive analysis\n\n- Internal testing or maintenance activities may trigger the rule if RDP is temporarily exposed to the internet. To manage this, create exceptions for known internal IP addresses or scheduled maintenance windows.\n- Legitimate third-party vendors or partners accessing systems via RDP for support purposes can be mistaken for threats. Establish a list of trusted external IP addresses and exclude them from the rule.\n- Misconfigured network devices or security tools might inadvertently expose RDP to the internet, leading to false positives. Regularly audit network configurations and update the rule to exclude known benign sources.\n- Cloud-based services or remote work solutions that use RDP over the internet can be flagged. Identify and whitelist these services' IP ranges to prevent unnecessary alerts.\n\n### Response and remediation\n\n- Immediately block the external IP address identified in the alert from accessing the network to prevent further unauthorized RDP connections.\n- Isolate the affected system from the network to contain any potential compromise and prevent lateral movement by the threat actor.\n- Conduct a thorough review of the affected system for signs of compromise, such as unauthorized user accounts, changes in system configurations, or the presence of malware.\n- Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.\n- Apply security patches and updates to the affected system and any other systems with RDP enabled to mitigate known vulnerabilities.\n- Implement network segmentation to restrict RDP access to only trusted internal IP addresses and consider using a VPN for secure remote access.\n- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.", - "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "query": "(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:3389 or data_stream.dataset:zeek.rdp) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not (\n data_stream.dataset:\"panw.panos\" and (\n event.action:(\"flow_dropped\" or \"flow_denied\") or\n network.application:(\"incomplete\" or \"insufficient-data\" or \"not-applicable\")\n )\n )\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], "related_integrations": [ + { + "package": "pfsense", + "version": "^1.0.0" + }, + { + "package": "corelight", + "version": "^1.0.0" + }, { "package": "network_traffic", "version": "^1.1.0" @@ -31,9 +39,18 @@ { "package": "panw", "version": "^5.0.0" + }, + { + "package": "zeek", + "version": "^5.0.0" } ], "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, { "ecs": true, "name": "destination.ip", @@ -44,6 +61,11 @@ "name": "destination.port", "type": "long" }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, { "ecs": true, "name": "event.category", @@ -51,7 +73,7 @@ }, { "ecs": true, - "name": "event.dataset", + "name": "network.application", "type": "keyword" }, { @@ -74,7 +96,11 @@ "Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", + "Data Source: Corelight", "Data Source: PAN-OS", + "Data Source: Network Traffic", + "Data Source: pfSense", + "Data Source: Zeek", "Resources: Investigation Guide" ], "threat": [ @@ -134,8 +160,8 @@ "timeline_title": "Comprehensive Network Timeline", "timestamp_override": "event.ingested", "type": "query", - "version": 108 + "version": 112 }, - "id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488_108", + "id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488_112", "type": "security-rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/904023d7-8307-48bc-ad49-c454dfc2fae3_1.json b/packages/security_detection_engine/kibana/security_rule/904023d7-8307-48bc-ad49-c454dfc2fae3_1.json new file mode 100644 index 00000000000..76d74ecc196 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/904023d7-8307-48bc-ad49-c454dfc2fae3_1.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of the xdg-open process that is typically used to open documents and URLs in the user's preferred desktop application. Attackers may use this command to trick users into opening malicious documents or URLs to gain access to the target system.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "XDG-Open Command Execution", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\", \"ProcessRollup2\") and (\n process.name == \"xdg-open\" or\n process.args in (\"/bin/xdg-open\", \"/usr/bin/xdg-open\", \"/usr/local/bin/xdg-open\", \"xdg-open\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "904023d7-8307-48bc-ad49-c454dfc2fae3", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.001", + "name": "Malicious Link", + "reference": "https://attack.mitre.org/techniques/T1204/001/" + }, + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + }, + { + "id": "T1204.004", + "name": "Malicious Copy and Paste", + "reference": "https://attack.mitre.org/techniques/T1204/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "904023d7-8307-48bc-ad49-c454dfc2fae3_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_208.json b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_208.json deleted file mode 100644 index cd43e04e184..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_208.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.", - "false_positives": [ - "Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Admin Role Deletion", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Deletion\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where further domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\n\nDeleted administrator roles may render some user accounts inaccessible or cause operational failure where these roles are relied upon to perform daily administrative tasks. The deletion of roles may also hinder the response and remediation actions of administrators responding to security-related alerts and events. Without specific roles assigned, users will inherit the permissions and privileges of the root organizational unit.\n\nThis rule identifies when a Google Workspace administrative role is deleted within the Google Admin console.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role deleted by reviewing `google_workspace.admin.role.name` in the alert.\n- With the user identified, verify if he has administrative privileges to disable or delete administrative roles.\n- To identify other users affected by this role removed, search for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role deleted as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\n\n### False positive analysis\n\n- After identifying the user account that disabled the admin role, verify the action was intentional.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Discuss with the user the affected users as a result of this action to mitigate operational discrepencies.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n", - "references": [ - "https://support.google.com/a/answer/2406043?hl=en", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Impact", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 208 - }, - "id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf_208", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/94556bc7-e057-4759-9e49-fa79ee366101_1.json b/packages/security_detection_engine/kibana/security_rule/94556bc7-e057-4759-9e49-fa79ee366101_1.json new file mode 100644 index 00000000000..8b01cbb337b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/94556bc7-e057-4759-9e49-fa79ee366101_1.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects bursts of failed GKE API requests from a single user identity within a five-minute window. Repeated authorization failures across multiple actions can indicate credential stuffing, RBAC probing, or reconnaissance with stolen tokens.", + "from": "now-11m", + "interval": "5m", + "language": "esql", + "license": "Elastic License v2", + "name": "GKE API Request Failure Burst by User", + "note": "## Triage and analysis\n\n### Investigating GKE API Request Failure Burst by User\n\nThe rule aggregates failed Kubernetes API calls per `user.email`, source IP, and user agent in five-minute buckets and\nalerts when failures reach ten or more.\n\n### Investigation steps\n\n- Review `Esql.actions` and `Esql.resources` for targeted API operations.\n- Validate whether the identity should exist and whether the source IP is expected.\n- Hunt for later successful calls indicating privilege escalation.\n\n### False positives\n\n- Misconfigured automation or CI jobs with stale credentials may generate bursts; exclude known service accounts.", + "query": "from logs-gcp.audit-* metadata _id, _index, _version\n| eval Esql.time_interval = date_trunc(5 minutes, @timestamp)\n| where data_stream.dataset == \"gcp.audit\"\n and service.name == \"k8s.io\"\n and event.outcome == \"failure\"\n and event.type != \"allowed\"\n and user.email is not null\n and not to_string(user.email) rlike \"(system:serviceaccount:|system:gke-spiffe-controller|system:kube-scheduler|system:node:).*\"\n| stats\n Esql.unique_actions = count_distinct(event.action),\n Esql.failures_count = count(*),\n Esql.actions = values(event.action),\n Esql.resources = values(orchestrator.resource.name)\n by user.email, source.ip, user_agent.original, data_stream.namespace, Esql.time_interval\n| where Esql.failures_count >= 10\n| keep Esql.*, user.email, source.ip, user_agent.original, data_stream.namespace\n", + "references": [ + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://attack.mitre.org/techniques/T1613/" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.namespace", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.email", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.original", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "94556bc7-e057-4759-9e49-fa79ee366101", + "setup": "The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Kubernetes", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1613", + "name": "Container and Resource Discovery", + "reference": "https://attack.mitre.org/techniques/T1613/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "94556bc7-e057-4759-9e49-fa79ee366101_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_108.json b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_108.json deleted file mode 100644 index dc0cc32eb4b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_108.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.", - "false_positives": [ - "Administrators may create custom email routes in Google Workspace based on organizational policies, administrative preference or for security purposes regarding spam." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Custom Gmail Route Created or Modified", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Gmail Route Created or Modified\n\nGmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.\n\nThreat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.\n\nThis rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.\n\n#### Possible investigation steps\n\n- Identify the user account that created the custom email route and verify that they should have administrative privileges.\n- Review the added recipients from the custom email route and confidentiality of potential email contents.\n- Identify the user account, then review `event.action` values for related activity within the last 48 hours.\n- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting > Audit and investigation > Gmail log events`.\n- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.\n- Identified URLs or attachments can be submitted to VirusTotal for reputational services.\n\n### False positive analysis\n\n- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.admin\" and event.action:(\"CREATE_GMAIL_SETTING\" or \"CHANGE_GMAIL_SETTING\")\n and google_workspace.event.type:\"EMAIL_SETTINGS\" and google_workspace.admin.setting.name:(\"EMAIL_ROUTE\" or \"MESSAGE_SECURITY_RULE\")\n", - "references": [ - "https://support.google.com/a/answer/2685650?hl=en", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.31.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.setting.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.event.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "9510add4-3392-11ed-bd01-f661ea17fbce", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Tactic: Collection", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1114", - "name": "Email Collection", - "reference": "https://attack.mitre.org/techniques/T1114/", - "subtechnique": [ - { - "id": "T1114.003", - "name": "Email Forwarding Rule", - "reference": "https://attack.mitre.org/techniques/T1114/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 108 - }, - "id": "9510add4-3392-11ed-bd01-f661ea17fbce_108", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9679c838-ec24-4e3a-bf0b-68a9878828c3_1.json b/packages/security_detection_engine/kibana/security_rule/9679c838-ec24-4e3a-bf0b-68a9878828c3_1.json new file mode 100644 index 00000000000..5c27eebb4d8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9679c838-ec24-4e3a-bf0b-68a9878828c3_1.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects a potential privilege escalation sequence via a parent/child process relationship. This rule checks for non-root execution of a parent process executable in a user or world-writable directory by a non-root user followed by a UID change event to 0 (root) by the child process. This sequence is indicative of a potential local privilege escalation exploit.", + "from": "now-6m", + "index": [ + "logs-endpoint.events.process*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via a Parent/Child Process Sequence", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Privilege Escalation via a Parent/Child Process Sequence\n\nThis rule catches a Linux process chain where a non-root user launches code from a user- or world-writable location and the child process quickly switches to running as root, a strong sign of local privilege escalation. An attacker might drop or compile an exploit in /tmp, execute it from an unprivileged account, and use the spawned child process to obtain a root shell without going through normal administrative tools.\n\n### Possible investigation steps\n\n- Retrieve the executable and nearby artifacts from the writable location, then review ownership, permissions, timestamps, hashes, package provenance, and whether the file was recently dropped or compiled on the host.\n- Reconstruct the surrounding process ancestry and user activity, including the originating shell, SSH or console session, working directory, and available history, to decide whether the sequence matches expected administration or interactive exploitation.\n- Examine the root-context child\u2019s immediate follow-on actions for signs of successful escalation, such as spawning an interactive shell, altering sudoers or setuid permissions, creating persistence, accessing credential stores, or initiating unexpected network connections.\n- Correlate the event with evidence of local exploit staging on the host, including use of gcc or make, extracted proof-of-concept files, suspicious downloads, kernel or library versions associated with public LPEs, and related audit, dmesg, or crash messages.\n- If the activity cannot be explained, collect volatile evidence and isolate the system while hunting across the environment for the same file hash, command pattern, writable-directory execution, or account activity on other Linux hosts.\n\n### False positive analysis\n\n- An administrator or developer may intentionally run a locally built or staged privileged helper from `/tmp`, `/var/tmp`, `/run/user`, or a home directory during testing or maintenance, so verify the file is expected by checking ownership, setuid permissions, recent build or modification times, and whether the user had an approved task on the host.\n- A legitimate installation, upgrade, or login-time setup task can unpack a temporary helper into a writable directory and then re-exec into a root context, so confirm benign activity by correlating the event with authorized change windows and local package or maintenance logs and ensuring the executable path and hash match the expected artifact.\n\n### Response and remediation\n\n- Isolate the affected Linux host from the network while preserving EDR or console access, terminate the malicious parent and root child processes, and disable the user account, SSH session, or source IP used to launch the executable from the writable directory.\n- Remove attacker footholds by deleting the dropped exploit and related files from `/tmp`, `/dev/shm`, `/var/tmp`, `/run/user`, or the user\u2019s home directory, then revert unauthorized changes such as added `authorized_keys`, new sudoers entries, cron jobs, systemd services, modified shell startup files, and unexpected setuid or setgid permissions.\n- If the root-level process altered system binaries, shared libraries, PAM files, kernel modules, or package-managed content, treat the host as fully compromised and restore it from a known-good image or backup instead of relying on in-place cleanup.\n- Rotate credentials exposed on the host, including local passwords, SSH keys, API tokens, and service account secrets, because a successful root escalation can give the attacker access to authentication material and session data.\n- Escalate immediately to incident response if the activity produced an interactive root shell, used a known local privilege escalation exploit, appeared on more than one Linux host, or was followed by lateral movement, credential collection, or data staging behavior.\n- Harden the environment by patching the vulnerable kernel and userland packages, enforcing `noexec`, `nosuid`, and `nodev` on temporary writable mounts where practical, limiting who can compile or run untrusted code locally, and adding detections for execution from writable directories and unexpected new setuid files.\n", + "query": "sequence by host.id with maxspan=15s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n user.id != \"0\" and process.parent.user.id != \"0\" and process.parent.group.id != \"0\" and\n (\n process.executable like (\".*\", \"/tmp/*\", \"/dev/shm/*\", \"/var/tmp/*\", \"/run/user/*\", \"/var/run/user/*\", \"/home/*/*\") or\n process.parent.executable like (\".*\", \"/tmp/*\", \"/dev/shm/*\", \"/var/tmp/*\", \"/home/*/*\", \"/run/user/*\", \"/var/run/user/*\")\n )] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"uid_change\" and\n user.id == \"0\" and process.parent.user.id != \"0\" and process.parent.group.id != \"0\" and\n not process.executable in (\"/usr/bin/sudo\", \"/bin/sudo\")] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.group.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "9679c838-ec24-4e3a-bf0b-68a9878828c3", + "severity": "high", + "tags": [ + "Data Source: Elastic Defend", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.001", + "name": "Setuid and Setgid", + "reference": "https://attack.mitre.org/techniques/T1548/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "9679c838-ec24-4e3a-bf0b-68a9878828c3_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96dd08d8-8f3d-4f55-ada8-7dc1e05dbd47_1.json b/packages/security_detection_engine/kibana/security_rule/96dd08d8-8f3d-4f55-ada8-7dc1e05dbd47_1.json new file mode 100644 index 00000000000..0c65bc306c1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/96dd08d8-8f3d-4f55-ada8-7dc1e05dbd47_1.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies ICMP Echo traffic from an internal host to an external destination with a larger-than-typical transaction size. Covert channels and ICMP tunneling tools embed data in echo payloads that exceed normal OS ping behavior, which is usually limited to small fixed-size packets.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-network_traffic.icmp-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential ICMP Tunneling Activity to the Internet", + "new_terms_fields": [ + "source.ip", + "destination.ip" + ], + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential ICMP Tunneling Activity to the Internet\n\nICMP tunneling encodes C2 or exfiltrated data inside echo request and reply payloads. This rule focuses on internal\nhosts sending unusually large echo transactions to external destinations, a pattern that differs from routine\noperating-system ping and most availability monitoring.\n\n### Possible investigation steps\n\n- Identify the `source.ip` host role. Servers and workstations that rarely initiate ICMP externally are higher concern.\n- Review the volume and cadence of echo traffic to the same `destination.ip` for beacon-like regularity.\n- Compare `network.bytes` across the conversation for asymmetric or variable payload sizes.\n- Correlate with endpoint process telemetry for non-standard ping utilities or custom clients if available.\n\n### False positive analysis\n\n- Some network path MTU discovery, diagnostic suites, or vendor appliances generate larger ICMP payloads. Validate and\n except known monitoring sources and destinations.\n- Cloud health checks occasionally use ICMP with non-default sizes; confirm against provider documentation before\n excepting.\n\n### Response and remediation\n\n- Block unauthorized outbound ICMP at the perimeter where policy permits, or restrict it to approved monitoring paths.\n- Isolate the source host if covert-channel tooling is confirmed.\n- Inspect the external destination against threat intelligence and block if malicious.", + "query": "data_stream.dataset:network_traffic.icmp\n and (network_traffic.icmp.request.type:(8 or 128) or icmp.request.type:(8 or 128))\n and network.transport:(icmp or ipv6-icmp)\n and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FC00::/7\")\n and network.bytes >= 256\n and not destination.ip:(\n 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or\n 192.0.0.0/24 or 192.0.0.0/29 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.0.10/32 or 192.0.0.170/32 or\n 192.0.0.171/32 or 192.0.2.0/24 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or\n 198.18.0.0/15 or 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or \"::1\" or \"FC00::/7\" or\n \"FE80::/10\" or \"FF00::/8\"\n )\n", + "references": [ + "https://attack.mitre.org/techniques/T1572/", + "https://www.rfc-editor.org/rfc/rfc792", + "https://www.levelblue.com/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "icmp.request.type", + "type": "integer" + }, + { + "ecs": true, + "name": "network.bytes", + "type": "long" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": false, + "name": "network_traffic.icmp.request.type", + "type": "integer" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "96dd08d8-8f3d-4f55-ada8-7dc1e05dbd47", + "setup": "## Setup\n\nThis rule requires the Elastic network_traffic integration capturing ICMP transactions (`network_traffic.icmp` data\nstream). Flow-only telemetry without ICMP payload size is insufficient.\n", + "severity": "medium", + "tags": [ + "Domain: Network", + "Tactic: Command and Control", + "Use Case: Threat Detection", + "Use Case: Network Security Monitoring", + "Data Source: Network Traffic", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1095", + "name": "Non-Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1095/" + }, + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "96dd08d8-8f3d-4f55-ada8-7dc1e05dbd47_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/976b2391-413f-4a94-acb4-7911f3803346_11.json b/packages/security_detection_engine/kibana/security_rule/976b2391-413f-4a94-acb4-7911f3803346_11.json deleted file mode 100644 index 5e081f9a29c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/976b2391-413f-4a94-acb4-7911f3803346_11.json +++ /dev/null @@ -1,188 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects unusual processes spawned from a web server parent process by identifying low frequency counts of process spawning activity. Unusual process spawning activity may indicate an attacker attempting to establish persistence, execute malicious commands, or establish command and control channels on the host system. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.", - "from": "now-61m", - "interval": "1h", - "language": "esql", - "license": "Elastic License v2", - "name": "Unusual Process Spawned from Web Server Parent", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Process Spawned from Web Server Parent\n\nWeb servers like Apache, Nginx, and others are crucial for hosting applications and services. Adversaries exploit these servers by spawning unauthorized processes to maintain persistence or execute malicious commands. The detection rule identifies anomalies by monitoring low-frequency process spawns from web server parents, focusing on unusual user IDs, directories, and process counts, which may indicate potential threats.\n\n### Possible investigation steps\n\n- Review the process.executable and process.command_line fields to understand the nature of the process that was spawned and assess if it aligns with expected behavior for the web server environment.\n- Examine the process.working_directory to determine if the directory is a legitimate location for web server operations or if it appears suspicious, such as being outside typical web server directories.\n- Check the user.name and user.id fields to verify if the process was executed by a legitimate web server user or if it was initiated by an unexpected or unauthorized user account.\n- Investigate the process.parent.executable to confirm whether the parent process is a known and trusted web server executable or if it has been tampered with or replaced.\n- Correlate the event with other logs or alerts from the same agent.id to identify any additional suspicious activities or patterns that may indicate a broader compromise.\n- Assess the host.os.type to ensure the alert pertains to a Linux system, as specified in the query, and verify if there are any known vulnerabilities or misconfigurations on the host that could have been exploited.\n\n### False positive analysis\n\n- Processes related to legitimate web server maintenance tasks may trigger alerts. Review scheduled tasks or cron jobs that align with the alert timing and consider excluding these specific processes if they are verified as non-threatening.\n- Development environments often spawn processes that mimic attack patterns. Identify and exclude processes originating from known development directories or executed by development user accounts.\n- Automated scripts or monitoring tools running under web server user accounts can be mistaken for malicious activity. Verify these scripts and add exceptions for their specific process names or working directories.\n- Frequent updates or deployments in web applications can lead to unusual process spawns. Document these activities and exclude related processes if they consistently match the alert criteria during known update windows.\n- Custom web server modules or plugins may execute processes that appear suspicious. Validate these modules and exclude their associated processes if they are part of normal operations.\n\n### Response and remediation\n\n- Immediately isolate the affected host from the network to prevent further malicious activity and potential lateral movement.\n- Terminate any suspicious processes identified by the alert that are not part of legitimate web server operations.\n- Conduct a thorough review of the process command lines and executables flagged by the alert to identify any malicious scripts or binaries. Remove or quarantine these files as necessary.\n- Check for unauthorized changes in web server configurations or files within the working directories flagged by the alert. Restore any altered files from a known good backup.\n- Review user accounts and permissions associated with the web server processes to ensure no unauthorized accounts or privilege escalations have occurred. Reset passwords and revoke unnecessary access.\n- Monitor network traffic from the affected host for any signs of command and control communication, and block any identified malicious IP addresses or domains.\n- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.\n", - "query": "from logs-endpoint.events.process-* metadata _id, _index, _version\n| mv_expand event.action\n| where\n host.os.type == \"linux\" and\n event.type == \"start\" and\n event.action == \"exec\" and (\n (\n process.parent.name in (\n \"apache\", \"nginx\", \"apache2\", \"httpd\", \"lighttpd\", \"caddy\", \"mongrel_rails\", \"gunicorn\",\n \"uwsgi\", \"openresty\", \"cherokee\", \"h2o\", \"resin\", \"puma\", \"unicorn\", \"traefik\", \"tornado\", \"hypercorn\",\n \"daphne\", \"twistd\", \"yaws\", \"webfsd\", \"httpd.worker\", \"flask\", \"rails\", \"mongrel\", \"php-cgi\",\n \"php-fcgi\", \"php-cgi.cagefs\", \"catalina.sh\", \"hiawatha\", \"lswsctrl\"\n ) or\n process.parent.name like \"php-fpm*\" or\n user.name in (\"apache\", \"www-data\", \"httpd\", \"nginx\", \"lighttpd\", \"tomcat\", \"tomcat8\", \"tomcat9\") or\n user.id in (\"33\", \"498\", \"48\") or\n (process.parent.name == \"java\" and process.parent.working_directory like \"/u0?/*\") or\n process.parent.working_directory like \"/var/www/*\"\n )\n ) and (\n process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\", \"openssl\", \"busybox\",\n \"nc\", \"ncat\", \"netcat\", \"nc.openbsd\", \"nc.traditional\", \"nohup\", \"setsid\", \"mkfifo\", \"mknod\",\n \"node\", \"socket\"\n ) or\n process.name like \"python*\" or\n process.name like \"php*\" or\n process.name like \"perl\" or\n process.name like \"ruby*\" or\n process.name like \"lua*\" or\n process.executable like \"/tmp/*\" or\n process.executable like \"/var/tmp/*\" or\n process.executable like \"/dev/shm/*\" or\n process.executable like \"/var/log/*\" or\n process.executable like \"/sys/*\" or\n process.executable like \"/media/*\" or\n process.executable like \"/proc/*\" or\n process.executable like \"/var/backups/*\" or\n process.executable like \"/var/mail/*\" or\n process.executable like \"/var/spool/*\" or\n process.executable like \"/var/www/*\" or\n process.executable like \"./*\" or\n process.name like \".*\"\n ) and \n not (\n process.working_directory like \"/home/*\" or\n process.working_directory == \"/\" or\n process.working_directory like \"/var/www/*.ch\" or\n process.parent.executable like \"/vscode/vscode-server/*\"\n )\n\n| keep\n @timestamp,\n _id,\n _index,\n _version,\n host.os.type,\n event.type,\n event.action,\n process.parent.name,\n user.name,\n user.id,\n process.working_directory,\n process.parent.working_directory,\n process.name,\n process.executable,\n process.command_line,\n process.parent.executable,\n agent.id,\n host.name,\n data_stream.dataset,\n data_stream.namespace\n\n| stats\n Esql.event_count = count(),\n Esql.agent_id_count_distinct = count_distinct(agent.id),\n Esql.host_name_values = values(host.name),\n Esql.agent_id_values = values(agent.id),\n Esql.data_stream_dataset_values = values(data_stream.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace)\n\n by process.executable, process.working_directory, process.parent.executable\n\n| where\n Esql.agent_id_count_distinct == 1 and\n Esql.event_count < 5\n| sort Esql.event_count asc\n\n// Extract unique values to ECS fields for alerts exclusion\n| eval agent.id = mv_min(Esql.agent_id_values),\n host.name = mv_min(Esql.host_name_values)\n\n| keep agent.id, host.name, process.executable, process.working_directory, process.parent.executable, Esql.*\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.agent_id_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.agent_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.data_stream_dataset_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.data_stream_namespace_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.event_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.host_name_values", - "type": "keyword" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "976b2391-413f-4a94-acb4-7911f3803346", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - }, - { - "id": "T1059.006", - "name": "Python", - "reference": "https://attack.mitre.org/techniques/T1059/006/" - }, - { - "id": "T1059.007", - "name": "JavaScript", - "reference": "https://attack.mitre.org/techniques/T1059/007/" - }, - { - "id": "T1059.011", - "name": "Lua", - "reference": "https://attack.mitre.org/techniques/T1059/011/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 11 - }, - "id": "976b2391-413f-4a94-acb4-7911f3803346_11", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/976b2391-413f-4a94-acb4-7911f3803346_12.json b/packages/security_detection_engine/kibana/security_rule/976b2391-413f-4a94-acb4-7911f3803346_12.json deleted file mode 100644 index 13b7617a4ce..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/976b2391-413f-4a94-acb4-7911f3803346_12.json +++ /dev/null @@ -1,158 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects unusual processes spawned from a web server parent process by identifying low frequency counts of process spawning activity. Unusual process spawning activity may indicate an attacker attempting to establish persistence, execute malicious commands, or establish command and control channels on the host system. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.", - "from": "now-61m", - "interval": "1h", - "language": "esql", - "license": "Elastic License v2", - "name": "Unusual Process Spawned from Web Server Parent", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Process Spawned from Web Server Parent\n\nWeb servers like Apache, Nginx, and others are crucial for hosting applications and services. Adversaries exploit these servers by spawning unauthorized processes to maintain persistence or execute malicious commands. The detection rule identifies anomalies by monitoring low-frequency process spawns from web server parents, focusing on unusual user IDs, directories, and process counts, which may indicate potential threats.\n\n### Possible investigation steps\n\n- Review the process.executable and process.command_line fields to understand the nature of the process that was spawned and assess if it aligns with expected behavior for the web server environment.\n- Examine the process.working_directory to determine if the directory is a legitimate location for web server operations or if it appears suspicious, such as being outside typical web server directories.\n- Check the user.name and user.id fields to verify if the process was executed by a legitimate web server user or if it was initiated by an unexpected or unauthorized user account.\n- Investigate the process.parent.executable to confirm whether the parent process is a known and trusted web server executable or if it has been tampered with or replaced.\n- Correlate the event with other logs or alerts from the same agent.id to identify any additional suspicious activities or patterns that may indicate a broader compromise.\n- Assess the host.os.type to ensure the alert pertains to a Linux system, as specified in the query, and verify if there are any known vulnerabilities or misconfigurations on the host that could have been exploited.\n\n### False positive analysis\n\n- Processes related to legitimate web server maintenance tasks may trigger alerts. Review scheduled tasks or cron jobs that align with the alert timing and consider excluding these specific processes if they are verified as non-threatening.\n- Development environments often spawn processes that mimic attack patterns. Identify and exclude processes originating from known development directories or executed by development user accounts.\n- Automated scripts or monitoring tools running under web server user accounts can be mistaken for malicious activity. Verify these scripts and add exceptions for their specific process names or working directories.\n- Frequent updates or deployments in web applications can lead to unusual process spawns. Document these activities and exclude related processes if they consistently match the alert criteria during known update windows.\n- Custom web server modules or plugins may execute processes that appear suspicious. Validate these modules and exclude their associated processes if they are part of normal operations.\n\n### Response and remediation\n\n- Immediately isolate the affected host from the network to prevent further malicious activity and potential lateral movement.\n- Terminate any suspicious processes identified by the alert that are not part of legitimate web server operations.\n- Conduct a thorough review of the process command lines and executables flagged by the alert to identify any malicious scripts or binaries. Remove or quarantine these files as necessary.\n- Check for unauthorized changes in web server configurations or files within the working directories flagged by the alert. Restore any altered files from a known good backup.\n- Review user accounts and permissions associated with the web server processes to ensure no unauthorized accounts or privilege escalations have occurred. Reset passwords and revoke unnecessary access.\n- Monitor network traffic from the affected host for any signs of command and control communication, and block any identified malicious IP addresses or domains.\n- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.\n", - "query": "from logs-endpoint.events.process-* metadata _id, _index, _version\n| mv_expand event.action\n| where\n host.os.type == \"linux\" and\n event.type == \"start\" and\n event.action == \"exec\" and (\n (\n process.parent.name in (\n \"apache\", \"nginx\", \"apache2\", \"httpd\", \"lighttpd\", \"caddy\", \"mongrel_rails\", \"gunicorn\",\n \"uwsgi\", \"openresty\", \"cherokee\", \"h2o\", \"resin\", \"puma\", \"unicorn\", \"traefik\", \"tornado\", \"hypercorn\",\n \"daphne\", \"twistd\", \"yaws\", \"webfsd\", \"httpd.worker\", \"flask\", \"rails\", \"mongrel\", \"php-cgi\",\n \"php-fcgi\", \"php-cgi.cagefs\", \"catalina.sh\", \"hiawatha\", \"lswsctrl\"\n ) or\n process.parent.name like \"php-fpm*\" or\n user.name in (\"apache\", \"www-data\", \"httpd\", \"nginx\", \"lighttpd\", \"tomcat\", \"tomcat8\", \"tomcat9\") or\n user.id in (\"33\", \"498\", \"48\") or\n (process.parent.name == \"java\" and process.parent.working_directory like \"/u0?/*\") or\n process.parent.working_directory like \"/var/www/*\"\n )\n ) and (\n process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\", \"openssl\", \"busybox\",\n \"nc\", \"ncat\", \"netcat\", \"nc.openbsd\", \"nc.traditional\", \"nohup\", \"setsid\", \"mkfifo\", \"mknod\",\n \"node\", \"socket\"\n ) or\n process.name like \"python*\" or\n process.name like \"php*\" or\n process.name like \"perl\" or\n process.name like \"ruby*\" or\n process.name like \"lua*\" or\n process.executable like \"/tmp/*\" or\n process.executable like \"/var/tmp/*\" or\n process.executable like \"/dev/shm/*\" or\n process.executable like \"/var/log/*\" or\n process.executable like \"/sys/*\" or\n process.executable like \"/media/*\" or\n process.executable like \"/proc/*\" or\n process.executable like \"/var/backups/*\" or\n process.executable like \"/var/mail/*\" or\n process.executable like \"/var/spool/*\" or\n process.executable like \"/var/www/*\" or\n process.executable like \"./*\" or\n process.name like \".*\"\n ) and \n not (\n process.working_directory like \"/home/*\" or\n process.working_directory == \"/\" or\n process.working_directory like \"/var/www/*.ch\" or\n process.parent.executable like \"/vscode/vscode-server/*\"\n )\n\n| keep\n @timestamp,\n _id,\n _index,\n _version,\n host.os.type,\n event.type,\n event.action,\n process.parent.name,\n user.name,\n user.id,\n process.working_directory,\n process.parent.working_directory,\n process.name,\n process.executable,\n process.command_line,\n process.parent.executable,\n agent.id,\n host.name,\n data_stream.dataset,\n data_stream.namespace\n\n| stats\n Esql.event_count = count(),\n Esql.agent_id_count_distinct = count_distinct(agent.id),\n Esql.host_name_values = values(host.name),\n Esql.agent_id_values = values(agent.id),\n Esql.data_stream_dataset_values = values(data_stream.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace)\n\n by process.executable, process.working_directory, process.parent.executable\n\n| where\n Esql.agent_id_count_distinct == 1 and\n Esql.event_count < 5\n| sort Esql.event_count asc\n\n// Extract unique values to ECS fields for alerts exclusion\n| eval agent.id = mv_min(Esql.agent_id_values),\n host.name = mv_min(Esql.host_name_values)\n\n| keep agent.id, host.name, process.executable, process.working_directory, process.parent.executable, Esql.*\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "976b2391-413f-4a94-acb4-7911f3803346", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - }, - { - "id": "T1059.006", - "name": "Python", - "reference": "https://attack.mitre.org/techniques/T1059/006/" - }, - { - "id": "T1059.007", - "name": "JavaScript", - "reference": "https://attack.mitre.org/techniques/T1059/007/" - }, - { - "id": "T1059.011", - "name": "Lua", - "reference": "https://attack.mitre.org/techniques/T1059/011/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 12 - }, - "id": "976b2391-413f-4a94-acb4-7911f3803346_12", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/976b2391-413f-4a94-acb4-7911f3803346_13.json b/packages/security_detection_engine/kibana/security_rule/976b2391-413f-4a94-acb4-7911f3803346_13.json deleted file mode 100644 index 526ac45570a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/976b2391-413f-4a94-acb4-7911f3803346_13.json +++ /dev/null @@ -1,158 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects unusual processes spawned from a web server parent process by identifying low frequency counts of process spawning activity. Unusual process spawning activity may indicate an attacker attempting to establish persistence, execute malicious commands, or establish command and control channels on the host system. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.", - "from": "now-61m", - "interval": "1h", - "language": "esql", - "license": "Elastic License v2", - "name": "Deprecated - Unusual Process Spawned from Web Server Parent", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Deprecated - Unusual Process Spawned from Web Server Parent\n\nWeb servers like Apache, Nginx, and others are crucial for hosting applications and services. Adversaries exploit these servers by spawning unauthorized processes to maintain persistence or execute malicious commands. The detection rule identifies anomalies by monitoring low-frequency process spawns from web server parents, focusing on unusual user IDs, directories, and process counts, which may indicate potential threats.\n\n### Possible investigation steps\n\n- Review the process.executable and process.command_line fields to understand the nature of the process that was spawned and assess if it aligns with expected behavior for the web server environment.\n- Examine the process.working_directory to determine if the directory is a legitimate location for web server operations or if it appears suspicious, such as being outside typical web server directories.\n- Check the user.name and user.id fields to verify if the process was executed by a legitimate web server user or if it was initiated by an unexpected or unauthorized user account.\n- Investigate the process.parent.executable to confirm whether the parent process is a known and trusted web server executable or if it has been tampered with or replaced.\n- Correlate the event with other logs or alerts from the same agent.id to identify any additional suspicious activities or patterns that may indicate a broader compromise.\n- Assess the host.os.type to ensure the alert pertains to a Linux system, as specified in the query, and verify if there are any known vulnerabilities or misconfigurations on the host that could have been exploited.\n\n### False positive analysis\n\n- Processes related to legitimate web server maintenance tasks may trigger alerts. Review scheduled tasks or cron jobs that align with the alert timing and consider excluding these specific processes if they are verified as non-threatening.\n- Development environments often spawn processes that mimic attack patterns. Identify and exclude processes originating from known development directories or executed by development user accounts.\n- Automated scripts or monitoring tools running under web server user accounts can be mistaken for malicious activity. Verify these scripts and add exceptions for their specific process names or working directories.\n- Frequent updates or deployments in web applications can lead to unusual process spawns. Document these activities and exclude related processes if they consistently match the alert criteria during known update windows.\n- Custom web server modules or plugins may execute processes that appear suspicious. Validate these modules and exclude their associated processes if they are part of normal operations.\n\n### Response and remediation\n\n- Immediately isolate the affected host from the network to prevent further malicious activity and potential lateral movement.\n- Terminate any suspicious processes identified by the alert that are not part of legitimate web server operations.\n- Conduct a thorough review of the process command lines and executables flagged by the alert to identify any malicious scripts or binaries. Remove or quarantine these files as necessary.\n- Check for unauthorized changes in web server configurations or files within the working directories flagged by the alert. Restore any altered files from a known good backup.\n- Review user accounts and permissions associated with the web server processes to ensure no unauthorized accounts or privilege escalations have occurred. Reset passwords and revoke unnecessary access.\n- Monitor network traffic from the affected host for any signs of command and control communication, and block any identified malicious IP addresses or domains.\n- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.\n", - "query": "from logs-endpoint.events.process-* metadata _id, _index, _version\n| mv_expand event.action\n| where\n host.os.type == \"linux\" and\n event.type == \"start\" and\n event.action == \"exec\" and (\n (\n process.parent.name in (\n \"apache\", \"nginx\", \"apache2\", \"httpd\", \"lighttpd\", \"caddy\", \"mongrel_rails\", \"gunicorn\",\n \"uwsgi\", \"openresty\", \"cherokee\", \"h2o\", \"resin\", \"puma\", \"unicorn\", \"traefik\", \"tornado\", \"hypercorn\",\n \"daphne\", \"twistd\", \"yaws\", \"webfsd\", \"httpd.worker\", \"flask\", \"rails\", \"mongrel\", \"php-cgi\",\n \"php-fcgi\", \"php-cgi.cagefs\", \"catalina.sh\", \"hiawatha\", \"lswsctrl\"\n ) or\n process.parent.name like \"php-fpm*\" or\n user.name in (\"apache\", \"www-data\", \"httpd\", \"nginx\", \"lighttpd\", \"tomcat\", \"tomcat8\", \"tomcat9\") or\n user.id in (\"33\", \"498\", \"48\") or\n (process.parent.name == \"java\" and process.parent.working_directory like \"/u0?/*\") or\n process.parent.working_directory like \"/var/www/*\"\n )\n ) and (\n process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\", \"openssl\", \"busybox\",\n \"nc\", \"ncat\", \"netcat\", \"nc.openbsd\", \"nc.traditional\", \"nohup\", \"setsid\", \"mkfifo\", \"mknod\",\n \"node\", \"socket\"\n ) or\n process.name like \"python*\" or\n process.name like \"php*\" or\n process.name like \"perl\" or\n process.name like \"ruby*\" or\n process.name like \"lua*\" or\n process.executable like \"/tmp/*\" or\n process.executable like \"/var/tmp/*\" or\n process.executable like \"/dev/shm/*\" or\n process.executable like \"/var/log/*\" or\n process.executable like \"/sys/*\" or\n process.executable like \"/media/*\" or\n process.executable like \"/proc/*\" or\n process.executable like \"/var/backups/*\" or\n process.executable like \"/var/mail/*\" or\n process.executable like \"/var/spool/*\" or\n process.executable like \"/var/www/*\" or\n process.executable like \"./*\" or\n process.name like \".*\"\n ) and \n not (\n process.working_directory like \"/home/*\" or\n process.working_directory == \"/\" or\n process.working_directory like \"/var/www/*.ch\" or\n process.parent.executable like \"/vscode/vscode-server/*\"\n )\n\n| keep\n @timestamp,\n _id,\n _index,\n _version,\n host.os.type,\n event.type,\n event.action,\n process.parent.name,\n user.name,\n user.id,\n process.working_directory,\n process.parent.working_directory,\n process.name,\n process.executable,\n process.command_line,\n process.parent.executable,\n agent.id,\n host.name,\n data_stream.dataset,\n data_stream.namespace\n\n| stats\n Esql.event_count = count(),\n Esql.agent_id_count_distinct = count_distinct(agent.id),\n Esql.host_name_values = values(host.name),\n Esql.agent_id_values = values(agent.id),\n Esql.data_stream_dataset_values = values(data_stream.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace)\n\n by process.executable, process.working_directory, process.parent.executable\n\n| where\n Esql.agent_id_count_distinct == 1 and\n Esql.event_count < 5\n| sort Esql.event_count asc\n\n// Extract unique values to ECS fields for alerts exclusion\n| eval agent.id = mv_min(Esql.agent_id_values),\n host.name = mv_min(Esql.host_name_values)\n\n| keep agent.id, host.name, process.executable, process.working_directory, process.parent.executable, Esql.*\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "976b2391-413f-4a94-acb4-7911f3803346", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - }, - { - "id": "T1059.006", - "name": "Python", - "reference": "https://attack.mitre.org/techniques/T1059/006/" - }, - { - "id": "T1059.007", - "name": "JavaScript", - "reference": "https://attack.mitre.org/techniques/T1059/007/" - }, - { - "id": "T1059.011", - "name": "Lua", - "reference": "https://attack.mitre.org/techniques/T1059/011/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 13 - }, - "id": "976b2391-413f-4a94-acb4-7911f3803346_13", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_7.json b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_7.json deleted file mode 100644 index 41fa1fecef0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_7.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when an external (anonymous) user has viewed, copied or downloaded an encryption key file from a Google Workspace drive. Adversaries may gain access to encryption keys stored in private drives from rogue access links that do not have an expiration. Access to encryption keys may allow adversaries to access sensitive data or authenticate on behalf of users.", - "false_positives": [ - "A user may generate a shared access link to encryption key files to share with others. It is unlikely that the intended recipient is an external or anonymous user." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "eql", - "license": "Elastic License v2", - "name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Google Workspace Drive Encryption Key(s) Accessed from Anonymous User\n\nGoogle Workspace Drive allows users to store and share files, including sensitive encryption keys. If shared improperly, these keys can be accessed by unauthorized users, potentially leading to data breaches. Adversaries exploit links with open access to obtain these keys. The detection rule identifies suspicious activities, such as anonymous access to key files, by monitoring file actions and link visibility settings.\n\n### Possible investigation steps\n\n- Review the file activity logs to identify the specific file(s) accessed by the anonymous user, focusing on actions such as \"copy\", \"view\", or \"download\" and the file extensions listed in the query.\n- Check the sharing settings of the accessed file(s) to confirm if they are set to \"people_with_link\" and assess whether this level of access is appropriate for the file's sensitivity.\n- Investigate the source of the rogue access link by examining any recent changes to the file's sharing settings or any unusual activity in the file's access history.\n- Identify and contact the file owner or relevant stakeholders to verify if the sharing of the file was intentional and authorized.\n- Assess the potential impact of the accessed encryption key(s) by determining what systems or data they protect and evaluate the risk of unauthorized access.\n- Consider revoking or changing the encryption keys if unauthorized access is confirmed to mitigate potential security risks.\n\n### False positive analysis\n\n- Shared project files with encryption keys may trigger alerts if accessed by external collaborators. To manage this, ensure that only trusted collaborators have access and consider using Google Workspace's sharing settings to restrict access to specific users.\n- Automated backup systems that access encryption keys for legitimate purposes might be flagged. Verify the source of access and, if legitimate, create an exception for the backup system's IP address or service account.\n- Internal users accessing encryption keys via shared links for routine tasks could be misidentified as anonymous users. Encourage users to access files through authenticated sessions and adjust monitoring rules to recognize internal IP ranges or user accounts.\n- Third-party integrations that require access to encryption keys might cause false positives. Review the integration's access patterns and whitelist known, secure integrations to prevent unnecessary alerts.\n- Temporary access links for external audits or compliance checks can be mistaken for unauthorized access. Use time-bound access links and document these activities to differentiate them from potential threats.\n\n### Response and remediation\n\n- Immediately revoke access to the specific Google Workspace Drive file by changing its sharing settings to restrict access to only authorized users.\n- Conduct a thorough review of the file's access history to identify any unauthorized access and determine the scope of potential data exposure.\n- Notify the security team and relevant stakeholders about the incident, providing details of the unauthorized access and any potential data compromise.\n- Rotate and replace any encryption keys that were accessed or potentially compromised to prevent unauthorized use.\n- Implement additional monitoring and alerting for similar file types and sharing settings to detect future unauthorized access attempts.\n- Escalate the incident to senior management and, if necessary, involve legal or compliance teams to assess any regulatory implications.\n- Review and update access policies and sharing settings within Google Workspace to ensure that sensitive files are not shared with open access links.\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "file where event.dataset == \"google_workspace.drive\" and event.action : (\"copy\", \"view\", \"download\") and\n google_workspace.drive.visibility: \"people_with_link\" and source.user.email == \"\" and\n file.extension: (\n \"token\",\"assig\", \"pssc\", \"keystore\", \"pub\", \"pgp.asc\", \"ps1xml\", \"pem\", \"gpg.sig\", \"der\", \"key\",\n \"p7r\", \"p12\", \"asc\", \"jks\", \"p7b\", \"signature\", \"gpg\", \"pgp.sig\", \"sst\", \"pgp\", \"gpgz\", \"pfx\", \"crt\",\n \"p8\", \"sig\", \"pkcs7\", \"jceks\", \"pkcs8\", \"psc1\", \"p7c\", \"csr\", \"cer\", \"spc\", \"ps2xml\")\n", - "references": [ - "https://support.google.com/drive/answer/2494822", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.drive.visibility", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.user.email", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "980b70a0-c820-11ed-8799-f661ea17fbcc", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/", - "subtechnique": [ - { - "id": "T1552.004", - "name": "Private Keys", - "reference": "https://attack.mitre.org/techniques/T1552/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 7 - }, - "id": "980b70a0-c820-11ed-8799-f661ea17fbcc_7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/996e2e09-087e-4e99-a3cc-a9225d24ba3d_1.json b/packages/security_detection_engine/kibana/security_rule/996e2e09-087e-4e99-a3cc-a9225d24ba3d_1.json new file mode 100644 index 00000000000..b4eea8c737e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/996e2e09-087e-4e99-a3cc-a9225d24ba3d_1.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects applications making a curl request to a known public IP address lookup web service. Malware tends to perform this action to assess potential targets.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux External IP Address Discovery via Curl", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Linux External IP Address Discovery via Curl\n\nThis rule flags a Linux process that uses curl to contact public IP lookup sites, a common way malware learns the host\u2019s internet-facing address before choosing follow-on actions. An attacker who gains shell access on a server or container may run curl against services like ifconfig.me or ipify, then use the returned address to verify outbound reachability, tailor command-and-control, or decide whether the system sits behind cloud or NAT infrastructure.\n\n### Possible investigation steps\n\n- Trace the full process ancestry and nearby commands to determine whether the curl execution came from an interactive shell, scheduled task, deployment script, container entrypoint, or an unexpected program launched from a writable path.\n- Review the invoked URL, arguments, working directory, and any captured output to determine whether the request was a one-off connectivity check or part of a broader script performing follow-on discovery, download, or beaconing.\n- Correlate the activity with the initiating account, TTY/session details, recent SSH and sudo events, and change records to quickly separate approved administrator troubleshooting from suspicious post-compromise behavior.\n- Pivot to surrounding network activity from the same host to identify repeated lookups, subsequent outbound connections to unfamiliar infrastructure, or signs of staging and command-and-control immediately after the public IP query.\n- Inspect the parent script or binary on disk for recent creation or modification, unusual persistence mechanisms, and prevalence on peer systems to assess whether the behavior is tied to malware, a rogue change, or benign automation.\n\n### False positive analysis\n\n- Legitimate startup, login-banner, or scheduled maintenance scripts may use curl to learn the host\u2019s public IP for configuration or status display, so verify the parent script or service path is expected, recently approved, and consistently seen at boot or on a routine schedule.\n- An administrator or engineer may manually run curl to a public IP lookup site during troubleshooting or deployment validation, so confirm the initiating user, TTY or session context, and shell history align with authorized activity and that no suspicious follow-on commands occurred.\n\n### Response and remediation\n\n- Isolate the affected Linux host or container from the network immediately, allow only a secured management path, and preserve volatile evidence such as the running parent process, shell history, and the script or binary that launched curl.\n- Terminate the malicious process chain and remove persistence by inspecting and cleaning cron jobs, systemd unit files, rc.local, user shell profiles, container entrypoints, SSH authorized_keys, and any attacker files staged in writable locations such as /tmp, /var/tmp, or /dev/shm.\n- Rotate credentials and secrets exposed to the compromised system, including SSH keys, API tokens, cloud instance credentials, and application secrets found in scripts, environment files, or shell history.\n- Restore the asset to a known-good state by rebuilding from a trusted image or clean backup and validating startup scripts, packages, and container images before returning the system to production.\n- Escalate to incident response and broaden scoping across peer systems if the IP lookup was followed by downloads, reverse shells, new outbound connections to unfamiliar infrastructure, or if the same parent script, binary, or persistence artifact appears on multiple hosts.\n- Harden the environment by restricting outbound curl access to approved destinations, blocking public IP lookup services where not needed, limiting execution from writable directories, and adding detections for unexpected systemd, cron, and shell-profile modifications.\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"start\") and\nprocess.name == \"curl\" and (\n process.parent.name like \".*\" or process.parent.executable like (\n \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"/opt/*\", \"/etc/*\", \"./*\", \"/run/user/*\", \"/var/run/user/*\",\n \"/usr/bin/*\", \"/bin/*\", \"/usr/local/bin/*\", \"/sbin/*\", \"/usr/sbin/*\", \"/usr/local/sbin/*\",\n \"/usr/lib/*\", \"/usr/local/lib/*\", \"/lib/*\", \"/lib64/*\", \"/usr/lib64/*\", \"/usr/local/lib64/*\"\n )\n) and\nprocess.command_line like~ (\n \"*ip-api.com*\", \"*checkip.dyndns.org*\", \"*api.ipify.org*\", \"*whatismyip.akamai.com*\", \"*bot.whatismyipaddress.com*\",\n \"*ifcfg.me*\", \"*ifconfig.me*\", \"*ident.me*\", \"*ipof.in*\", \"*ip.tyk.nu*\", \"*icanhazip.com*\", \"*curlmyip.com*\",\n \"*wgetip.com*\", \"*eth0.me*\", \"*ipecho.net*\", \"*ip.appspot.com*\", \"*api.myip.com*\", \"*geoiptool.com*\", \"*api.2ip.ua*\",\n \"*api.ip.sb*\", \"*ipinfo.io*\", \"*checkip.amazonaws.com*\", \"*wtfismyip.com*\", \"*iplogger.*\", \"*freegeoip.net*\",\n \"*freegeoip.app*\", \"*geoplugin.net*\", \"*myip.dnsomatic.com*\", \"*www.geoplugin.net*\",\n \"*api64.ipify.org*\", \"*ip4.seeip.org*\", \"*.geojs.io*\", \"*portmap.io*\", \"*api.db-ip.com*\",\n \"*geolocation-db.com*\", \"*httpbin.org*\", \"*myip.opendns.com*\", \"*ipv4.icanhazip.com*\", \"*ipv6.icanhazip.com*\"\n) and\nnot (\n process.parent.name in (\"jamf\", \"make\") or\n process.parent.name in (\".\", \"./alert_api_call.sh\", \"nvim\", \"teleport\") or\n process.parent.executable like (\n \"/usr/local/bin/teleport\", \"/usr/local/bin/current_ip\", \"/tmp/go-build*\", \"/usr/bin/neofetch\",\n \"/usr/bin/show-location-info\", \"/opt/tpot/bin/myip.sh\", \"/usr/sbin/sshd\", \"/tmp/newroot/var/quest/kace/scripts/*\",\n \"./Linux_Inventory_Sheets.sh\", \"/opt/qvm/bin/update_info_qsuite\", \"/usr/lib/check_mk_agent/local/public_ip_check\",\n \"/opt/teleport/system/bin/teleport\", \"/opt/Elastic/Endpoint/elastic-endpoint\", \"/etc/update-motd.d/motd.sh\",\n \"/opt/coe/cadence/IC231/tools.lnx86/cda/bin/64bit/cda.exe\", \"/etc/update-motd.d/10-armbian-header\",\n \"/opt/saltstack/salt/bin/python*\", \"/usr/bin/python*\", \"/usr/local/bin/detect-external-ip\"\n ) or\n process.parent.args in (\"/var/www/html/admin/modules/leucoalarm/scripts/system.php\", \"/etc/cont-init.d/50-ddns\") or\n (\n process.parent.executable == \"/usr/bin/java\" and\n process.args like \"/opt/streamsets-datacollector/libexec/bootstrap-libs/*\"\n ) or\n process.parent.command_line == \"runc init\" or\n (\n process.parent.executable == \"/usr/bin/busybox\" and\n (process.parent.command_line == \"sh /etc/cont-init.d/50-ddns\" or process.working_directory == \"/opt/outline-server\")\n )\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "996e2e09-087e-4e99-a3cc-a9225d24ba3d", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "996e2e09-087e-4e99-a3cc-a9225d24ba3d_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9bed06f5-0c32-488a-9353-d565fc9d1573_1.json b/packages/security_detection_engine/kibana/security_rule/9bed06f5-0c32-488a-9353-d565fc9d1573_1.json new file mode 100644 index 00000000000..26a899bed98 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9bed06f5-0c32-488a-9353-d565fc9d1573_1.json @@ -0,0 +1,136 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote access to the Windows Protected Storage Service through the IPC$ share. Attackers may abuse this named pipe to interact with the Protected Storage Service and extract sensitive credentials, certificates, or DPAPI backup keys.", + "from": "now-9m", + "index": [ + "logs-system.security*", + "logs-windows.forwarded*", + "winlogbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Protected Storage Service Access via SMB", + "note": "## Triage and analysis\n\n### Investigating Protected Storage Service Access via SMB\n\nThe Protected Storage Service manages sensitive user data such as passwords, certificates, and private keys. Remote\naccess to the `protected_storage` named pipe over the IPC$ share is unusual and may indicate an attempt to extract\ncredentials or abuse DPAPI to retrieve domain backup keys from domain controllers.\n\n#### Possible investigation steps\n\n- Identify the source system and user account that initiated the access by reviewing `source.ip`, `user.name`, and\n `winlog.event_data.SubjectUserName`.\n- Determine whether the target host is a domain controller or other high-value system that stores DPAPI backup keys.\n- Review authentication events (4624, 4625) around the alert time to identify how the source authenticated to the\n target.\n- Investigate other alerts associated with the source host or user during the past 48 hours.\n- Check for follow-on credential access activity such as registry hive access, LSASS access, or lateral movement.\n\n### False positive analysis\n\n- This activity is rarely expected in most environments. If legitimate administrative tooling accesses this pipe,\n confirm the source, account, and target system before adding an exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host if unauthorized access is confirmed.\n- Investigate credential exposure and reset passwords for potentially compromised accounts.\n- Review domain controller DPAPI backup key exposure if the target is a domain controller.\n", + "query": "host.os.type:windows and event.category:file and event.code:5145 and\n winlog.event_data.ShareName:\"\\\\\\\\*\\\\IPC$\" and\n winlog.event_data.RelativeTargetName:\"protected_storage\" and\n not source.ip:(\"::\" or \"::1\" or \"0.0.0.0\" or \"127.0.0.1\")\n", + "references": [ + "https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ShareName", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "9bed06f5-0c32-488a-9353-d565fc9d1573", + "setup": "## Setup\n\nAudit Detailed File Share must be enabled to generate the events used by this rule.\nSetup instructions: https://ela.st/audit-detailed-file-share\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Windows Security Event Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + }, + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.004", + "name": "Private Keys", + "reference": "https://attack.mitre.org/techniques/T1552/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "9bed06f5-0c32-488a-9353-d565fc9d1573_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9e8c185c-8237-4b13-a4da-4a8d4e9bb6ef_1.json b/packages/security_detection_engine/kibana/security_rule/9e8c185c-8237-4b13-a4da-4a8d4e9bb6ef_1.json new file mode 100644 index 00000000000..fbaea7e6f50 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9e8c185c-8237-4b13-a4da-4a8d4e9bb6ef_1.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the creation or renaming of a new Systemd override configuration file in any of the Systemd service locations for both root and regular users. Systemd override configuration files are configuration files in Linux systems used to override the default Systemd service configuration for a specific service. Malicious actors can leverage systemd override configuration files to achieve persistence by creating or modifying services to execute malicious commands or payloads during system startup or at a predefined interval by adding a systemd timer. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Systemd Service Override Configuration File Created", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Systemd Service Override Configuration File Created\n\nThis alert fires when a new systemd service override file appears in standard system or user service directories, which can silently change how a service starts and make malicious behavior survive reboots or user logins. An attacker might drop an override for sshd.service or a common daemon to add an ExecStartPre or timer-triggered command that launches a backdoor every boot while leaving the original unit intact.\n\n### Possible investigation steps\n\n- Open the new override and compare it with the base unit and any recent approved change, focusing on directives like ExecStart, ExecStartPre, ExecStartPost, Environment, User, WorkingDirectory, OnCalendar, and WantedBy that could introduce persistence or alter privileges.\n- Trace the creation back to the initiating binary, parent process chain, account, and session context to determine whether it originated from expected package management or configuration automation versus an interactive shell, script, or unknown tool.\n- Review nearby host activity for `systemctl daemon-reload`, `enable`, `start`, `restart`, or timer operations, then verify whether the affected service or timer loaded the override and launched any newly referenced command.\n- Examine any scripts, binaries, environment files, sockets, or network destinations referenced by the override for newly dropped or suspicious content, and hunt for similar override files on the same host and peer systems to assess spread.\n\n### False positive analysis\n\n- A system administrator may legitimately create `/etc/systemd/system/.d/override.conf` during maintenance to change startup order, resource limits, or environment settings for a supported service, so verify a corresponding approved change and confirm the creating process and user session map to expected administrative activity.\n- A user or root account may create a user-level `override.conf` under `~/.config/systemd/user/` or `~/.local/share/systemd/user/` to customize a legitimate per-user service, so confirm the file owner matches the affected account and that any `Exec*` or `Environment` entries reference the expected application path and business use.\n\n### Response and remediation\n\n- Isolate the affected Linux host from the network while keeping it powered on, preserve the malicious `override.conf`, the base unit file, any referenced scripts or binaries, and the output of `systemctl cat ` and `systemctl status ` for evidence and scoping.\n- Remove attacker persistence by disabling and stopping the altered service or timer, deleting the malicious drop-in directory or `override.conf`, reversing any added `Exec*`, `Environment`, or `OnCalendar` directives, and running `systemctl daemon-reload` before confirming the unit now matches the approved baseline.\n- Search the host and peer systems for additional drop-ins under `/etc/systemd/system`, `/usr/lib/systemd/system`, and user service paths, then quarantine any newly referenced payloads, kill related processes, and block their hashes or paths in endpoint controls.\n- Restore the system to a known-good state by reinstalling or replacing any modified unit files, scripts, and binaries from trusted packages or backups, rotating credentials and secrets used by the affected service account, and rebuilding the host if integrity cannot be confidently verified.\n- Escalate to incident response immediately if the override modified a high-value service such as `sshd`, a security agent, or a network-facing daemon, if root-level user service paths were abused, or if the same persistence appears on multiple hosts, because these signs indicate broader compromise.\n- Harden the environment by restricting write access to systemd service directories, tightening sudo and configuration-management permissions, enforcing file integrity monitoring on `*.service.d/override.conf`, and alerting on unauthorized `systemctl enable`, `daemon-reload`, and service or timer changes.\n", + "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.extension == \"conf\" and file.path like (\n \"/etc/systemd/system/*.d/*.conf\", \"/etc/systemd/user/*.d/*.conf\", \"/usr/local/lib/systemd/system/*.d/*.conf\",\n \"/lib/systemd/system/*.d/*.conf\", \"/usr/lib/systemd/system/*.d/*.conf\", \"/usr/lib/systemd/user/*.d/*.conf\",\n \"/home/*/.config/systemd/user/*.d/*.conf\", \"/home/*/.local/share/systemd/user/*.d/*.conf\",\n \"/root/.config/systemd/user/*.d/*.conf\", \"/root/.local/share/systemd/user/*.d/*.conf\",\n \"/run/systemd/system/*.d/*.conf\", \"/var/run/systemd/system/*.d/*.conf\"\n) and\nnot process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\", \"/usr/local/sbin/apk\", \"/usr/bin/dnf5\",\n \"/usr/bin/apt\", \"/usr/bin/puppet\", \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/pacman\",\n \"/usr/bin/chef-client\", \"/bin/chef-client\", \"/usr/bin/pamac-daemon\", \"/bin/pamac-daemon\", \"/usr/local/bin/dockerd\",\n \"/usr/bin/crio\", \"/usr/bin/podman\", \"/usr/bin/tdnf\", \"/usr/bin/apk\"\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9e8c185c-8237-4b13-a4da-4a8d4e9bb6ef", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "9e8c185c-8237-4b13-a4da-4a8d4e9bb6ef_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_110.json b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_110.json deleted file mode 100644 index 10052f53eaf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_110.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.", - "false_positives": [ - "Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Restrictions for Marketplace Modified to Allow Any App\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\n - Follow up with the user who added the application to ensure this was intended.\n- Verify the application identified has been assessed thoroughly by an administrator.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.event.type:\"APPLICATION_SETTINGS\" and google_workspace.admin.application.name:\"Google Workspace Marketplace\"\n and google_workspace.admin.setting.name:\"Apps Access Setting Allowlist access\" and google_workspace.admin.new_value:\"ALLOW_ALL\"\n", - "references": [ - "https://support.google.com/a/answer/6089179?hl=en", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.application.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.new_value", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.setting.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.event.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "a2795334-2499-11ed-9e1a-f661ea17fbce", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 110 - }, - "id": "a2795334-2499-11ed-9e1a-f661ea17fbce_110", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2e5e290-f534-4b71-bc3f-2dd1932b4cd6_1.json b/packages/security_detection_engine/kibana/security_rule/a2e5e290-f534-4b71-bc3f-2dd1932b4cd6_1.json new file mode 100644 index 00000000000..c2b6ba54e6d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a2e5e290-f534-4b71-bc3f-2dd1932b4cd6_1.json @@ -0,0 +1,158 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the execution of a command or binary through the systemd-run binary. Systemd-run can schedule commands to be executed in the background through systemd. Attackers may use this technique to execute commands while attempting to evade detection.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Proxy Execution via Systemd-run", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Proxy Execution via Systemd-run\n\nThis alert fires when a Linux process launches another command through systemd-run instead of executing it directly, which can hide execution behind a trusted system utility and detach it into a transient service or scope. An attacker might use systemd-run --user or a transient unit to start a shell, downloader, or credential-harvesting script in the background from an interactive session, reducing visibility into the real payload and parent-child chain.\n\n### Possible investigation steps\n\n- Reconstruct the full process tree around the event to determine which user, shell, script, service, or remote access session invoked systemd-run and whether the ancestry aligns with normal administrative or automation activity on that host.\n- Review the exact command passed through systemd-run, including flags such as --user, --scope, scheduling options, or custom unit names, and classify the spawned payload as expected software management, benign interactive use, or suspicious shell, downloader, or persistence behavior.\n- Query systemd and journal artifacts for the transient unit that was created, including unit properties, start time, execution account, service output, and whether the unit remained active, failed, or was configured to run again.\n- Correlate the execution with nearby events from the same user or host such as logins, sudo activity, file creation in writable locations, outbound network connections, or follow-on launches of interpreters and admin tools to identify a broader intrusion sequence.\n- If the activity is unauthorized or unclear, inspect the referenced binary or script for path reputation, package ownership, hash prevalence, and recent modification history, then stop the transient unit and contain any files or persistence it introduced.\n\n### False positive analysis\n\n- A legitimate administrator or maintenance script may use `systemd-run` to launch a transient unit for package updates, cache rebuilds, or controlled service restarts, so verify the initiating user, the parent script or shell history, and nearby package-management or scheduled change activity.\n- A normal desktop or user session can invoke `systemd-run --user` or `--scope` to start an application, terminal, or session task in a transient scope, so confirm the parent process belongs to the logged-in user\u2019s graphical session and that the spawned command matches expected interactive activity in systemd or journal logs.\n\n### Response and remediation\n\n- Isolate the affected Linux host from the network except for approved management channels, terminate the malicious `systemd-run` transient unit or scope, and kill any child shell, downloader, or script it launched.\n- Remove attacker persistence by deleting unauthorized unit files and drop-ins from `/etc/systemd/system/`, `/run/systemd/transient/`, `/var/lib/systemd/`, and affected users\u2019 `~/.config/systemd/user/` directories, then run `systemctl daemon-reload` and disable any malicious timers or services.\n- Preserve and quarantine the executed payload, related scripts, and any files created from writable locations such as `/tmp`, `/var/tmp`, `/dev/shm`, or a user home directory, and revoke exposed access by resetting compromised passwords, SSH keys, tokens, and sudo access tied to the initiating account.\n- Restore the system to a known-good state by reimaging or rebuilding the host from a trusted baseline if the command ran as `root`, modified security tooling, or executed an unknown binary, and validate that only approved packages, services, and startup entries remain before returning it to production.\n- Escalate to incident response immediately if the `systemd-run` activity spawned a reverse shell, downloader, credential access tool, or lateral movement utility, if similar transient units appear on multiple hosts, or if the affected account has privileged or production access.\n- Harden the environment by restricting who can invoke `systemd-run` through sudoers and privileged group membership, enforcing MFA and least privilege for administrative access, monitoring for new transient units and unexpected `--user` executions, and blocking execution from world-writable paths where the payload was staged.\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\", \"start\", \"ProcessRollup2\") and\nprocess.name == \"systemd-run\" and ?process.parent.executable != null and\nnot (\n ?process.parent.executable in (\n \"/usr/lib/systemd\", \"/lib/systemd/systemd\", \"/opt/saltstack/salt/run/run\", \"/etc/update-motd.d/70-available-updates\",\n \"/tmp/newroot/usr/libexec/ptyxis-agent\", \"/usr/local/sbin/clamscan.sh\", \"/opt/sentinelone/bin/sentinelone-agent\",\n \"/usr/local/bin/salt-minion\", \"/var/vanta/launcher\", \"/opt/traps/bin/pmd\", \"/usr/sbin/gdm\", \"/usr/bin/salt-minion\",\n \"/opt/GC_Ext/GC/gc_linux_service\", \"/usr/lib/plesk-task-manager\", \"/opt/forticlient/epctrl\", \"/usr/lib/snapd/snap-exec\",\n \"/usr/bin/yay\", \"/usr/local/bin/hexnode_agent\", \"/opt/halcyon/halcyonar/agent\", \"/usr/local/bin/qsetup\", \"/usr/bin/pamac\",\n \"/usr/bin/elephant\", \"/usr/bin/Hyprland\"\n ) or\n ?process.parent.executable like (\n \"/opt/tableau/tableau_server/packages/scripts.*/after-install\", \"/opt/acronis/bin/acp-update-controller\", \"/snap/*\",\n \"/var/lib/amagent/*\", \"/opt/msp-agent/msp-agent-core\", \"/opt/beyondtrust/*\", \"/var/lib/rancher/k3s/*/bin/k3s\"\n ) or\n ?process.parent.name like \"platform-python*\" or\n ?process.parent.name in (\n \"udevadm\", \"daemon.start\", \"snap\", \"systemd\", \"ptyxis-agent\", \"run-slack\", \"run-firefox\", \"dbus.service\", \"k3s-server\",\n \"systemd-udevd\", \"kubelet\", \"hyperkube\", \"kthreadd\", \"gnome-shell\", \"xdg-desktop-portal\", \"firefox\", \"picus_updater\",\n \"rpm-ostree\", \"prompt-agent\"\n ) or\n ?process.command_line in (\n \"/usr/bin/systemd-run /usr/bin/systemctl start man-db-cache-update\", \"systemd-run env\",\n \"systemd-run --user dnf-automatic-notifyonly.timer\", \"systemd-run --user systemctl suspend\", \"systemd-run /var/lib/aws-replication-agent/uninstall-agent.sh\",\n \"systemd-run --on-active=10 --timer-property=AccuracySec=100ms --slice=system.slice systemctl start gc-agent\",\n \"systemd-run --user --scope --unit=tmux-server -- tmux\", \"systemd-run bash -c sleep 60 && reboot\"\n ) or\n ?process.command_line like~ (\n \"systemd-run --scope -p CPUQuota=10% rpm -qa*\", \"systemd-run --scope -p CPUQuota=10% dpkg -l*\"\n ) or\n ?process.parent.command_line in (\"runc init\", \"/usr/local/bin/main\") or\n ?process.parent.command_line like (\"*/var/lib/waagent/*\", \"bash ./run.sh\") or\n process.args in (\n \"--help\", \"list-timers\", \"/usr/lib/udev/kdump-udev-throttler\", \"kubectl\", \"--unit=ngt_guest_agent_upgrade\", \"i3-zoom\", \"google-chrome\",\n \"thunar\", \"/usr/bin/google-chrome-stable\", \"snap.lxd.workaround\", \"--unit=firefox\", \"--unit=slack\", \"--slice=zoom.slice\",\n \"autorandr-launcher\", \"--unit=restart-dbus\", \"--unit=autorandr-debounce\"\n ) or\n process.args like (\"--unit=app-Hyprland-wezterm-*.scope\", \"--unit=app-Hyprland-swaybg-*.scope\", \"--unit=rmf_sim_*\") or\n ?process.working_directory == \"/opt/Tychon/Endpoint/bin\" or\n (process.args in (\"rpm\", \"dpkg\") and process.args like~ \"CPUQuota=*\") or\n (process.args == \"--slice=app-graphical.slice\" and process.args == \"--description=xdg-terminal-exec\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a2e5e290-f534-4b71-bc3f-2dd1932b4cd6", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n- Auditd Manager\n- CrowdStrike\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "a2e5e290-f534-4b71-bc3f-2dd1932b4cd6_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7b984e4-16ff-405b-80be-31a94a03e929_1.json b/packages/security_detection_engine/kibana/security_rule/a7b984e4-16ff-405b-80be-31a94a03e929_1.json new file mode 100644 index 00000000000..b27155312ab --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a7b984e4-16ff-405b-80be-31a94a03e929_1.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects successful GKE audit events where a pod is created with allowPrivilegeEscalation enabled. This weakens container isolation and can help an attacker escalate toward host access. Standalone pods are included; workloads owned by ReplicaSet, DaemonSet, or StatefulSet controllers are excluded.", + "false_positives": [ + "Debug or break-glass pods may enable privilege escalation intentionally. Exclude trusted namespaces, users, or deployment patterns after baselining." + ], + "index": [ + "logs-gcp.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GKE Privileged Pod Created", + "note": "## Triage and analysis\n\n### Investigating GKE Privileged Pod Created\n\nReview `user.email`, `orchestrator.resource.name`, `orchestrator.namespace`, and the pod spec in `gcp.audit.request`.\nConfirm whether allowPrivilegeEscalation is required for the workload.\n\n### Investigation steps\n\n- Identify the actor and source (`user.email`, `source.ip`, `user_agent.original`).\n- Inspect container images and securityContext in the audit request payload.\n- Correlate with RBAC changes, secret access, or exec activity from the same identity.\n\n### False positives\n\n- One-off admin debugging pods; tune by user or namespace when documented.", + "query": "data_stream.dataset:gcp.audit and event.action:\"io.k8s.core.v1.pods.create\" and event.outcome:success and\ngcp.audit.request.spec.containers.securityContext.allowPrivilegeEscalation:true and\nnot gcp.audit.request.metadata.ownerReferences.kind:(\"ReplicaSet\" or \"DaemonSet\" or \"StatefulSet\")\n", + "references": [ + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "gcp.audit.request.metadata.ownerReferences.kind", + "type": "unknown" + }, + { + "ecs": false, + "name": "gcp.audit.request.spec.containers.securityContext.allowPrivilegeEscalation", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "a7b984e4-16ff-405b-80be-31a94a03e929", + "setup": "The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Kubernetes", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "a7b984e4-16ff-405b-80be-31a94a03e929_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_318.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_318.json new file mode 100644 index 00000000000..7454a2fe71b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_318.json @@ -0,0 +1,153 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "host.id", + "host.name", + "user.name", + "user.id", + "process.entity_id", + "process.executable", + "process.command_line", + "process.pe.original_file_name", + "process.parent.entity_id", + "process.parent.pid", + "process.parent.executable", + "process.parent.command_line", + "process.code_signature.subject_name", + "process.Ext.session_info.logon_type" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "Credential Acquisition via Registry Hive Dumping", + "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\n#### Possible investigation steps\n\n- What exact hive-export behavior did the alert capture?\n - Focus: `process.command_line`, `process.executable`, `process.pe.original_file_name`, and `process.code_signature.subject_name`.\n - Implication: escalate if the command saves or exports SAM or SECURITY to temp, public, admin-share, UNC, removable, or deceptive paths; lower suspicion only when the signed Microsoft reg.exe identity, destination, and export set fit the same recognized backup, recovery, forensic, or break-glass workflow. Identity alone never clears the export.\n\n- Does the parent and session context explain why credential-bearing hives were exported?\n - Focus: `process.parent.executable`, `process.parent.command_line`, `process.Ext.session_info.logon_type`, and `user.id`.\n - Hint: If the parent is generic and lineage remains unclear, expand ancestry before accepting a maintenance explanation.\n - Implication: escalate when an interactive shell, script host, RMM tool, service account, remote-style session, or unexpected user initiated the export; lower suspicion when the same user or service identity, parent workflow, and session type recur for a recognized backup, recovery, forensic, or break-glass process.\n\n- Did the alert parent launch accompanying SYSTEM export, staging, transfer, cleanup, or alternate dump commands?\n - Focus: process events from the alert parent and reg.exe children, using `process.parent.entity_id`, `process.parent.pid`, `process.executable`, and `process.command_line`. !{investigate{\"description\":\"\",\"label\":\"Processes from same parent as alert\",\"providers\":[[{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.parent.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.parent.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"process\",\"valueType\":\"string\"}],[{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.parent.pid\",\"queryType\":\"phrase\",\"value\":\"{{process.parent.pid}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"process\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-1h\",\"relativeTo\":\"now\"}} !{investigate{\"description\":\"\",\"label\":\"Child processes of reg.exe\",\"providers\":[[{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.parent.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"process\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-1h\",\"relativeTo\":\"now\"}}\n - Hint: If `process.parent.entity_id` is absent, use the `host.id` + alert `process.parent.pid` branch in a tight alert-time window; if reg.exe spawned a helper, pivot from alert `process.entity_id` to child `process.parent.entity_id`.\n - Hint: If file or network telemetry is available, recover file activity and connections for reg.exe and its children to identify hive output, archives, share writes, removable-media staging, or off-host transfer. Missing network telemetry is unresolved, not benign. !{investigate{\"description\":\"\",\"label\":\"File activity for reg.exe and children\",\"providers\":[[{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"file\",\"valueType\":\"string\"}],[{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.parent.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"file\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-1h\",\"relativeTo\":\"now\"}} !{investigate{\"description\":\"\",\"label\":\"Network activity for reg.exe and children\",\"providers\":[[{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}],[{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.parent.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-1h\",\"relativeTo\":\"now\"}}\n - Implication: escalate when the same parent exports SYSTEM, packages, copies, deletes, or transfers hive output, or launches vssadmin.exe, diskshadow.exe, or shadow-copy paths to continue dumping outside this rule; absence of same-parent support reduces staging evidence but does not clear the original export.\n\n- Does the host role or hive combination raise credential-exposure severity?\n - Focus: `host.id`, `host.name`, and `process.command_line`, plus asset or case records only as corroboration.\n - Hint: Do not infer privileged role from `host.name` alone.\n - Implication: raise urgency when asset context or host history identifies a jump host, backup node, admin workstation, server, or shared management platform, or when same-parent process review confirms SYSTEM was exported with SAM or SECURITY; lower urgency only when the host role and export set fit the same recognized workflow.\n\n- If local evidence remains suspicious or unresolved, does related alert scope show broader credential-access activity?\n - Focus: related alerts for the same `user.id` and `host.id`, looking for credential dumping, archiving, privilege escalation, persistence, or lateral movement.\n - Hint: Start with same-user alerts. !{investigate{\"description\":\"\",\"label\":\"Alerts associated with the user\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - Hint: Compare same-host alerts. !{investigate{\"description\":\"\",\"label\":\"Alerts associated with the host\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - Implication: broaden scope and credential review when related alerts show complementary abuse; keep the case local when related alert scope is quiet and local telemetry already binds the export to one recognized workflow.\n\n- Based on the evidence gathered, what disposition is supported?\n - Focus: binary identity, hive targets and output path, parent/session context, same-parent or child-process activity, host exposure, and related-alert scope.\n - Implication: escalate when an unrecognized SAM or SECURITY export has a risky destination, suspicious lineage or session, follow-on staging, privileged-host exposure, or related credential-access alerts; close only when the same evidence categories bind one exact recognized workflow on this host, with outside confirmation if telemetry cannot prove legitimacy; preserve artifacts and escalate when evidence is mixed or incomplete.\n\n### False positive analysis\n\n- Backup, recovery, forensic, or break-glass workflows can legitimately export SAM or SECURITY hives. Confirm that the signed Microsoft utility identity, command-line hive and destination pattern, parent workflow, session context, `user.id`, `host.id`, host role, and same-parent or child-process activity all align with the same workflow. If telemetry cannot prove legitimacy, use case records, change records, or owner confirmation only as corroboration for that exact activity. If any evidence dimension contradicts the workflow, do not close as benign.\n- Before creating an exception, validate that the same `process.executable`, `process.code_signature.subject_name`, `process.parent.command_line`, `process.command_line` hive/destination pattern, `user.id`, and `host.id` recur across prior alerts from this rule. Build from that minimum confirmed pattern. Avoid exceptions on `process.name`, reg.exe, the hive name, or the host alone.\n\n### Response and remediation\n\n- If confirmed benign, reverse any temporary restriction and document the recognized utility path, hive/destination pattern, parent and session context, `user.id`, `host.id`, host role, and corroborating case evidence that justified closure. Create an exception only if that same pattern recurs consistently across prior alerts from this rule.\n- If suspicious but unconfirmed, preserve the alert record, process tree, `process.entity_id`, `process.command_line`, output path named in the command, same-parent or child-process command lines, session context, `user.id`, and `host.id` before containment or cleanup. Apply reversible containment tied to the findings, such as temporary share restriction or limited outbound access for the affected host; escalate to host isolation or account action only if staging, transfer commands, related alerts, or host criticality justify the impact.\n- If confirmed malicious, preserve the same evidence set, then isolate the host if its role can tolerate it and the findings show unauthorized hive export or movement risk. Contain the responsible account only when the user/session evidence indicates account misuse. Terminate the process only after evidence capture if it is still running.\n- Scope exposure from the copied material: SAM implies local account hash exposure; SECURITY implies LSA secret or cached-credential exposure; a same-parent SYSTEM export makes offline decryption more plausible and should raise urgency.\n- Before deleting or rotating anything, review related `host.id` and `user.id` activity for the same command patterns, hive-copy names, archive names, share paths, transfer commands, and alternate copy methods such as vssadmin.exe, diskshadow.exe, or raw shadow-copy access. Then remove only the unauthorized dump scripts, archives, copied hive files, and persistence mechanisms identified during the investigation, and remediate the access path that allowed the export.\n- Post-incident hardening: restrict hive export activity to recognized recovery or forensic workflows, document the confirmed `process.command_line` and destination patterns behind any exception, and retain process telemetry needed to distinguish future recovery work from repeated abuse.\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"reg.exe\" or process.name : \"reg.exe\") and\n process.args : (\"save\", \"export\") and\n process.args : (\n \"hklm\\\\sam\", \"hklm\\\\security\", \"hklm\\\\system\",\n \"hkey_local_machine\\\\sam\", \"hkey_local_machine\\\\security\", \"hkey_local_machine\\\\system\"\n )\n", + "references": [ + "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", + "setup": "## Setup\n\nThis rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.\n\nSetup instructions: https://ela.st/install-elastic-defend\n\n### Additional data sources\n\nThis rule also supports the following third-party data sources. For setup instructions, refer to the links below:\n\n- [CrowdStrike](https://ela.st/crowdstrike-integration)\n- [Microsoft Defender XDR](https://ela.st/m365-defender)\n- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)\n- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)\n- [Windows Process Creation Logs](https://ela.st/audit-process-creation)\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender XDR", + "Data Source: SentinelOne", + "Data Source: Sysmon", + "Data Source: Crowdstrike" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + }, + { + "id": "T1003.004", + "name": "LSA Secrets", + "reference": "https://attack.mitre.org/techniques/T1003/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 318 + }, + "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8_318", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8a48752-58f3-43a9-beb5-14b9e9f6a8b0_1.json b/packages/security_detection_engine/kibana/security_rule/a8a48752-58f3-43a9-beb5-14b9e9f6a8b0_1.json new file mode 100644 index 00000000000..8dab96defe4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a8a48752-58f3-43a9-beb5-14b9e9f6a8b0_1.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects GKE pod creation with dangerous Linux capabilities that are commonly abused in container escape techniques. Standalone pods are included; controller-owned ReplicaSet, DaemonSet, and StatefulSet workloads are excluded.", + "false_positives": [ + "Some platform or security images legitimately require elevated capabilities. Add image or namespace exceptions after review." + ], + "index": [ + "logs-gcp.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GKE Container Created with Excessive Linux Capabilities", + "note": "## Triage and analysis\n\n### Investigating GKE Container Created with Excessive Linux Capabilities\n\nCapabilities such as SYS_ADMIN, NET_ADMIN, and BPF can enable host escape. Review `gcp.audit.request.spec.containers`\nand the creating identity.\n\n### Investigation steps\n\n- Confirm which capability was added and whether the image requires it.\n- Review `user.email`, namespace, and follow-on API activity from the same actor.\n\n### False positives\n\n- Known DaemonSet or operator images may need capabilities; exclude after validation.", + "query": "data_stream.dataset:gcp.audit and event.action:\"io.k8s.core.v1.pods.create\" and event.outcome:success and\ngcp.audit.request.spec.containers.securityContext.capabilities.add:(\n \"BPF\" or \"DAC_READ_SEARCH\" or \"NET_ADMIN\" or \"SYS_ADMIN\" or \"SYS_BOOT\" or \"SYS_MODULE\" or \"SYS_PTRACE\" or \"SYS_RAWIO\" or\n \"SYSLOG\"\n) and not gcp.audit.request.metadata.ownerReferences.kind:(\"ReplicaSet\" or \"DaemonSet\" or \"StatefulSet\")\n", + "references": [ + "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container", + "https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "gcp.audit.request.metadata.ownerReferences.kind", + "type": "unknown" + }, + { + "ecs": false, + "name": "gcp.audit.request.spec.containers.securityContext.capabilities.add", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "a8a48752-58f3-43a9-beb5-14b9e9f6a8b0", + "setup": "The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Kubernetes", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "a8a48752-58f3-43a9-beb5-14b9e9f6a8b0_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_208.json b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_208.json deleted file mode 100644 index ea72300c996..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_208.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", - "false_positives": [ - "Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Password Policy Modified", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Password Policy Modified\n\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequency, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication.\n\nThreat actors might rely on weak password policies or restrictions to attempt credential access by using password stuffing or spraying techniques for cloud-based user accounts. Administrators might introduce increased risk to credential access from a third-party by weakening the password restrictions for an organization.\n\nThis rule detects when a Google Workspace password policy is modified to decrease password complexity or to adjust the reuse and reset frequency.\n\n#### Possible investigation steps\n\n- Identify associated user account(s) by reviewing the `user.name` or `source.user.email` fields in the alert.\n- Identify the password setting that was created or adjusted by reviewing `google_workspace.admin.setting.name` field.\n- Check if a password setting was enabled or disabled by reviewing the `google_workspace.admin.new_value` and `google_workspace.admin.old_value` fields.\n- After identifying the involved user, verify administrative privileges are scoped properly to change.\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method used for failed and successful logins.\n\n### False positive analysis\n\n- After identifying the user account that updated the password policy, verify whether the action was intentional.\n- Verify whether the user should have administrative privileges in Google Workspace to modify password policies.\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider resetting passwords for potentially affected users.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators might observe lag times ranging from several minutes to 3 days between the event occurrence time and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n google_workspace.admin.setting.name:(\n \"Password Management - Enforce strong password\" or\n \"Password Management - Password reset frequency\" or\n \"Password Management - Enable password reuse\" or\n \"Password Management - Enforce password policy at next login\" or\n \"Password Management - Minimum password length\" or\n \"Password Management - Maximum password length\"\n )\n", - "references": [ - "https://support.google.com/a/answer/7061566", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.setting.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", - "setup": "The Google Workspace Fleet integration, the Filebeat module, or data that's similarly structured is required for this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 208 - }, - "id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_208", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_108.json b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_108.json deleted file mode 100644 index 540fa167d47..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_108.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", - "false_positives": [ - "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "auditbeat-*", - "filebeat-*", - "logs-network_traffic.*", - "logs-panw.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "IPSEC NAT Traversal Port Activity", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating IPSEC NAT Traversal Port Activity\n\nIPSEC NAT Traversal facilitates secure VPN communication across NAT devices by encapsulating IPSEC packets in UDP, typically using port 4500. While essential for legitimate encrypted traffic, adversaries exploit this to mask malicious activities, bypassing network defenses. The detection rule identifies unusual UDP traffic on port 4500, flagging potential misuse for further investigation.\n\n### Possible investigation steps\n\n- Review the source and destination IP addresses associated with the UDP traffic on port 4500 to determine if they are known or expected within your network environment.\n- Analyze the volume and frequency of the detected traffic to assess whether it aligns with typical IPSEC NAT Traversal usage or if it appears anomalous.\n- Check for any associated network traffic events in the same timeframe that might indicate a pattern of suspicious activity, such as unusual data transfer volumes or connections to known malicious IP addresses.\n- Investigate the endpoint or device generating the traffic to verify if it is authorized to use IPSEC NAT Traversal and if it has any history of security incidents or vulnerabilities.\n- Correlate the detected activity with any recent changes in network configurations or security policies that might explain the traffic pattern.\n- Consult threat intelligence sources to determine if the destination IP address or domain has been associated with known threat actors or command and control infrastructure.\n\n### False positive analysis\n\n- Legitimate VPN traffic using IPSEC NAT Traversal can trigger alerts. Regularly review and whitelist known IP addresses or subnets associated with authorized VPN connections to reduce false positives.\n- Network devices or services that rely on IPSEC for secure communication may generate expected traffic on port 4500. Identify and document these devices, then create exceptions in the detection rule to prevent unnecessary alerts.\n- Automated backup or synchronization services that use IPSEC for secure data transfer might be flagged. Monitor these services and exclude their traffic patterns if they are verified as non-threatening.\n- Some enterprise applications may use IPSEC NAT Traversal for secure communication. Conduct an inventory of such applications and adjust the rule to exclude their traffic after confirming their legitimacy.\n- Regularly update the list of known safe IP addresses and services to ensure that new legitimate sources of IPSEC NAT Traversal traffic are promptly excluded from triggering alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further potential malicious activity and lateral movement.\n- Conduct a thorough analysis of the isolated system to identify any signs of compromise, such as unauthorized access or data exfiltration, focusing on logs and network traffic related to UDP port 4500.\n- Block all suspicious IP addresses associated with the detected traffic on port 4500 at the network perimeter to prevent further communication with potential threat actors.\n- Review and update firewall and intrusion detection/prevention system (IDS/IPS) rules to ensure they effectively block unauthorized IPSEC NAT Traversal traffic, particularly on UDP port 4500.\n- Restore the affected system from a known good backup if any signs of compromise are confirmed, ensuring that all security patches and updates are applied before reconnecting to the network.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Implement enhanced monitoring and logging for UDP traffic on port 4500 to detect and respond to any future suspicious activity promptly.", - "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500\n", - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - }, - { - "package": "panw", - "version": "^5.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", - "severity": "low", - "tags": [ - "Tactic: Command and Control", - "Domain: Endpoint", - "Use Case: Threat Detection", - "Data Source: PAN-OS", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 108 - }, - "id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_108", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_112.json b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_112.json new file mode 100644 index 00000000000..30e632dcdfa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_112.json @@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects outbound IPSEC NAT Traversal (NAT-T) tunnels established from an internal host to an external destination. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal encapsulates IPSEC ESP traffic in UDP and, once a NAT device is detected, both peers float to UDP port 4500 for the tunnel data channel. The rule keys on this NAT-T signature, UDP traffic where both the source and destination port are 4500, from an internal source to an external destination, rather than on any UDP traffic to port 4500. This may be common on your network, but this technique is also used by threat actors to tunnel command and control or exfiltration traffic over the Internet to avoid detection.", + "false_positives": [ + "Legitimate site-to-site or client VPNs that use IPSEC NAT Traversal will establish outbound tunnels on UDP port 4500. Where these tunnels are expected, the internal source hosts or external VPN gateway IP addresses can be excluded. Requiring both the source and destination port to be 4500 already removes alerts caused by an external server coincidentally replying to an ephemeral UDP source port of 4500." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "auditbeat-*", + "filebeat-*", + "logs-network_traffic.*", + "logs-panw.*", + "logs-pfsense.log-*", + "logs-zeek.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "IPSEC NAT Traversal Port Activity", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating IPSEC NAT Traversal Port Activity\n\nIPSEC NAT Traversal facilitates secure VPN communication across NAT devices by encapsulating IPSEC packets in UDP, typically using port 4500. While essential for legitimate encrypted traffic, adversaries exploit this to mask malicious activities, bypassing network defenses. The detection rule identifies outbound NAT-T tunnels, UDP traffic where both the source and destination port are 4500, originating from an internal host to an external destination, flagging potential misuse for further investigation.\n\n### Possible investigation steps\n\n- Review the source and destination IP addresses associated with the UDP traffic on port 4500 to determine if they are known or expected within your network environment.\n- Analyze the volume and frequency of the detected traffic to assess whether it aligns with typical IPSEC NAT Traversal usage or if it appears anomalous.\n- Check for any associated network traffic events in the same timeframe that might indicate a pattern of suspicious activity, such as unusual data transfer volumes or connections to known malicious IP addresses.\n- Investigate the endpoint or device generating the traffic to verify if it is authorized to use IPSEC NAT Traversal and if it has any history of security incidents or vulnerabilities.\n- Correlate the detected activity with any recent changes in network configurations or security policies that might explain the traffic pattern.\n- Consult threat intelligence sources to determine if the destination IP address or domain has been associated with known threat actors or command and control infrastructure.\n\n### False positive analysis\n\n- Legitimate VPN traffic using IPSEC NAT Traversal can trigger alerts. Regularly review and whitelist known IP addresses or subnets associated with authorized VPN connections to reduce false positives.\n- Network devices or services that rely on IPSEC for secure communication may generate expected traffic on port 4500. Identify and document these devices, then create exceptions in the detection rule to prevent unnecessary alerts.\n- Automated backup or synchronization services that use IPSEC for secure data transfer might be flagged. Monitor these services and exclude their traffic patterns if they are verified as non-threatening.\n- Some enterprise applications may use IPSEC NAT Traversal for secure communication. Conduct an inventory of such applications and adjust the rule to exclude their traffic after confirming their legitimacy.\n- Regularly update the list of known safe IP addresses and services to ensure that new legitimate sources of IPSEC NAT Traversal traffic are promptly excluded from triggering alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further potential malicious activity and lateral movement.\n- Conduct a thorough analysis of the isolated system to identify any signs of compromise, such as unauthorized access or data exfiltration, focusing on logs and network traffic related to UDP port 4500.\n- Block all suspicious IP addresses associated with the detected traffic on port 4500 at the network perimeter to prevent further communication with potential threat actors.\n- Review and update firewall and intrusion detection/prevention system (IDS/IPS) rules to ensure they effectively block unauthorized IPSEC NAT Traversal traffic, particularly on UDP port 4500.\n- Restore the affected system from a known good backup if any signs of compromise are confirmed, ensuring that all security patches and updates are applied before reconnecting to the network.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Implement enhanced monitoring and logging for UDP traffic on port 4500 to detect and respond to any future suspicious activity promptly.", + "query": "(data_stream.dataset: (network_traffic.flow or zeek.connection) or (event.category: (network or network_traffic))) and\n network.transport:udp and source.port:4500 and destination.port:4500 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", + "related_integrations": [ + { + "package": "panw", + "version": "^5.0.0" + }, + { + "package": "pfsense", + "version": "^1.0.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + }, + { + "package": "zeek", + "version": "^5.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 21, + "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", + "severity": "low", + "tags": [ + "Tactic: Command and Control", + "Domain: Endpoint", + "Use Case: Threat Detection", + "Data Source: PAN-OS", + "Data Source: Network Traffic", + "Data Source: pfSense", + "Data Source: Zeek", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1095", + "name": "Non-Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1095/" + }, + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + }, + { + "id": "T1573", + "name": "Encrypted Channel", + "reference": "https://attack.mitre.org/techniques/T1573/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 112 + }, + "id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_209.json b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_209.json deleted file mode 100644 index 4e5aa9d03ff..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_209.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.", - "false_positives": [ - "Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace API Access Granted via Domain-Wide Delegation", - "note": "## Triage and analysis\n\n### Investigating Google Workspace API Access Granted via Domain-Wide Delegation\n\nDomain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace.\n\nApplications authorized to interact with Google Workspace resources and services through APIs have a wide range of capabilities depending on the scopes applied. If the principle of least privilege (PoLP) is not practiced when setting API scopes, threat actors could abuse additional privileges if the application is compromised. New applications created and given API access could indicate an attempt by a threat actor to register their malicious application with the Google Workspace domain in an attempt to establish a command and control foothold.\n\nThis rule identifies when an application is authorized API client access.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - Only users with super admin privileges can authorize API client access.\n- Identify the API client name by reviewing the `google_workspace.admin.api.client.name` field in the alert.\n - If GCP audit logs are ingested, pivot to reviewing the last 48 hours of activity related to the service account ID.\n - Search for the `google_workspace.admin.api.client.name` value with wildcards in the `gcp.audit.resource_name` field.\n - Search for API client name and aggregated results on `event.action` to determine what the service account is being used for in GWS.\n- After identifying the involved user, verify super administrative privileges to access domain-wide delegation settings.\n\n### False positive analysis\n\n- Changes to domain-wide delegation require super admin privileges. Check with the user to ensure these changes were expected.\n- Review scheduled maintenance notes related to expected API access changes.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the scope of the authorized API client access in Google Workspace.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin\n and event.provider:admin\n and event.category:iam\n and event.action:AUTHORIZE_API_CLIENT_ACCESS\n and event.outcome:success\n", - "references": [ - "https://developers.google.com/admin-sdk/directory/v1/guides/delegation", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 209 - }, - "id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee_209", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_208.json b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_208.json deleted file mode 100644 index 0520823a6a2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_208.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", - "false_positives": [ - "Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Custom Admin Role Created", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Admin Role Created\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\n\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might create new admin roles with privileges to advance their intrusion efforts and laterally move throughout the organization if existing roles or users do not have privileges aligned with their modus operandi. Users with unexpected privileges from new admin roles may also cause operational dysfunction if unfamiliar settings are adjusted without warning. Instead of modifying existing roles, administrators might create new roles to accomplish short-term goals and unintentionally introduce additional risk exposure.\n\nThis rule identifies when a Google Workspace administrative role is added within the Google Workspace admin console.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role added by reviewing the `google_workspace.admin.role.name` field in the alert.\n- After identifying the involved user, verify if they should have administrative privileges to add administrative roles.\n- To identify if users have been assigned this role, search for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were possibly assigned this admin role.\n- Monitor users assigned the admin role for the next 24 hours and look for attempts to use related privileges.\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\n - The `event.action` field will help trace what actions are being taken by users.\n\n### False positive analysis\n\n- After identifying the user account that created the role, verify whether the action was intentional.\n- Verify that the user who created the role should have administrative privileges in Google Workspace to create custom roles.\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\n- Create a filter with the user's `user.name` and filter for `event.action`. In the results, check if there are multiple `CREATE_ROLE` actions and note whether they are new or historical.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n", - "references": [ - "https://support.google.com/a/answer/2406043?hl=en", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 208 - }, - "id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be_208", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b5f94e78-fb4d-4f4b-879e-e51ea667d09c_1.json b/packages/security_detection_engine/kibana/security_rule/b5f94e78-fb4d-4f4b-879e-e51ea667d09c_1.json new file mode 100644 index 00000000000..16a345486e2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b5f94e78-fb4d-4f4b-879e-e51ea667d09c_1.json @@ -0,0 +1,66 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a burst of DHCP DISCOVER messages with an unusually high number of distinct client hardware addresses observed on the same capture segment within a short window. Attackers flood DISCOVER requests with spoofed or random MAC addresses to exhaust the DHCP lease pool, often as a precursor to deploying a rogue DHCP server.", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential DHCP Starvation via High Client MAC Cardinality", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential DHCP Starvation via High Client MAC Cardinality\n\nDHCP starvation floods a segment with DISCOVER messages that use many distinct client hardware addresses to consume\navailable leases. This rule keys on high DHCP DISCOVER volume paired with high `client_mac` cardinality seen by the\nsame network capture sensor, which is the wire-level starvation pattern and does not depend on host operating system.\n\n### Possible investigation steps\n\n- Review `Esql.count_distinct_client_macs` and sample values in `Esql.values_client_macs` to confirm the burst is not a\n single client retrying with one address.\n- Identify the L2 segment or VLAN monitored by `Esql.observer` and check DHCP server logs for pool exhaustion, NAK spikes,\n or lease-denial events during the same window.\n- Look for follow-on rogue DHCP OFFER/ACK activity on the segment, including the Multiple DHCP Servers Responding to the\n Same Transaction rule.\n- Locate the transmitting host using switch CAM tables if Ethernet source addresses are available in raw capture exports.\n\n### False positive analysis\n\n- Large Wi-Fi reconnect or onboarding events can temporarily increase DISCOVER volume. Compare against historical\n baselines for the same `Esql.observer` and time of day before treating as malicious.\n- Virtualization or VDI provisioning bursts may generate many distinct client MAC addresses during imaging. Exclude known\n provisioning VLANs or sensors when the workflow is confirmed.\n\n### Response and remediation\n\n- Enable or verify DHCP snooping and rate limits on the affected access switches.\n- Block or isolate the source host if link-layer evidence confirms a single transmitter is generating the flood.\n- Restore DHCP service capacity and monitor for rogue OFFER/ACK responses after the starvation attempt.\n", + "query": "from logs-network_traffic.dhcpv4-*, packetbeat-*\n| eval\n Esql.message_type = TO_LOWER(COALESCE(network_traffic.dhcpv4.option.message_type, dhcpv4.option.message_type)),\n Esql.client_mac = COALESCE(network_traffic.dhcpv4.client_mac, dhcpv4.client_mac),\n Esql.observer_hostname = COALESCE(host.name, observer.hostname)\n| where Esql.message_type == \"discover\" and Esql.client_mac is not null and Esql.observer_hostname is not null\n| eval Esql.time_window = DATE_TRUNC(1 minute, @timestamp)\n| stats\n Esql.dhcpv4_discover_count = COUNT(*),\n Esql.dhcpv4_client_mac_count_distinct = COUNT_DISTINCT(Esql.client_mac),\n Esql.dhcpv4_client_mac_values = MV_SLICE(VALUES(Esql.client_mac), 0, 10)\n by Esql.time_window, Esql.observer_hostname\n| where Esql.dhcpv4_discover_count >= 75 and Esql.dhcpv4_client_mac_count_distinct >= 50\n| keep Esql.observer_hostname, Esql.time_window, Esql.dhcpv4_discover_count, Esql.dhcpv4_client_mac_count_distinct, Esql.dhcpv4_client_mac_values\n", + "references": [ + "https://attack.mitre.org/techniques/T1498/", + "https://www.leviathansecurity.com/blog/tunnelvision", + "https://wazuh.com/blog/monitoring-dhcp-starvation-attack-with-suricata-and-wazuh/" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "risk_score": 47, + "rule_id": "b5f94e78-fb4d-4f4b-879e-e51ea667d09c", + "setup": "## Setup\n\nThis rule requires the Elastic network_traffic (Packetbeat) integration capturing DHCP (UDP 67/68) on the broadcast\nsegment where clients acquire leases, either Packetbeat running on the segment or a SPAN/mirror feeding it.\n\nZeek and flow-only firewall sources are intentionally not supported: this rule requires per-DISCOVER DHCP transaction\nfields and client hardware address values (`client_mac`) to measure high client MAC cardinality in a short time window.\n", + "severity": "medium", + "tags": [ + "Domain: Network", + "Use Case: Threat Detection", + "Use Case: Network Security Monitoring", + "Tactic: Impact", + "Data Source: Network Traffic", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1498", + "name": "Network Denial of Service", + "reference": "https://attack.mitre.org/techniques/T1498/", + "subtechnique": [ + { + "id": "T1498.001", + "name": "Direct Network Flood", + "reference": "https://attack.mitre.org/techniques/T1498/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "b5f94e78-fb4d-4f4b-879e-e51ea667d09c_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_7.json b/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_7.json new file mode 100644 index 00000000000..15ce1a87c18 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_7.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.", + "false_positives": [ + "False positives can occur because the rules may be mapped to a few MITRE ATT&CK tactics. Use the attached Timeline to determine which detections were triggered on the host." + ], + "from": "now-24h", + "index": [ + ".alerts-security.*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Multiple Alerts in Different ATT&CK Tactics on a Single Host\n\nThe detection rule identifies hosts with alerts across various attack phases, indicating potential compromise. Adversaries exploit system vulnerabilities, moving through different tactics like execution, persistence, and exfiltration. This rule prioritizes hosts with diverse tactic alerts, aiding analysts in focusing on high-risk threats by correlating alert data to detect complex attack patterns.\n\n### Possible investigation steps\n\n- Review the alert details to identify the specific host involved and the different ATT&CK tactics that triggered the alerts.\n- Examine the timeline of the alerts to understand the sequence of events and determine if there is a pattern or progression in the tactics used.\n- Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context.\n- Investigate any known vulnerabilities or misconfigurations on the host that could have been exploited by the adversary.\n- Check for any indicators of compromise (IOCs) associated with the alerts, such as suspicious IP addresses, domains, or file hashes, and search for these across the network.\n- Assess the impact and scope of the potential compromise by determining if other hosts or systems have similar alerts or related activity.\n\n### False positive analysis\n\n- Alerts from routine administrative tasks may trigger multiple tactics. Review and exclude known benign activities such as scheduled software updates or system maintenance.\n- Security tools running on the host might generate alerts across different tactics. Identify and exclude alerts from trusted security applications to reduce noise.\n- Automated scripts or batch processes can mimic adversarial behavior. Analyze and whitelist these processes if they are verified as non-threatening.\n- Frequent alerts from development or testing environments can be misleading. Consider excluding these environments from the rule or applying a different risk score.\n- User behavior anomalies, such as accessing multiple systems or applications, might trigger alerts. Implement user behavior baselines to differentiate between normal and suspicious activities.\n\n### Response and remediation\n\n- Isolate the affected host from the network immediately to prevent further lateral movement by the adversary.\n- Conduct a thorough forensic analysis of the host to identify the specific vulnerabilities exploited and gather evidence of the attack phases involved.\n- Remove any identified malicious software or unauthorized access tools from the host, ensuring all persistence mechanisms are eradicated.\n- Apply security patches and updates to the host to address any exploited vulnerabilities and prevent similar attacks.\n- Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise.\n- Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns.\n- Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign.", + "query": "signal.rule.name:* and kibana.alert.rule.threat.tactic.id:* and host.id:* and host.name:* and\nevent.dataset:* and kibana.alert.risk_score > 21 and\nnot kibana.alert.rule.type:(threat_match or machine_learning)\n", + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "kibana.alert.risk_score", + "type": "unknown" + }, + { + "ecs": false, + "name": "kibana.alert.rule.threat.tactic.id", + "type": "unknown" + }, + { + "ecs": false, + "name": "kibana.alert.rule.type", + "type": "unknown" + }, + { + "ecs": false, + "name": "signal.rule.name", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c", + "severity": "high", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: Higher-Order Rule", + "Resources: Investigation Guide" + ], + "threshold": { + "cardinality": [ + { + "field": "kibana.alert.rule.threat.tactic.id", + "value": 3 + } + ], + "field": [ + "host.id", + "host.name" + ], + "value": 2 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 7 + }, + "id": "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be70614d-4295-473c-a953-582aef41c865_5.json b/packages/security_detection_engine/kibana/security_rule/be70614d-4295-473c-a953-582aef41c865_5.json deleted file mode 100644 index 94047daff7f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/be70614d-4295-473c-a953-582aef41c865_5.json +++ /dev/null @@ -1,110 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the use of curl to upload files to an internet server. Threat actors often will collect and exfiltrate data on a system to their C2 server for review. Many threat actors have been observed using curl to upload the collected data. Use of curl in this way, while not inherently malicious, should be considered highly abnormal and suspicious activity.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.process*", - "logs-crowdstrike.fdr*", - "logs-sentinel_one_cloud_funnel.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Data Exfiltration Through Curl", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Data Exfiltration Through Curl\n\nCurl is a command-line tool used for transferring data with URLs, commonly employed for legitimate data exchange tasks. However, adversaries can exploit curl to exfiltrate sensitive data by uploading compressed files to remote servers. The detection rule identifies suspicious curl usage by monitoring for specific command patterns and arguments indicative of data uploads, flagging abnormal activities for further investigation.\n\n### Possible investigation steps\n\n- Review the process command line to confirm the presence of suspicious arguments such as \"-F\", \"-T\", \"-d\", or \"--data*\" and check for any compressed file extensions like .zip, .gz, or .tgz being uploaded to an external server.\n- Investigate the parent process of the curl command to understand the context in which curl was executed, including the parent executable and its purpose.\n- Examine network logs to identify the destination IP address or domain to which the data was being uploaded, and assess whether it is a known or suspicious entity.\n- Check for any recent file creation or modification events on the host that match the compressed file types mentioned in the query, which could indicate data collection prior to exfiltration.\n- Correlate this event with other security alerts or logs from the same host to identify any patterns of behavior that might suggest a broader compromise or data exfiltration attempt.\n\n### False positive analysis\n\n- Legitimate data transfers using curl for system backups or data synchronization can trigger the rule. To manage this, identify and whitelist specific processes or scripts that are known to perform these tasks regularly.\n- Automated system updates or software installations that use curl to download and upload data might be flagged. Exclude these processes by verifying their source and adding them to an exception list if they are from trusted vendors.\n- Internal data transfers within a secure network that use curl for efficiency can be mistaken for exfiltration. Monitor the destination IP addresses and exclude those that are internal or known safe endpoints.\n- Developers or system administrators using curl for testing or development purposes may inadvertently trigger the rule. Educate these users on the potential alerts and establish a process for them to notify security teams of their activities to prevent unnecessary investigations.\n- Scheduled tasks or cron jobs that use curl for routine data uploads should be reviewed and, if deemed safe, added to an exception list to avoid repeated false positives.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further data exfiltration and contain the threat.\n- Terminate any suspicious curl processes identified by the detection rule to stop ongoing data transfers.\n- Conduct a forensic analysis of the affected system to identify any additional malicious activities or compromised data.\n- Change credentials and access keys that may have been exposed or used during the incident to prevent unauthorized access.\n- Notify the security operations team and relevant stakeholders about the incident for awareness and further action.\n- Review and update firewall and network security rules to block unauthorized outbound traffic, especially to suspicious or unknown external servers.\n- Implement enhanced monitoring and logging for curl usage and similar data transfer tools to detect and respond to future exfiltration attempts promptly.\n", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"ProcessRollup2\", \"start\") and\nprocess.name == \"curl\" and ?process.parent.executable != null and\n(\n process.args in (\"-T\", \"--upload-file\") or\n (\n (process.args in (\"-F\", \"-d\", \"--form\") or process.args like \"--data*\") and process.command_line like \"*@*\"\n )\n) and\n(\n process.command_line like (\"*http:*\", \"*https:*\", \"*ftp:*\", \"*ftps:*\") or\n process.command_line regex \".*[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}.*\"\n)\n", - "references": [ - "https://everything.curl.dev/usingcurl/uploads", - "https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign?hl=en" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "crowdstrike", - "version": "^3.0.0" - }, - { - "package": "sentinel_one_cloud_funnel", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "be70614d-4295-473c-a953-582aef41c865", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Exfiltration", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", - "Data Source: Crowdstrike", - "Data Source: SentinelOne" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 5 - }, - "id": "be70614d-4295-473c-a953-582aef41c865_5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0136397-f82a-45e5-9b9f-a3651d77e21a_8.json b/packages/security_detection_engine/kibana/security_rule/c0136397-f82a-45e5-9b9f-a3651d77e21a_8.json new file mode 100644 index 00000000000..4b6f3de9c82 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c0136397-f82a-45e5-9b9f-a3651d77e21a_8.json @@ -0,0 +1,152 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs (.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are not yet implemented.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "GenAI Process Accessing Sensitive Files", + "note": "## Triage and analysis\n\n### Investigating GenAI Process Accessing Sensitive Files\n\nThis rule detects GenAI tools accessing credential files, SSH keys, browser data, or shell configurations. While GenAI tools legitimately access project files, access to sensitive credential stores is unusual and warrants investigation.\n\n### Possible investigation steps\n\n- Review the GenAI process that triggered the alert to identify which tool is being used and verify if it's an expected/authorized tool.\n- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.\n- Review the types of sensitive files being accessed (credentials, keys, browser data, etc.) to assess the potential impact of credential harvesting or data exfiltration.\n- Check for other alerts or suspicious activity on the same host around the same time, particularly network exfiltration events.\n- Verify if the GenAI tool or extension is from a trusted source and if it's authorized for use in your environment.\n- Determine if the GenAI process accessed multiple sensitive directories in sequence, an indication of credential harvesting.\n- Check if the GenAI tool recently created or accessed AI agent config files, which may contain instructions enabling autonomous file scanning.\n- Review whether the access was preceded by an MCP server, LangChain agent, or background automation.\n\n### False positive analysis\n\n- Automated security scanning or auditing tools that leverage GenAI may access sensitive files as part of their normal operation.\n- Development workflows that use GenAI tools for code analysis may occasionally access credential files.\n\n### Response and remediation\n\n- Immediately review the GenAI process that accessed the documents to determine if it's compromised or malicious.\n- Review, rotate, and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool.\n- Investigate the document access patterns to determine the scope of potential data exfiltration.\n- Update security policies to restrict or monitor GenAI tool usage in the environment, especially for access to sensitive files.\n", + "query": "file where event.action in (\"open\", \"creation\", \"modification\") and event.outcome == \"success\" and\n\n // GenAI process \n (\n process.name in~ (\n \"ollama.exe\", \"ollama\",\n \"textgen.exe\", \"textgen\", \"text-generation-webui.exe\", \"oobabooga.exe\",\n \"lmstudio.exe\", \"lmstudio\", \"LM Studio\",\n \"claude.exe\", \"claude\",\n \"cursor.exe\", \"cursor\",\n \"copilot.exe\", \"copilot\",\n \"codex.exe\", \"codex\",\n \"jan.exe\", \"jan\",\n \"gpt4all.exe\", \"gpt4all\",\n \"gemini-cli.exe\", \"gemini-cli\", \"gemini.exe\",\n \"genaiscript.exe\", \"genaiscript\",\n \"grok.exe\", \"grok\",\n \"qwen.exe\", \"qwen\",\n \"koboldcpp.exe\", \"koboldcpp\",\n \"llama-server\", \"llama-cli\",\n \"windsurf.exe\", \"windsurf\",\n \"zed.exe\", \"zed\",\n \"opencode.exe\", \"opencode\",\n \"goose.exe\", \"goose\"\n )\n ) and\n\n // Sensitive file paths\n (\n // Persistence via Shell configs\n file.name in (\".bashrc\", \".bash_profile\", \".zshrc\", \".zshenv\", \".zprofile\", \".profile\", \".bash_logout\") or\n\n // Credentials In Files \n file.name like~ \n (\"key?.db\", \n \"logins.json\", \n \"Login Data\", \n \"Local State\",\n \"signons.sqlite\",\n \"Cookies\", \n \"cookies.sqlite\",\n \"Cookies.binarycookies\", \n \"login.keychain-db\", \n \"System.keychain\", \n \"credentials.db\", \n \"credentials\", \n \"access_tokens.db\", \n \"accessTokens.json\", \n \"azureProfile.json\",\n \"RDCMan.settings\", \n \"known_hosts\", \n \"KeePass.config.xml\", \n \"Unattended.xml\")\n ) and not (\n host.os.type == \"windows\" and\n file.name like~ \"Local State\" and\n file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\\\\Local State\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Packages\\\\*\\\\LocalCache\\\\Roaming\\\\*\\\\Local State\"\n )\n )\n", + "references": [ + "https://atlas.mitre.org/techniques/AML.T0085", + "https://atlas.mitre.org/techniques/AML.T0085.001", + "https://atlas.mitre.org/techniques/AML.T0055", + "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks", + "https://www.elastic.co/security-labs/elastic-advances-llm-security", + "https://specterops.io/blog/2025/11/21/an-evening-with-claude-code" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c0136397-f82a-45e5-9b9f-a3651d77e21a", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Domain: LLM", + "Mitre Atlas: T0085", + "Mitre Atlas: T0085.001", + "Mitre Atlas: T0055" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.001", + "name": "Credentials In Files", + "reference": "https://attack.mitre.org/techniques/T1552/001/" + } + ] + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1005", + "name": "Data from Local System", + "reference": "https://attack.mitre.org/techniques/T1005/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "c0136397-f82a-45e5-9b9f-a3651d77e21a_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c040c962-1c60-4259-8ea3-601a40d4ab9f_1.json b/packages/security_detection_engine/kibana/security_rule/c040c962-1c60-4259-8ea3-601a40d4ab9f_1.json new file mode 100644 index 00000000000..dc464ec8994 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c040c962-1c60-4259-8ea3-601a40d4ab9f_1.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the first occurrence of a non-system GKE identity establishing an exec session into a pod. kubectl exec enables interactive command execution inside workloads and is a common post-compromise technique to access secrets and expand access.", + "false_positives": [ + "Administrators routinely exec into pods for troubleshooting. Baseline expected users and target pods, then exclude known break-glass identities." + ], + "from": "now-6m", + "history_window_start": "now-7d", + "index": [ + "logs-gcp.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GKE User Exec into Pod", + "new_terms_fields": [ + "user.email", + "orchestrator.resource.name" + ], + "note": "## Triage and analysis\n\n### Investigating GKE User Exec into Pod\n\nThis new-terms rule alerts on the first exec into a given pod by a user identity in the lookback window.\n\n### Investigation steps\n\n- Review `user.email`, `orchestrator.resource.name`, `source.ip`, and `user_agent.original`.\n- Determine whether the target pod holds sensitive data or cluster credentials.\n- Correlate with secret access or RBAC changes from the same identity.\n\n### False positives\n\n- Approved admin debugging; exclude stable operator identities after review.", + "query": "data_stream.dataset:gcp.audit and event.action:(\"io.k8s.core.v1.pods.exec.create\" or \"io.k8s.core.v1.pods.exec.get\") and\nnot user.email:system\\:*\n", + "references": [ + "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.email", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c040c962-1c60-4259-8ea3-601a40d4ab9f", + "setup": "The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Kubernetes", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1609", + "name": "Container Administration Command", + "reference": "https://attack.mitre.org/techniques/T1609/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "c040c962-1c60-4259-8ea3-601a40d4ab9f_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c1326e45-6d3c-4a2d-9882-606a0c310299_1.json b/packages/security_detection_engine/kibana/security_rule/c1326e45-6d3c-4a2d-9882-606a0c310299_1.json new file mode 100644 index 00000000000..f77ed3d4c15 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c1326e45-6d3c-4a2d-9882-606a0c310299_1.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies GenAI agent CLIs started with permission-bypass or auto-approval flags that disable human-in-the-loop guardrails. These modes are intended for isolated sandboxes but are frequently misused on internet-connected developer workstations, allowing prompt injection, compromised dependencies, or malicious skills to execute commands, modify files, or reach sensitive paths without confirmation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "GenAI CLI Started with Unsafe Permission Bypass", + "note": "## Triage and analysis\n\n### Investigating GenAI CLI Started with Unsafe Permission Bypass\n\nGenAI coding agents normally prompt before running shell commands or editing files. Vendor-supplied bypass flags remove\nthose controls entirely or auto-approve all tool calls. On a networked host this materially increases blast radius from\nprompt injection, poisoned MCP servers, malicious project configs, and autonomous agent workflows.\n\n### Possible investigation steps\n\n- Identify which GenAI tool and bypass flag were used from `process.command_line` and `process.executable`.\n- Determine whether the session was intentional (CI/CD, isolated lab VM) or an interactive developer workstation.\n- Review child processes spawned after startup for credential access, network exfiltration, or persistence.\n- Check for recent GenAI config changes (MCP servers, skills, `.claude/settings.json`, `~/.codex/config.toml`).\n- Correlate with other GenAI-related alerts on the same host and user.\n\n### False positive analysis\n\n- Deliberate use in approved sandbox/CI images with no outbound network access.\n- Internal automation scripts that wrap GenAI CLIs with bypass flags; scope exceptions by host or user group.\n- Each matching process start produces one alert; habitual bypass use in CI or developer workflows may need host or user exceptions.\n\n### Response and remediation\n\n- Remove bypass flags from scripts, shell profiles, and CI job definitions; use default or plan-only permission modes.\n- Rotate API keys and cloud credentials accessible to the user account that ran the agent.\n- Audit GenAI tool configs and MCP servers loaded during the session.\n- Restrict GenAI agent usage policies to disallow permission bypass on production endpoints.\n", + "query": "process where event.type == \"start\" and event.action in (\"exec\", \"start\") and\n(\n (\n process.args in (\n \"--dangerously-skip-permissions\",\n \"--allow-dangerously-skip-permissions\",\n \"--permission-mode=bypassPermissions\"\n ) or\n (process.args == \"--permission-mode\" and process.args == \"bypassPermissions\")\n ) and\n (\n process.name in (\"claude\", \"claude.exe\") or\n process.executable : (\n \"*/.local/share/claude/versions/*\",\n \"*/.claude/downloads/*\",\n \"*Caskroom/claude-code/*\",\n \"*\\\\Claude\\\\versions\\\\*\"\n ) or\n (process.name in (\"node\", \"node.exe\") and process.args : \"*@anthropic-ai/claude-code*\")\n )\n) or\n(\n (\n process.args in (\"--dangerously-bypass-approvals-and-sandbox\", \"--full-auto\", \"--yolo\") or\n process.command_line : (\n \"* -s danger-full-access*\",\n \"*--sandbox danger-full-access*\",\n \"*--sandbox=danger-full-access*\",\n \"*--ask-for-approval never*\",\n \"*--ask-for-approval=never*\"\n )\n ) and\n (\n process.name in (\n \"codex\", \"codex.exe\", \"codex-exec\",\n \"codex-aarch64-apple-darwin\", \"codex-x86_64-apple-darwin\",\n \"codex-linux-arm64\", \"codex-linux-x64\"\n ) or\n (process.name in (\"node\", \"node.exe\") and process.args : (\"*@openai/codex*\", \"*/codex\", \"*\\\\codex*\"))\n )\n) or\n(\n (\n process.args in (\"--yolo\", \"-y\") or\n (process.args == \"--approval-mode\" and process.args == \"yolo\") or\n process.args == \"--approval-mode=yolo\"\n ) and\n (\n process.name in (\"gemini\", \"gemini-cli\", \"gemini.exe\", \"gemini-cli.exe\") or\n (process.name in (\"node\", \"node.exe\") and process.args : (\"*@google/gemini-cli*\", \"*/gemini\", \"*\\\\gemini*\"))\n )\n) or\n(\n (\n process.args in (\n \"--yolo\",\n \"--autopilot\",\n \"--allow-all\",\n \"--allow-all-tools\",\n \"--allow-all-paths\",\n \"--allow-all-urls\"\n )\n ) and\n (\n process.name in (\"copilot\", \"copilot.exe\") or\n (process.name in (\"node\", \"node.exe\") and process.args : (\"*@github/copilot*\", \"*/copilot\", \"*\\\\copilot*\"))\n )\n) or\n(\n process.args == \"--dangerously-skip-permissions\" and\n (\n process.name in (\"opencode\", \"opencode.exe\", \".opencode\") or\n process.executable : (\"*opencode-ai*\", \"*\\\\.opencode*\") or\n (process.name in (\"node\", \"node.exe\") and process.args : (\"*opencode-ai*\", \"*/opencode\", \"*\\\\opencode*\"))\n )\n)\n", + "references": [ + "https://code.claude.com/docs/en/permission-modes", + "https://developers.openai.com/codex/cli/reference", + "https://developers.openai.com/codex/agent-approvals-security", + "https://google-gemini.github.io/gemini-cli/docs/get-started/configuration.html", + "https://specterops.io/blog/2025/11/21/an-evening-with-claude-code/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c1326e45-6d3c-4a2d-9882-606a0c310299", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Domain: LLM" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "c1326e45-6d3c-4a2d-9882-606a0c310299_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c_4.json b/packages/security_detection_engine/kibana/security_rule/c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c_4.json new file mode 100644 index 00000000000..b6c3b1c969a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c_4.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window. Legitimate MSP environments may run multiple tools, but this pattern can also indicate compromise, shadow IT, or attacker staging of redundant access. Processes are mapped to a single vendor label so multiple binaries from the same vendor do not inflate the count.", + "from": "now-9m", + "interval": "8m", + "language": "esql", + "license": "Elastic License v2", + "name": "Multiple Remote Management Tool Vendors on Same Host", + "note": "## Triage and analysis\n\n### Investigating Multiple Remote Management Tool Vendors on Same Host\n\nThis rule aggregates process start events by `host.id` and host name within the rule's nine-minute lookback window. Data can come from Elastic Defend, Sysmon, Winlogbeat, Windows Security / forwarded events, Microsoft Defender XDR, SentinelOne, or CrowdStrike FDR\u2014where ECS process fields are populated. Each known RMM-related process name maps to one **vendor** label (e.g. TeamViewer, AnyDesk, ScreenConnect). If **two or more different vendor labels** appear within the same lookback window, the rule signals.\n\n### Possible investigation steps\n\n- Open **Esql.vendors_seen** and **Esql.processes_executable_values** on the alert to see which tools fired in the window.\n- Confirm whether the host is an MSP-managed jump box, helpdesk workstation, or lab where multiple RMM stacks are expected.\n- For servers or standard user endpoints, treat as higher risk: review install source, code signatures, and recent logons.\n- Correlate with other alerts (ingress tool transfer, suspicious scripting, new persistence) on the same `host.id`.\n- Check asset inventory and change tickets for approved RMM software.\n\n### False positive analysis\n\n- **MSP / IT tooling**: A technician machine with two approved agents (e.g. RMM + remote support) may match. Tune with host or organizational unit exceptions, or raise the vendor threshold if your environment standardizes on a known pair.\n- **Vendor rebrands or bundles**: Rare overlaps during migrations can briefly show two vendors; validate timeline and packages.\n\n### Response and remediation\n\n- If unauthorized or unexplained: isolate the host, inventory installed remote-access software, remove unapproved tools, and reset credentials that may have been exposed. Enforce a single approved RMM stack per asset class where possible.\n", + "query": "from logs-endpoint.events.process-*, logs-crowdstrike.fdr*, logs-m365_defender.event-*, logs-sentinel_one_cloud_funnel.*, logs-system.security*, logs-windows.sysmon_operational-*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index\n| where (host.os.type == \"windows\" or host.os.family == \"windows\")\n and event.category == \"process\"\n and event.type == \"start\"\n and process.name is not null\n| eval Esql.rmm_vendor = case(\n process.name.caseless like \"aa_v*.exe\", \"AnyAssist\",\n process.name.caseless == \"acroniscyberprotectconnectagent.exe\", \"Acronis\",\n process.name.caseless == \"aeroadmin.exe\", \"AeroAdmin\",\n process.name.caseless == \"agentmon.exe\", \"ConnectWiseAutomate\",\n process.name.caseless == \"anydesk.exe\", \"AnyDesk\",\n process.name.caseless == \"apc_admin.exe\", \"APC\",\n process.name.caseless == \"apc_host.exe\", \"APC\",\n process.name.caseless == \"ateraagent.exe\", \"Atera\",\n process.name.caseless like \"aweray_remote*.exe\", \"AweSun\",\n process.name.caseless == \"awesun.exe\", \"AweSun\",\n process.name.caseless == \"b4-service.exe\", \"BeyondTrust\",\n process.name.caseless == \"basupsrvc.exe\", \"BeyondTrust\",\n process.name.caseless == \"bomgar-scc.exe\", \"BeyondTrust\",\n process.name.caseless == \"remote support.exe\", \"BeyondTrust\",\n process.name.caseless == \"cagservice.exe\", \"BarracudaRMM\",\n process.name.caseless == \"cloudracmd.exe\", \"CloudRadial\",\n process.name.caseless == \"cloudrasd.exe\", \"CloudRadial\",\n process.name.caseless == \"cloudraservice.exe\", \"CloudRadial\",\n process.name.caseless like \"connectwisecontrol*.exe\", \"ScreenConnect\",\n process.name.caseless == \"domotzagent.exe\", \"Domotz\",\n process.name.caseless == \"domotz-windows-x64-10.exe\", \"Domotz\",\n process.name.caseless == \"dwagsvc.exe\", \"DWService\",\n process.name.caseless == \"dwrcc.exe\", \"DWService\",\n process.name.caseless == \"dwrcs.exe\", \"DWService\",\n process.name.caseless == \"dwrcst.exe\", \"DWService\",\n process.name.caseless like \"fleetdeck_commander*.exe\", \"FleetDeck\",\n process.name.caseless == \"g2aservice.exe\", \"GoTo\",\n process.name.caseless == \"getscreen.exe\", \"GetScreen\",\n process.name.caseless == \"gotoassistservice.exe\", \"GoTo\",\n process.name.caseless == \"gotohttp.exe\", \"GoTo\",\n process.name.caseless == \"gotoresolveprocesschecker.exe\", \"GoTo\",\n process.name.caseless == \"gotoresolveremotecontrol.exe\", \"GoTo\",\n process.name.caseless == \"gotoresolveservice.exe\", \"GoTo\",\n process.name.caseless == \"gotoresolveterminal.exe\", \"GoTo\",\n process.name.caseless == \"gotoresolveunattended.exe\", \"GoTo\",\n process.name.caseless == \"helpwire.exe\", \"HelpWire\",\n process.name.caseless == \"immyagent.exe\", \"ImmyBot\",\n process.name.caseless == \"immybot.agent.ephemeral.exe\", \"ImmyBot\",\n process.name.caseless == \"immyupdater.exe\", \"ImmyBot\",\n process.name.caseless == \"imperoclientsvc.exe\", \"Impero\",\n process.name.caseless == \"imperoserversvc.exe\", \"Impero\",\n process.name.caseless == \"isllight.exe\", \"ISLOnline\",\n process.name.caseless == \"isllightclient.exe\", \"ISLOnline\",\n process.name.caseless == \"jumpcloud-agent.exe\", \"JumpCloud\",\n process.name.caseless == \"komari.exe\", \"Komari\",\n process.name.caseless == \"komari-agent.exe\", \"Komari\",\n process.name.caseless == \"level.exe\", \"Level\",\n process.name.caseless == \"lmi_rescue.exe\", \"LogMeIn\",\n process.name.caseless == \"lmi_rescue_srv.exe\", \"LogMeIn\",\n process.name.caseless == \"lmiignition.exe\", \"LogMeIn\",\n process.name.caseless == \"logmein.exe\", \"LogMeIn\",\n process.name.caseless == \"ltsvc.exe\", \"ConnectWiseAutomate\",\n process.name.caseless == \"ltsvcmon.exe\", \"ConnectWiseAutomate\",\n process.name.caseless == \"lttray.exe\", \"ConnectWiseAutomate\",\n process.name.caseless == \"lunixar.exe\", \"Lunixar\",\n process.name.caseless == \"lunixarremote.exe\", \"Lunixar\",\n process.name.caseless == \"lunixarupdater.exe\", \"Lunixar\",\n process.name.caseless == \"lvagent.exe\", \"Level\",\n process.name.caseless == \"manageengine_remote_access_plus.exe\", \"ManageEngine\",\n process.name.caseless == \"meshagent.exe\", \"MeshCentral\",\n process.name.caseless == \"mikogo-service.exe\", \"Mikogo\",\n process.name.caseless == \"nezha-agent.exe\", \"Nezha\",\n process.name.caseless == \"ninjarmmagent.exe\", \"NinjaOne\",\n process.name.caseless == \"ninjarmmagentpatcher.exe\", \"NinjaOne\",\n process.name.caseless == \"ninjarmm-cli.exe\", \"NinjaOne\",\n process.name.caseless == \"parsec.exe\", \"Parsec\",\n process.name.caseless == \"pservice.exe\", \"Pulseway\",\n process.name.caseless == \"quickassist.exe\", \"QuickAssist\",\n process.name.caseless == \"r_server.exe\", \"Radmin\",\n process.name.caseless == \"radmin.exe\", \"Radmin\",\n process.name.caseless == \"radmin3.exe\", \"Radmin\",\n process.name.caseless == \"rcengmgru.exe\", \"Rsupport\",\n process.name.caseless == \"rcclient.exe\", \"RPCSuite\",\n process.name.caseless == \"rcmgrsvc.exe\", \"Rsupport\",\n process.name.caseless == \"rcservice.exe\", \"RPCSuite\",\n process.name.caseless == \"remotedesktopmanager.exe\", \"Devolutions\",\n process.name.caseless == \"remotely_agent.exe\", \"Remotely\",\n process.name.caseless == \"remotely_desktop.exe\", \"Remotely\",\n process.name.caseless == \"remotepc.exe\", \"RemotePC\",\n process.name.caseless == \"remotepcdesktop.exe\", \"RemotePC\",\n process.name.caseless == \"remotepcservice.exe\", \"RemotePC\",\n process.name.caseless == \"remoteview.exe\", \"Rsupport\",\n process.name.caseless == \"rfusclient.exe\", \"RemoteUtilities\",\n process.name.caseless == \"rmm.agent.exe\", \"SuperOps\",\n process.name.caseless == \"romserver.exe\", \"RealVNC\",\n process.name.caseless == \"romviewer.exe\", \"RealVNC\",\n process.name.caseless == \"rpcsuite.exe\", \"RPCSuite\",\n process.name.caseless == \"rserver3.exe\", \"Radmin\",\n process.name.caseless == \"rustdesk.exe\", \"RustDesk\",\n process.name.caseless == \"rutserv.exe\", \"RemoteUtilities\",\n process.name.caseless == \"rutview.exe\", \"RemoteUtilities\",\n process.name.caseless == \"rvagent.exe\", \"Rsupport\",\n process.name.caseless == \"rvagtray.exe\", \"Rsupport\",\n process.name.caseless == \"saazapsc.exe\", \"Kaseya\",\n process.name.caseless like \"screenconnect*.exe\", \"ScreenConnect\",\n process.name.caseless == \"session_win.exe\", \"ZohoAssist\",\n process.name.caseless == \"simplegatewayservice.exe\", \"SimpleHelp\",\n process.name.caseless == \"simplehelpcustomer.exe\", \"SimpleHelp\",\n process.name.caseless == \"smpcview.exe\", \"Splashtop\",\n process.name.caseless == \"spclink.exe\", \"Splashtop\",\n process.name.caseless == \"splashtop-streamer.exe\", \"Splashtop\",\n process.name.caseless == \"splashtopsos.exe\", \"Splashtop\",\n process.name.caseless == \"spsrv.exe\", \"Splashtop\",\n process.name.caseless == \"sragent.exe\", \"Splashtop\",\n process.name.caseless == \"srservice.exe\", \"Splashtop\",\n process.name.caseless == \"srmanager.exe\", \"Splashtop\",\n process.name.caseless == \"srserver.exe\", \"Splashtop\",\n process.name.caseless == \"strwinclt.exe\", \"Splashtop\",\n process.name.caseless == \"supremo.exe\", \"Supremo\",\n process.name.caseless == \"supremoservice.exe\", \"Supremo\",\n process.name.caseless == \"syncro.app.runner.exe\", \"Splashtop\",\n process.name.caseless == \"syncro.installer.exe\", \"Splashtop\",\n process.name.caseless == \"syncro.overmind.service.exe\", \"Splashtop\",\n process.name.caseless == \"syncro.service.exe\", \"Splashtop\",\n process.name.caseless == \"syncrolive.agent.exe\", \"Splashtop\",\n process.name.caseless == \"syncrolive.agent.runner.exe\", \"Splashtop\",\n process.name.caseless == \"syncrolive.service.exe\", \"Splashtop\",\n process.name.caseless == \"tacticalrmm.exe\", \"TacticalRMM\",\n process.name.caseless == \"tailscale.exe\", \"Tailscale\",\n process.name.caseless == \"tailscaled.exe\", \"Tailscale\",\n process.name.caseless == \"teamviewer.exe\", \"TeamViewer\",\n process.name.caseless == \"teamviewer_desktop.exe\", \"TeamViewer\",\n process.name.caseless == \"teamviewer_service.exe\", \"TeamViewer\",\n process.name.caseless == \"tiagent.exe\", \"Tiflux\",\n process.name.caseless == \"ticlientcore.exe\", \"Tiflux\",\n process.name.caseless == \"todesk_service.exe\", \"ToDesk\",\n process.name.caseless == \"toolsiq.exe\", \"ToolsIQ\",\n process.name.caseless == \"tsclient.exe\", \"Techinline\",\n process.name.caseless == \"tvn.exe\", \"TightVNC\",\n process.name.caseless == \"tvnserver.exe\", \"TightVNC\",\n process.name.caseless == \"tvnviewer.exe\", \"TightVNC\",\n process.name.caseless == \"twingate.exe\", \"Twingate\",\n process.name.caseless like \"ultravnc*.exe\", \"UltraVNC\",\n process.name.caseless like \"ultraviewer*.exe\", \"UltraViewer\",\n process.name.caseless == \"velociraptor.exe\", \"Velociraptor\",\n process.name.caseless == \"vncserver.exe\", \"RealVNC\",\n process.name.caseless == \"vncviewer.exe\", \"RealVNC\",\n process.name.caseless == \"winvnc.exe\", \"RealVNC\",\n process.name.caseless == \"winwvc.exe\", \"TightVNC\",\n process.name.caseless == \"za_access.exe\", \"ZohoAssist\",\n process.name.caseless == \"za_connect.exe\", \"ZohoAssist\",\n process.name.caseless == \"zaservice.exe\", \"ZohoAssist\",\n process.name.caseless == \"zmagent.exe\", \"ZohoAssist\",\n process.name.caseless == \"zohomeeting.exe\", \"ZohoAssist\",\n process.name.caseless == \"zohotray.exe\", \"ZohoAssist\",\n process.name.caseless == \"zohours.exe\", \"ZohoAssist\",\n process.name.caseless == \"zohoursservice.exe\", \"ZohoAssist\",\n \"\"\n )\n| where Esql.rmm_vendor != \"\" and Esql.rmm_vendor is not NULL\n| stats Esql.vendor_count = count_distinct(Esql.rmm_vendor),\n Esql.vendors_seen = values(Esql.rmm_vendor),\n Esql.processes_executable_values = values(process.executable),\n Esql.first_seen = min(@timestamp),\n Esql.last_seen = max(@timestamp)\n by host.name, host.id\n| where Esql.vendor_count >= 2\n| sort Esql.vendor_count desc\n| keep host.id, host.name, Esql.*\n", + "references": [ + "https://attack.mitre.org/techniques/T1219/", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a", + "https://lolrmm.io/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c", + "setup": "## Setup\n\nThis rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.\n\nSetup instructions: https://ela.st/install-elastic-defend\n\n### Additional data sources\n\nThis rule also supports the following third-party data sources. For setup instructions, refer to the links below:\n\n- [CrowdStrike](https://ela.st/crowdstrike-integration)\n- [Microsoft Defender XDR](https://ela.st/m365-defender)\n- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)\n- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)\n- [Windows Process Creation Logs](https://ela.st/audit-process-creation)\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender XDR", + "Data Source: Crowdstrike", + "Data Source: Windows Security Event Logs", + "Data Source: Winlogbeat" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/", + "subtechnique": [ + { + "id": "T1219.002", + "name": "Remote Desktop Software", + "reference": "https://attack.mitre.org/techniques/T1219/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 4 + }, + "id": "c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c6b40f4c-c6a9-434e-adb8-989b0d06d005_6.json b/packages/security_detection_engine/kibana/security_rule/c6b40f4c-c6a9-434e-adb8-989b0d06d005_6.json new file mode 100644 index 00000000000..40d31e59922 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c6b40f4c-c6a9-434e-adb8-989b0d06d005_6.json @@ -0,0 +1,168 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Correlates network connections to the standard Kerberos port by an unusual process from the source machine with a Kerberos authentication ticket request from the target domain controller.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", + "logs-system.security*", + "logs-windows.forwarded*", + "winlogbeat-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "source.ip", + "source.port", + "host.id" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Kerberos Authentication Ticket Request", + "note": "## Triage and analysis\n\n### Investigating Suspicious Kerberos Authentication Ticket Request\n\n#### Possible investigation steps\n\n- Which Timeline member events define this Kerberos sequence?\n - Focus: Timeline members keyed by alert `source.ip` and `source.port`; recover source `process.executable`, Kerberos `destination.ip`, and auth `event.code`.\n - Hint: record `host.id` and `process.entity_id`; verify auth `winlog.computer_name` is the DC.\n - Implication: escalate when one non-\"lsass.exe\" source process maps to a DC \"4768\" or \"4769\" event in the sequence window; lower concern for socket reuse, a different process, or non-DC destination.\n\n- Is the recovered source process a recognized Kerberos-capable client?\n - Focus: `process.executable`, `process.hash.sha256`, `process.pe.original_file_name`, `process.code_signature.subject_name`, and `process.code_signature.trusted`.\n - Hint: open process start with recovered `host.id` and `process.entity_id`; if absent, use `host.id`, `process.pid`, and sequence window.\n - Implication: escalate when the binary is unsigned, renamed, user-writable, signer-mismatched, or outside known AD audit, Kerberos diagnostic, or security-test tooling; lower concern only when path, signer, hash history, command, and parent converge on one known tool.\n\n- Does command-line and parentage show ticket-tool intent?\n - Focus: recovered `process.command_line`, `process.parent.executable`, `process.parent.command_line`, and broader process lineage when needed.\n - Implication: escalate on Bifrost-like verbs or flags such as asktgt, asktgs, s4u, ptt, kerberoast, service/SPN targets, hashes, keytabs, RC4, or base64 tickets, especially from shell or script parents; bounded diagnostics from a recognized admin tool reduce but do not clear concern.\n\n- Which ticket path and target account did the DC member event show?\n - Focus: recovered auth `event.code`, `winlog.event_data.TargetUserName`, and `winlog.event_data.TargetDomainName`.\n - Implication: escalate when \"4769\" shows service-ticket activity or \"4768\" shows TGT handling for privileged, service, machine, or delegation-sensitive targets from the unusual process; fan-out increases concern.\n\n- Does the source user and session context fit one bounded admin or audit source?\n - Focus: recovered `user.id`, `user.name`, `user.domain`, and `winlog.event_data.TargetUserName`.\n - Implication: escalate when privileged, service, or user-account tickets originate from a workstation, user session, or non-management tool; lower concern only when source host, user, process identity, command/parent, and target account recur as one bounded Kerberos diagnostic or audit pattern.\n\n- Do surrounding Kerberos events show repetition or account fan-out?\n - Focus: same-source Kerberos network and authentication events, checking additional \"4768\"/\"4769\" events and `winlog.event_data.TargetUserName`.\n - !{investigate{\"description\":\"\",\"label\":\"Kerberos network events from the same source IP\",\"providers\":[[{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"source.ip\",\"queryType\":\"phrase\",\"value\":\"{{source.ip}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"destination.port\",\"queryType\":\"phrase\",\"value\":\"88\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-1h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"description\":\"\",\"label\":\"Authentication events for the same source IP\",\"providers\":[[{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"authentication\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"source.ip\",\"queryType\":\"phrase\",\"value\":\"{{source.ip}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-1h\",\"relativeTo\":\"now\"}}\n - Implication: escalate when requests repeat or fan out across accounts; a single bounded request narrows scope but does not close if process identity or command intent remains suspicious. Missing network or authentication telemetry is unresolved, not benign.\n\n- Do later logon or explicit-credential events suggest ticket use?\n - Focus: same-source authentication results, checking later `event.code` \"4624\"/\"4648\", `winlog.event_data.TargetUserName`, and 4648 `winlog.event_data.TargetServerName`.\n - Implication: escalate when post-ticket logon or explicit-credential activity reaches sensitive accounts or servers from the same source; absence narrows impact but does not close if the ticket request remains suspicious. Missing same-source authentication telemetry leaves ticket use unresolved, not benign.\n\n- If local evidence remains suspicious or unresolved, does the same source show related alerts?\n - Focus: related alerts for `source.ip`; manually pivot on recovered `process.hash.sha256` or `winlog.event_data.TargetUserName` when locally suspicious. !{investigate{\"description\":\"\",\"label\":\"Alerts associated with the same source IP\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"source.ip\",\"queryType\":\"phrase\",\"value\":\"{{source.ip}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - Implication: broaden scope when credential-access, Kerberoasting, relay, or lateral-movement alerts share the source, process, or target account; keep local only when related alerts are absent and recovered evidence resolves cleanly.\n\n- Escalate when sequence recovery, source-process identity, command intent, DC ticket target, account context, or surrounding ticket/logon activity show unauthorized direct Kerberos; close only when telemetry binds one recognized tool, source host, user, and target account and outside confirmation verifies exact activity when telemetry cannot; preserve and escalate when visibility is incomplete or evidence conflicts.\n\n### False positive analysis\n\n- AD audit tools, Kerberos diagnostics, interoperability testing, or security testing can request tickets directly instead of through \"lsass.exe\". Confirm only when process path, signer/hash, parent, command line, `source.ip`, `user.id`, `event.code`, and target account align with the same recognized tool on a dedicated admin, lab, or audit source; without outside records, require the same process identity, source host/user, target account, and bounded ticket pattern across prior alerts from this rule.\n- Treat partial matches as unresolved when process identity fits but the command targets unusual SPNs, privileged accounts, RC4/kerberoast behavior, or follow-on \"4624\"/\"4648\" activity. Do not close on signer, source IP, or event code alone when ticket target or command intent contradicts benign workflow.\n- Before creating an exception, anchor it to the minimum stable workflow: dedicated `source.ip` or source host, process signer/hash/path, parent workflow, `user.id`, target account, and bounded `event.code` pattern. Avoid exceptions on `source.port`, `event.code`, process name, or broad account patterns alone.\n\n### Response and remediation\n\n- If confirmed benign, reverse temporary containment and document the recovered source host/IP, process identity, command line, source user, DC ticket event, and target account that proved the recognized workflow. Create an exception only after the same dedicated source and process pattern recurs consistently.\n- If suspicious but unconfirmed, preserve the alert, Timeline member events, suspicious process binary and command line, source socket, DC authentication record, and any follow-on \"4624\" or \"4648\" evidence before containment or process action.\n- Apply reversible containment next: restrict the recovered source host's Kerberos/DC access or isolate the host when its role tolerates isolation, and suspend the recovered process only after process and authentication artifacts are captured.\n- If confirmed malicious, isolate the recovered source host, terminate or suspend the recovered process after recording its `process.entity_id`, expire exposed Kerberos tickets where operationally appropriate, and reset or rotate impacted credentials, prioritizing privileged, service, machine, and delegation-capable accounts.\n- Before cleanup, search for the same source IP, recovered process hash, target account, and related credential-access, Kerberoasting, relay, or lateral-movement activity so scope is not limited to the first sequence.\n- After containment, retain DC \"4768\"/\"4769\" auditing and endpoint network telemetry, restrict direct Kerberos tooling to controlled admin/testing hosts, and document the recovered tool pattern and any logging gaps in the case record.\n", + "query": "sequence by source.port, source.ip with maxspan=3s\n [network where host.os.type == \"windows\" and destination.port == 88 and\n process.executable != null and process.pid != 4 and \n not process.executable : (\n \"?:\\\\Windows\\\\system32\\\\lsass.exe\",\n \"\\\\device\\\\harddiskvolume*\\\\windows\\\\system32\\\\lsass.exe\",\n \"\\\\device\\\\harddiskvolume*\\\\windows\\\\system32\\\\svchost.exe\"\n ) and\n not (\n process.executable : (\n \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"C:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"C:\\\\Program Files\\\\Omnissa\\\\Horizon\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"C:\\\\Program Files\\\\SysAidServer\\\\root\\\\WEB-INF\\\\domains\\\\NetworkDiscovery.exe\",\n \"C:\\\\Program Files (x86)\\\\IGEL\\\\RemoteManager\\\\*\\\\bin\\\\tomcat10.exe\",\n \"F:\\\\IGEL\\\\RemoteManager\\\\*\\\\bin\\\\tomcat10.exe\"\n ) and\n user.id in (\"S-1-5-20\", \"S-1-5-18\")\n ) and\n source.ip != \"127.0.0.1\" and destination.ip != \"::1\" and destination.ip != \"127.0.0.1\"]\n [authentication where host.os.type == \"windows\" and event.code in (\"4768\", \"4769\")]\n", + "references": [ + "https://github.com/its-a-feature/bifrost", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4768", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4769" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c6b40f4c-c6a9-434e-adb8-989b0d06d005", + "setup": "## Setup\n\nThis rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.\n\nSetup instructions: https://ela.st/install-elastic-defend\n\n### Additional data sources\n\nThis rule also supports the following third-party data sources. For setup instructions, refer to the links below:\n\n- [Sysmon Event ID 3 - Network Connection](https://ela.st/sysmon-event-3-setup)\n- [Audit Kerberos Authentication Service](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-kerberos-authentication-service)\n- [Audit Kerberos Service Ticket Operations](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-kerberos-service-ticket-operations)\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "Domain: Identity", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.003", + "name": "Pass the Ticket", + "reference": "https://attack.mitre.org/techniques/T1550/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.003", + "name": "Kerberoasting", + "reference": "https://attack.mitre.org/techniques/T1558/003/" + }, + { + "id": "T1558.004", + "name": "AS-REP Roasting", + "reference": "https://attack.mitre.org/techniques/T1558/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "c6b40f4c-c6a9-434e-adb8-989b0d06d005_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_109.json b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_109.json deleted file mode 100644 index 288215c5a60..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_109.json +++ /dev/null @@ -1,118 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.", - "from": "now-9m", - "history_window_start": "now-5d", - "index": [ - "packetbeat-*", - "auditbeat-*", - "filebeat-*", - "logs-network_traffic.*", - "logs-panw.panos*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SMB (Windows File Sharing) Activity to the Internet", - "new_terms_fields": [ - "source.ip" - ], - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating SMB (Windows File Sharing) Activity to the Internet\n\nSMB, a protocol for sharing files and resources within trusted networks, is vulnerable when exposed to the Internet. Adversaries exploit it for unauthorized access or data theft. The detection rule identifies suspicious SMB traffic from internal IPs to external networks, flagging potential threats by monitoring specific ports and excluding known safe IP ranges.\n\n### Possible investigation steps\n\n- Review the source IP address from the alert to identify the internal system initiating the SMB traffic. Check if this IP belongs to a known device or user within the organization.\n- Investigate the destination IP address to determine if it is associated with any known malicious activity or if it belongs to a legitimate external service that might require SMB access.\n- Analyze network logs to identify any patterns or anomalies in the SMB traffic, such as unusual data transfer volumes or repeated access attempts, which could indicate malicious activity.\n- Check for any recent changes or updates on the source system that might explain the SMB traffic, such as new software installations or configuration changes.\n- Correlate the alert with other security events or logs, such as authentication logs or endpoint security alerts, to gather additional context and determine if this is part of a broader attack or isolated incident.\n- Consult threat intelligence sources to see if there are any known vulnerabilities or exploits related to the SMB traffic observed, which could provide insight into potential attack vectors.\n\n### False positive analysis\n\n- Internal testing environments may generate SMB traffic to external IPs for legitimate reasons. Identify and whitelist these IPs to prevent false positives.\n- Cloud services or remote backup solutions might use SMB for data transfer. Verify these services and add their IP ranges to the exception list if they are trusted.\n- VPN connections can sometimes appear as external traffic. Ensure that VPN IP ranges are included in the list of known safe IPs to avoid misclassification.\n- Misconfigured network devices might inadvertently route SMB traffic externally. Regularly audit network configurations and update the rule exceptions to include any legitimate device IPs.\n- Some third-party applications may use SMB for updates or data synchronization. Confirm the legitimacy of these applications and exclude their associated IPs from the detection rule.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Conduct a thorough review of firewall and network configurations to ensure SMB traffic is not allowed to the Internet, and block any unauthorized outbound SMB traffic on ports 139 and 445.\n- Perform a comprehensive scan of the isolated system for malware or unauthorized access tools, focusing on identifying any backdoors or persistence mechanisms.\n- Reset credentials and review access permissions for any accounts that may have been compromised or used in the suspicious activity.\n- Notify the security operations center (SOC) and relevant stakeholders about the incident for further analysis and potential escalation.\n- Implement additional monitoring and logging for SMB traffic to detect any future unauthorized attempts to access the Internet.\n- Review and update security policies and procedures to prevent similar incidents, ensuring that SMB services are only accessible within trusted network segments.", - "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - }, - { - "package": "panw", - "version": "^5.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 47, - "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", - "severity": "medium", - "tags": [ - "Tactic: Initial Access", - "Tactic: Exfiltration", - "Domain: Network", - "Use Case: Threat Detection", - "Data Source: PAN-OS", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 109 - }, - "id": "c82b2bd8-d701-420c-ba43-f11a155b681a_109", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8cc8192-f4f5-4ed3-8368-544ca738d506_1.json b/packages/security_detection_engine/kibana/security_rule/c8cc8192-f4f5-4ed3-8368-544ca738d506_1.json new file mode 100644 index 00000000000..8e230fdf482 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c8cc8192-f4f5-4ed3-8368-544ca738d506_1.json @@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an AWS Lambda function invoked directly by a principal from a source network (ASN) not seen for that principal in the prior 10 days, excluding common cloud provider networks. Direct invocation from an unfamiliar external network can indicate use of stolen execution-role or user credentials from attacker-controlled infrastructure to execute functions or retrieve the data they return. This rule relies on AWS Lambda data event logging, which is not enabled by default.", + "false_positives": [ + "Operators and automation may legitimately invoke functions from new networks (new offices, VPNs, home IPs, or new egress infrastructure). Verify the principal in `aws.cloudtrail.user_identity.arn`, the source network, and the function, and exclude known operator networks or identities after validation." + ], + "from": "now-6m", + "history_window_start": "now-10d", + "index": [ + "logs-aws.cloudtrail-*" + ], + "interval": "5m", + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "source.as.organization.name", + "source.geo.country_name", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.user_identity.session_context.session_issuer.arn", + "aws.cloudtrail.request_parameters", + "event.action", + "cloud.account.id" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Lambda Function Invoked from an Unusual Source ASN", + "new_terms_fields": [ + "source.as.organization.name", + "cloud.account.id", + "user.name" + ], + "note": "## Triage and analysis\n\n### Investigating AWS Lambda Function Invoked from an Unusual Source ASN\n\nLambda execution-role credentials and user credentials are frequently abused after theft (for example via SSRF or RCE against a function, or leaked access keys). When such credentials are replayed from attacker infrastructure, the resulting direct `Invoke` calls originate from a network the legitimate principal has not used. This rule uses a new terms approach over the source ASN organization and the principal, excluding common cloud provider networks, to surface invocation from unfamiliar external networks.\n\n### Possible investigation steps\n\n- Review `source.ip`, `source.as.organization.name`, and `source.geo` for the invoking network and determine whether it is expected for the principal in `aws.cloudtrail.user_identity.arn`.\n- Inspect `aws.cloudtrail.request_parameters` for the `functionName` and `user_agent.original` for the client used.\n- Determine whether the credential (`aws.cloudtrail.user_identity.access_key_id`) was recently seen used elsewhere or outside the Lambda runtime, which would corroborate credential theft.\n- Correlate with other activity by the same principal from the same network, including data-plane access, IAM, or STS calls.\n\n### False positive analysis\n\n- New legitimate networks (offices, VPNs, home IPs, new egress) will generate this alert. Confirm the principal and network are expected and exclude known operator networks or identities after validation.\n- If source ASN is legitimate and expected, add as an exclusion to reduce false-positives.\n\n### Response and remediation\n\n- If credential abuse is confirmed, rotate or revoke the affected credentials and execution-role permissions, and review what the invoked function accessed or returned.\n- Constrain `lambda:InvokeFunction` to expected identities and, where possible, restrict invocation to known networks using IAM conditions.\n\n### Additional information\n\n- [Invoke API](https://docs.aws.amazon.com/lambda/latest/api/API_Invoke.html)\n- [Logging Lambda data events with CloudTrail](https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html)\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"lambda.amazonaws.com\"\n and event.action: Invoke*\n and event.outcome: \"success\"\n and not aws.cloudtrail.user_identity.invoked_by: *\n and source.as.organization.name:(* and not (Amazon* or AMAZON* or Google* or GOOGLE* or Microsoft* or MICROSOFT*))\n", + "references": [ + "https://docs.aws.amazon.com/lambda/latest/api/API_Invoke.html", + "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.invoked_by", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.as.organization.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c8cc8192-f4f5-4ed3-8368-544ca738d506", + "setup": "## Setup\n\nThis rule requires AWS Lambda data events to be logged in CloudTrail and ingested via the AWS integration\n(`aws.cloudtrail` data stream). Lambda invocation (`Invoke`) is a data-plane event and is NOT logged by default; enable\ndata event logging for Lambda functions in the trail (optionally scoped to sensitive functions to manage volume). Source\nASN enrichment (`source.as.organization.name`) must be available on the ingested events.\n", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Lambda", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1648", + "name": "Serverless Execution", + "reference": "https://attack.mitre.org/techniques/T1648/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "c8cc8192-f4f5-4ed3-8368-544ca738d506_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca3bcacc-9285-4452-a742-5dae77538f61_5.json b/packages/security_detection_engine/kibana/security_rule/ca3bcacc-9285-4452-a742-5dae77538f61_5.json deleted file mode 100644 index 6e990651cf5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ca3bcacc-9285-4452-a742-5dae77538f61_5.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects Polkit version discovery activity on Linux systems. Polkit version discovery can be an indication of an attacker attempting to exploit misconfigurations or vulnerabilities in the Polkit service.", - "from": "now-9m", - "index": [ - "endgame-*", - "logs-crowdstrike.fdr*", - "logs-endpoint.events.process*", - "logs-sentinel_one_cloud_funnel.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Polkit Version Discovery", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Polkit Version Discovery\n\nPolkit, a system service in Linux, manages system-wide privileges, enabling non-privileged processes to communicate with privileged ones. Adversaries may exploit Polkit by discovering its version to identify vulnerabilities or misconfigurations. The detection rule identifies suspicious activities by monitoring specific command executions related to Polkit version checks, signaling potential reconnaissance efforts by attackers.\n\n### Possible investigation steps\n\n- Review the process execution details to confirm the command used for Polkit version discovery, focusing on the process name and arguments such as \"dnf\", \"rpm\", \"apt\", or \"pkaction\".\n- Check the user account associated with the process execution to determine if it is a legitimate user or potentially compromised.\n- Investigate the host from which the command was executed to assess if it has a history of suspicious activities or if it is a high-value target.\n- Correlate the event with other logs or alerts to identify if there are additional indicators of compromise or related reconnaissance activities.\n- Evaluate the necessity and frequency of Polkit version checks in the environment to determine if this behavior is expected or anomalous.\n\n### False positive analysis\n\n- Routine system updates or package management activities may trigger the rule when administrators use package managers like dnf, rpm, or apt to check for updates or verify installed packages. To mitigate this, create exceptions for known administrative scripts or user accounts that regularly perform these actions.\n- Automated system monitoring tools that check software versions for compliance or inventory purposes might also cause false positives. Identify these tools and exclude their processes from triggering the rule.\n- Developers or system administrators testing Polkit configurations or updates might execute version checks as part of their workflow. Consider excluding specific user accounts or process paths associated with development and testing environments.\n- Security audits or vulnerability assessments conducted by internal teams may involve version checks as part of their procedures. Coordinate with these teams to whitelist their activities during scheduled assessments.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent potential lateral movement by the attacker.\n- Terminate any suspicious processes identified in the alert, such as those involving the execution of Polkit version discovery commands.\n- Conduct a thorough review of system logs and command history to identify any unauthorized access or further malicious activities.\n- Apply any available security patches or updates to the Polkit service to address known vulnerabilities.\n- Implement stricter access controls and monitoring on systems running Polkit to prevent unauthorized version checks and other reconnaissance activities.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.\n- Enhance detection capabilities by configuring alerts for similar reconnaissance activities across the network to ensure early detection of potential threats.", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\") and (\n (process.name == \"dnf\" and process.args == \"dnf\" and process.args == \"info\" and process.args == \"polkit\") or\n (process.name == \"rpm\" and process.args == \"polkit\") or\n (process.name == \"apt\" and process.args == \"show\" and process.args == \"policykit-1\") or\n (process.name == \"pkaction\" and process.args == \"--version\")\n)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "crowdstrike", - "version": "^2.0.0" - }, - { - "package": "sentinel_one_cloud_funnel", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "ca3bcacc-9285-4452-a742-5dae77538f61", - "setup": "## Setup\nThis rule requires data coming in from Elastic Defend.\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 5 - }, - "id": "ca3bcacc-9285-4452-a742-5dae77538f61_5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_210.json b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_210.json deleted file mode 100644 index 19c273b4d26..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_210.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization\u2019s security controls.", - "false_positives": [ - "MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace MFA Enforcement Disabled", - "note": "## Triage and analysis\n\n### Investigating Google Workspace MFA Enforcement Disabled\n\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies the disabling of MFA enforcement in Google Workspace. This modification weakens the security of the accounts and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin\n and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION\n and google_workspace.admin.new_value:false\n", - "references": [ - "https://support.google.com/a/answer/9176657?hl=en#", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.new_value", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Impact", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 210 - }, - "id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1_210", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_208.json b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_208.json deleted file mode 100644 index c14b1087daf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_208.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.", - "false_positives": [ - "Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Domain Added to Google Workspace Trusted Domains", - "note": "## Triage and analysis\n\n### Investigating Domain Added to Google Workspace Trusted Domains\n\nOrganizations use trusted domains in Google Workspace to give external users access to resources.\n\nA threat actor with administrative privileges may be able to add a malicious domain to the trusted domain list. Based on the configuration, potentially sensitive resources may be exposed or accessible by an unintended third-party.\n\nThis rule detects when a third-party domain is added to the list of trusted domains in Google Workspace.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to add external domains.\n- Check the `google_workspace.admin.domain.name` field to find the newly added domain.\n- Use reputational services, such as VirusTotal, for the trusted domain's third-party intelligence reputation.\n- Filter your data. Create a filter where `event.dataset` is `google_workspace.drive` and `google_workspace.drive.file.owner.email` is being compared to `user.email`.\n - If mismatches are identified, this could indicate access from an external Google Workspace domain.\n\n### False positive analysis\n\n- Verify that the user account should have administrative privileges that allow them to edit trusted domains in Google Workspace.\n- Talk to the user to evaluate why they added the third-party domain and if the domain has confidentiality risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n", - "references": [ - "https://support.google.com/a/answer/6160020?hl=en", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 208 - }, - "id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0_208", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_109.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_109.json deleted file mode 100644 index e9cd48eb8f6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_109.json +++ /dev/null @@ -1,120 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", - "false_positives": [ - "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "auditbeat-*", - "filebeat-*", - "logs-network_traffic.*", - "logs-panw.panos*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SMTP on Port 26/TCP", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating SMTP on Port 26/TCP\n\nSMTP, typically operating on port 25, is crucial for email transmission. However, port 26 is often used to avoid conflicts or restrictions on port 25. Adversaries exploit this by using port 26 for covert command and control, as seen with the BadPatch malware. The detection rule identifies suspicious SMTP activity on port 26 by analyzing network traffic patterns, helping to uncover potential threats.\n\n### Possible investigation steps\n\n- Review the network traffic logs to identify any unusual patterns or anomalies associated with TCP port 26, focusing on the event.dataset fields such as network_traffic.flow or zeek.smtp.\n- Analyze the source and destination IP addresses involved in the alert to determine if they are known or associated with any previous suspicious activities.\n- Check for any additional alerts or logs related to the same source or destination IP addresses to identify potential patterns or repeated attempts of communication on port 26.\n- Investigate the context of the communication by examining the payload data, if available, to identify any indicators of compromise or malicious content.\n- Correlate the findings with threat intelligence sources to determine if the IP addresses or domains are associated with known threat actors or malware, such as BadPatch.\n- Assess the risk and impact on the affected systems by determining if any sensitive data or critical systems are involved in the communication on port 26.\n\n### False positive analysis\n\n- Legitimate mail transfer agents may use port 26 to avoid conflicts with port 25. Identify these agents and create exceptions in the detection rule to prevent unnecessary alerts.\n- Some network configurations might reroute SMTP traffic to port 26 for load balancing or security reasons. Verify these configurations and whitelist known IP addresses or domains to reduce false positives.\n- Internal testing or development environments might use port 26 for non-malicious purposes. Document these environments and exclude their traffic from triggering alerts.\n- Certain email service providers may use port 26 as an alternative to port 25. Confirm these providers and adjust the rule to recognize their traffic as benign.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further command and control communication via port 26.\n- Conduct a thorough scan of the isolated system using updated antivirus and anti-malware tools to identify and remove the BadPatch malware or any other malicious software.\n- Review and analyze network logs to identify any other systems that may have communicated with the same command and control server, and isolate those systems as well.\n- Change all passwords and credentials that may have been compromised or accessed by the affected system to prevent unauthorized access.\n- Apply security patches and updates to the affected system and any other vulnerable systems to mitigate exploitation by similar threats.\n- Monitor network traffic for any further suspicious activity on port 26 and other non-standard ports, adjusting firewall rules to block unauthorized SMTP traffic.\n- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to ensure comprehensive threat eradication.", - "query": "(event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26\n", - "references": [ - "https://unit42.paloaltonetworks.com/unit42-badpatch/", - "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - }, - { - "package": "panw", - "version": "^5.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", - "severity": "low", - "tags": [ - "Tactic: Command and Control", - "Tactic: Exfiltration", - "Domain: Endpoint", - "Use Case: Threat Detection", - "Data Source: PAN-OS", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/", - "subtechnique": [ - { - "id": "T1071.003", - "name": "Mail Protocols", - "reference": "https://attack.mitre.org/techniques/T1071/003/" - } - ] - }, - { - "id": "T1571", - "name": "Non-Standard Port", - "reference": "https://attack.mitre.org/techniques/T1571/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 109 - }, - "id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d_109", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_113.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_113.json new file mode 100644 index 00000000000..c681aeac51c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_113.json @@ -0,0 +1,146 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects events that may indicate use of SMTP on TCP port 26 from an internal host to an external destination. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems. The rule is scoped to outbound traffic (internal source to external destination) to focus on the command and control and exfiltration use cases, rather than benign internal mail relays or unrelated transit traffic observed by the sensor.", + "false_positives": [ + "Internal hosts that legitimately send mail to external mail transfer agents listening on TCP port 26 may cause false positives. Mail servers or applications with known external SMTP relays can be excluded by source or destination IP address as this is expected behavior." + ], + "from": "now-9m", + "index": [ + "logs-network_traffic.*", + "logs-panw.panos*", + "logs-pfsense.log-*", + "logs-zeek.*", + "logs-corelight.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SMTP to the Internet on Port 26/TCP", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating SMTP to the Internet on Port 26/TCP\n\nSMTP, typically operating on port 25, is crucial for email transmission. However, port 26 is often used to avoid conflicts or restrictions on port 25. Adversaries exploit this by using port 26 for covert command and control, as seen with the BadPatch malware. The detection rule identifies suspicious SMTP activity on port 26 originating from an internal host to an external destination, helping to uncover potential command and control or exfiltration while suppressing benign internal mail traffic.\n\n### Possible investigation steps\n\n- Review the network traffic logs to identify any unusual patterns or anomalies associated with TCP port 26, focusing on the event.dataset fields such as network_traffic.flow or zeek.smtp.\n- Analyze the source and destination IP addresses involved in the alert to determine if they are known or associated with any previous suspicious activities.\n- Check for any additional alerts or logs related to the same source or destination IP addresses to identify potential patterns or repeated attempts of communication on port 26.\n- Investigate the context of the communication by examining the payload data, if available, to identify any indicators of compromise or malicious content.\n- Correlate the findings with threat intelligence sources to determine if the IP addresses or domains are associated with known threat actors or malware, such as BadPatch.\n- Assess the risk and impact on the affected systems by determining if any sensitive data or critical systems are involved in the communication on port 26.\n\n### False positive analysis\n\n- Legitimate mail transfer agents may use port 26 to avoid conflicts with port 25. Identify these agents and create exceptions in the detection rule to prevent unnecessary alerts.\n- Some network configurations might reroute SMTP traffic to port 26 for load balancing or security reasons. Verify these configurations and whitelist known IP addresses or domains to reduce false positives.\n- Internal testing or development environments might use port 26 for non-malicious purposes. Document these environments and exclude their traffic from triggering alerts.\n- Certain email service providers may use port 26 as an alternative to port 25. Confirm these providers and adjust the rule to recognize their traffic as benign.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further command and control communication via port 26.\n- Conduct a thorough scan of the isolated system using updated antivirus and anti-malware tools to identify and remove the BadPatch malware or any other malicious software.\n- Review and analyze network logs to identify any other systems that may have communicated with the same command and control server, and isolate those systems as well.\n- Change all passwords and credentials that may have been compromised or accessed by the affected system to prevent unauthorized access.\n- Apply security patches and updates to the affected system and any other vulnerable systems to mitigate exploitation by similar threats.\n- Monitor network traffic for any further suspicious activity on port 26 and other non-standard ports, adjusting firewall rules to block unauthorized SMTP traffic.\n- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to ensure comprehensive threat eradication.", + "query": "(data_stream.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and\n network.transport:tcp and destination.port:26 and\n source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip:(10.0.0.0/8\n or 100.64.0.0/10\n or 127.0.0.0/8\n or 169.254.0.0/16\n or 172.16.0.0/12\n or 192.0.0.0/24\n or 192.0.0.0/29\n or 192.0.0.10/32\n or 192.0.0.170/32\n or 192.0.0.171/32\n or 192.0.0.8/32\n or 192.0.0.9/32\n or 192.0.2.0/24\n or 192.168.0.0/16\n or 192.175.48.0/24\n or 192.31.196.0/24\n or 192.52.193.0/24\n or 192.88.99.0/24\n or 198.18.0.0/15\n or 198.51.100.0/24\n or 203.0.113.0/24\n or 224.0.0.0/4\n or 240.0.0.0/4\n or \"::1\"\n or \"FE80::/10\"\n or \"FF00::/8\")\n", + "references": [ + "https://unit42.paloaltonetworks.com/unit42-badpatch/", + "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" + ], + "related_integrations": [ + { + "package": "panw", + "version": "^5.0.0" + }, + { + "package": "pfsense", + "version": "^1.0.0" + }, + { + "package": "corelight", + "version": "^1.0.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + }, + { + "package": "zeek", + "version": "^5.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 21, + "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", + "severity": "low", + "tags": [ + "Tactic: Command and Control", + "Tactic: Exfiltration", + "Domain: Endpoint", + "Use Case: Threat Detection", + "Data Source: Corelight", + "Data Source: PAN-OS", + "Data Source: Network Traffic", + "Data Source: pfSense", + "Data Source: Zeek", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.003", + "name": "Mail Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/003/" + } + ] + }, + { + "id": "T1571", + "name": "Non-Standard Port", + "reference": "https://attack.mitre.org/techniques/T1571/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 113 + }, + "id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d_113", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_15.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_15.json new file mode 100644 index 00000000000..7d0b825446f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_15.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an untrusted driver loaded by the Windows kernel. Adversaries may modify code signing policies to enable execution of unsigned or self-signed kernel code.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.library-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "host.name", + "host.id", + "process.pid", + "dll.path", + "dll.name", + "dll.hash.sha256", + "dll.pe.original_file_name", + "dll.code_signature.exists", + "dll.code_signature.trusted", + "dll.code_signature.status", + "dll.code_signature.subject_name", + "dll.code_signature.thumbprint_sha256", + "dll.Ext.relative_file_creation_time", + "dll.Ext.relative_file_name_modify_time" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "Untrusted Driver Loaded", + "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\n#### Possible investigation steps\n\n- What exact kernel driver loaded, and what trust failure made it alert?\n - Focus: `process.pid`, `dll.path`, `dll.code_signature.exists`, `dll.code_signature.trusted`, and `dll.code_signature.status`.\n - Implication: escalate when System loaded an unsigned or untrusted driver from a non-vendor, user-writable, temp, or renamed path; lower concern only when the trust failure fits a controlled driver-development or hardware-validation host class.\n\n- Does the driver identity map to a known vulnerable driver, BYOVD chain, or offensive loader?\n - Why: TDL-style and BYOVD activity may be easier to recognize by stable hash, original PE name, or signer than current file name.\n - Focus: `dll.hash.sha256`, `dll.pe.original_file_name`, `dll.code_signature.subject_name`, and `dll.code_signature.thumbprint_sha256`.\n - Implication: escalate when hash, original name, or signer maps to a vulnerable-driver blocklist, signature-bypass loader, or malicious kernel tooling; lower concern only when the same artifact is tied to a controlled lab or validation cohort.\n\n- Does recency or rename timing show the driver was staged for this load?\n - Focus: `dll.Ext.relative_file_creation_time`, `dll.Ext.relative_file_name_modify_time`, and `dll.path`; if file-event telemetry is available, use the same `host.id` and path to identify who wrote or renamed it. !{investigate{\"description\":\"\",\"label\":\"File events for the loaded driver path\",\"providers\":[[{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"file\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"file.path\",\"queryType\":\"phrase\",\"value\":\"{{dll.path}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-1h\",\"relativeTo\":\"now\"}}\n - Implication: escalate when the driver appeared just before load, was recently renamed, or was written by an unrelated staging process. Missing file-event telemetry leaves provenance unresolved, not benign.\n\n- What resident service or device identity is tied to the loaded image?\n - Focus: compare `dll.path`, `dll.hash.sha256`, and `dll.code_signature.subject_name` with current Osquery driver inventory and service output.\n - Hint: For non-Microsoft drivers by `image`, `service`, `signed`, `subject_name`, and `VtLink`; use it as current-state context, and keep the alert as the historical load record if no matching image exists.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - Hint: For unsigned current drivers when the alert shows missing or untrusted signature metadata; current signed or service values do not prove what existed at `@timestamp`.\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Implication: escalate when current inventory lacks a coherent image or service entry, the service is unexpected for the host, or other unsigned drivers do not fit the host role. Treat osquery as corroboration; do not delay escalation when alert-local identity, trust, or recency evidence is decisive.\n\n- Did signing or code-integrity control activity make this load possible?\n - Why: 64-bit Windows normally enforces kernel-mode driver signing, while test-signing, DSE tampering, or vulnerable-driver loaders can open a path for untrusted kernel code.\n - Focus: same-host process events around the load using `host.id`, `process.name`, `process.executable`, and `process.command_line` for bcdedit test-signing/nointegritychecks changes or known vulnerable-driver loader activity. !{investigate{\"description\":\"\",\"label\":\"Process events on the driver host\",\"providers\":[[{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"process\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.id\",\"queryType\":\"phrase\",\"value\":\"{{host.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-1h\",\"relativeTo\":\"now\"}}\n - Implication: escalate when surrounding process evidence shows test-signing changes, code-integrity bypass tooling, or vulnerable-driver loader execution; absent process evidence weakens this corroborator but does not clear an unexplained untrusted driver load.\n\n- Does the host cohort and prevalence fit a controlled driver workflow?\n - Focus: `host.id`, `host.name`, and the smallest stable indicator, usually `dll.hash.sha256`, `dll.path`, or `dll.code_signature.subject_name`.\n - Hint: broaden only when identity, recency, inventory, or tampering evidence remains suspicious or unresolved. !{investigate{\"description\":\"\",\"label\":\"Alerts associated with the driver identity\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"dll.hash.sha256\",\"queryType\":\"phrase\",\"value\":\"{{dll.hash.sha256}}\",\"valueType\":\"string\"}],[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"dll.path\",\"queryType\":\"phrase\",\"value\":\"{{dll.path}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - Implication: escalate when the driver appears on production systems, user-writable paths, unrelated hosts, or outside the expected lab cohort; lower concern only when artifact, path pattern, signer, and host cohort consistently match a controlled validation workflow.\n\n- Using identity, trust failure, staging/provenance, osquery inventory, signing-control evidence, and host-cohort spread: escalate unauthorized kernel code, BYOVD, or signature-bypass evidence; close only when telemetry binds the load to one controlled driver workflow; preserve artifacts and escalate mixed or incomplete cases.\n\n### False positive analysis\n\n- Controlled driver-development, OEM hardware validation, and authorized security or EDR compatibility testing can load test-signed or unsigned drivers on isolated lab hosts. Confirm first with telemetry: `dll.hash.sha256`, `dll.path`, `dll.code_signature.status` or `dll.code_signature.subject_name`, current osquery image and service output, and `host.id` cohort must align with one workflow. Use build, test, or change records only after telemetry binds the exact artifact and cohort; if unavailable, require prior alerts for the same driver artifact and host cohort before exceptioning. If any evidence dimension contradicts the workflow, do not close as benign.\n- Build exceptions only from the minimum confirmed pattern, such as `dll.hash.sha256` plus `dll.path` plus bounded `host.id` cohort or service identity. Avoid exceptions on `dll.name`, signer, or generic unsigned-driver conditions alone.\n\n### Response and remediation\n\n- If confirmed benign:\n - Reverse temporary containment and document the driver artifact, host cohort, current osquery image and service values, and any corroborating external record. Keep exceptions narrow to the confirmed hash, path, host cohort, or service identity.\n- If suspicious but unconfirmed:\n - Preserve the driver file if accessible, the alert event export, osquery driver inventory results, surrounding signing-control process events, and the case timeline before containment or cleanup.\n - Apply reversible containment first, such as temporary network restriction or heightened monitoring, while scoping the same `dll.hash.sha256` or `dll.path` across other hosts.\n - Escalate to host isolation before reboot, uninstall, or cleanup only if evidence shows code-integrity tampering, vulnerable-driver loader activity, post-load abuse, or spread outside the expected lab cohort.\n- If confirmed malicious:\n - Isolate the host after preserving the driver artifact, service or boot-start context, signing-control evidence, and affected `host.id` or `host.name`. If endpoint response is unavailable, hand off that evidence set to the team that can contain the system.\n - Scope other hosts for the same `dll.hash.sha256`, `dll.path`, or `dll.code_signature.subject_name` before uninstalling the driver, deleting the file, removing the backing service, or rebooting.\n - Remove the malicious driver, related service or boot-start entry, and code-signing or DSE changes identified during investigation, then remediate the loader or vulnerable-driver path that introduced it.\n- Post-incident hardening:\n - Re-enable or enforce driver-signing and code-integrity controls on the affected host class, block confirmed malicious or vulnerable `dll.hash.sha256` values and `dll.path` locations, and restrict test-signing to isolated lab systems.\n - Document any BYOVD family, loader service name, or host-cohort pattern uncovered during triage for future response cases.\n", + "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n (dll.code_signature.trusted == false or dll.code_signature.exists == false) and\n /* errorExpired and errorRevoked are handled by d12bac54-ab2a-4159-933f-d7bcefa7b61d */\n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\", \"errorCode_endpoint:*\") and\n \n not dll.hash.sha256 : (\n /* HP DOT4 printer driver family FPs (Dot4.sys, Dot4Prt.sys, Dot4usb.sys, Dot4Scan.sys) */\n \"f21c1d478180bc5e932bb2c2e4618e3ed463ca87acedeb139682d218435f82f1\",\n \"7e2f2a139e897eae56038b920bda9381094bc0ae9e626f6634e6b444b8b0c91f\",\n \"12ffdf5f48a79b1b4adbb88ba2cb6c59dd6719554e8ea6beefe99b3e3c66f1ac\",\n \"dbc6afaf80141e2480e19878f581edfe9c2b018da2ec527c4025ff04d5587afd\",\n /* (dc3d.sys, test-signed) */\n \"ca8f9564733ded4c3895cf7150bb254995d66889e6be08d6654e4f897e4ff7a4\"\n )\n", + "references": [ + "https://github.com/hfiref0x/TDL", + "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.hash.sha256", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", + "setup": "## Setup\n\nThis rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.\n\nSetup instructions: https://ela.st/install-elastic-defend\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 15 + }, + "id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa_15", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d994a184-ab93-4cff-8fb6-31a4b4dd18b1_1.json b/packages/security_detection_engine/kibana/security_rule/d994a184-ab93-4cff-8fb6-31a4b4dd18b1_1.json new file mode 100644 index 00000000000..a8e9462f2f4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d994a184-ab93-4cff-8fb6-31a4b4dd18b1_1.json @@ -0,0 +1,135 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies successful outbound TLS sessions that negotiate deprecated protocol versions (SSLv3, TLS 1.0, or TLS 1.1) or weak cipher suites such as RC4, 3DES, NULL, EXPORT, or anonymous Diffie-Hellman. Adversaries-in-the-middle and legacy malware often force these negotiations to decrypt or intercept traffic. Modern clients and services should negotiate TLS 1.2 or 1.3 with strong ciphers on internet-bound connections.", + "false_positives": [ + "Legacy internal applications, industrial control systems, or embedded devices may still require deprecated TLS versions or weak ciphers. Exclude known legacy destination IPs or subnets after validation." + ], + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-network_traffic.tls-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Deprecated TLS Version or Weak Cipher Negotiated Externally", + "new_terms_fields": [ + "source.ip", + "destination.ip", + "tls.version" + ], + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Deprecated TLS Version or Weak Cipher Negotiated Externally\n\nTLS downgrade and weak-cipher negotiation expose sessions to interception or decryption. This rule flags completed\noutbound TLS handshakes from internal hosts to external destinations that negotiated SSLv3, TLS 1.0, TLS 1.1, or a\ncipher suite containing RC4, 3DES, NULL, EXPORT, or anonymous key exchange material.\n\n### Possible investigation steps\n\n- Review `source.ip`, `destination.ip`, `destination.port`, `tls.version`, `tls.version_protocol`, and `tls.cipher`.\n- Determine whether the destination is a known legacy partner, vendor appliance, or unmanaged IoT device.\n- Check for concurrent alerts on the source host (credential access, C2, or proxy manipulation).\n- Compare against baseline: does this destination normally negotiate modern TLS from other clients?\n\n### False positive analysis\n\n- Exclude validated legacy B2B endpoints, mainframe gateways, or SCADA systems that cannot be upgraded immediately.\n- Some older mobile or embedded clients may still offer weak ciphers even when connecting to modern services; confirm\n whether the server accepted the weak option (this rule requires `tls.established:true`).\n\n### Response and remediation\n\n- Block or proxy traffic to the destination if downgrade appears attacker-driven.\n- Patch or replace the client or server that accepted deprecated TLS.\n- Enable TLS 1.2+ minimums on egress proxies and inspect for MITM appliances forcing weak negotiation.\n", + "query": "data_stream.dataset:network_traffic.tls\n and network.protocol: tls\n and network.transport: tcp\n and tls.established: true\n and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n and not destination.ip:(\n 10.0.0.0/8 or\n 100.64.0.0/10 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.2.0/24 or\n 192.168.0.0/16 or\n 192.175.48.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.88.99.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 224.0.0.0/4 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n and (\n tls.version:(1.0 or 1.1) or\n (tls.version_protocol:ssl and tls.version:3.0) or\n (\n not tls.version:1.3 and (\n tls.cipher:(\n *RC4* or\n *3DES* or\n *NULL* or\n *EXPORT* or\n *_anon_* or\n *ADH* or\n *AECDH*\n )\n )\n )\n )\n", + "references": [ + "https://attack.mitre.org/techniques/T1557/", + "https://www.elastic.co/docs/reference/integrations/network_traffic", + "https://www.elastic.co/docs/reference/ecs/ecs-tls", + "https://www.rfc-editor.org/rfc/rfc9325.html" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "tls.cipher", + "type": "keyword" + }, + { + "ecs": true, + "name": "tls.established", + "type": "boolean" + }, + { + "ecs": true, + "name": "tls.version", + "type": "keyword" + }, + { + "ecs": true, + "name": "tls.version_protocol", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d994a184-ab93-4cff-8fb6-31a4b4dd18b1", + "setup": "## Setup\n\nThis rule requires TLS metadata from the Elastic network_traffic integration (`network_traffic.tls` data stream) that\npopulates ECS `tls.version`, `tls.version_protocol`, `tls.cipher`, and `tls.established` fields.\n", + "severity": "medium", + "tags": [ + "Domain: Network", + "Use Case: Network Security Monitoring", + "Use Case: Threat Detection", + "Data Source: Network Traffic", + "Tactic: Credential Access", + "Tactic: Command and Control", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1557", + "name": "Adversary-in-the-Middle", + "reference": "https://attack.mitre.org/techniques/T1557/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1573", + "name": "Encrypted Channel", + "reference": "https://attack.mitre.org/techniques/T1573/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "d994a184-ab93-4cff-8fb6-31a4b4dd18b1_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e5420ced-bc42-4783-a8df-99320567e090_2.json b/packages/security_detection_engine/kibana/security_rule/e5420ced-bc42-4783-a8df-99320567e090_2.json new file mode 100644 index 00000000000..ec0272c79e6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e5420ced-bc42-4783-a8df-99320567e090_2.json @@ -0,0 +1,169 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects successful Microsoft Entra ID sign-ins that use the OAuth device code authentication protocol with the Microsoft Authentication Broker client requesting first-party Office API resources (Exchange Online, Microsoft Graph, or SharePoint) while flagged as interactive. This pattern is associated with adversary-in-the-middle (AiTM) phishing kits such as Tycoon 2FA, where victims complete device code flows that ultimately broker tokens for mail and collaboration APIs.", + "false_positives": [ + "Rare legitimate interactive device code flows that use the Microsoft Authentication Broker against Exchange, Graph, or Yammer may match, for example during troubleshooting or specialized kiosk setups. Document approved scenarios and exclude known principals or networks." + ], + "from": "now-9m", + "index": [ + "logs-azure.signinlogs-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "source.geo.country_name", + "event.outcome", + "azure.signinlogs.properties.user_principal_name", + "azure.signinlogs.properties.session_id", + "azure.signinlogs.properties.app_id", + "azure.signinlogs.properties.app_display_name", + "azure.signinlogs.properties.resource_id", + "azure.signinlogs.properties.resource_display_name", + "azure.signinlogs.properties.authentication_protocol", + "azure.signinlogs.properties.is_interactive", + "azure.tenant_id" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Entra ID OAuth Device Code Phishing via AiTM", + "note": "## Triage and analysis\n\n### Investigating Entra ID OAuth Device Code Phishing via AiTM\n\nReview `azure.signinlogs.properties.user_principal_name`, `azure.signinlogs.properties.session_id`, `source.ip`,\n`user_agent.original`, and `azure.signinlogs.properties.resource_display_name` for context around the device code\ncompletion.\n\nConfirm whether the user knowingly entered a device code (for example on a shared or headless device) and whether\nbroker-mediated access to Exchange, Graph, or Yammer is expected for that account.\n\n### Possible investigation steps\n\n- Interview the user about recent links, QR codes, or prompts to approve a device code.\n- Correlate with `azure.signinlogs` and Microsoft 365 audit logs for mailbox, Teams, or file access from the same\n session or IP shortly after the event.\n- Review conditional access and MFA satisfaction details for the same `session_id`.\n\n### Response and remediation\n\n- If malicious, revoke refresh tokens for the user, reset credentials per policy, and review application consent.\n- Block or monitor the source IP and escalate per incident procedures.\n", + "query": "data_stream.dataset:\"azure.signinlogs\" and event.category:\"authentication\" and event.action:\"Sign-in activity\" and\nevent.outcome:success and azure.signinlogs.properties.app_id:\"29d9ed98-a469-4536-ade2-f981bc1d605e\" and\nazure.signinlogs.properties.authentication_protocol:deviceCode and\nazure.signinlogs.properties.resource_id:(\n \"00000002-0000-0ff1-ce00-000000000000\" or\n \"00000003-0000-0ff1-ce00-000000000000\" or\n \"00000003-0000-0000-c000-000000000000\"\n) and azure.signinlogs.properties.is_interactive:true\n", + "references": [ + "https://any.run/malware-trends/tycoon/", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-authentication-flows", + "https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.signinlogs.properties.app_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.authentication_protocol", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.is_interactive", + "type": "boolean" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.resource_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "e5420ced-bc42-4783-a8df-99320567e090", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Sign-in Logs", + "Use Case: Threat Detection", + "Threat: Tycoon2FA", + "Tactic: Initial Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + }, + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "e5420ced-bc42-4783-a8df-99320567e090_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_208.json b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_208.json deleted file mode 100644 index 85172f00363..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_208.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", - "false_positives": [ - "MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "MFA Disabled for Google Workspace Organization", - "note": "## Triage and analysis\n\n### Investigating MFA Disabled for Google Workspace Organization\n\nMulti-factor authentication (MFA) is a process in which users are prompted for an additional form of identification, such as a code on their cell phone or a fingerprint scan, during the sign-in process.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the users's password is weak or has been exposed elsewhere, an attacker could use it to gain access. Requiring a second form of authentication increases security because attackers cannot easily obtain or duplicate the additional authentication factor.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies when MFA enforcement is turned off in Google Workspace. This modification weakens account security and can lead to accounts and other assets being compromised.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\n", - "references": [ - "https://support.google.com/a/answer/7061566", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.new_value", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 208 - }, - "id": "e555105c-ba6d-481f-82bb-9b633e7b4827_208", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e5d219fd-8362-4b67-a0b8-e3dd4331acdd_1.json b/packages/security_detection_engine/kibana/security_rule/e5d219fd-8362-4b67-a0b8-e3dd4331acdd_1.json new file mode 100644 index 00000000000..f23519dfa5c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e5d219fd-8362-4b67-a0b8-e3dd4331acdd_1.json @@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential SQL injection attempts against Microsoft SQL Server by detecting obfuscated T-SQL patterns in SQL Server Audit events. Attackers use CHAR concatenation, CONVERT-based subqueries, and CASE/UNION constructs to bypass input validation and extract data or execute unauthorized statements.", + "from": "now-9m", + "investigation_fields": { + "field_names": [ + "@timestamp", + "host.id", + "host.name", + "host.ip", + "winlog.computer_name", + "message", + "event.outcome", + "Esql.original_message" + ] + }, + "language": "esql", + "license": "Elastic License v2", + "name": "Potential SQL Injection Against Microsoft SQL Server", + "note": "## Triage and analysis\n\n### Investigating Potential SQL Injection Against Microsoft SQL Server\n\nMicrosoft SQL Server can write audit records to the Windows Application log as event ID 33205 when SQL Server Audit is\nenabled. Adversaries exploit SQL injection vulnerabilities in applications that query SQL Server, often using obfuscated\nT-SQL such as CHAR concatenation or UNION-based payloads to evade simple signature checks.\n\n#### Possible investigation steps\n\n- Review `Esql.original_message` and `message` for the full audited statement, including the application name, client\n address, database, and object targeted by the query.\n- Identify the source application or service account associated with the audited session and determine whether it should\n execute dynamic or user-supplied SQL against the affected database.\n- Correlate with web server, application, or proxy logs around `@timestamp` to identify the HTTP request or client that\n delivered the malicious input.\n- Check for additional SQL Server Audit events (33205) from the same `host.id` or client address before and after the\n alert for follow-on statements such as xp_cmdshell, credential access, or data exfiltration.\n- Investigate other alerts on `host.id` during the past 48 hours for signs of post-exploitation or lateral movement.\n\n### False positive analysis\n\n- Security scanners, penetration tests, or authorized application vulnerability assessments may generate matching audit\n events. Confirm the activity aligns with an approved test window, source address, and application before closing as\n benign.\n- Custom applications that legitimately build dynamic SQL using CHAR concatenation are uncommon but possible. Review the\n full statement context and application owner before adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If exploitation is confirmed, isolate the affected SQL Server or application tier, block the source IP at the\n perimeter, and preserve SQL Server Audit and application logs for forensic analysis.\n- Patch or remediate the vulnerable application code path that allowed unsanitized input to reach SQL Server.\n- Review SQL Server permissions for the compromised application account and restrict access to only required databases\n and objects.\n- Ensure SQL Server is not directly exposed to the internet and that SQL Server Audit remains enabled with appropriate\n retention.\n", + "query": "from logs-system.application-*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index\n| where host.os.type == \"windows\" and winlog.provider_name like \"MSSQL*\" and event.code == \"33205\"\n| EVAL message_upper = TO_UPPER(message)\n| where (\n message_upper RLIKE \".*CONVERT\\\\(INT,\\\\(SELECT (CHAR\\\\(\\\\d{1,3}\\\\)\\\\+){3,}.*\" or \n message_upper RLIKE \".*(CHAR\\\\(\\\\d{1,3}\\\\)\\\\+){3,}CHAR\\\\(\\\\d{1,3}\\\\).*\" or \n message_upper RLIKE \".*CASE WHEN \\\\(\\\\d+=\\\\d+\\\\).*UNION SELECT \\\\d+.*\" or\n message_upper RLIKE \".*WAITFOR DELAY \\\\'0:0:\\\\d+\\\\'.*\" or\n message_upper RLIKE \".*;\\\\s*(EXEC|EXECUTE)\\\\s*\\\\(?\\\\s*(MASTER\\\\.)?\\\\.?XP_CMDSHELL.*\" or\n message_upper RLIKE \".*UNION SELECT (NULL\\\\s*,\\\\s*){2,}NULL.*\" or\n message_upper RLIKE \".*'\\\\w*'\\\\s*\\\\+\\\\s*\\\\(\\\\(SELECT @@VERSION\\\\)\\\\)\\\\s*\\\\+\\\\s*'\\\\w*'.*\" or\n message_upper RLIKE \".*(OR|AND)\\\\s+'?\\\\d+'?\\\\s*=\\\\s*'?\\\\d+'?\\\\s*--.*\"\n )\n| eval Esql.original_message = message\n| keep\n @timestamp,\n host.id,\n host.name,\n host.ip,\n winlog.computer_name,\n message,\n event.outcome,\n Esql.original_message,\n _id,\n _version,\n _index,\n data_stream.namespace\n \n| limit 10\n", + "references": [ + "https://learn.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions", + "https://owasp.org/www-community/attacks/SQL_Injection" + ], + "related_integrations": [ + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "@timestamp", + "type": "date" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": false, + "name": "_version", + "type": "long" + }, + { + "ecs": true, + "name": "data_stream.namespace", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "e5d219fd-8362-4b67-a0b8-e3dd4331acdd", + "setup": "## Setup\n\nSQL Server Audit must be configured to write audit events to the Windows Application log so that event ID 33205 is\ngenerated by the MSSQLSERVER provider (or MSSQL$ for named instances).\n\nSetup instructions: https://learn.microsoft.com/en-us/sql/relational-databases/security/auditing/create-a-server-audit-and-server-audit-specification\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Windows Application Event Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "e5d219fd-8362-4b67-a0b8-e3dd4331acdd_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b_5.json b/packages/security_detection_engine/kibana/security_rule/e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b_5.json new file mode 100644 index 00000000000..3fa4aa5fb95 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b_5.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from processes that are not browsers. Intended to surface RMM clients, scripts, or other non-browser activity contacting these services.", + "from": "now-7205m", + "interval": "5m", + "language": "esql", + "license": "Elastic License v2", + "name": "First Time Seen DNS Query to RMM Domain", + "note": "## Triage and analysis\n\n### Investigating First Time Seen DNS Query to RMM Domain\n\nThis rule flags DNS queries to commonly abused RMM or remote access domains when the requesting process is not a browser. Legitimate RMM and remote desktop software is frequently abused for C2, persistence, and lateral movement.\n\n### Possible investigation steps\n\n- Identify the process process.executable that performed the DNS query and verify if it is an approved RMM or remote access tool.\n- Review the full process tree and parent process to understand how the binary was launched.\n- Check process.code_signature for trusted RMM publishers; unsigned or unexpected signers may indicate abuse or trojanized installers.\n- Correlate with the companion rule \"First Time Seen Remote Monitoring and Management Tool\" for the same host to see if the RMM process was first-time seen.\n- Investigate other alerts for the same host or user in the past 48 hours.\n\n### False positive analysis\n\n- Approved RMM or remote support tools used by IT will trigger this rule; consider allowlisting by process path or code signer for known managed tools.\n- Some updaters or installers (e.g. signed by the RMM vendor) may resolve these domains; combine with process name or parent context to reduce noise.\n\n### Response and remediation\n\n- If unauthorized RMM use is confirmed: isolate the host, remove the RMM software, rotate credentials, and block the domains at DNS/firewall where policy permits.\n- Enforce policy that only approved RMM tools from approved publishers may be used, and only by authorized staff.\n", + "query": "FROM logs-endpoint.events.network-*, logs-windows.sysmon_operational-* METADATA _index\n| WHERE host.os.type == \"windows\"\n AND event.category == \"network\"\n AND event.action in (\"lookup_requested\", \"DNSEvent (DNS query)\")\n AND dns.question.name IS NOT NULL\n\n// Exclude browser processes\n| WHERE NOT\n process.name IN (\n \"chrome.exe\", \"msedge.exe\", \"MicrosoftEdge.exe\", \"MicrosoftEdgeCP.exe\",\n \"firefox.exe\", \"iexplore.exe\", \"safari.exe\", \"brave.exe\",\n \"opera.exe\", \"vivaldi.exe\", \"msedgewebview2.exe\"\n )\n\n// Extract the parent domain (last two labels, e.g. example.com)\n| GROK dns.question.name \"\"\"(?:[^.]+\\.)+(?[^.]+\\.[^.]+)$\"\"\"\n| EVAL parent_domain = COALESCE(parent_domain, dns.question.name)\n\n// Known RMM parent domains, add or remove entries here as your environment changes.\n| WHERE parent_domain IN (\n \"01com.com\",\n \"247ithelp.com\",\n \"action1.com\",\n \"addigy.com\",\n \"aeroadmin.com\",\n \"ammyy.com\",\n \"anydesk.com\",\n \"anyplace-control.com\",\n \"anysupport.net\",\n \"atera.com\",\n \"aurelius.host\",\n \"auvik.com\",\n \"aweray.com\",\n \"aweray.net\",\n \"backdrop.cloud\",\n \"barracudamsp.com\",\n \"beamyourscreen.com\",\n \"beanywhere.com\",\n \"beinsync.com\",\n \"beinsync.net\",\n \"beyondtrustcloud.com\",\n \"bomgar.com\",\n \"bomgarcloud.com\",\n \"centrastage.net\",\n \"centuriontech.com\",\n \"connectwise.com\",\n \"crossloop.com\",\n \"dameware.com\",\n \"datto.com\",\n \"datto.net\",\n \"deskday.ai\",\n \"deskroll.com\",\n \"desktopstreaming.com\",\n \"distantdesktop.com\",\n \"donkz.nl\",\n \"dwservice.net\",\n \"ehorus.com\",\n \"electric.ai\",\n \"emcosoftware.com\",\n \"ericom.com\",\n \"fastsupport.com\",\n \"fastviewer.com\",\n \"fixme.it\",\n \"fleetdeck.io\",\n \"gatherplace.com\",\n \"gatherplace.net\",\n \"getgo.com\",\n \"getscreen.me\",\n \"gotoassist.at\",\n \"gotoassist.com\",\n \"gotoassist.me\",\n \"gotohttp.com\",\n \"gotoresolve.com\",\n \"goverlan.com\",\n \"heartbeatrm.com\",\n \"helpme.net\",\n \"helpwire.app\",\n \"hoptodesk.com\",\n \"hostedrmm.com\",\n \"immy.bot\",\n \"immybot.com\",\n \"imperosoftware.com\",\n \"instanthousecall.com\",\n \"instanthousecall.net\",\n \"intelliadmin.com\",\n \"internapcdn.net\",\n \"internetid.ru\",\n \"iperius-rs.com\",\n \"iperius.net\",\n \"iperiusremote.com\",\n \"islonline.com\",\n \"islonline.net\",\n \"itarian.com\",\n \"itsupport247.net\",\n \"jumpcloud.com\",\n \"jumpdesktop.com\",\n \"jumpto.me\",\n \"kabuto.io\",\n \"kabutoservices.com\",\n \"kaseya.com\",\n \"kaseya.net\",\n \"kickidler.com\",\n \"laplink.com\",\n \"level.io\",\n \"liongard.com\",\n \"litemanager.com\",\n \"litemanager.ru\",\n \"logicnow.com\",\n \"logmein-gateway.com\",\n \"logmein.com\",\n \"logmeininc.com\",\n \"logmeinrescue.com\",\n \"logmeinrescue.eu\",\n \"lunixar.com\",\n \"meshcentral.com\",\n \"mikogo.com\",\n \"mikogo4.com\",\n \"miradore.com\",\n \"msp360.com\",\n \"mygreenpc.com\",\n \"n-able.com\",\n \"naverisk.com\",\n \"nchuser.com\",\n \"netop.com\",\n \"netsupportmanager.com\",\n \"netsupportsoftware.com\",\n \"netviewer.com\",\n \"ninjaone.com\",\n \"ninjarmm.com\",\n \"ninjarmm.net\",\n \"nomachine.com\",\n \"ntrsupport.com\",\n \"opti-tune.com\",\n \"optitune.us\",\n \"oray.com\",\n \"oray.net\",\n \"panorama9.com\",\n \"parsec.app\",\n \"parsecusercontent.com\",\n \"pcvisit.de\",\n \"pilixo.com\",\n \"playanext.com\",\n \"pulseway.com\",\n \"qetqo.com\",\n \"r-hud.net\",\n \"real-time-collaboration.com\",\n \"remmon.hu\",\n \"remote.it\",\n \"remote.management\",\n \"remotecall.com\",\n \"remotedesktop.com\",\n \"remotepc.com\",\n \"remotetopc.com\",\n \"remoteutilities.com\",\n \"remotix.com\",\n \"remotly.com\",\n \"repairshopr.com\",\n \"rmansys.ru\",\n \"rmmservice.ca\",\n \"rmmservice.eu\",\n \"royalapps.com\",\n \"rport.io\",\n \"rudesktop.ru\",\n \"rustdesk.com\",\n \"rview.com\",\n \"screenconnect.com\",\n \"screenmeet.com\",\n \"scrn.mt\",\n \"servably.com\",\n \"server-eye.de\",\n \"set.me\",\n \"setme.net\",\n \"showmypc.com\",\n \"signalserver.xyz\",\n \"simple-help.com\",\n \"skyfex.com\",\n \"sorillus.com\",\n \"splashtop.com\",\n \"splashtop.eu\",\n \"spyanywhere.com\",\n \"spytech-web.com\",\n \"startsupport.com\",\n \"superops.ai\",\n \"superops.com\",\n \"superopsalpha.com\",\n \"superopsbeta.com\",\n \"supremocontrol.com\",\n \"swi-rc.com\",\n \"swi-tc.com\",\n \"syncroapi.com\",\n \"syncromsp.com\",\n \"syspectr.com\",\n \"system-monitor.com\",\n \"systemmonitor.us\",\n \"tacticalrmm.com\",\n \"tailscale.com\",\n \"teamviewer.com\",\n \"techinline.net\",\n \"tele-desk.com\",\n \"tiflux.com\",\n \"tightvnc.com\",\n \"tmate.io\",\n \"todesk.com\",\n \"twingate.com\",\n \"ultraviewer.net\",\n \"ultravnc.com\",\n \"vnc.com\",\n \"weezo.me\",\n \"weezo.net\",\n \"xeox.com\",\n \"zoho.eu\",\n \"zohoassist.com\",\n \"zohoassist.jp\"\n)\n\n// Aggregate by parent domain and get 1st time seen timestamp as well as unique count of agents\n| STATS\n event_count = COUNT(*),\n Esql.first_time_seen = MIN(@timestamp),\n Esql.count_distinct_host_id = COUNT_DISTINCT(host.id),\n Esql.process_executable_values = VALUES(process.executable),\n Esql.dns_question_name_values = VALUES(dns.question.name),\n Esql.host_name_values = VALUES(host.name),\n Esql.host_id_values = VALUES(host.id),\n Esql.user_name_values = VALUES(user.name),\n Esql.user_id_values = VALUES(user.id),\n Esql.namespace_values = VALUES(data_stream.namespace) BY parent_domain\n\n// Calculate the time difference between first time seen and rule execution time\n| eval Esql.recent = DATE_DIFF(\"minute\", Esql.first_time_seen, now())\n\n// First time seen is within 6m of the rule execution time and first seen in the last 5 days as per the rule from schedule and limited to 1 unique host\n| where Esql.recent <= 6 and Esql.count_distinct_host_id == 1\n\n// populate fields for rule exception and triage\n| eval host.name = MV_FIRST(Esql.host_name_values),\n host.id = MV_FIRST(Esql.host_id_values),\n user.name = MV_FIRST(Esql.user_name_values),\n user.id = MV_FIRST(Esql.user_id_values),\n data_stream.namespace = MV_FIRST(Esql.namespace_values),\n process.executable = MV_FIRST(Esql.process_executable_values),\n dns.question.name = MV_FIRST(Esql.dns_question_name_values)\n| keep host.name, host.id, user.name, user.id, data_stream.namespace, process.executable, dns.question.name, Esql.*\n", + "references": [ + "https://attack.mitre.org/techniques/T1219/002/", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a", + "https://lolrmm.io/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.namespace", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b", + "setup": "## Setup\n\nThis rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.\n\nSetup instructions: https://ela.st/install-elastic-defend\n\n### Additional data sources\n\nThis rule also supports the following third-party data sources. For setup instructions, refer to the links below:\n\n- [Sysmon Event ID 22 - DNS Query](https://ela.st/sysmon-event-22-setup)\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/", + "subtechnique": [ + { + "id": "T1219.002", + "name": "Remote Desktop Software", + "reference": "https://attack.mitre.org/techniques/T1219/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 5 + }, + "id": "e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e882e934-2aaa-11f0-8272-f661ea17fbcc_7.json b/packages/security_detection_engine/kibana/security_rule/e882e934-2aaa-11f0-8272-f661ea17fbcc_7.json new file mode 100644 index 00000000000..6b91d8935d2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e882e934-2aaa-11f0-8272-f661ea17fbcc_7.json @@ -0,0 +1,146 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies access to email resources via Microsoft Graph API using an first-party application on behalf of a user principal. This behavior may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to access email resources. The pattern includes requests to Microsoft Graph API endpoints related to email, such as /me/mailFolders/inbox/messages or /users/{user_id}/messages, using a public client application ID and a user principal object ID. This is a New Terms rule that only signals if the application ID and user principal object ID have not been seen doing this activity in the last 14 days.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-azure.graphactivitylogs-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft Graph Request Email Access by Unusual User and Client", + "new_terms_fields": [ + "azure.graphactivitylogs.properties.app_id", + "azure.graphactivitylogs.properties.user_principal_object_id" + ], + "note": "## Triage and analysis\n\n### Investigating Microsoft Graph Request Email Access by Unusual User and Client\n\nThis rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related APIs, such as `/me/messages`, `/sendMail`, or `/mailFolders/inbox/messages`. These accesses are performed via delegated user credentials using common OAuth scopes like `Mail.Read`, `Mail.ReadWrite`, `Mail.Send`, or `email`. This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`) and user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) have not been seen doing this activity in the last 14 days.\n\n### Possible Investigation Steps:\n\n- `azure.graphactivitylogs.properties.app_id`: Investigate the application ID involved. Is it known and sanctioned in your tenant? Pivot to Azure Portal \u2192 Enterprise Applications \u2192 Search by App ID to determine app details, publisher, and consent status.\n- `azure.graphactivitylogs.properties.scopes`: Review the scopes requested by the application. Email-related scopes such as `Mail.ReadWrite` and `Mail.Send` are especially sensitive and suggest the app is interacting with mail content.\n- `url.path` / `azure.graphactivitylogs.properties.requestUri`: Determine exactly which mail-related APIs were accessed (e.g., reading inbox, sending messages, enumerating folders).\n- `user.id`: Identify the user whose credentials were used. Determine if the user recently consented to a new app, clicked a phishing link, or reported suspicious activity.\n- `user_agent.original`: Check for suspicious automation tools (e.g., `python-requests`, `curl`, non-browser agents), which may suggest scripted access.\n- `source.ip` and `client.geo`: Investigate the source IP and geography. Look for unusual access from unexpected countries, VPS providers, or anonymizing services.\n- `http.request.method`: Determine intent based on HTTP method \u2014 `GET` (reading), `POST` (sending), `PATCH`/`DELETE` (modifying/removing messages).\n- `token_issued_at` and `@timestamp`: Determine how long the token has been active and whether access is ongoing or recent.\n- `azure.graphactivitylogs.properties.c_sid`: Use the session correlation ID to identify other related activity in the same session. This may help identify if the app is accessing multiple users' mailboxes or if the same user is accessing multiple apps.\n- Correlate with Microsoft Entra ID (`azure.auditlogs` and `azure.signinlogs`) to determine whether:\n - The app was recently granted admin or user consent\n - Risky sign-ins occurred just prior to or after mail access\n - The same IP or app ID appears across multiple users\n\n### False Positive Analysis\n\n- New legitimate apps may appear after a user consents via OAuth. Developers, third-party tools, or IT-supplied utilities may access mail APIs if users consent.\n- Users leveraging Microsoft development environments (e.g., Visual Studio Code) may trigger this behavior with delegated `.default` permissions.\n- Admin-approved apps deployed via conditional access may trigger similar access logs if not previously seen in detection baselines.\n\n### Response and Remediation\n\n- If access is unauthorized or unexpected:\n - Revoke the app's consent in Azure AD via the Enterprise Applications blade.\n - Revoke user refresh tokens via Microsoft Entra or PowerShell.\n - Investigate the user's session and alert them to possible phishing or OAuth consent abuse.\n- Review and restrict risky OAuth permissions in Conditional Access and App Governance policies.\n- Add known, trusted app IDs to a detection allowlist to reduce noise in the future.\n- Continue monitoring the app ID for additional usage across the tenant or from suspicious IPs.\n", + "query": "data_stream.dataset:azure.graphactivitylogs\n and azure.graphactivitylogs.properties.app_id:*\n and azure.graphactivitylogs.result_signature:200\n and azure.graphactivitylogs.properties.c_idtyp:user\n and azure.graphactivitylogs.properties.client_auth_method:0\n and http.request.method:(DELETE or GET or PATCH or POST or PUT)\n and (\n (\n url.path:(/v1.0/me/* or /v1.0/users/*)\n and (\n url.path:((*inbox* or *mail* or *messages*) and not *mailboxSettings*)\n or azure.graphactivitylogs.properties.requestUri:(*inbox* or *mail* or *messages*)\n )\n )\n or azure.graphactivitylogs.properties.scopes:(Mail.Read or Mail.ReadWrite or Mail.Send)\n )\n", + "references": [ + "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/", + "https://github.com/dirkjanm/ROADtools", + "https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/", + "https://pushsecurity.com/blog/consentfix" + ], + "related_integrations": [ + { + "integration": "graphactivitylogs", + "package": "azure", + "version": "^1.10.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.graphactivitylogs.properties.app_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.graphactivitylogs.properties.c_idtyp", + "type": "unknown" + }, + { + "ecs": false, + "name": "azure.graphactivitylogs.properties.client_auth_method", + "type": "integer" + }, + { + "ecs": false, + "name": "azure.graphactivitylogs.properties.requestUri", + "type": "unknown" + }, + { + "ecs": false, + "name": "azure.graphactivitylogs.properties.scopes", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.graphactivitylogs.result_signature", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "http.request.method", + "type": "keyword" + }, + { + "ecs": true, + "name": "url.path", + "type": "wildcard" + } + ], + "risk_score": 47, + "rule_id": "e882e934-2aaa-11f0-8272-f661ea17fbcc", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Email", + "Data Source: Azure", + "Data Source: Microsoft Graph", + "Data Source: Microsoft Graph Activity Logs", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.002", + "name": "Remote Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 7 + }, + "id": "e882e934-2aaa-11f0-8272-f661ea17fbcc_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_112.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_112.json deleted file mode 100644 index d5e9babd3fc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_112.json +++ /dev/null @@ -1,106 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects file creation and modification on the host system from the Windows Subsystem for Linux. Adversaries may enable and use WSL to avoid detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.file-*", - "logs-windows.sysmon_operational-*", - "logs-sentinel_one_cloud_funnel.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Host File System Changes via Windows Subsystem for Linux", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Host File System Changes via Windows Subsystem for Linux\n\nWindows Subsystem for Linux (WSL) allows users to run a Linux environment directly on Windows, facilitating seamless file access between systems. Adversaries may exploit WSL to modify host files stealthily, bypassing traditional security measures. The detection rule identifies suspicious file operations initiated by WSL processes, particularly those involving the Plan9FileSystem, to flag potential defense evasion attempts.\n\n### Possible investigation steps\n\n- Review the process details for the \"dllhost.exe\" instance that triggered the alert, focusing on the command line arguments to confirm the presence of the Plan9FileSystem CLSID \"{DFB65C4C-B34F-435D-AFE9-A86218684AA8}\".\n- Examine the file paths involved in the alert to determine if any sensitive or critical files were accessed or modified outside of typical user directories, excluding the Downloads folder.\n- Investigate the parent process of \"dllhost.exe\" to understand the context of its execution and identify any potentially malicious parent processes.\n- Check the timeline of events leading up to and following the alert to identify any other suspicious activities or related alerts that may indicate a broader attack pattern.\n- Correlate the alert with user activity logs to determine if the actions were performed by a legitimate user or if there are signs of compromised credentials or unauthorized access.\n\n### False positive analysis\n\n- Routine file operations by legitimate applications using WSL may trigger alerts. Identify and whitelist these applications to prevent unnecessary alerts.\n- Development activities involving WSL, such as compiling code or running scripts, can generate false positives. Exclude specific development directories or processes from monitoring.\n- Automated backup or synchronization tools that interact with WSL might be flagged. Configure exceptions for these tools by specifying their process names or file paths.\n- System maintenance tasks that involve WSL, like updates or system checks, could be mistaken for suspicious activity. Schedule these tasks during known maintenance windows and adjust monitoring rules accordingly.\n- Frequent downloads or file transfers to directories outside the typical user download paths may appear suspicious. Define clear policies for acceptable file paths and exclude them from alerts.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any suspicious processes associated with \"dllhost.exe\" that are linked to the Plan9FileSystem CLSID to stop ongoing malicious activities.\n- Conduct a thorough review of recent file changes on the host system to identify and restore any unauthorized modifications or deletions.\n- Revoke any unauthorized access or permissions granted to WSL that may have been exploited by the adversary.\n- Update and patch the Windows Subsystem for Linux and related components to mitigate any known vulnerabilities that could be exploited.\n- Monitor for any recurrence of similar activities by setting up alerts for processes and file operations involving \"dllhost.exe\" and the Plan9FileSystem.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.", - "query": "sequence by process.entity_id with maxspan=5m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"dllhost.exe\" and\n /* Plan9FileSystem CLSID - WSL Host File System Worker */\n process.command_line : \"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\"]\n[file where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and\n not file.path : (\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\DLLHOST.exe-????????.pf\")]\n", - "references": [ - "https://github.com/microsoft/WSL" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^3.0.0" - }, - { - "package": "sentinel_one_cloud_funnel", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", - "Data Source: SentinelOne" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1202", - "name": "Indirect Command Execution", - "reference": "https://attack.mitre.org/techniques/T1202/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 112 - }, - "id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b_112", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb8abab8-dea4-4903-a0ad-dfcb09224488_1.json b/packages/security_detection_engine/kibana/security_rule/eb8abab8-dea4-4903-a0ad-dfcb09224488_1.json new file mode 100644 index 00000000000..003133271cb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb8abab8-dea4-4903-a0ad-dfcb09224488_1.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects a potential privilege escalation sequence via a parent process relationship. This rule checks for non-root execution of a process executable in a user or world-writable directory followed by a UID change event to 0 (root). This sequence is indicative of a potential local privilege escalation exploit.", + "from": "now-6m", + "index": [ + "logs-endpoint.events.process*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via a Parent Process Sequence", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Privilege Escalation via a Parent Process Sequence\n\nThis alert flags a Linux process chain where a non-root program launched from a user- or world-writable location is quickly followed by the same lineage switching to root, a strong sign of local privilege escalation and full host compromise risk. A common pattern is an attacker dropping or compiling an exploit in /tmp or a home directory, executing it as an unprivileged user, and then spawning a root shell or privileged helper within seconds.\n\n### Possible investigation steps\n\n- Reconstruct the full process tree around the sequence to identify the originating user session, the exact binary or script launched from the writable location, and any immediate root-level child such as a shell, package tool, or file-modification utility.\n- Validate whether the executed file and its parent are expected by reviewing file ownership, permissions, hashes, and recent write or compile times to determine if a malicious binary was dropped, replaced, or staged locally.\n- Determine what the elevated process did next by examining follow-on root activity for signs of compromise such as interactive shells, edits to authentication files, SUID or capability changes, new services, cron jobs, or SSH key placement.\n- Review nearby host telemetry for exploit preparation or execution indicators, including compiler usage, archive extraction, access to kernel or polkit-related components, suspicious temporary files, or errors and crashes consistent with privilege escalation attempts.\n- Scope the incident by searching for the same user account, file hash, writable-path executable, or related lineage on other Linux systems, and contain the host quickly if the activity is not explained by approved administration or software deployment.\n\n### False positive analysis\n\n- Administrators or developers may run locally built installers, update scripts, or test binaries from `/tmp`, `/var/tmp`, or a home directory that legitimately invoke a setuid-root helper during maintenance; verify the file is owned by the expected user, matches a known change window, and that the resulting root process only performed the intended configuration or install actions.\n- User login or session initialization scripts stored under `/home/*` or `/run/user/*` can legitimately launch privileged built-in utilities such as password-change or mount helpers, creating a brief non-root-to-root process chain; confirm the alert coincides with an interactive user action and that the elevated child process is an expected system binary with benign follow-on activity.\n\n### Response and remediation\n\n- Isolate the affected Linux host from the network immediately while keeping EDR and forensic access available so the attacker cannot use the new root context for lateral movement, data theft, or cleanup.\n- Terminate the malicious process tree and quarantine or remove the exploit binary, script, or archive from the writable path it launched from, then delete attacker persistence such as new systemd services, cron entries, modified `rc.local`, added `authorized_keys`, altered `sudoers` files, and any unexpected SUID bits or Linux capabilities.\n- Restore the host to a known-good state from a trusted image or snapshot instead of relying on in-place cleanup, and verify core system binaries, PAM modules, startup scripts, and package integrity before returning it to service.\n- Rotate all credentials and secrets exposed on the host, including local passwords, SSH keys, API tokens, and service account secrets, because a root-level compromise may have allowed the attacker to read `/etc/shadow`, shell histories, application configs, and private keys.\n- Escalate to incident response immediately if the root process spawned an interactive shell, modified `/etc/passwd` or `/etc/shadow`, installed a backdoor service, added an SSH key, or if the same user, binary hash, or writable-path execution pattern appears on more than one host.\n- Harden the environment by patching the exploited local privilege escalation vector, restricting or removing unnecessary setuid/setcap helpers, mounting temporary and user-writable directories with `noexec,nosuid,nodev` where feasible, and increasing monitoring for executions from writable paths followed by privileged child activity.\n", + "query": "sequence by host.id, process.parent.entity_id with maxspan=15s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n user.id != \"0\" and process.parent.user.id != \"0\" and process.parent.group.id != \"0\" and\n (\n process.executable like (\".*\", \"/tmp/*\", \"/dev/shm/*\", \"/var/tmp/*\", \"/run/user/*\", \"/var/run/user/*\", \"/home/*/*\") or\n process.parent.executable like (\".*\", \"/tmp/*\", \"/dev/shm/*\", \"/var/tmp/*\", \"/home/*/*\", \"/run/user/*\", \"/var/run/user/*\")\n )]\n [process where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"uid_change\" and\n user.id == \"0\" and process.parent.user.id != \"0\" and process.parent.group.id != \"0\" and\n not process.executable in (\"/usr/bin/sudo\", \"/bin/sudo\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.group.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "eb8abab8-dea4-4903-a0ad-dfcb09224488", + "severity": "high", + "tags": [ + "Data Source: Elastic Defend", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.001", + "name": "Setuid and Setgid", + "reference": "https://attack.mitre.org/techniques/T1548/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "eb8abab8-dea4-4903-a0ad-dfcb09224488_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebf493d1-20be-41a0-a010-c1b6a6f90e28_1.json b/packages/security_detection_engine/kibana/security_rule/ebf493d1-20be-41a0-a010-c1b6a6f90e28_1.json new file mode 100644 index 00000000000..d1a3ee63d94 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ebf493d1-20be-41a0-a010-c1b6a6f90e28_1.json @@ -0,0 +1,151 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when a process not commonly used to load shared objects, is executed with arguments that load a shared object file. This technique can load a malicious shared object into memory while attempting to evade detection.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Shared Object Load via LoLBin", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Shared Object Load via LoLBin\n\nThis alert flags a Linux program that normally is not used as a loader but is started with options that pull a shared object into memory, a common way to hide malicious code behind trusted tools. An attacker can launch `openssl -engine /tmp/libcrypto.so` or a short `python -c` snippet that calls `cdll.LoadLibrary(\"/tmp/libx.so\")` to execute a rogue library while blending in with legitimate system activity.\n\n### Possible investigation steps\n\n- Review the full command line, ancestor process chain, session context, and executing user to determine whether the shared object load aligns with a legitimate admin task, build workflow, or expected plugin behavior.\n- Identify the referenced `.so` file on disk and validate its package ownership, hash reputation, permissions, timestamps, and location, giving extra scrutiny to libraries in temporary, user-writable, hidden, or recently created paths.\n- Pivot on the same library path or hash across hosts and users to determine whether it is isolated to one system, newly introduced, or part of a broader sequence involving script execution, file drops, or repeated LoLBin abuse.\n- Examine activity immediately before and after the load for suspicious follow-on behavior such as outbound network connections, credential access attempts, unexpected child processes, privilege escalation, or persistence-related file changes.\n- If the library is not attributable to approved software, collect the binary and related artifacts for static or sandbox analysis and consider host containment or blocking the file hash and path if corroborating malicious evidence is present.\n\n### False positive analysis\n\n- Developers or build jobs may use `python -c`, `ruby -e`, or `openssl -engine` to validate a locally built `.so` during compilation or testing; confirm the parent process and working directory map to an expected build path or `make`-driven workflow and that the library resides in a project or package-managed location.\n- Administrators may intentionally load a legitimate shell builtin or application plugin through `bash -c`, `gdb`, or `vim` while troubleshooting or enabling features; verify the session is interactive and attributable to the user, then check that the referenced `.so` is package-owned or stored in a standard system library or plugin directory rather than a writable temporary path.\n\n### Response and remediation\n\n- Isolate the affected Linux host from the network, terminate the abusing LoLBin and any spawned processes, and quarantine the referenced `.so` and any copies found in writable locations such as `/tmp`, `/dev/shm`, user home directories, or hidden folders.\n- Remove attacker persistence by deleting unauthorized entries from `/etc/ld.so.preload`, shell startup files, cron jobs, systemd services or timers, and any wrapper scripts that relaunch `openssl -engine`, `python -c`, `ruby -e`, or shell commands to load the malicious library.\n- Reset credentials and revoke secrets used on the host, including SSH keys, API tokens, and service-account passwords, if the library executed under a privileged account or accessed authentication material, browser data, or configuration files with embedded secrets.\n- Restore the host to a known-good state by rebuilding from a trusted image or reinstalling verified packages, then validate that no unapproved libraries, altered loader settings, or attacker-added binaries remain on disk before returning the system to production.\n- Escalate to incident response immediately if the same library hash or path is present on multiple hosts, the load occurred as `root`, or the host showed follow-on behavior such as new persistence, remote command execution, or suspicious outbound network connections.\n- Harden the environment by restricting plugin and engine loads to approved library directories, enforcing package integrity checks, monitoring for changes to preload files and service definitions, and applying SELinux or AppArmor policies that prevent scripts and LoLBins from loading shared objects from user-writable paths.\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\", \"start\", \"ProcessRollup2\") and\n?process.parent.executable != null and\n(\n (process.name == \"bash\" and process.args == \"-c\" and process.args like \"* enable *-f*.so*\") or\n (process.name == \"openssl\" and process.args == \"-engine\" and process.args like \"*.so*\") or\n (process.name like \"python*\" and process.args == \"-c\" and process.args like \"*cdll.LoadLibrary*.so*\") or\n (process.name like \"ruby*\" and process.args == \"-e\" and process.args like \"*Fiddle.dlopen*.so*\") or \n (process.name in (\"gdb\", \"gimp\", \"rview\", \"rvim\", \"view\", \"vim\", \"vimdiff\") and\n process.args like \"*cdll.LoadLibrary*.so*\") or\n (process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and\n process.args == \"-c\" and process.args like (\"*cdll.LoadLibrary*.so*\", \"*ruby*-e**Fiddle.dlopen*.so*\")\n )\n) and\nnot (\n ?process.parent.executable like (\n \"/root/.cache/bazel/_bazel_root/install/*\", \"/opt/Xilinx/PetaLinux/*\", \"/usr/bin/find\", \"/bin/find\", \n \"/opt/nessus_agent/sbin/nessus-agent-module\", \"/sw/eb/sw/Python/*/bin/python*\"\n ) or\n ?process.parent.name in (\"make\", \"process-wrapper\", \"bwrap\") or\n (process.name like \"python*\" and ?process.command_line like~ \"*import torch*torchinductor*\") or\n ?process.command_line like \"*https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE*\"\n)\n", + "references": [ + "https://gtfobins.github.io/#+library%20load" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ebf493d1-20be-41a0-a010-c1b6a6f90e28", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n- Auditd Manager\n- CrowdStrike\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "ebf493d1-20be-41a0-a010-c1b6a6f90e28_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef35b103-7fca-4af4-879d-a7e73c918659_1.json b/packages/security_detection_engine/kibana/security_rule/ef35b103-7fca-4af4-879d-a7e73c918659_1.json new file mode 100644 index 00000000000..df127d5cd62 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ef35b103-7fca-4af4-879d-a7e73c918659_1.json @@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects shell executions via Elastic Endpoint. Elastic Endpoint has a built-in response action console that can be used to execute shell commands on compromised systems.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Shell Execution via Elastic Endpoint", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"start\") and\nprocess.parent.executable == \"/opt/Elastic/Endpoint/elastic-endpoint\" and\nprocess.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and\nprocess.args in (\"-c\", \"-cl\", \"-lc\", \"--command\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "ef35b103-7fca-4af4-879d-a7e73c918659", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "ef35b103-7fca-4af4-879d-a7e73c918659_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_112.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_116.json similarity index 64% rename from packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_112.json rename to packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_116.json index b9f38682bef..8ae620c3116 100644 --- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_112.json +++ b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_116.json @@ -9,15 +9,13 @@ ], "from": "now-9m", "index": [ - "endgame-*", - "logs-endpoint.events.process*", - "logs-sentinel_one_cloud_funnel.*" + "logs-endpoint.events.process*" ], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Child Execution via Web Server", "note": "## Triage and analysis\n\n### Investigating Suspicious Child Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.parent.executable != null and (\n process.parent.name like (\n \"apache\", \"nginx\", \"apache2\", \"httpd\", \"lighttpd\", \"caddy\", \"php-fpm*\", \"mongrel_rails\", \"haproxy\",\n \"gunicorn\", \"uwsgi\", \"openresty\", \"cherokee\", \"h2o\", \"resin\", \"puma\", \"unicorn\", \"traefik\", \"uvicorn\",\n \"tornado\", \"hypercorn\", \"daphne\", \"twistd\", \"yaws\", \"webfsd\", \"httpd.worker\", \"flask\", \"rails\", \"mongrel\",\n \"php-cgi\", \"php-fcgi\", \"php-cgi.cagefs\", \"catalina.sh\", \"hiawatha\", \"lswsctrl\"\n ) or\n user.name in (\"apache\", \"www-data\", \"httpd\", \"nginx\", \"lighttpd\", \"tomcat\", \"tomcat8\", \"tomcat9\") or\n user.id in (\"33\", \"498\", \"48\") or\n (process.name == \"java\" and ?process.working_directory like \"/u0?/*\")\n) and (\n process.executable like (\n \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"./*\", \"/run/*\", \"/var/run/*\", \"/boot/*\", \"/sys/*\", \"/lost+found/*\",\n \"/proc/*\", \"/var/mail/*\", \"/var/www/*\", \"/home/*\", \"/root/*\" \n ) or\n process.name like~ (\n // Hidden processes\n \".*\",\n // Suspicious file formats\n \"*.elf\", \"*.sh\", \"*.py\", \"*.rb\", \"*.pl\", \"*.lua*\", \"*.php*\", \".js\",\n // Scheduled tasks\n \"systemd\", \"cron\", \"crond\",\n // Network utilities often used for reverse shells\n \"nc\", \"netcat\", \"ncat\", \"telnet\", \"socat\", \"openssl\", \"nc.openbsd\", \"ngrok\", \"nc.traditional\",\n // Cloud CLI\n \"az\", \"gcloud\", \"aws\",\n // Misc. tools\n \"whoami\", \"ifconfig\", \"ip\", \"ss\", \"top\", \"htop\", \"df\", \"du\", \"lsblk\", \"lsof\", \"tcpdump\",\n \"strace\", \"ltrace\", \"curl\", \"wget\", \"dig\", \"nslookup\", \"host\", \"nmap\", \"arp\", \"traceroute\"\n ) \n)\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n process.parent.name in (\n \"nginx\", \"apache2\", \"httpd\", \"caddy\", \"mongrel_rails\", \"uwsgi\", \"daphne\", \"httpd.worker\", \"flask\",\n \"php-cgi\", \"php-fcgi\", \"php-cgi.cagefs\", \"lswsctrl\", \"varnishd\", \"uvicorn\", \"waitress-serve\", \"starman\",\n \"frankenphp\", \"zabbix_server\", \"asterisk\", \"sw-engine-fpm\"\n ) or\n process.parent.name like (\"php-fpm*\", \"gunicorn*\", \"*.cgi\", \"*.fcgi\") or\n (\n process.parent.name like \"ruby*\" and\n process.parent.command_line like~ (\"*puma*\", \"*rails*\", \"*passenger*\")\n ) or\n (\n process.parent.name like \"python*\" and\n process.parent.command_line like~ (\n \"*hypercorn*\", \"*flask*\", \"*uvicorn*\", \"*django*\", \"*app.py*\", \"*server.py*\", \"*wsgi.py*\", \"*asgi.py*\"\n )\n ) or\n (process.parent.name like \"perl*\" and process.parent.command_line like~ \"*plackup*\") or\n (\n process.parent.name == \"java\" and (\n process.parent.args like~ (\n /* Tomcat */\n \"org.apache.catalina.startup.Bootstrap\", \"-Dcatalina.base=*\",\n\n /* Jetty */\n \"org.eclipse.jetty.start.Main\", \"-Djetty.home=*\",\n\n /* WildFly / JBoss */\n \"org.jboss.modules.Main\", \"-Djboss.home.dir=*\",\n\n /* WebLogic */\n \"weblogic.Server\", \"-Dweblogic.Name=*\", \"*weblogic-launcher.jar*\",\n\n /* WebSphere traditional + Liberty */\n \"com.ibm.ws.runtime.WsServer\", \"com.ibm.ws.kernel.boot.cmdline.Bootstrap\",\n\n /* GlassFish */\n \"com.sun.enterprise.glassfish.bootstrap.ASMain\",\n\n /* Resin */\n \"com.caucho.server.resin.Resin\",\n\n /* Spring Boot */\n \"org.springframework.boot.loader.*\",\n\n /* Quarkus */\n \"*quarkus-run.jar*\", \"io.quarkus.runner.GeneratedMain\",\n\n /* Micronaut */\n \"io.micronaut.runtime.Micronaut\",\n\n /* Dropwizard */\n \"io.dropwizard.cli.ServerCommand\",\n\n /* Play */\n \"play.core.server.ProdServerStart\",\n\n /* Helidon */\n \"io.helidon.microprofile.server.Main\", \"io.helidon.webserver*\",\n\n /* Vert.x */\n \"io.vertx.core.Launcher\",\n\n /* Keycloak */\n \"org.keycloak*\",\n\n /* Apereo CAS */\n \"org.apereo.cas*\",\n\n /* Elasticsearch */\n \"org.elasticsearch.bootstrap.Elasticsearch\",\n\n /* Atlassian / Gerrit */\n \"com.atlassian.jira.startup.Launcher\", \"*BitbucketServerLauncher*\", \"com.google.gerrit.pgm.Daemon\",\n\n /* Solr */\n \"*-Dsolr.solr.home=*\",\n\n /* Jenkins */\n \"*jenkins.war*\"\n ) or\n ?process.working_directory like \"/u0?/*\"\n )\n )\n) and (\n process.executable like (\n \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"./*\", \"/run/*\", \"/var/run/*\", \"/boot/*\", \"/sys/*\", \"/lost+found/*\",\n \"/proc/*\", \"/var/mail/*\", \"/var/www/*\", \"/home/*/*\", \"/root/*\" \n ) or\n process.name like~ (\n // Hidden processes\n \".*\",\n\n // Suspicious file formats\n \"*.elf\", \"*.sh\", \"*.py\", \"*.rb\", \"*.pl\", \"*.lua*\", \"*.php*\", \".js\", \"*.bin\", \"*.jar\", \"*.mjs\",\n\n // Network utilities often used for reverse shells\n \"nc\", \"netcat\", \"ncat\", \"telnet\", \"socat\", \"openssl\", \"nc.openbsd\", \"ngrok\", \"nc.traditional\",\n\n // Cloud CLI\n \"az\", \"gcloud\", \"aws\", \"kubectl\", \"helm\", \"docker\", \"ctr\", \"crictl\",\n\n // Misc. tools\n \"whoami\", \"ifconfig\", \"ip\", \"ss\", \"top\", \"htop\", \"du\", \"lsblk\", \"lsof\", \"tcpdump\",\n \"strace\", \"ltrace\", \"curl\", \"wget\", \"dig\", \"nslookup\", \"host\", \"nmap\", \"arp\", \"traceroute\",\n \"cat\", \"touch\", \"mv\", \"rm\", \"mkdir\", \"ln\", \"chmod\", \"sudo\", \"xxd\", \"base64\", \"basez\",\n \"base64plain\", \"base64url\", \"base64mime\", \"base64pem\", \"basenc\", \"base32\", \"base16\", \"chpasswd\",\n \"passwd\"\n ) \n) and \nnot (\n (\n process.parent.name == \"java\" and\n process.executable like (\"/tmp/CVU_19_resource_*/exectask*\", \"/u01/app/*/grid/bin/crsctl.bin\", \"/u01/app/*/grid/bin/olsnodes.bin\")\n ) or\n process.working_directory like (\"/u01/app/*/sysman/emd\", \"/run/systemd/mount-rootfs\") or\n (\n process.parent.executable == \"/opt/morpheus/embedded/java/jre/bin/java\" and\n process.command_line like (\n \"chmod -R g+w /var/opt/morpheus/morpheus-local/repo/git/*\",\n \"sudo -S -u morpheus-local*\"\n )\n ) or\n (\n process.parent.command_line == \"/bin/sh /etc/init.d/nginx rotate\" and\n process.name == \"cat\"\n ) or\n (\n process.parent.name == \"asterisk\" and\n process.executable like (\n \"/var/www/html/dialapplet-web/agi/*.php\", \"/var/lib/asterisk/bin/faxnotify.php\"\n )\n ) or\n (\n process.parent.executable == \"/home/jiraContractor/jira.install/jre/bin/java\" and\n process.executable == \"/home/jiraContractor/jira.install/jre/lib/jspawnhelper\"\n ) or\n process.parent.args like \"/home/agent/Claude/*\" or\n (process.parent.executable == \"/usr/lib/jvm/java-21-openjdk/bin/java\" and process.name == \"ln\")\n)\n", "references": [ "https://pentestlab.blog/tag/web-shell/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965" @@ -26,13 +24,14 @@ { "package": "endpoint", "version": "^8.2.0" - }, - { - "package": "sentinel_one_cloud_funnel", - "version": "^1.0.0" } ], "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, { "ecs": true, "name": "event.type", @@ -43,6 +42,11 @@ "name": "host.os.type", "type": "keyword" }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, { "ecs": true, "name": "process.executable", @@ -55,27 +59,27 @@ }, { "ecs": true, - "name": "process.parent.executable", + "name": "process.parent.args", "type": "keyword" }, { "ecs": true, - "name": "process.parent.name", - "type": "keyword" + "name": "process.parent.command_line", + "type": "wildcard" }, { "ecs": true, - "name": "process.working_directory", + "name": "process.parent.executable", "type": "keyword" }, { "ecs": true, - "name": "user.id", + "name": "process.parent.name", "type": "keyword" }, { "ecs": true, - "name": "user.name", + "name": "process.working_directory", "type": "keyword" } ], @@ -89,11 +93,9 @@ "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", - "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: SentinelOne" + "Data Source: Elastic Defend" ], "threat": [ { @@ -132,12 +134,27 @@ "reference": "https://attack.mitre.org/techniques/T1190/" } ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] } ], "timestamp_override": "event.ingested", "type": "eql", - "version": 112 + "version": 116 }, - "id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_112", + "id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_116", "type": "security-rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2108687-553d-45ac-b8f0-d0efeac5d45f_1.json b/packages/security_detection_engine/kibana/security_rule/f2108687-553d-45ac-b8f0-d0efeac5d45f_1.json new file mode 100644 index 00000000000..b98e9977192 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f2108687-553d-45ac-b8f0-d0efeac5d45f_1.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects GKE pod create, update, or patch events that enable host PID namespace sharing. HostPID exposes host processes and can support privilege escalation, especially with ptrace or privileged containers. System identities and controller-owned workloads are excluded.", + "false_positives": [ + "Debug pods may legitimately use hostPID. Exclude trusted admin workflows after baselining." + ], + "index": [ + "logs-gcp.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GKE Pod Created With HostPID", + "note": "## Triage and analysis\n\n### Investigating GKE Pod Created With HostPID\n\nHostPID visibility into host processes is high risk. Confirm whether the pod spec change was authorized.\n\n### Investigation steps\n\n- Review actor (`user.email`), target pod, and images in the audit request.\n- Correlate with exec, secret access, or RBAC changes from the same identity.\n\n### False positives\n\n- Break-glass troubleshooting; tune by user or namespace.", + "query": "data_stream.dataset:gcp.audit and\nevent.action:(\"io.k8s.core.v1.pods.create\" or \"io.k8s.core.v1.pods.update\" or \"io.k8s.core.v1.pods.patch\") and\ngcp.audit.request.spec.hostPID:true and not user.email:system\\:* and\nnot gcp.audit.request.metadata.ownerReferences.kind:(\"ReplicaSet\" or \"DaemonSet\" or \"StatefulSet\")\n", + "references": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/", + "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "gcp.audit.request.metadata.ownerReferences.kind", + "type": "unknown" + }, + { + "ecs": false, + "name": "gcp.audit.request.spec.hostPID", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.email", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f2108687-553d-45ac-b8f0-d0efeac5d45f", + "setup": "The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Kubernetes", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "f2108687-553d-45ac-b8f0-d0efeac5d45f_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_213.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_213.json deleted file mode 100644 index aaae2db6b1b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_213.json +++ /dev/null @@ -1,121 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", - "false_positives": [ - "Updates to approved and trusted SSH executables can trigger this rule." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.file-*", - "endgame-*", - "logs-sentinel_one_cloud_funnel.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential OpenSSH Backdoor Logging Activity", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential OpenSSH Backdoor Logging Activity\n\nOpenSSH is a widely used protocol for secure remote administration and file transfers. Adversaries may exploit OpenSSH by modifying its binaries to log credentials or maintain unauthorized access. The detection rule identifies suspicious file changes linked to SSH processes, focusing on unusual file names, extensions, and paths indicative of backdoor activity, thus helping to uncover potential security breaches.\n\n### Possible investigation steps\n\n- Review the file change event details to identify the specific file name, extension, and path involved in the alert. Pay particular attention to unusual file names or extensions and paths listed in the query, such as \"/usr/lib/*.so.*\" or \"/private/etc/ssh/.sshd_auth\".\n- Examine the process executable that triggered the alert, either \"/usr/sbin/sshd\" or \"/usr/bin/ssh\", to determine if it has been modified or replaced. Check the integrity of these binaries using hash comparisons against known good versions.\n- Investigate the user account associated with the process that made the file change. Determine if the account has a history of suspicious activity or if it has been compromised.\n- Check for any recent or unusual login attempts or sessions related to the SSH service on the host. Look for patterns that might indicate unauthorized access or credential harvesting.\n- Analyze system logs, such as auth.log or secure.log, for any anomalies or entries that coincide with the time of the file change event. This can provide additional context or evidence of malicious activity.\n- If a backdoor is suspected, consider isolating the affected system from the network to prevent further unauthorized access and begin remediation efforts, such as restoring from a clean backup or reinstalling the affected services.\n\n### False positive analysis\n\n- Routine system updates or package installations may trigger file changes in SSH-related directories. Users can create exceptions for known update processes to prevent false alerts.\n- Custom scripts or administrative tasks that modify SSH configuration files for legitimate purposes might be flagged. Users should whitelist these scripts or processes if they are verified as non-malicious.\n- Backup or synchronization tools that create temporary files with unusual extensions or names in SSH directories can cause false positives. Exclude these tools from monitoring if they are part of regular operations.\n- Development or testing environments where SSH binaries are frequently modified for testing purposes may generate alerts. Implement exclusions for these environments to reduce noise.\n- Automated configuration management tools like Ansible or Puppet that modify SSH settings as part of their operations can be excluded if they are part of authorized workflows.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any suspicious SSH processes identified in the alert to halt potential backdoor activity.\n- Conduct a thorough review of the modified files and binaries, particularly those listed in the query, to assess the extent of the compromise and identify any malicious code or unauthorized changes.\n- Restore affected files and binaries from a known good backup to ensure system integrity and remove any backdoor modifications.\n- Change all SSH credentials and keys associated with the compromised system to prevent unauthorized access using potentially logged credentials.\n- Implement additional monitoring on the affected system and network for any signs of persistence or further malicious activity, focusing on the paths and file types highlighted in the detection query.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected, ensuring a coordinated response to the threat.", - "query": "file where host.os.type == \"linux\" and event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\", \".google_authenticator\",\n \".jelenv\", \".csvignore\", \".rtreport\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", - "references": [ - "https://github.com/eset/malware-ioc/tree/master/sshdoor", - "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "sentinel_one_cloud_funnel", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", - "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1554", - "name": "Compromise Host Software Binary", - "reference": "https://attack.mitre.org/techniques/T1554/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 213 - }, - "id": "f28e2be4-6eca-4349-bdd9-381573730c22_213", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_107.json b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_107.json deleted file mode 100644 index 39c768a9786..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_107.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.", - "false_positives": [ - "This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Sudo Heap-Based Buffer Overflow Attempt", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Sudo Heap-Based Buffer Overflow Attempt\n\nSudo is a critical utility in Unix-like systems, allowing users to execute commands with elevated privileges. A heap-based buffer overflow in Sudo (CVE-2021-3156) can be exploited by attackers to gain root access. Adversaries may craft specific command-line arguments to trigger this vulnerability. The detection rule identifies suspicious Sudo or Sudoedit invocations with particular argument patterns, signaling potential exploitation attempts.\n\n### Possible investigation steps\n\n- Review the alert details to confirm the presence of suspicious Sudo or Sudoedit invocations with the specific argument patterns: process.args containing a backslash followed by either \"-i\" or \"-s\".\n- Examine the process execution context by gathering additional details such as the user account associated with the process, the parent process, and the command line used.\n- Check the system logs for any other unusual or unauthorized activities around the time of the alert to identify potential lateral movement or further exploitation attempts.\n- Investigate the history of the user account involved to determine if there have been any previous suspicious activities or privilege escalation attempts.\n- Assess the system for any signs of compromise or unauthorized changes, such as new user accounts, modified files, or unexpected network connections.\n- Verify the current version of Sudo installed on the system to determine if it is vulnerable to CVE-2021-3156 and consider applying patches or updates if necessary.\n\n### False positive analysis\n\n- Routine administrative tasks using sudo or sudoedit with interactive or shell options may trigger the rule. Review the context of these commands and consider excluding specific user accounts or scripts that are known to perform legitimate administrative functions.\n- Automated scripts or cron jobs that use sudo with the -i or -s options for legitimate purposes can be flagged. Identify these scripts and add them to an exception list to prevent unnecessary alerts.\n- Development or testing environments where users frequently test commands with elevated privileges might generate false positives. Implement a separate monitoring policy for these environments or exclude known test accounts.\n- Security tools or monitoring solutions that simulate attacks for testing purposes may inadvertently trigger the rule. Ensure these tools are recognized and excluded from triggering alerts by adding them to an exception list.\n- Users with legitimate reasons to frequently switch to root using sudo -i or sudo -s should be identified, and their activities should be monitored separately to avoid false positives.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the attacker.\n- Terminate any suspicious sudo or sudoedit processes identified by the detection rule to halt ongoing exploitation attempts.\n- Apply the latest security patches and updates to the Sudo utility on all affected systems to remediate the vulnerability (CVE-2021-3156).\n- Conduct a thorough review of system logs and process execution history to identify any unauthorized access or privilege escalation activities.\n- Reset passwords for all user accounts on the affected system, especially those with elevated privileges, to mitigate potential credential compromise.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the scope of the breach.\n- Implement enhanced monitoring and alerting for sudo and sudoedit command executions across the network to detect similar exploitation attempts in the future.", - "query": "event.category:process and event.type:start and\n process.name:(sudo or sudoedit) and\n process.args:(*\\\\ and (\"-i\" or \"-s\"))\n", - "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156", - "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", - "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw", - "https://www.sudo.ws/alerts/unescape_overflow.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "threshold": { - "field": [ - "host.hostname" - ], - "value": 100 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 107 - }, - "id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8_107", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_108.json b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_108.json deleted file mode 100644 index ecc12e18e3c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_108.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.", - "false_positives": [ - "This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Deprecated - Sudo Heap-Based Buffer Overflow Attempt", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Deprecated - Sudo Heap-Based Buffer Overflow Attempt\n\nSudo is a critical utility in Unix-like systems, allowing users to execute commands with elevated privileges. A heap-based buffer overflow in Sudo (CVE-2021-3156) can be exploited by attackers to gain root access. Adversaries may craft specific command-line arguments to trigger this vulnerability. The detection rule identifies suspicious Sudo or Sudoedit invocations with particular argument patterns, signaling potential exploitation attempts.\n\n### Possible investigation steps\n\n- Review the alert details to confirm the presence of suspicious Sudo or Sudoedit invocations with the specific argument patterns: process.args containing a backslash followed by either \"-i\" or \"-s\".\n- Examine the process execution context by gathering additional details such as the user account associated with the process, the parent process, and the command line used.\n- Check the system logs for any other unusual or unauthorized activities around the time of the alert to identify potential lateral movement or further exploitation attempts.\n- Investigate the history of the user account involved to determine if there have been any previous suspicious activities or privilege escalation attempts.\n- Assess the system for any signs of compromise or unauthorized changes, such as new user accounts, modified files, or unexpected network connections.\n- Verify the current version of Sudo installed on the system to determine if it is vulnerable to CVE-2021-3156 and consider applying patches or updates if necessary.\n\n### False positive analysis\n\n- Routine administrative tasks using sudo or sudoedit with interactive or shell options may trigger the rule. Review the context of these commands and consider excluding specific user accounts or scripts that are known to perform legitimate administrative functions.\n- Automated scripts or cron jobs that use sudo with the -i or -s options for legitimate purposes can be flagged. Identify these scripts and add them to an exception list to prevent unnecessary alerts.\n- Development or testing environments where users frequently test commands with elevated privileges might generate false positives. Implement a separate monitoring policy for these environments or exclude known test accounts.\n- Security tools or monitoring solutions that simulate attacks for testing purposes may inadvertently trigger the rule. Ensure these tools are recognized and excluded from triggering alerts by adding them to an exception list.\n- Users with legitimate reasons to frequently switch to root using sudo -i or sudo -s should be identified, and their activities should be monitored separately to avoid false positives.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the attacker.\n- Terminate any suspicious sudo or sudoedit processes identified by the detection rule to halt ongoing exploitation attempts.\n- Apply the latest security patches and updates to the Sudo utility on all affected systems to remediate the vulnerability (CVE-2021-3156).\n- Conduct a thorough review of system logs and process execution history to identify any unauthorized access or privilege escalation activities.\n- Reset passwords for all user accounts on the affected system, especially those with elevated privileges, to mitigate potential credential compromise.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the scope of the breach.\n- Implement enhanced monitoring and alerting for sudo and sudoedit command executions across the network to detect similar exploitation attempts in the future.", - "query": "event.category:process and event.type:start and\n process.name:(sudo or sudoedit) and\n process.args:(*\\\\ and (\"-i\" or \"-s\"))\n", - "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156", - "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", - "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw", - "https://www.sudo.ws/alerts/unescape_overflow.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "threshold": { - "field": [ - "host.hostname" - ], - "value": 100 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 108 - }, - "id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8_108", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_109.json b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_109.json deleted file mode 100644 index fff990fb5f9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_109.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.", - "false_positives": [ - "This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Deprecated - Sudo Heap-Based Buffer Overflow Attempt", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Deprecated - Sudo Heap-Based Buffer Overflow Attempt\n\nSudo is a critical utility in Unix-like systems, allowing users to execute commands with elevated privileges. A heap-based buffer overflow in Sudo (CVE-2021-3156) can be exploited by attackers to gain root access. Adversaries may craft specific command-line arguments to trigger this vulnerability. The detection rule identifies suspicious Sudo or Sudoedit invocations with particular argument patterns, signaling potential exploitation attempts.\n\n### Possible investigation steps\n\n- Review the alert details to confirm the presence of suspicious Sudo or Sudoedit invocations with the specific argument patterns: process.args containing a backslash followed by either \"-i\" or \"-s\".\n- Examine the process execution context by gathering additional details such as the user account associated with the process, the parent process, and the command line used.\n- Check the system logs for any other unusual or unauthorized activities around the time of the alert to identify potential lateral movement or further exploitation attempts.\n- Investigate the history of the user account involved to determine if there have been any previous suspicious activities or privilege escalation attempts.\n- Assess the system for any signs of compromise or unauthorized changes, such as new user accounts, modified files, or unexpected network connections.\n- Verify the current version of Sudo installed on the system to determine if it is vulnerable to CVE-2021-3156 and consider applying patches or updates if necessary.\n\n### False positive analysis\n\n- Routine administrative tasks using sudo or sudoedit with interactive or shell options may trigger the rule. Review the context of these commands and consider excluding specific user accounts or scripts that are known to perform legitimate administrative functions.\n- Automated scripts or cron jobs that use sudo with the -i or -s options for legitimate purposes can be flagged. Identify these scripts and add them to an exception list to prevent unnecessary alerts.\n- Development or testing environments where users frequently test commands with elevated privileges might generate false positives. Implement a separate monitoring policy for these environments or exclude known test accounts.\n- Security tools or monitoring solutions that simulate attacks for testing purposes may inadvertently trigger the rule. Ensure these tools are recognized and excluded from triggering alerts by adding them to an exception list.\n- Users with legitimate reasons to frequently switch to root using sudo -i or sudo -s should be identified, and their activities should be monitored separately to avoid false positives.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the attacker.\n- Terminate any suspicious sudo or sudoedit processes identified by the detection rule to halt ongoing exploitation attempts.\n- Apply the latest security patches and updates to the Sudo utility on all affected systems to remediate the vulnerability (CVE-2021-3156).\n- Conduct a thorough review of system logs and process execution history to identify any unauthorized access or privilege escalation activities.\n- Reset passwords for all user accounts on the affected system, especially those with elevated privileges, to mitigate potential credential compromise.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the scope of the breach.\n- Implement enhanced monitoring and alerting for sudo and sudoedit command executions across the network to detect similar exploitation attempts in the future.", - "query": "event.category:process and event.type:start and\n process.name:(sudo or sudoedit) and\n process.args:(*\\\\ and (\"-i\" or \"-s\"))\n", - "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156", - "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", - "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw", - "https://www.sudo.ws/alerts/unescape_overflow.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - }, - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.003", - "name": "Sudo and Sudo Caching", - "reference": "https://attack.mitre.org/techniques/T1548/003/" - } - ] - } - ] - } - ], - "threshold": { - "field": [ - "host.hostname" - ], - "value": 100 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 109 - }, - "id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8_109", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f4dc90eb-e77e-4f0e-b18b-eb50da9e827e_1.json b/packages/security_detection_engine/kibana/security_rule/f4dc90eb-e77e-4f0e-b18b-eb50da9e827e_1.json new file mode 100644 index 00000000000..f5281346b32 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f4dc90eb-e77e-4f0e-b18b-eb50da9e827e_1.json @@ -0,0 +1,141 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies creation or modification of a console login profile for an AWS IAM user via CreateLoginProfile or UpdateLoginProfile. A login profile enables password-based console sign-in for an IAM user. Adversaries who obtain programmatic credentials may create a login profile to add persistent interactive console access, or update an existing profile to reset another user's password and take over the account, even after the original access keys are rotated. Because console access for IAM users is increasingly provisioned through federation or IAM Identity Center, direct use of these APIs by an unexpected principal warrants review. This rule targets IAM users (the userName parameter is present); creation of a login profile for the account root user is covered by a separate rule.", + "false_positives": [ + "Administrators and identity teams may legitimately create or reset console login profiles during user onboarding, password resets, or break-glass procedures. Verify the principal in \"aws.cloudtrail.user_identity.arn\", the target user in \"aws.cloudtrail.request_parameters\", and whether the change aligns with an approved request. Known administration roles and provisioning automation can be excluded after validation." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "source.as.number", + "source.as.organization.name", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.user_identity.session_context.session_issuer.arn", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Login Profile Created or Modified for an IAM User", + "note": "## Triage and analysis\n\n### Investigating AWS IAM Login Profile Created or Modified for an IAM User\n\nA login profile enables password-based AWS console access for an IAM user. \"CreateLoginProfile\" adds a console password to a user that did not have one, and \"UpdateLoginProfile\" changes the password of an existing profile. An adversary operating with stolen programmatic credentials can use \"CreateLoginProfile\" to establish persistent interactive access, or \"UpdateLoginProfile\" to reset a privileged user's password and hijack the account, retaining access even if the compromised access keys are later disabled.\n\nBecause IAM-user console access is commonly provisioned through federation or IAM Identity Center rather than these APIs directly, unexpected use is a meaningful signal. Note that a user changing their own password uses ChangePassword, not UpdateLoginProfile, so UpdateLoginProfile typically reflects an administrative (or adversarial) reset of another user.\n\n### Possible investigation steps\n\n- Identify the actor in \"aws.cloudtrail.user_identity.arn\", \"aws.cloudtrail.user_identity.type\", and \"aws.cloudtrail.user_identity.session_context.session_issuer.arn\", and review \"source.ip\", \"source.as.organization.name\", and \"user_agent.original\" to determine whether the action came from an expected network path or automation platform.\n- Identify the target user in \"aws.cloudtrail.request_parameters\" and determine whether that user normally has console access and how privileged it is.\n- Check \"aws.cloudtrail.request_parameters\" for \"passwordResetRequired\"; a value of false (or omitted) may indicate the actor set a password they intend to reuse.\n- Correlate with surrounding activity by the same principal, such as CreateAccessKey, AttachUserPolicy, PutUserPolicy, virtual MFA registration, or a subsequent ConsoleLogin for the target user, which may indicate persistence or account takeover.\n\n### False positive analysis\n\n- Onboarding, password resets, and break-glass procedures legitimately use these APIs. Confirm the change is expected and exclude known administration roles or provisioning automation on \"aws.cloudtrail.user_identity.arn\" after validation.\n\n### Response and remediation\n\n- If the change is unauthorized, delete the login profile or reset the affected user's password, and revoke active console sessions for that user.\n- Rotate or restrict credentials for the acting principal if compromise is suspected, and review any IAM permission changes or access keys created by the same session.\n- Restrict \"iam:CreateLoginProfile\" and \"iam:UpdateLoginProfile\" to a small set of trusted administrators, and prefer federation or IAM Identity Center for console access.\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"iam.amazonaws.com\"\n and event.action: (\"CreateLoginProfile\" or \"UpdateLoginProfile\")\n and event.outcome: \"success\"\n and not aws.cloudtrail.user_identity.type: \"AWSService\"\n and not user_agent.original: (*terraform* or *pulumi* or *ansible*)\n and not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*)\n and not source.as.organization.name: (Amazon* or AMAZON* or Google*)\n and not source.address: (\"cloudformation.amazonaws.com\" or \"servicecatalog.amazonaws.com\")\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateLoginProfile.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.arn", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.as.organization.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.original", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f4dc90eb-e77e-4f0e-b18b-eb50da9e827e", + "setup": "This rule requires AWS CloudTrail logs ingested via the Elastic AWS integration. See https://docs.elastic.co/integrations/aws/cloudtrail for setup details.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.001", + "name": "Additional Cloud Credentials", + "reference": "https://attack.mitre.org/techniques/T1098/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "f4dc90eb-e77e-4f0e-b18b-eb50da9e827e_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f6fee40d-8a5e-4cc8-9f73-8688419c6d68_1.json b/packages/security_detection_engine/kibana/security_rule/f6fee40d-8a5e-4cc8-9f73-8688419c6d68_1.json new file mode 100644 index 00000000000..685398f98d3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f6fee40d-8a5e-4cc8-9f73-8688419c6d68_1.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies deletion of imported key material from an AWS KMS customer managed key via DeleteImportedKeyMaterial. Keys created with an external key material origin (BYOK) rely on key material that the customer imports. Deleting that material immediately makes the key unusable and renders all data encrypted under it inaccessible, with no recovery window. Unlike ScheduleKeyDeletion, which enforces a pending deletion period of 7 to 30 days, this action takes effect instantly, making it an attractive primitive for cloud ransomware and data-destruction attacks. Because this operation only applies to external-origin keys and is rare in normal operations, its use by an unexpected principal warrants prompt review.", + "false_positives": [ + "Encryption or platform teams that operate keys with imported key material (BYOK/HYOK) may delete and re-import material during key rotation, migration, or decommissioning. Verify the principal in \"aws.cloudtrail.user_identity.arn\", confirm the change aligns with a planned key lifecycle activity, and check whether material was re-imported shortly after. Known administration roles and automation can be excluded after validation." + ], + "from": "now-6m", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.resources.arn", + "aws.cloudtrail.resources.type", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS KMS Imported Key Material Deleted", + "note": "## Triage and analysis\n\n### Investigating AWS KMS Imported Key Material Deleted\n\nAWS KMS keys can be created with an external key material origin (BYOK), where the customer imports the cryptographic material rather than having KMS generate it. \"DeleteImportedKeyMaterial\" removes that material, immediately transitioning the key to a \"PendingImport\" state where it can no longer encrypt or decrypt. All data protected by the key becomes inaccessible until the exact same material is re-imported. Unlike \"ScheduleKeyDeletion\", there is no pending window, so the impact is instant and, for an adversary who controls and withholds the original material, effectively irreversible.\n\nBecause this action only applies to external-origin keys and is uncommon in normal operations, it should be treated as a high-risk, destructive action when performed unexpectedly. Adversaries may delete imported key material to sabotage recovery, destroy data, or hold encrypted resources for ransom.\n\n### Possible investigation steps\n\n- Identify the actor and authentication context in \"aws.cloudtrail.user_identity.arn\", \"aws.cloudtrail.user_identity.access_key_id\", and \"aws.cloudtrail.user_identity.type\", and review \"source.ip\" and \"user_agent.original\" to determine whether the action came from an expected network path or automation platform.\n- Identify the affected key from \"aws.cloudtrail.resources.arn\" or the \"keyId\" in \"aws.cloudtrail.request_parameters\", and determine which services and data depend on it (S3, EBS, RDS, Secrets Manager, etc.).\n- Determine whether the same material was re-imported shortly after (\"ImportKeyMaterial\") or whether the key was left unusable.\n- Correlate with surrounding activity by the same principal, such as KMS key policy changes, scheduled key deletions, S3 or EBS destructive actions, or credential changes that may indicate a broader sabotage or ransom attempt.\n\n### False positive analysis\n\n- Organizations with BYOK/HYOK requirements may delete and re-import key material during planned rotation, migration, or decommissioning. Confirm the change is expected and exclude known administration roles or automation on \"aws.cloudtrail.user_identity.arn\" after validation.\n\n### Response and remediation\n\n- If the deletion is unauthorized, re-import the original key material if it is securely retained, and restore access to affected services.\n- Treat any encrypted data whose key material cannot be re-imported as potentially unrecoverable, and engage incident response and data owners to assess impact.\n- Rotate or restrict credentials for the principal if compromise is suspected, and constrain \"kms:DeleteImportedKeyMaterial\" and \"kms:ImportKeyMaterial\" to a small set of trusted administrators.\n- Use AWS Organizations SCPs to limit who can manage imported key material in production accounts.\n\n### Additional information\n\n- [DeleteImportedKeyMaterial API](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteImportedKeyMaterial.html)\n- [Importing key material into AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)\n", + "query": "data_stream.dataset: \"aws.cloudtrail\"\n and event.provider: \"kms.amazonaws.com\"\n and event.action: \"DeleteImportedKeyMaterial\"\n and event.outcome: \"success\"\n and not aws.cloudtrail.user_identity.type: \"AWSService\"\n", + "references": [ + "https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteImportedKeyMaterial.html", + "https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f6fee40d-8a5e-4cc8-9f73-8688419c6d68", + "setup": "This rule requires AWS CloudTrail management events for AWS Backup and ingestion via the Elastic AWS CloudTrail integration. See https://docs.elastic.co/integrations/aws/cloudtrail.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS KMS", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/", + "subtechnique": [ + { + "id": "T1485.001", + "name": "Lifecycle-Triggered Deletion", + "reference": "https://attack.mitre.org/techniques/T1485/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "f6fee40d-8a5e-4cc8-9f73-8688419c6d68_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10_3.json b/packages/security_detection_engine/kibana/security_rule/f8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10_3.json new file mode 100644 index 00000000000..c1e816f1865 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10_3.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Kubernetes audit identities for kubelet (`system:node:*`) and workloads (`system:serviceaccount:*`) are meant to operate with tight, predictable API usage. Direct `get` or `list` on the Secrets API from those principals is often a sign of credential access. Attackers who stole a pod service-account token or node credentials sweep Secret objects for tokens, registry credentials, TLS keys, or application configuration. Even denied attempts still reveal intent to reach sensitive material. Legitimate controllers do read secrets they mount or manage, so this signal is most valuable when paired with triage (namespace scope, user agent, RBAC, and whether the identity should touch those secret names at all).", + "false_positives": [ + "In-cluster operators, CSI drivers, GitOps agents, and some platform controllers legitimately list or get Secrets in namespaces they manage; exclude known service accounts, namespaces, or user agents after baselining.", + "Rare kubelet or node maintenance tooling may touch Secret APIs; validate against change windows and approved node management paths." + ], + "index": [ + "logs-kubernetes.audit_logs-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Secret get or list from Node or Pod Service Account", + "note": "## Triage and analysis\n\n### Investigating Kubernetes Secret get or list from Node or Pod Service Account\n\nThis rule fires on Kubernetes audit events where the authenticated user is a node (`system:node:`) or a\npod service account (`system:serviceaccount::`) and the verb maps to read-style access\n(`get`, `list`) on the **secrets** resource. Treat node-originated secret reads as high priority: kubelet should\nnot broadly enumerate cluster secrets. For service accounts, prioritize cross-namespace access, access to\nhigh-value secret names, and clients that do not match the workload\u2019s normal user agent or deployment.\n\n### Possible investigation steps\n\n- Resolve `user.name` (or `kubernetes.audit.user.username` if present) to the node or workload and review RBAC\n RoleBindings and ClusterRoleBindings for secret `get`/`list` scope.\n- Inspect `kubernetes.audit.objectRef.namespace`, `kubernetes.audit.objectRef.name`, source IP, and\n `user_agent.original` for automation you recognize versus anomalous scripts or generic HTTP clients.\n- Review `kubernetes.audit.annotations.authorization_k8s_io/decision` for successful reads versus probing denials.\n- Correlate with pod exec, token creation, RoleBinding changes, or secret modification in the same time window.\n\n### False positive analysis\n\n- Controllers that reconcile Secrets (e.g. cert-manager, external-secrets, sealed-secrets) may match; allowlist their\n service accounts if behavior is expected and scoped.\n- Helm and package managers can list release secrets during deploys; correlate with pipelines and chart releases.\n\n### Response and remediation\n\n- If malicious, revoke the token or node credentials, cordon or isolate the host or workload, rotate exposed secrets, and\n tighten RBAC to least privilege for the affected identity.\n", + "query": "data_stream.dataset:\"kubernetes.audit_logs\" and\nevent.action:(get or list) and\nkubernetes.audit.objectRef.resource:\"secrets\" and\nuser.name:(system\\:serviceaccount\\:* or system\\:node\\:*) and source.ip:(* and not \"127.0.0.1\") and \nnot kubernetes.audit.user.groups:(\n \"system:serviceaccounts:flux-system\"\n or \"system:serviceaccounts:kyverno\"\n or \"system:serviceaccounts:ibm-csi\"\n or \"system:serviceaccounts:harvester-system\"\n or \"system:serviceaccounts:cattle-system\"\n or \"system:serviceaccounts:cattle-monitoring-system\"\n or system\\:serviceaccounts\\:cluster-fleet-local-local-*\n or \"system:serviceaccounts:rabbitmq-system\"\n or \"system:serviceaccounts:cattle-fleet-system\"\n) and \nnot (kubernetes.audit.user.username:\"system:serviceaccount:security:trivy-operator\" and kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name :trivy-operator-*) and \nnot (kubernetes.audit.user.username:\"system:serviceaccount:cert-manager:cert-manager-cainjector\" and kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name:cert-manager-cainjector-*) and \nnot (kubernetes.audit.user.username:\"system:serviceaccount:monitoring:plat-central-monitoring-pr-operator\" and kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name:plat-central-monitoring-pr-operator*) and \nnot (kubernetes.audit.user.username:\"system:serviceaccount:cert-manager:cert-manager\" and kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name:cert-manager-*)\n", + "references": [ + "https://attack.mitre.org/techniques/T1552/007/", + "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.7.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.user.groups", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.user.username", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Domain: Kubernetes", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.007", + "name": "Container API", + "reference": "https://attack.mitre.org/techniques/T1552/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "f8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_108.json b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_108.json deleted file mode 100644 index 7af3e099cb2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_108.json +++ /dev/null @@ -1,143 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "building_block_type": "default", - "description": "Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign legitimate DLLs.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.library-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Masquerading as System32 DLL", - "query": "library where event.action == \"load\" and dll.Ext.relative_file_creation_time <= 3600 and\n not (\n dll.path : (\n \"?:\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*\",\n \"?:\\\\Windows\\\\SystemTemp\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\",\n \"?:\\\\Windows\\\\assembly\\\\NativeImages_v*\"\n )\n ) and\n not (\n dll.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Hardware Abstraction Layer Publisher\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows 3rd party Component\",\n \"Microsoft 3rd Party Application Component\"\n ) and dll.code_signature.trusted == true\n ) and not dll.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n dll.name : (\n \"aadauthhelper.dll\", \"aadcloudap.dll\", \"aadjcsp.dll\", \"aadtb.dll\", \"aadwamextension.dll\", \"aarsvc.dll\", \"abovelockapphost.dll\", \"accessibilitycpl.dll\", \"accountaccessor.dll\", \"accountsrt.dll\", \"acgenral.dll\", \"aclayers.dll\", \"acledit.dll\", \"aclui.dll\", \"acmigration.dll\", \"acppage.dll\", \"acproxy.dll\", \"acspecfc.dll\", \"actioncenter.dll\", \"actioncentercpl.dll\", \"actionqueue.dll\", \"activationclient.dll\", \"activeds.dll\", \"activesynccsp.dll\", \"actxprxy.dll\", \"acwinrt.dll\", \"acxtrnal.dll\", \"adaptivecards.dll\", \"addressparser.dll\", \"adhapi.dll\", \"adhsvc.dll\", \"admtmpl.dll\", \"adprovider.dll\", \"adrclient.dll\", \"adsldp.dll\", \"adsldpc.dll\", \"adsmsext.dll\", \"adsnt.dll\", \"adtschema.dll\", \"advancedemojids.dll\", \"advapi32.dll\", \"advapi32res.dll\", \"advpack.dll\", \"aeevts.dll\", \"aeinv.dll\", \"aepic.dll\", \"ajrouter.dll\", \"altspace.dll\", \"amsi.dll\", \"amsiproxy.dll\", \"amstream.dll\", \"apds.dll\", \"aphostclient.dll\", \"aphostres.dll\", \"aphostservice.dll\", \"apisampling.dll\", \"apisetschema.dll\", \"apmon.dll\", \"apmonui.dll\", \"appcontracts.dll\", \"appextension.dll\", \"apphelp.dll\", \"apphlpdm.dll\", \"appidapi.dll\", \"appidsvc.dll\", \"appinfo.dll\", \"appinfoext.dll\", \"applicationframe.dll\", \"applockercsp.dll\", \"appmgmts.dll\", \"appmgr.dll\", \"appmon.dll\", \"appointmentapis.dll\", \"appraiser.dll\", \"appreadiness.dll\", \"apprepapi.dll\", \"appresolver.dll\", \"appsruprov.dll\", \"appvcatalog.dll\", \"appvclientps.dll\", \"appvetwclientres.dll\", \"appvintegration.dll\", \"appvmanifest.dll\", \"appvpolicy.dll\", \"appvpublishing.dll\", \"appvreporting.dll\", \"appvscripting.dll\", \"appvsentinel.dll\", \"appvstreamingux.dll\", \"appvstreammap.dll\", \"appvterminator.dll\", \"appxalluserstore.dll\", \"appxpackaging.dll\", \"appxsip.dll\", \"appxsysprep.dll\", \"archiveint.dll\", \"asferror.dll\", \"aspnet_counters.dll\", \"asycfilt.dll\", \"atl.dll\", \"atlthunk.dll\", \"atmlib.dll\", \"audioeng.dll\", \"audiohandlers.dll\", \"audiokse.dll\", \"audioses.dll\", \"audiosrv.dll\", \"auditcse.dll\", \"auditpolcore.dll\", \"auditpolmsg.dll\", \"authbroker.dll\", \"authbrokerui.dll\", \"authentication.dll\", \"authext.dll\", \"authfwcfg.dll\", \"authfwgp.dll\", \"authfwsnapin.dll\", \"authfwwizfwk.dll\", \"authhostproxy.dll\", \"authui.dll\", \"authz.dll\", \"autopilot.dll\", \"autopilotdiag.dll\", \"autoplay.dll\", \"autotimesvc.dll\", \"avicap32.dll\", \"avifil32.dll\", \"avrt.dll\", \"axinstsv.dll\", \"azroles.dll\", \"azroleui.dll\", \"azsqlext.dll\", \"basecsp.dll\", \"basesrv.dll\", \"batmeter.dll\", \"bcastdvrbroker.dll\", \"bcastdvrclient.dll\", \"bcastdvrcommon.dll\", \"bcd.dll\", \"bcdprov.dll\", \"bcdsrv.dll\", \"bcp47langs.dll\", \"bcp47mrm.dll\", \"bcrypt.dll\", \"bcryptprimitives.dll\", \"bdehdcfglib.dll\", \"bderepair.dll\", \"bdesvc.dll\", \"bdesysprep.dll\", \"bdeui.dll\", \"bfe.dll\", \"bi.dll\", \"bidispl.dll\", \"bindfltapi.dll\", \"bingasds.dll\", \"bingfilterds.dll\", \"bingmaps.dll\", \"biocredprov.dll\", \"bisrv.dll\", \"bitlockercsp.dll\", \"bitsigd.dll\", \"bitsperf.dll\", \"bitsproxy.dll\", \"biwinrt.dll\", \"blbevents.dll\", \"blbres.dll\", \"blb_ps.dll\", \"bluetoothapis.dll\", \"bnmanager.dll\", \"bootmenuux.dll\", \"bootstr.dll\", \"bootux.dll\", \"bootvid.dll\", \"bridgeres.dll\", \"brokerlib.dll\", \"browcli.dll\", \"browserbroker.dll\", \"browseui.dll\", \"btagservice.dll\", \"bthavctpsvc.dll\", \"bthavrcp.dll\", \"bthavrcpappsvc.dll\", \"bthci.dll\", \"bthpanapi.dll\", \"bthradiomedia.dll\", \"bthserv.dll\", \"bthtelemetry.dll\", \"btpanui.dll\", \"bwcontexthandler.dll\", \"cabapi.dll\", \"cabinet.dll\", \"cabview.dll\", \"callbuttons.dll\", \"cameracaptureui.dll\", \"capauthz.dll\", \"capiprovider.dll\", \"capisp.dll\", \"captureservice.dll\", \"castingshellext.dll\", \"castlaunch.dll\", \"catsrv.dll\", \"catsrvps.dll\", \"catsrvut.dll\", \"cbdhsvc.dll\", \"cca.dll\", \"cdd.dll\", \"cdosys.dll\", \"cdp.dll\", \"cdprt.dll\", \"cdpsvc.dll\", \"cdpusersvc.dll\", \"cemapi.dll\", \"certca.dll\", \"certcli.dll\", \"certcredprovider.dll\", \"certenc.dll\", \"certenroll.dll\", \"certenrollui.dll\", \"certmgr.dll\", \"certpkicmdlet.dll\", \"certpoleng.dll\", \"certprop.dll\", \"cewmdm.dll\", \"cfgbkend.dll\", \"cfgmgr32.dll\", \"cfgspcellular.dll\", \"cfgsppolicy.dll\", \"cflapi.dll\", \"cfmifs.dll\", \"cfmifsproxy.dll\", \"chakra.dll\", \"chakradiag.dll\", \"chakrathunk.dll\", \"chartv.dll\", \"chatapis.dll\", \"chkwudrv.dll\", \"chsstrokeds.dll\", \"chtbopomofods.dll\", \"chtcangjieds.dll\", \"chthkstrokeds.dll\", \"chtquickds.dll\", \"chxapds.dll\", \"chxdecoder.dll\", \"chxhapds.dll\", \"chxinputrouter.dll\", \"chxranker.dll\", \"ci.dll\", \"cic.dll\", \"cimfs.dll\", \"circoinst.dll\", \"ciwmi.dll\", \"clb.dll\", \"clbcatq.dll\", \"cldapi.dll\", \"cleanpccsp.dll\", \"clfsw32.dll\", \"cliconfg.dll\", \"clipboardserver.dll\", \"clipc.dll\", \"clipsvc.dll\", \"clipwinrt.dll\", \"cloudap.dll\", \"cloudidsvc.dll\", \"clrhost.dll\", \"clusapi.dll\", \"cmcfg32.dll\", \"cmdext.dll\", \"cmdial32.dll\", \"cmgrcspps.dll\", \"cmifw.dll\", \"cmintegrator.dll\", \"cmlua.dll\", \"cmpbk32.dll\", \"cmstplua.dll\", \"cmutil.dll\", \"cngcredui.dll\", \"cngprovider.dll\", \"cnvfat.dll\", \"cofiredm.dll\", \"colbact.dll\", \"colorcnv.dll\", \"colorui.dll\", \"combase.dll\", \"comcat.dll\", \"comctl32.dll\", \"comdlg32.dll\", \"coml2.dll\", \"comppkgsup.dll\", \"compstui.dll\", \"computecore.dll\", \"computenetwork.dll\", \"computestorage.dll\", \"comrepl.dll\", \"comres.dll\", \"comsnap.dll\", \"comsvcs.dll\", \"comuid.dll\", \"configmanager2.dll\", \"conhostv1.dll\", \"connect.dll\", \"consentux.dll\", \"consentuxclient.dll\", \"console.dll\", \"consolelogon.dll\", \"contactapis.dll\", \"container.dll\", \"coredpus.dll\", \"coreglobconfig.dll\", \"coremas.dll\", \"coremessaging.dll\", \"coremmres.dll\", \"coreshell.dll\", \"coreshellapi.dll\", \"coreuicomponents.dll\", \"correngine.dll\", \"courtesyengine.dll\", \"cpfilters.dll\", \"creddialogbroker.dll\", \"credprovhelper.dll\", \"credprovhost.dll\", \"credprovs.dll\", \"credprovslegacy.dll\", \"credssp.dll\", \"credui.dll\", \"crypt32.dll\", \"cryptbase.dll\", \"cryptcatsvc.dll\", \"cryptdlg.dll\", \"cryptdll.dll\", \"cryptext.dll\", \"cryptnet.dll\", \"cryptngc.dll\", \"cryptowinrt.dll\", \"cryptsp.dll\", \"cryptsvc.dll\", \"crypttpmeksvc.dll\", \"cryptui.dll\", \"cryptuiwizard.dll\", \"cryptxml.dll\", \"cscapi.dll\", \"cscdll.dll\", \"cscmig.dll\", \"cscobj.dll\", \"cscsvc.dll\", \"cscui.dll\", \"csplte.dll\", \"cspproxy.dll\", \"csrsrv.dll\", \"cxcredprov.dll\", \"c_g18030.dll\", \"c_gsm7.dll\", \"c_is2022.dll\", \"c_iscii.dll\", \"d2d1.dll\", \"d3d10.dll\", \"d3d10core.dll\", \"d3d10level9.dll\", \"d3d10warp.dll\", \"d3d10_1.dll\", \"d3d10_1core.dll\", \"d3d11.dll\", \"d3d11on12.dll\", \"d3d12.dll\", \"d3d12core.dll\", \"d3d8thk.dll\", \"d3d9.dll\", \"d3d9on12.dll\", \"d3dscache.dll\", \"dab.dll\", \"dabapi.dll\", \"daconn.dll\", \"dafbth.dll\", \"dafdnssd.dll\", \"dafescl.dll\", \"dafgip.dll\", \"dafiot.dll\", \"dafipp.dll\", \"dafmcp.dll\", \"dafpos.dll\", \"dafprintprovider.dll\", \"dafupnp.dll\", \"dafwcn.dll\", \"dafwfdprovider.dll\", \"dafwiprov.dll\", \"dafwsd.dll\", \"damediamanager.dll\", \"damm.dll\", \"das.dll\", \"dataclen.dll\", \"datusage.dll\", \"davclnt.dll\", \"davhlpr.dll\", \"davsyncprovider.dll\", \"daxexec.dll\", \"dbgcore.dll\", \"dbgeng.dll\", \"dbghelp.dll\", \"dbgmodel.dll\", \"dbnetlib.dll\", \"dbnmpntw.dll\", \"dciman32.dll\", \"dcntel.dll\", \"dcomp.dll\", \"ddaclsys.dll\", \"ddcclaimsapi.dll\", \"ddds.dll\", \"ddisplay.dll\", \"ddoiproxy.dll\", \"ddores.dll\", \"ddpchunk.dll\", \"ddptrace.dll\", \"ddputils.dll\", \"ddp_ps.dll\", \"ddraw.dll\", \"ddrawex.dll\", \"defragproxy.dll\", \"defragres.dll\", \"defragsvc.dll\", \"deploymentcsps.dll\", \"deskadp.dll\", \"deskmon.dll\", \"desktopshellext.dll\", \"devenum.dll\", \"deviceaccess.dll\", \"devicecenter.dll\", \"devicecredential.dll\", \"devicepairing.dll\", \"deviceuxres.dll\", \"devinv.dll\", \"devmgr.dll\", \"devobj.dll\", \"devpropmgr.dll\", \"devquerybroker.dll\", \"devrtl.dll\", \"dfdts.dll\", \"dfscli.dll\", \"dfshim.dll\", \"dfsshlex.dll\", \"dggpext.dll\", \"dhcpcmonitor.dll\", \"dhcpcore.dll\", \"dhcpcore6.dll\", \"dhcpcsvc.dll\", \"dhcpcsvc6.dll\", \"dhcpsapi.dll\", \"diagcpl.dll\", \"diagnosticlogcsp.dll\", \"diagperf.dll\", \"diagsvc.dll\", \"diagtrack.dll\", \"dialclient.dll\", \"dialserver.dll\", \"dictationmanager.dll\", \"difxapi.dll\", \"dimsjob.dll\", \"dimsroam.dll\", \"dinput.dll\", \"dinput8.dll\", \"direct2ddesktop.dll\", \"directml.dll\", \"discan.dll\", \"dismapi.dll\", \"dispbroker.dll\", \"dispex.dll\", \"display.dll\", \"displaymanager.dll\", \"dlnashext.dll\", \"dmappsres.dll\", \"dmcfgutils.dll\", \"dmcmnutils.dll\", \"dmcsps.dll\", \"dmdlgs.dll\", \"dmdskmgr.dll\", \"dmdskres.dll\", \"dmdskres2.dll\", \"dmenrollengine.dll\", \"dmintf.dll\", \"dmiso8601utils.dll\", \"dmloader.dll\", \"dmocx.dll\", \"dmoleaututils.dll\", \"dmpushproxy.dll\", \"dmpushroutercore.dll\", \"dmrcdecoder.dll\", \"dmrserver.dll\", \"dmsynth.dll\", \"dmusic.dll\", \"dmutil.dll\", \"dmvdsitf.dll\", \"dmwappushsvc.dll\", \"dmwmicsp.dll\", \"dmxmlhelputils.dll\", \"dnsapi.dll\", \"dnscmmc.dll\", \"dnsext.dll\", \"dnshc.dll\", \"dnsrslvr.dll\", \"docprop.dll\", \"dolbydecmft.dll\", \"domgmt.dll\", \"dosettings.dll\", \"dosvc.dll\", \"dot3api.dll\", \"dot3cfg.dll\", \"dot3conn.dll\", \"dot3dlg.dll\", \"dot3gpclnt.dll\", \"dot3gpui.dll\", \"dot3hc.dll\", \"dot3mm.dll\", \"dot3msm.dll\", \"dot3svc.dll\", \"dot3ui.dll\", \"dpapi.dll\", \"dpapiprovider.dll\", \"dpapisrv.dll\", \"dpnaddr.dll\", \"dpnathlp.dll\", \"dpnet.dll\", \"dpnhpast.dll\", \"dpnhupnp.dll\", \"dpnlobby.dll\", \"dps.dll\", \"dpx.dll\", \"drprov.dll\", \"drt.dll\", \"drtprov.dll\", \"drttransport.dll\", \"drvsetup.dll\", \"drvstore.dll\", \"dsauth.dll\", \"dsccore.dll\", \"dsccoreconfprov.dll\", \"dsclient.dll\", \"dscproxy.dll\", \"dsctimer.dll\", \"dsdmo.dll\", \"dskquota.dll\", \"dskquoui.dll\", \"dsound.dll\", \"dsparse.dll\", \"dsprop.dll\", \"dsquery.dll\", \"dsreg.dll\", \"dsregtask.dll\", \"dsrole.dll\", \"dssec.dll\", \"dssenh.dll\", \"dssvc.dll\", \"dsui.dll\", \"dsuiext.dll\", \"dswave.dll\", \"dtsh.dll\", \"ducsps.dll\", \"dui70.dll\", \"duser.dll\", \"dusmapi.dll\", \"dusmsvc.dll\", \"dwmapi.dll\", \"dwmcore.dll\", \"dwmghost.dll\", \"dwminit.dll\", \"dwmredir.dll\", \"dwmscene.dll\", \"dwrite.dll\", \"dxcore.dll\", \"dxdiagn.dll\", \"dxgi.dll\", \"dxgwdi.dll\", \"dxilconv.dll\", \"dxmasf.dll\", \"dxp.dll\", \"dxpps.dll\", \"dxptasksync.dll\", \"dxtmsft.dll\", \"dxtrans.dll\", \"dxva2.dll\", \"dynamoapi.dll\", \"eapp3hst.dll\", \"eappcfg.dll\", \"eappcfgui.dll\", \"eappgnui.dll\", \"eapphost.dll\", \"eappprxy.dll\", \"eapprovp.dll\", \"eapputil.dll\", \"eapsimextdesktop.dll\", \"eapsvc.dll\", \"eapteapauth.dll\", \"eapteapconfig.dll\", \"eapteapext.dll\", \"easconsent.dll\", \"easwrt.dll\", \"edgeangle.dll\", \"edgecontent.dll\", \"edgehtml.dll\", \"edgeiso.dll\", \"edgemanager.dll\", \"edpauditapi.dll\", \"edpcsp.dll\", \"edptask.dll\", \"edputil.dll\", \"eeprov.dll\", \"eeutil.dll\", \"efsadu.dll\", \"efscore.dll\", \"efsext.dll\", \"efslsaext.dll\", \"efssvc.dll\", \"efsutil.dll\", \"efswrt.dll\", \"ehstorapi.dll\", \"ehstorpwdmgr.dll\", \"ehstorshell.dll\", \"els.dll\", \"elscore.dll\", \"elshyph.dll\", \"elslad.dll\", \"elstrans.dll\", \"emailapis.dll\", \"embeddedmodesvc.dll\", \"emojids.dll\", \"encapi.dll\", \"energy.dll\", \"energyprov.dll\", \"energytask.dll\", \"enrollmentapi.dll\", \"enterpriseapncsp.dll\", \"enterprisecsps.dll\", \"enterpriseetw.dll\", \"eqossnap.dll\", \"errordetails.dll\", \"errordetailscore.dll\", \"es.dll\", \"esclprotocol.dll\", \"esclscan.dll\", \"esclwiadriver.dll\", \"esdsip.dll\", \"esent.dll\", \"esentprf.dll\", \"esevss.dll\", \"eshims.dll\", \"etwrundown.dll\", \"euiccscsp.dll\", \"eventaggregation.dll\", \"eventcls.dll\", \"evr.dll\", \"execmodelclient.dll\", \"execmodelproxy.dll\", \"explorerframe.dll\", \"exsmime.dll\", \"extrasxmlparser.dll\", \"f3ahvoas.dll\", \"facilitator.dll\", \"familysafetyext.dll\", \"faultrep.dll\", \"fcon.dll\", \"fdbth.dll\", \"fdbthproxy.dll\", \"fddevquery.dll\", \"fde.dll\", \"fdeploy.dll\", \"fdphost.dll\", \"fdpnp.dll\", \"fdprint.dll\", \"fdproxy.dll\", \"fdrespub.dll\", \"fdssdp.dll\", \"fdwcn.dll\", \"fdwnet.dll\", \"fdwsd.dll\", \"feclient.dll\", \"ffbroker.dll\", \"fhcat.dll\", \"fhcfg.dll\", \"fhcleanup.dll\", \"fhcpl.dll\", \"fhengine.dll\", \"fhevents.dll\", \"fhshl.dll\", \"fhsrchapi.dll\", \"fhsrchph.dll\", \"fhsvc.dll\", \"fhsvcctl.dll\", \"fhtask.dll\", \"fhuxadapter.dll\", \"fhuxapi.dll\", \"fhuxcommon.dll\", \"fhuxgraphics.dll\", \"fhuxpresentation.dll\", \"fidocredprov.dll\", \"filemgmt.dll\", \"filterds.dll\", \"findnetprinters.dll\", \"firewallapi.dll\", \"flightsettings.dll\", \"fltlib.dll\", \"fluencyds.dll\", \"fmapi.dll\", \"fmifs.dll\", \"fms.dll\", \"fntcache.dll\", \"fontext.dll\", \"fontprovider.dll\", \"fontsub.dll\", \"fphc.dll\", \"framedyn.dll\", \"framedynos.dll\", \"frameserver.dll\", \"frprov.dll\", \"fsutilext.dll\", \"fthsvc.dll\", \"fundisc.dll\", \"fveapi.dll\", \"fveapibase.dll\", \"fvecerts.dll\", \"fvecpl.dll\", \"fveskybackup.dll\", \"fveui.dll\", \"fvewiz.dll\", \"fwbase.dll\", \"fwcfg.dll\", \"fwmdmcsp.dll\", \"fwpolicyiomgr.dll\", \"fwpuclnt.dll\", \"fwremotesvr.dll\", \"gameinput.dll\", \"gamemode.dll\", \"gamestreamingext.dll\", \"gameux.dll\", \"gamingtcui.dll\", \"gcdef.dll\", \"gdi32.dll\", \"gdi32full.dll\", \"gdiplus.dll\", \"generaltel.dll\", \"geocommon.dll\", \"geolocation.dll\", \"getuname.dll\", \"glmf32.dll\", \"globinputhost.dll\", \"glu32.dll\", \"gmsaclient.dll\", \"gpapi.dll\", \"gpcsewrappercsp.dll\", \"gpedit.dll\", \"gpprefcl.dll\", \"gpprnext.dll\", \"gpscript.dll\", \"gpsvc.dll\", \"gptext.dll\", \"graphicscapture.dll\", \"graphicsperfsvc.dll\", \"groupinghc.dll\", \"hal.dll\", \"halextpl080.dll\", \"hascsp.dll\", \"hashtagds.dll\", \"hbaapi.dll\", \"hcproviders.dll\", \"hdcphandler.dll\", \"heatcore.dll\", \"helppaneproxy.dll\", \"hgcpl.dll\", \"hhsetup.dll\", \"hid.dll\", \"hidcfu.dll\", \"hidserv.dll\", \"hlink.dll\", \"hmkd.dll\", \"hnetcfg.dll\", \"hnetcfgclient.dll\", \"hnetmon.dll\", \"hologramworld.dll\", \"holoshellruntime.dll\", \"holoshextensions.dll\", \"hotplug.dll\", \"hrtfapo.dll\", \"httpapi.dll\", \"httpprxc.dll\", \"httpprxm.dll\", \"httpprxp.dll\", \"httpsdatasource.dll\", \"htui.dll\", \"hvhostsvc.dll\", \"hvloader.dll\", \"hvsigpext.dll\", \"hvsocket.dll\", \"hydrogen.dll\", \"ia2comproxy.dll\", \"ias.dll\", \"iasacct.dll\", \"iasads.dll\", \"iasdatastore.dll\", \"iashlpr.dll\", \"iasmigplugin.dll\", \"iasnap.dll\", \"iaspolcy.dll\", \"iasrad.dll\", \"iasrecst.dll\", \"iassam.dll\", \"iassdo.dll\", \"iassvcs.dll\", \"icfupgd.dll\", \"icm32.dll\", \"icmp.dll\", \"icmui.dll\", \"iconcodecservice.dll\", \"icsigd.dll\", \"icsvc.dll\", \"icsvcext.dll\", \"icu.dll\", \"icuin.dll\", \"icuuc.dll\", \"idctrls.dll\", \"idlisten.dll\", \"idndl.dll\", \"idstore.dll\", \"ieadvpack.dll\", \"ieapfltr.dll\", \"iedkcs32.dll\", \"ieframe.dll\", \"iemigplugin.dll\", \"iepeers.dll\", \"ieproxy.dll\", \"iernonce.dll\", \"iertutil.dll\", \"iesetup.dll\", \"iesysprep.dll\", \"ieui.dll\", \"ifmon.dll\", \"ifsutil.dll\", \"ifsutilx.dll\", \"igddiag.dll\", \"ihds.dll\", \"ikeext.dll\", \"imagehlp.dll\", \"imageres.dll\", \"imagesp1.dll\", \"imapi.dll\", \"imapi2.dll\", \"imapi2fs.dll\", \"imgutil.dll\", \"imm32.dll\", \"implatsetup.dll\", \"indexeddblegacy.dll\", \"inetcomm.dll\", \"inetmib1.dll\", \"inetpp.dll\", \"inetppui.dll\", \"inetres.dll\", \"inked.dll\", \"inkobjcore.dll\", \"inproclogger.dll\", \"input.dll\", \"inputcloudstore.dll\", \"inputcontroller.dll\", \"inputhost.dll\", \"inputservice.dll\", \"inputswitch.dll\", \"inseng.dll\", \"installservice.dll\", \"internetmail.dll\", \"internetmailcsp.dll\", \"invagent.dll\", \"iologmsg.dll\", \"iphlpapi.dll\", \"iphlpsvc.dll\", \"ipnathlp.dll\", \"ipnathlpclient.dll\", \"ippcommon.dll\", \"ippcommonproxy.dll\", \"iprtprio.dll\", \"iprtrmgr.dll\", \"ipsecsnp.dll\", \"ipsecsvc.dll\", \"ipsmsnap.dll\", \"ipxlatcfg.dll\", \"iri.dll\", \"iscsicpl.dll\", \"iscsidsc.dll\", \"iscsied.dll\", \"iscsiexe.dll\", \"iscsilog.dll\", \"iscsium.dll\", \"iscsiwmi.dll\", \"iscsiwmiv2.dll\", \"ism.dll\", \"itircl.dll\", \"itss.dll\", \"iuilp.dll\", \"iumbase.dll\", \"iumcrypt.dll\", \"iumdll.dll\", \"iumsdk.dll\", \"iyuv_32.dll\", \"joinproviderol.dll\", \"joinutil.dll\", \"jpmapcontrol.dll\", \"jpndecoder.dll\", \"jpninputrouter.dll\", \"jpnranker.dll\", \"jpnserviceds.dll\", \"jscript.dll\", \"jscript9.dll\", \"jscript9diag.dll\", \"jsproxy.dll\", \"kbd101.dll\", \"kbd101a.dll\", \"kbd101b.dll\", \"kbd101c.dll\", \"kbd103.dll\", \"kbd106.dll\", \"kbd106n.dll\", \"kbda1.dll\", \"kbda2.dll\", \"kbda3.dll\", \"kbdadlm.dll\", \"kbdal.dll\", \"kbdarme.dll\", \"kbdarmph.dll\", \"kbdarmty.dll\", \"kbdarmw.dll\", \"kbdax2.dll\", \"kbdaze.dll\", \"kbdazel.dll\", \"kbdazst.dll\", \"kbdbash.dll\", \"kbdbe.dll\", \"kbdbene.dll\", \"kbdbgph.dll\", \"kbdbgph1.dll\", \"kbdbhc.dll\", \"kbdblr.dll\", \"kbdbr.dll\", \"kbdbu.dll\", \"kbdbug.dll\", \"kbdbulg.dll\", \"kbdca.dll\", \"kbdcan.dll\", \"kbdcher.dll\", \"kbdcherp.dll\", \"kbdcr.dll\", \"kbdcz.dll\", \"kbdcz1.dll\", \"kbdcz2.dll\", \"kbdda.dll\", \"kbddiv1.dll\", \"kbddiv2.dll\", \"kbddv.dll\", \"kbddzo.dll\", \"kbdes.dll\", \"kbdest.dll\", \"kbdfa.dll\", \"kbdfar.dll\", \"kbdfc.dll\", \"kbdfi.dll\", \"kbdfi1.dll\", \"kbdfo.dll\", \"kbdfr.dll\", \"kbdfthrk.dll\", \"kbdgae.dll\", \"kbdgeo.dll\", \"kbdgeoer.dll\", \"kbdgeome.dll\", \"kbdgeooa.dll\", \"kbdgeoqw.dll\", \"kbdgkl.dll\", \"kbdgn.dll\", \"kbdgr.dll\", \"kbdgr1.dll\", \"kbdgrlnd.dll\", \"kbdgthc.dll\", \"kbdhau.dll\", \"kbdhaw.dll\", \"kbdhe.dll\", \"kbdhe220.dll\", \"kbdhe319.dll\", \"kbdheb.dll\", \"kbdhebl3.dll\", \"kbdhela2.dll\", \"kbdhela3.dll\", \"kbdhept.dll\", \"kbdhu.dll\", \"kbdhu1.dll\", \"kbdibm02.dll\", \"kbdibo.dll\", \"kbdic.dll\", \"kbdinasa.dll\", \"kbdinbe1.dll\", \"kbdinbe2.dll\", \"kbdinben.dll\", \"kbdindev.dll\", \"kbdinen.dll\", \"kbdinguj.dll\", \"kbdinhin.dll\", \"kbdinkan.dll\", \"kbdinmal.dll\", \"kbdinmar.dll\", \"kbdinori.dll\", \"kbdinpun.dll\", \"kbdintam.dll\", \"kbdintel.dll\", \"kbdinuk2.dll\", \"kbdir.dll\", \"kbdit.dll\", \"kbdit142.dll\", \"kbdiulat.dll\", \"kbdjav.dll\", \"kbdjpn.dll\", \"kbdkaz.dll\", \"kbdkhmr.dll\", \"kbdkni.dll\", \"kbdkor.dll\", \"kbdkurd.dll\", \"kbdkyr.dll\", \"kbdla.dll\", \"kbdlao.dll\", \"kbdlisub.dll\", \"kbdlisus.dll\", \"kbdlk41a.dll\", \"kbdlt.dll\", \"kbdlt1.dll\", \"kbdlt2.dll\", \"kbdlv.dll\", \"kbdlv1.dll\", \"kbdlvst.dll\", \"kbdmac.dll\", \"kbdmacst.dll\", \"kbdmaori.dll\", \"kbdmlt47.dll\", \"kbdmlt48.dll\", \"kbdmon.dll\", \"kbdmonmo.dll\", \"kbdmonst.dll\", \"kbdmyan.dll\", \"kbdne.dll\", \"kbdnec.dll\", \"kbdnec95.dll\", \"kbdnecat.dll\", \"kbdnecnt.dll\", \"kbdnepr.dll\", \"kbdnko.dll\", \"kbdno.dll\", \"kbdno1.dll\", \"kbdnso.dll\", \"kbdntl.dll\", \"kbdogham.dll\", \"kbdolch.dll\", \"kbdoldit.dll\", \"kbdosa.dll\", \"kbdosm.dll\", \"kbdpash.dll\", \"kbdphags.dll\", \"kbdpl.dll\", \"kbdpl1.dll\", \"kbdpo.dll\", \"kbdro.dll\", \"kbdropr.dll\", \"kbdrost.dll\", \"kbdru.dll\", \"kbdru1.dll\", \"kbdrum.dll\", \"kbdsf.dll\", \"kbdsg.dll\", \"kbdsl.dll\", \"kbdsl1.dll\", \"kbdsmsfi.dll\", \"kbdsmsno.dll\", \"kbdsn1.dll\", \"kbdsora.dll\", \"kbdsorex.dll\", \"kbdsors1.dll\", \"kbdsorst.dll\", \"kbdsp.dll\", \"kbdsw.dll\", \"kbdsw09.dll\", \"kbdsyr1.dll\", \"kbdsyr2.dll\", \"kbdtaile.dll\", \"kbdtajik.dll\", \"kbdtam99.dll\", \"kbdtat.dll\", \"kbdth0.dll\", \"kbdth1.dll\", \"kbdth2.dll\", \"kbdth3.dll\", \"kbdtifi.dll\", \"kbdtifi2.dll\", \"kbdtiprc.dll\", \"kbdtiprd.dll\", \"kbdtt102.dll\", \"kbdtuf.dll\", \"kbdtuq.dll\", \"kbdturme.dll\", \"kbdtzm.dll\", \"kbdughr.dll\", \"kbdughr1.dll\", \"kbduk.dll\", \"kbdukx.dll\", \"kbdur.dll\", \"kbdur1.dll\", \"kbdurdu.dll\", \"kbdus.dll\", \"kbdusa.dll\", \"kbdusl.dll\", \"kbdusr.dll\", \"kbdusx.dll\", \"kbduzb.dll\", \"kbdvntc.dll\", \"kbdwol.dll\", \"kbdyak.dll\", \"kbdyba.dll\", \"kbdycc.dll\", \"kbdycl.dll\", \"kd.dll\", \"kdcom.dll\", \"kdcpw.dll\", \"kdhvcom.dll\", \"kdnet.dll\", \"kdnet_uart16550.dll\", \"kdscli.dll\", \"kdstub.dll\", \"kdusb.dll\", \"kd_02_10df.dll\", \"kd_02_10ec.dll\", \"kd_02_1137.dll\", \"kd_02_14e4.dll\", \"kd_02_15b3.dll\", \"kd_02_1969.dll\", \"kd_02_19a2.dll\", \"kd_02_1af4.dll\", \"kd_02_8086.dll\", \"kd_07_1415.dll\", \"kd_0c_8086.dll\", \"kerbclientshared.dll\", \"kerberos.dll\", \"kernel32.dll\", \"kernelbase.dll\", \"keycredmgr.dll\", \"keyiso.dll\", \"keymgr.dll\", \"knobscore.dll\", \"knobscsp.dll\", \"ksuser.dll\", \"ktmw32.dll\", \"l2gpstore.dll\", \"l2nacp.dll\", \"l2sechc.dll\", \"laprxy.dll\", \"legacynetux.dll\", \"lfsvc.dll\", \"libcrypto.dll\", \"licensemanager.dll\", \"licensingcsp.dll\", \"licensingdiagspp.dll\", \"licensingwinrt.dll\", \"licmgr10.dll\", \"linkinfo.dll\", \"lltdapi.dll\", \"lltdres.dll\", \"lltdsvc.dll\", \"lmhsvc.dll\", \"loadperf.dll\", \"localsec.dll\", \"localspl.dll\", \"localui.dll\", \"locationapi.dll\", \"lockappbroker.dll\", \"lockcontroller.dll\", \"lockscreendata.dll\", \"loghours.dll\", \"logoncli.dll\", \"logoncontroller.dll\", \"lpasvc.dll\", \"lpk.dll\", \"lsasrv.dll\", \"lscshostpolicy.dll\", \"lsm.dll\", \"lsmproxy.dll\", \"lstelemetry.dll\", \"luainstall.dll\", \"luiapi.dll\", \"lz32.dll\", \"magnification.dll\", \"maintenanceui.dll\", \"manageci.dll\", \"mapconfiguration.dll\", \"mapcontrolcore.dll\", \"mapgeocoder.dll\", \"mapi32.dll\", \"mapistub.dll\", \"maprouter.dll\", \"mapsbtsvc.dll\", \"mapsbtsvcproxy.dll\", \"mapscsp.dll\", \"mapsstore.dll\", \"mapstoasttask.dll\", \"mapsupdatetask.dll\", \"mbaeapi.dll\", \"mbaeapipublic.dll\", \"mbaexmlparser.dll\", \"mbmediamanager.dll\", \"mbsmsapi.dll\", \"mbussdapi.dll\", \"mccsengineshared.dll\", \"mccspal.dll\", \"mciavi32.dll\", \"mcicda.dll\", \"mciqtz32.dll\", \"mciseq.dll\", \"mciwave.dll\", \"mcrecvsrc.dll\", \"mdmcommon.dll\", \"mdmdiagnostics.dll\", \"mdminst.dll\", \"mdmmigrator.dll\", \"mdmregistration.dll\", \"memorydiagnostic.dll\", \"messagingservice.dll\", \"mf.dll\", \"mf3216.dll\", \"mfaacenc.dll\", \"mfasfsrcsnk.dll\", \"mfaudiocnv.dll\", \"mfc42.dll\", \"mfc42u.dll\", \"mfcaptureengine.dll\", \"mfcore.dll\", \"mfcsubs.dll\", \"mfds.dll\", \"mfdvdec.dll\", \"mferror.dll\", \"mfh263enc.dll\", \"mfh264enc.dll\", \"mfksproxy.dll\", \"mfmediaengine.dll\", \"mfmjpegdec.dll\", \"mfmkvsrcsnk.dll\", \"mfmp4srcsnk.dll\", \"mfmpeg2srcsnk.dll\", \"mfnetcore.dll\", \"mfnetsrc.dll\", \"mfperfhelper.dll\", \"mfplat.dll\", \"mfplay.dll\", \"mfps.dll\", \"mfreadwrite.dll\", \"mfsensorgroup.dll\", \"mfsrcsnk.dll\", \"mfsvr.dll\", \"mftranscode.dll\", \"mfvdsp.dll\", \"mfvfw.dll\", \"mfwmaaec.dll\", \"mgmtapi.dll\", \"mi.dll\", \"mibincodec.dll\", \"midimap.dll\", \"migisol.dll\", \"miguiresource.dll\", \"mimefilt.dll\", \"mimofcodec.dll\", \"minstoreevents.dll\", \"miracastinputmgr.dll\", \"miracastreceiver.dll\", \"mirrordrvcompat.dll\", \"mispace.dll\", \"mitigationclient.dll\", \"miutils.dll\", \"mlang.dll\", \"mmcbase.dll\", \"mmcndmgr.dll\", \"mmcshext.dll\", \"mmdevapi.dll\", \"mmgaclient.dll\", \"mmgaproxystub.dll\", \"mmres.dll\", \"mobilenetworking.dll\", \"modemui.dll\", \"modernexecserver.dll\", \"moricons.dll\", \"moshost.dll\", \"moshostclient.dll\", \"moshostcore.dll\", \"mosstorage.dll\", \"mp3dmod.dll\", \"mp43decd.dll\", \"mp4sdecd.dll\", \"mpeval.dll\", \"mpg4decd.dll\", \"mpr.dll\", \"mprapi.dll\", \"mprddm.dll\", \"mprdim.dll\", \"mprext.dll\", \"mprmsg.dll\", \"mpssvc.dll\", \"mpunits.dll\", \"mrmcorer.dll\", \"mrmdeploy.dll\", \"mrmindexer.dll\", \"mrt100.dll\", \"mrt_map.dll\", \"msaatext.dll\", \"msac3enc.dll\", \"msacm32.dll\", \"msafd.dll\", \"msajapi.dll\", \"msalacdecoder.dll\", \"msalacencoder.dll\", \"msamrnbdecoder.dll\", \"msamrnbencoder.dll\", \"msamrnbsink.dll\", \"msamrnbsource.dll\", \"msasn1.dll\", \"msauddecmft.dll\", \"msaudite.dll\", \"msauserext.dll\", \"mscandui.dll\", \"mscat32.dll\", \"msclmd.dll\", \"mscms.dll\", \"mscoree.dll\", \"mscorier.dll\", \"mscories.dll\", \"msctf.dll\", \"msctfmonitor.dll\", \"msctfp.dll\", \"msctfui.dll\", \"msctfuimanager.dll\", \"msdadiag.dll\", \"msdart.dll\", \"msdelta.dll\", \"msdmo.dll\", \"msdrm.dll\", \"msdtckrm.dll\", \"msdtclog.dll\", \"msdtcprx.dll\", \"msdtcspoffln.dll\", \"msdtctm.dll\", \"msdtcuiu.dll\", \"msdtcvsp1res.dll\", \"msfeeds.dll\", \"msfeedsbs.dll\", \"msflacdecoder.dll\", \"msflacencoder.dll\", \"msftedit.dll\", \"msheif.dll\", \"mshtml.dll\", \"mshtmldac.dll\", \"mshtmled.dll\", \"mshtmler.dll\", \"msi.dll\", \"msicofire.dll\", \"msidcrl40.dll\", \"msident.dll\", \"msidle.dll\", \"msidntld.dll\", \"msieftp.dll\", \"msihnd.dll\", \"msiltcfg.dll\", \"msimg32.dll\", \"msimsg.dll\", \"msimtf.dll\", \"msisip.dll\", \"msiso.dll\", \"msiwer.dll\", \"mskeyprotcli.dll\", \"mskeyprotect.dll\", \"msls31.dll\", \"msmpeg2adec.dll\", \"msmpeg2enc.dll\", \"msmpeg2vdec.dll\", \"msobjs.dll\", \"msoert2.dll\", \"msopusdecoder.dll\", \"mspatcha.dll\", \"mspatchc.dll\", \"msphotography.dll\", \"msports.dll\", \"msprivs.dll\", \"msrahc.dll\", \"msrating.dll\", \"msrawimage.dll\", \"msrdc.dll\", \"msrdpwebaccess.dll\", \"msrle32.dll\", \"msscntrs.dll\", \"mssecuser.dll\", \"mssign32.dll\", \"mssip32.dll\", \"mssitlb.dll\", \"mssph.dll\", \"mssprxy.dll\", \"mssrch.dll\", \"mssvp.dll\", \"mstask.dll\", \"mstextprediction.dll\", \"mstscax.dll\", \"msutb.dll\", \"msv1_0.dll\", \"msvcirt.dll\", \"msvcp110_win.dll\", \"msvcp120_clr0400.dll\", \"msvcp140_clr0400.dll\", \"msvcp60.dll\", \"msvcp_win.dll\", \"msvcr100_clr0400.dll\", \"msvcr120_clr0400.dll\", \"msvcrt.dll\", \"msvfw32.dll\", \"msvidc32.dll\", \"msvidctl.dll\", \"msvideodsp.dll\", \"msvp9dec.dll\", \"msvproc.dll\", \"msvpxenc.dll\", \"mswb7.dll\", \"mswebp.dll\", \"mswmdm.dll\", \"mswsock.dll\", \"msxml3.dll\", \"msxml3r.dll\", \"msxml6.dll\", \"msxml6r.dll\", \"msyuv.dll\", \"mtcmodel.dll\", \"mtf.dll\", \"mtfappserviceds.dll\", \"mtfdecoder.dll\", \"mtffuzzyds.dll\", \"mtfserver.dll\", \"mtfspellcheckds.dll\", \"mtxclu.dll\", \"mtxdm.dll\", \"mtxex.dll\", \"mtxoci.dll\", \"muifontsetup.dll\", \"mycomput.dll\", \"mydocs.dll\", \"napcrypt.dll\", \"napinsp.dll\", \"naturalauth.dll\", \"naturallanguage6.dll\", \"navshutdown.dll\", \"ncaapi.dll\", \"ncasvc.dll\", \"ncbservice.dll\", \"ncdautosetup.dll\", \"ncdprop.dll\", \"nci.dll\", \"ncobjapi.dll\", \"ncrypt.dll\", \"ncryptprov.dll\", \"ncryptsslp.dll\", \"ncsi.dll\", \"ncuprov.dll\", \"nddeapi.dll\", \"ndfapi.dll\", \"ndfetw.dll\", \"ndfhcdiscovery.dll\", \"ndishc.dll\", \"ndproxystub.dll\", \"nduprov.dll\", \"negoexts.dll\", \"netapi32.dll\", \"netbios.dll\", \"netcenter.dll\", \"netcfgx.dll\", \"netcorehc.dll\", \"netdiagfx.dll\", \"netdriverinstall.dll\", \"netevent.dll\", \"netfxperf.dll\", \"neth.dll\", \"netid.dll\", \"netiohlp.dll\", \"netjoin.dll\", \"netlogon.dll\", \"netman.dll\", \"netmsg.dll\", \"netplwiz.dll\", \"netprofm.dll\", \"netprofmsvc.dll\", \"netprovfw.dll\", \"netprovisionsp.dll\", \"netsetupapi.dll\", \"netsetupengine.dll\", \"netsetupshim.dll\", \"netsetupsvc.dll\", \"netshell.dll\", \"nettrace.dll\", \"netutils.dll\", \"networkexplorer.dll\", \"networkhelper.dll\", \"networkicon.dll\", \"networkproxycsp.dll\", \"networkstatus.dll\", \"networkuxbroker.dll\", \"newdev.dll\", \"nfcradiomedia.dll\", \"ngccredprov.dll\", \"ngcctnr.dll\", \"ngcctnrsvc.dll\", \"ngcisoctnr.dll\", \"ngckeyenum.dll\", \"ngcksp.dll\", \"ngclocal.dll\", \"ngcpopkeysrv.dll\", \"ngcprocsp.dll\", \"ngcrecovery.dll\", \"ngcsvc.dll\", \"ngctasks.dll\", \"ninput.dll\", \"nlaapi.dll\", \"nlahc.dll\", \"nlasvc.dll\", \"nlhtml.dll\", \"nlmgp.dll\", \"nlmproxy.dll\", \"nlmsprep.dll\", \"nlsbres.dll\", \"nlsdata0000.dll\", \"nlsdata0009.dll\", \"nlsdl.dll\", \"nlslexicons0009.dll\", \"nmadirect.dll\", \"normaliz.dll\", \"npmproxy.dll\", \"npsm.dll\", \"nrpsrv.dll\", \"nshhttp.dll\", \"nshipsec.dll\", \"nshwfp.dll\", \"nsi.dll\", \"nsisvc.dll\", \"ntasn1.dll\", \"ntdll.dll\", \"ntdsapi.dll\", \"ntlanman.dll\", \"ntlanui2.dll\", \"ntlmshared.dll\", \"ntmarta.dll\", \"ntprint.dll\", \"ntshrui.dll\", \"ntvdm64.dll\", \"objsel.dll\", \"occache.dll\", \"ocsetapi.dll\", \"odbc32.dll\", \"odbcbcp.dll\", \"odbcconf.dll\", \"odbccp32.dll\", \"odbccr32.dll\", \"odbccu32.dll\", \"odbcint.dll\", \"odbctrac.dll\", \"oemlicense.dll\", \"offfilt.dll\", \"officecsp.dll\", \"offlinelsa.dll\", \"offlinesam.dll\", \"offreg.dll\", \"ole32.dll\", \"oleacc.dll\", \"oleacchooks.dll\", \"oleaccrc.dll\", \"oleaut32.dll\", \"oledlg.dll\", \"oleprn.dll\", \"omadmagent.dll\", \"omadmapi.dll\", \"onebackuphandler.dll\", \"onex.dll\", \"onexui.dll\", \"opcservices.dll\", \"opengl32.dll\", \"ortcengine.dll\", \"osbaseln.dll\", \"osksupport.dll\", \"osuninst.dll\", \"p2p.dll\", \"p2pgraph.dll\", \"p2pnetsh.dll\", \"p2psvc.dll\", \"packager.dll\", \"panmap.dll\", \"pautoenr.dll\", \"pcacli.dll\", \"pcadm.dll\", \"pcaevts.dll\", \"pcasvc.dll\", \"pcaui.dll\", \"pcpksp.dll\", \"pcsvdevice.dll\", \"pcwum.dll\", \"pcwutl.dll\", \"pdh.dll\", \"pdhui.dll\", \"peerdist.dll\", \"peerdistad.dll\", \"peerdistcleaner.dll\", \"peerdistsh.dll\", \"peerdistsvc.dll\", \"peopleapis.dll\", \"peopleband.dll\", \"perceptiondevice.dll\", \"perfctrs.dll\", \"perfdisk.dll\", \"perfnet.dll\", \"perfos.dll\", \"perfproc.dll\", \"perfts.dll\", \"phoneom.dll\", \"phoneproviders.dll\", \"phoneservice.dll\", \"phoneserviceres.dll\", \"phoneutil.dll\", \"phoneutilres.dll\", \"photowiz.dll\", \"pickerplatform.dll\", \"pid.dll\", \"pidgenx.dll\", \"pifmgr.dll\", \"pimstore.dll\", \"pkeyhelper.dll\", \"pktmonapi.dll\", \"pku2u.dll\", \"pla.dll\", \"playlistfolder.dll\", \"playsndsrv.dll\", \"playtodevice.dll\", \"playtomanager.dll\", \"playtomenu.dll\", \"playtoreceiver.dll\", \"ploptin.dll\", \"pmcsnap.dll\", \"pngfilt.dll\", \"pnidui.dll\", \"pnpclean.dll\", \"pnppolicy.dll\", \"pnpts.dll\", \"pnpui.dll\", \"pnpxassoc.dll\", \"pnpxassocprx.dll\", \"pnrpauto.dll\", \"pnrphc.dll\", \"pnrpnsp.dll\", \"pnrpsvc.dll\", \"policymanager.dll\", \"polstore.dll\", \"posetup.dll\", \"posyncservices.dll\", \"pots.dll\", \"powercpl.dll\", \"powrprof.dll\", \"ppcsnap.dll\", \"prauthproviders.dll\", \"prflbmsg.dll\", \"printui.dll\", \"printwsdahost.dll\", \"prm0009.dll\", \"prncache.dll\", \"prnfldr.dll\", \"prnntfy.dll\", \"prntvpt.dll\", \"profapi.dll\", \"profext.dll\", \"profprov.dll\", \"profsvc.dll\", \"profsvcext.dll\", \"propsys.dll\", \"provcore.dll\", \"provdatastore.dll\", \"provdiagnostics.dll\", \"provengine.dll\", \"provhandlers.dll\", \"provisioningcsp.dll\", \"provmigrate.dll\", \"provops.dll\", \"provplugineng.dll\", \"provsysprep.dll\", \"provthrd.dll\", \"proximitycommon.dll\", \"proximityservice.dll\", \"prvdmofcomp.dll\", \"psapi.dll\", \"pshed.dll\", \"psisdecd.dll\", \"psmsrv.dll\", \"pstask.dll\", \"pstorec.dll\", \"ptpprov.dll\", \"puiapi.dll\", \"puiobj.dll\", \"pushtoinstall.dll\", \"pwlauncher.dll\", \"pwrshplugin.dll\", \"pwsso.dll\", \"qasf.dll\", \"qcap.dll\", \"qdv.dll\", \"qdvd.dll\", \"qedit.dll\", \"qedwipes.dll\", \"qmgr.dll\", \"query.dll\", \"quiethours.dll\", \"qwave.dll\", \"racengn.dll\", \"racpldlg.dll\", \"radardt.dll\", \"radarrs.dll\", \"radcui.dll\", \"rasadhlp.dll\", \"rasapi32.dll\", \"rasauto.dll\", \"raschap.dll\", \"raschapext.dll\", \"rasctrs.dll\", \"rascustom.dll\", \"rasdiag.dll\", \"rasdlg.dll\", \"rasgcw.dll\", \"rasman.dll\", \"rasmans.dll\", \"rasmbmgr.dll\", \"rasmediamanager.dll\", \"rasmm.dll\", \"rasmontr.dll\", \"rasplap.dll\", \"rasppp.dll\", \"rastapi.dll\", \"rastls.dll\", \"rastlsext.dll\", \"rdbui.dll\", \"rdpbase.dll\", \"rdpcfgex.dll\", \"rdpcore.dll\", \"rdpcorets.dll\", \"rdpencom.dll\", \"rdpendp.dll\", \"rdpnano.dll\", \"rdpsaps.dll\", \"rdpserverbase.dll\", \"rdpsharercom.dll\", \"rdpudd.dll\", \"rdpviewerax.dll\", \"rdsappxhelper.dll\", \"rdsdwmdr.dll\", \"rdvvmtransport.dll\", \"rdxservice.dll\", \"rdxtaskfactory.dll\", \"reagent.dll\", \"reagenttask.dll\", \"recovery.dll\", \"regapi.dll\", \"regctrl.dll\", \"regidle.dll\", \"regsvc.dll\", \"reguwpapi.dll\", \"reinfo.dll\", \"remotepg.dll\", \"remotewipecsp.dll\", \"reportingcsp.dll\", \"resampledmo.dll\", \"resbparser.dll\", \"reseteng.dll\", \"resetengine.dll\", \"resetengonline.dll\", \"resourcemapper.dll\", \"resutils.dll\", \"rgb9rast.dll\", \"riched20.dll\", \"riched32.dll\", \"rjvmdmconfig.dll\", \"rmapi.dll\", \"rmclient.dll\", \"rnr20.dll\", \"roamingsecurity.dll\", \"rometadata.dll\", \"rotmgr.dll\", \"rpcepmap.dll\", \"rpchttp.dll\", \"rpcns4.dll\", \"rpcnsh.dll\", \"rpcrt4.dll\", \"rpcrtremote.dll\", \"rpcss.dll\", \"rsaenh.dll\", \"rshx32.dll\", \"rstrtmgr.dll\", \"rtffilt.dll\", \"rtm.dll\", \"rtmediaframe.dll\", \"rtmmvrortc.dll\", \"rtutils.dll\", \"rtworkq.dll\", \"rulebasedds.dll\", \"samcli.dll\", \"samlib.dll\", \"samsrv.dll\", \"sas.dll\", \"sbe.dll\", \"sbeio.dll\", \"sberes.dll\", \"sbservicetrigger.dll\", \"scansetting.dll\", \"scardbi.dll\", \"scarddlg.dll\", \"scardsvr.dll\", \"scavengeui.dll\", \"scdeviceenum.dll\", \"scecli.dll\", \"scesrv.dll\", \"schannel.dll\", \"schedcli.dll\", \"schedsvc.dll\", \"scksp.dll\", \"scripto.dll\", \"scrobj.dll\", \"scrptadm.dll\", \"scrrun.dll\", \"sdcpl.dll\", \"sdds.dll\", \"sdengin2.dll\", \"sdfhost.dll\", \"sdhcinst.dll\", \"sdiageng.dll\", \"sdiagprv.dll\", \"sdiagschd.dll\", \"sdohlp.dll\", \"sdrsvc.dll\", \"sdshext.dll\", \"searchfolder.dll\", \"sechost.dll\", \"seclogon.dll\", \"secproc.dll\", \"secproc_isv.dll\", \"secproc_ssp.dll\", \"secproc_ssp_isv.dll\", \"secur32.dll\", \"security.dll\", \"semgrps.dll\", \"semgrsvc.dll\", \"sendmail.dll\", \"sens.dll\", \"sensapi.dll\", \"sensorsapi.dll\", \"sensorscpl.dll\", \"sensorservice.dll\", \"sensorsnativeapi.dll\", \"sensorsutilsv2.dll\", \"sensrsvc.dll\", \"serialui.dll\", \"servicinguapi.dll\", \"serwvdrv.dll\", \"sessenv.dll\", \"setbcdlocale.dll\", \"settingmonitor.dll\", \"settingsync.dll\", \"settingsynccore.dll\", \"setupapi.dll\", \"setupcl.dll\", \"setupcln.dll\", \"setupetw.dll\", \"sfc.dll\", \"sfc_os.dll\", \"sgrmenclave.dll\", \"shacct.dll\", \"shacctprofile.dll\", \"sharedpccsp.dll\", \"sharedrealitysvc.dll\", \"sharehost.dll\", \"sharemediacpl.dll\", \"shcore.dll\", \"shdocvw.dll\", \"shell32.dll\", \"shellstyle.dll\", \"shfolder.dll\", \"shgina.dll\", \"shimeng.dll\", \"shimgvw.dll\", \"shlwapi.dll\", \"shpafact.dll\", \"shsetup.dll\", \"shsvcs.dll\", \"shunimpl.dll\", \"shutdownext.dll\", \"shutdownux.dll\", \"shwebsvc.dll\", \"signdrv.dll\", \"simauth.dll\", \"simcfg.dll\", \"skci.dll\", \"slc.dll\", \"slcext.dll\", \"slwga.dll\", \"smartscreenps.dll\", \"smbhelperclass.dll\", \"smbwmiv2.dll\", \"smiengine.dll\", \"smphost.dll\", \"smsroutersvc.dll\", \"sndvolsso.dll\", \"snmpapi.dll\", \"socialapis.dll\", \"softkbd.dll\", \"softpub.dll\", \"sortwindows61.dll\", \"sortwindows62.dll\", \"spacebridge.dll\", \"spacecontrol.dll\", \"spatializerapo.dll\", \"spatialstore.dll\", \"spbcd.dll\", \"speechpal.dll\", \"spfileq.dll\", \"spinf.dll\", \"spmpm.dll\", \"spnet.dll\", \"spoolss.dll\", \"spopk.dll\", \"spp.dll\", \"sppc.dll\", \"sppcext.dll\", \"sppcomapi.dll\", \"sppcommdlg.dll\", \"sppinst.dll\", \"sppnp.dll\", \"sppobjs.dll\", \"sppwinob.dll\", \"sppwmi.dll\", \"spwinsat.dll\", \"spwizeng.dll\", \"spwizimg.dll\", \"spwizres.dll\", \"spwmp.dll\", \"sqlsrv32.dll\", \"sqmapi.dll\", \"srchadmin.dll\", \"srclient.dll\", \"srcore.dll\", \"srevents.dll\", \"srh.dll\", \"srhelper.dll\", \"srm.dll\", \"srmclient.dll\", \"srmlib.dll\", \"srmscan.dll\", \"srmshell.dll\", \"srmstormod.dll\", \"srmtrace.dll\", \"srm_ps.dll\", \"srpapi.dll\", \"srrstr.dll\", \"srumapi.dll\", \"srumsvc.dll\", \"srvcli.dll\", \"srvsvc.dll\", \"srwmi.dll\", \"sscore.dll\", \"sscoreext.dll\", \"ssdm.dll\", \"ssdpapi.dll\", \"ssdpsrv.dll\", \"sspicli.dll\", \"sspisrv.dll\", \"ssshim.dll\", \"sstpsvc.dll\", \"starttiledata.dll\", \"startupscan.dll\", \"stclient.dll\", \"sti.dll\", \"sti_ci.dll\", \"stobject.dll\", \"storageusage.dll\", \"storagewmi.dll\", \"storewuauth.dll\", \"storprop.dll\", \"storsvc.dll\", \"streamci.dll\", \"structuredquery.dll\", \"sud.dll\", \"svf.dll\", \"svsvc.dll\", \"swprv.dll\", \"sxproxy.dll\", \"sxs.dll\", \"sxshared.dll\", \"sxssrv.dll\", \"sxsstore.dll\", \"synccenter.dll\", \"synccontroller.dll\", \"synchostps.dll\", \"syncproxy.dll\", \"syncreg.dll\", \"syncres.dll\", \"syncsettings.dll\", \"syncutil.dll\", \"sysclass.dll\", \"sysfxui.dll\", \"sysmain.dll\", \"sysntfy.dll\", \"syssetup.dll\", \"systemcpl.dll\", \"t2embed.dll\", \"tabbtn.dll\", \"tabbtnex.dll\", \"tabsvc.dll\", \"tapi3.dll\", \"tapi32.dll\", \"tapilua.dll\", \"tapimigplugin.dll\", \"tapiperf.dll\", \"tapisrv.dll\", \"tapisysprep.dll\", \"tapiui.dll\", \"taskapis.dll\", \"taskbarcpl.dll\", \"taskcomp.dll\", \"taskschd.dll\", \"taskschdps.dll\", \"tbauth.dll\", \"tbs.dll\", \"tcbloader.dll\", \"tcpipcfg.dll\", \"tcpmib.dll\", \"tcpmon.dll\", \"tcpmonui.dll\", \"tdh.dll\", \"tdlmigration.dll\", \"tellib.dll\", \"termmgr.dll\", \"termsrv.dll\", \"tetheringclient.dll\", \"tetheringmgr.dll\", \"tetheringservice.dll\", \"tetheringstation.dll\", \"textshaping.dll\", \"themecpl.dll\", \"themeservice.dll\", \"themeui.dll\", \"threadpoolwinrt.dll\", \"thumbcache.dll\", \"timebrokerclient.dll\", \"timebrokerserver.dll\", \"timesync.dll\", \"timesynctask.dll\", \"tlscsp.dll\", \"tokenbinding.dll\", \"tokenbroker.dll\", \"tokenbrokerui.dll\", \"tpmcertresources.dll\", \"tpmcompc.dll\", \"tpmtasks.dll\", \"tpmvsc.dll\", \"tquery.dll\", \"traffic.dll\", \"transportdsa.dll\", \"trie.dll\", \"trkwks.dll\", \"tsbyuv.dll\", \"tscfgwmi.dll\", \"tserrredir.dll\", \"tsf3gip.dll\", \"tsgqec.dll\", \"tsmf.dll\", \"tspkg.dll\", \"tspubwmi.dll\", \"tssessionux.dll\", \"tssrvlic.dll\", \"tsworkspace.dll\", \"ttdloader.dll\", \"ttdplm.dll\", \"ttdrecord.dll\", \"ttdrecordcpu.dll\", \"ttlsauth.dll\", \"ttlscfg.dll\", \"ttlsext.dll\", \"tvratings.dll\", \"twext.dll\", \"twinapi.dll\", \"twinui.dll\", \"txflog.dll\", \"txfw32.dll\", \"tzautoupdate.dll\", \"tzres.dll\", \"tzsyncres.dll\", \"ubpm.dll\", \"ucmhc.dll\", \"ucrtbase.dll\", \"ucrtbase_clr0400.dll\", \"ucrtbase_enclave.dll\", \"udhisapi.dll\", \"udwm.dll\", \"ueficsp.dll\", \"uexfat.dll\", \"ufat.dll\", \"uiamanager.dll\", \"uianimation.dll\", \"uiautomationcore.dll\", \"uicom.dll\", \"uireng.dll\", \"uiribbon.dll\", \"uiribbonres.dll\", \"ulib.dll\", \"umb.dll\", \"umdmxfrm.dll\", \"umpdc.dll\", \"umpnpmgr.dll\", \"umpo-overrides.dll\", \"umpo.dll\", \"umpoext.dll\", \"umpowmi.dll\", \"umrdp.dll\", \"unattend.dll\", \"unenrollhook.dll\", \"unimdmat.dll\", \"uniplat.dll\", \"unistore.dll\", \"untfs.dll\", \"updateagent.dll\", \"updatecsp.dll\", \"updatepolicy.dll\", \"upnp.dll\", \"upnphost.dll\", \"upshared.dll\", \"urefs.dll\", \"urefsv1.dll\", \"ureg.dll\", \"url.dll\", \"urlmon.dll\", \"usbcapi.dll\", \"usbceip.dll\", \"usbmon.dll\", \"usbperf.dll\", \"usbpmapi.dll\", \"usbtask.dll\", \"usbui.dll\", \"user32.dll\", \"usercpl.dll\", \"userdataservice.dll\", \"userdatatimeutil.dll\", \"userenv.dll\", \"userinitext.dll\", \"usermgr.dll\", \"usermgrcli.dll\", \"usermgrproxy.dll\", \"usoapi.dll\", \"usocoreps.dll\", \"usosvc.dll\", \"usp10.dll\", \"ustprov.dll\", \"utcutil.dll\", \"utildll.dll\", \"uudf.dll\", \"uvcmodel.dll\", \"uwfcfgmgmt.dll\", \"uwfcsp.dll\", \"uwfservicingapi.dll\", \"uxinit.dll\", \"uxlib.dll\", \"uxlibres.dll\", \"uxtheme.dll\", \"vac.dll\", \"van.dll\", \"vault.dll\", \"vaultcds.dll\", \"vaultcli.dll\", \"vaultroaming.dll\", \"vaultsvc.dll\", \"vbsapi.dll\", \"vbscript.dll\", \"vbssysprep.dll\", \"vcardparser.dll\", \"vdsbas.dll\", \"vdsdyn.dll\", \"vdsutil.dll\", \"vdsvd.dll\", \"vds_ps.dll\", \"verifier.dll\", \"vertdll.dll\", \"vfuprov.dll\", \"vfwwdm32.dll\", \"vhfum.dll\", \"vid.dll\", \"videohandlers.dll\", \"vidreszr.dll\", \"virtdisk.dll\", \"vmbuspipe.dll\", \"vmdevicehost.dll\", \"vmictimeprovider.dll\", \"vmrdvcore.dll\", \"voiprt.dll\", \"vpnike.dll\", \"vpnikeapi.dll\", \"vpnsohdesktop.dll\", \"vpnv2csp.dll\", \"vscmgrps.dll\", \"vssapi.dll\", \"vsstrace.dll\", \"vss_ps.dll\", \"w32time.dll\", \"w32topl.dll\", \"waasassessment.dll\", \"waasmediccapsule.dll\", \"waasmedicps.dll\", \"waasmedicsvc.dll\", \"wabsyncprovider.dll\", \"walletproxy.dll\", \"walletservice.dll\", \"wavemsp.dll\", \"wbemcomn.dll\", \"wbiosrvc.dll\", \"wci.dll\", \"wcimage.dll\", \"wcmapi.dll\", \"wcmcsp.dll\", \"wcmsvc.dll\", \"wcnapi.dll\", \"wcncsvc.dll\", \"wcneapauthproxy.dll\", \"wcneappeerproxy.dll\", \"wcnnetsh.dll\", \"wcnwiz.dll\", \"wc_storage.dll\", \"wdc.dll\", \"wdi.dll\", \"wdigest.dll\", \"wdscore.dll\", \"webauthn.dll\", \"webcamui.dll\", \"webcheck.dll\", \"webclnt.dll\", \"webio.dll\", \"webservices.dll\", \"websocket.dll\", \"wecapi.dll\", \"wecsvc.dll\", \"wephostsvc.dll\", \"wer.dll\", \"werconcpl.dll\", \"wercplsupport.dll\", \"werenc.dll\", \"weretw.dll\", \"wersvc.dll\", \"werui.dll\", \"wevtapi.dll\", \"wevtfwd.dll\", \"wevtsvc.dll\", \"wfapigp.dll\", \"wfdprov.dll\", \"wfdsconmgr.dll\", \"wfdsconmgrsvc.dll\", \"wfhc.dll\", \"whealogr.dll\", \"whhelper.dll\", \"wiaaut.dll\", \"wiadefui.dll\", \"wiadss.dll\", \"wiarpc.dll\", \"wiascanprofiles.dll\", \"wiaservc.dll\", \"wiashext.dll\", \"wiatrace.dll\", \"wificloudstore.dll\", \"wificonfigsp.dll\", \"wifidisplay.dll\", \"wimgapi.dll\", \"win32spl.dll\", \"win32u.dll\", \"winbio.dll\", \"winbiodatamodel.dll\", \"winbioext.dll\", \"winbrand.dll\", \"wincorlib.dll\", \"wincredprovider.dll\", \"wincredui.dll\", \"windowmanagement.dll\", \"windowscodecs.dll\", \"windowscodecsext.dll\", \"windowscodecsraw.dll\", \"windowsiotcsp.dll\", \"windowslivelogin.dll\", \"winethc.dll\", \"winhttp.dll\", \"winhttpcom.dll\", \"winhvemulation.dll\", \"winhvplatform.dll\", \"wininet.dll\", \"wininetlui.dll\", \"wininitext.dll\", \"winipcfile.dll\", \"winipcsecproc.dll\", \"winipsec.dll\", \"winlangdb.dll\", \"winlogonext.dll\", \"winmde.dll\", \"winml.dll\", \"winmm.dll\", \"winmmbase.dll\", \"winmsipc.dll\", \"winnlsres.dll\", \"winnsi.dll\", \"winreagent.dll\", \"winrnr.dll\", \"winrscmd.dll\", \"winrsmgr.dll\", \"winrssrv.dll\", \"winrttracing.dll\", \"winsatapi.dll\", \"winscard.dll\", \"winsetupui.dll\", \"winshfhc.dll\", \"winsku.dll\", \"winsockhc.dll\", \"winsqlite3.dll\", \"winsrpc.dll\", \"winsrv.dll\", \"winsrvext.dll\", \"winsta.dll\", \"winsync.dll\", \"winsyncmetastore.dll\", \"winsyncproviders.dll\", \"wintrust.dll\", \"wintypes.dll\", \"winusb.dll\", \"wirednetworkcsp.dll\", \"wisp.dll\", \"wkscli.dll\", \"wkspbrokerax.dll\", \"wksprtps.dll\", \"wkssvc.dll\", \"wlanapi.dll\", \"wlancfg.dll\", \"wlanconn.dll\", \"wlandlg.dll\", \"wlangpui.dll\", \"wlanhc.dll\", \"wlanhlp.dll\", \"wlanmediamanager.dll\", \"wlanmm.dll\", \"wlanmsm.dll\", \"wlanpref.dll\", \"wlanradiomanager.dll\", \"wlansec.dll\", \"wlansvc.dll\", \"wlansvcpal.dll\", \"wlanui.dll\", \"wlanutil.dll\", \"wldap32.dll\", \"wldp.dll\", \"wlgpclnt.dll\", \"wlidcli.dll\", \"wlidcredprov.dll\", \"wlidfdp.dll\", \"wlidnsp.dll\", \"wlidprov.dll\", \"wlidres.dll\", \"wlidsvc.dll\", \"wmadmod.dll\", \"wmadmoe.dll\", \"wmalfxgfxdsp.dll\", \"wmasf.dll\", \"wmcodecdspps.dll\", \"wmdmlog.dll\", \"wmdmps.dll\", \"wmdrmsdk.dll\", \"wmerror.dll\", \"wmi.dll\", \"wmiclnt.dll\", \"wmicmiplugin.dll\", \"wmidcom.dll\", \"wmidx.dll\", \"wmiprop.dll\", \"wmitomi.dll\", \"wmnetmgr.dll\", \"wmp.dll\", \"wmpdui.dll\", \"wmpdxm.dll\", \"wmpeffects.dll\", \"wmphoto.dll\", \"wmploc.dll\", \"wmpps.dll\", \"wmpshell.dll\", \"wmsgapi.dll\", \"wmspdmod.dll\", \"wmspdmoe.dll\", \"wmvcore.dll\", \"wmvdecod.dll\", \"wmvdspa.dll\", \"wmvencod.dll\", \"wmvsdecd.dll\", \"wmvsencd.dll\", \"wmvxencd.dll\", \"woftasks.dll\", \"wofutil.dll\", \"wordbreakers.dll\", \"workfoldersgpext.dll\", \"workfoldersres.dll\", \"workfoldersshell.dll\", \"workfolderssvc.dll\", \"wosc.dll\", \"wow64.dll\", \"wow64cpu.dll\", \"wow64win.dll\", \"wpbcreds.dll\", \"wpc.dll\", \"wpcapi.dll\", \"wpcdesktopmonsvc.dll\", \"wpcproxystubs.dll\", \"wpcrefreshtask.dll\", \"wpcwebfilter.dll\", \"wpdbusenum.dll\", \"wpdshext.dll\", \"wpdshserviceobj.dll\", \"wpdsp.dll\", \"wpd_ci.dll\", \"wpnapps.dll\", \"wpnclient.dll\", \"wpncore.dll\", \"wpninprc.dll\", \"wpnprv.dll\", \"wpnservice.dll\", \"wpnsruprov.dll\", \"wpnuserservice.dll\", \"wpportinglibrary.dll\", \"wpprecorderum.dll\", \"wptaskscheduler.dll\", \"wpx.dll\", \"ws2help.dll\", \"ws2_32.dll\", \"wscapi.dll\", \"wscinterop.dll\", \"wscisvif.dll\", \"wsclient.dll\", \"wscproxystub.dll\", \"wscsvc.dll\", \"wsdapi.dll\", \"wsdchngr.dll\", \"wsdprintproxy.dll\", \"wsdproviderutil.dll\", \"wsdscanproxy.dll\", \"wsecedit.dll\", \"wsepno.dll\", \"wshbth.dll\", \"wshcon.dll\", \"wshelper.dll\", \"wshext.dll\", \"wshhyperv.dll\", \"wship6.dll\", \"wshqos.dll\", \"wshrm.dll\", \"wshtcpip.dll\", \"wshunix.dll\", \"wslapi.dll\", \"wsmagent.dll\", \"wsmauto.dll\", \"wsmplpxy.dll\", \"wsmres.dll\", \"wsmsvc.dll\", \"wsmwmipl.dll\", \"wsnmp32.dll\", \"wsock32.dll\", \"wsplib.dll\", \"wsp_fs.dll\", \"wsp_health.dll\", \"wsp_sr.dll\", \"wtsapi32.dll\", \"wuapi.dll\", \"wuaueng.dll\", \"wuceffects.dll\", \"wudfcoinstaller.dll\", \"wudfplatform.dll\", \"wudfsmcclassext.dll\", \"wudfx.dll\", \"wudfx02000.dll\", \"wudriver.dll\", \"wups.dll\", \"wups2.dll\", \"wuuhext.dll\", \"wuuhosdeployment.dll\", \"wvc.dll\", \"wwaapi.dll\", \"wwaext.dll\", \"wwanapi.dll\", \"wwancfg.dll\", \"wwanhc.dll\", \"wwanprotdim.dll\", \"wwanradiomanager.dll\", \"wwansvc.dll\", \"wwapi.dll\", \"xamltilerender.dll\", \"xaudio2_8.dll\", \"xaudio2_9.dll\", \"xblauthmanager.dll\", \"xblgamesave.dll\", \"xblgamesaveext.dll\", \"xblgamesaveproxy.dll\", \"xboxgipsvc.dll\", \"xboxgipsynthetic.dll\", \"xboxnetapisvc.dll\", \"xinput1_4.dll\", \"xinput9_1_0.dll\", \"xinputuap.dll\", \"xmlfilter.dll\", \"xmllite.dll\", \"xmlprovi.dll\", \"xolehlp.dll\", \"xpsgdiconverter.dll\", \"xpsprint.dll\", \"xpspushlayer.dll\", \"xpsrasterservice.dll\", \"xpsservices.dll\", \"xwizards.dll\", \"xwreg.dll\", \"xwtpdui.dll\", \"xwtpw32.dll\", \"zipcontainer.dll\", \"zipfldr.dll\", \"bootsvc.dll\", \"halextintcpsedma.dll\", \"icsvcvss.dll\", \"ieproxydesktop.dll\", \"lsaadt.dll\", \"nlansp_c.dll\", \"nrtapi.dll\", \"opencl.dll\", \"pfclient.dll\", \"pnpdiag.dll\", \"prxyqry.dll\", \"rdpnanotransport.dll\", \"servicingcommon.dll\", \"sortwindows63.dll\", \"sstpcfg.dll\", \"tdhres.dll\", \"umpodev.dll\", \"utcapi.dll\", \"windlp.dll\", \"wow64base.dll\", \"wow64con.dll\", \"blbuires.dll\", \"bpainst.dll\", \"cbclient.dll\", \"certadm.dll\", \"certocm.dll\", \"certpick.dll\", \"csdeployres.dll\", \"dsdeployres.dll\", \"eapa3hst.dll\", \"eapacfg.dll\", \"eapahost.dll\", \"elsext.dll\", \"encdump.dll\", \"escmigplugin.dll\", \"fsclient.dll\", \"fsdeployres.dll\", \"fssminst.dll\", \"fssmres.dll\", \"fssprov.dll\", \"ipamapi.dll\", \"kpssvc.dll\", \"lbfoadminlib.dll\", \"mintdh.dll\", \"mmci.dll\", \"mmcico.dll\", \"mprsnap.dll\", \"mstsmhst.dll\", \"mstsmmc.dll\", \"muxinst.dll\", \"personax.dll\", \"rassfm.dll\", \"rasuser.dll\", \"rdmsinst.dll\", \"rdmsres.dll\", \"rtrfiltr.dll\", \"sacsvr.dll\", \"scrdenrl.dll\", \"sdclient.dll\", \"sharedstartmodel.dll\", \"smsrouter.dll\", \"spwizimg_svr.dll\", \"sqlcecompact40.dll\", \"sqlceoledb40.dll\", \"sqlceqp40.dll\", \"sqlcese40.dll\", \"srvmgrinst.dll\", \"svrmgrnc.dll\", \"tapisnap.dll\", \"tlsbrand.dll\", \"tsec.dll\", \"tsprop.dll\", \"tspubiconhelper.dll\", \"tssdjet.dll\", \"tsuserex.dll\", \"ualapi.dll\", \"ualsvc.dll\", \"umcres.dll\", \"updatehandlers.dll\", \"usocore.dll\", \"vssui.dll\", \"wsbappres.dll\", \"wsbonline.dll\", \"wsmselpl.dll\", \"wsmselrr.dll\", \"xpsfilt.dll\", \"xpsshhdr.dll\"\n ) and\n not (\n (\n dll.name : \"icuuc.dll\" and dll.code_signature.subject_name in (\n \"Valve\", \"Valve Corp.\", \"Avanquest Software (7270356 Canada Inc)\", \"Adobe Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"timeSync.dll\", \"appInfo.dll\") and dll.code_signature.subject_name in (\n \"VMware Inc.\", \"VMware, Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"libcrypto.dll\" and dll.code_signature.subject_name in (\n \"NoMachine S.a.r.l.\", \"Oculus VR, LLC\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"ucrtbase.dll\" and dll.code_signature.subject_name in (\n \"Proofpoint, Inc.\", \"Rapid7 LLC\", \"Eclipse.org Foundation, Inc.\", \"Amazon.com Services LLC\", \"Windows Phone\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"libcrypto.dll\", \"wmi.dll\", \"geolocation.dll\", \"kerberos.dll\") and\n dll.code_signature.subject_name == \"Bitdefender SRL\" and dll.code_signature.trusted == true\n ) or\n (dll.name : \"ICMP.dll\" and dll.code_signature.subject_name == \"Paessler AG\" and dll.code_signature.trusted == true) or\n (dll.name : \"dbghelp.dll\" and dll.code_signature.trusted == true) or\n (dll.name : \"DirectML.dll\" and dll.code_signature.subject_name == \"Adobe Inc.\" and dll.code_signature.trusted == true) or\n (dll.name : \"icsvc.dll\" and dll.code_signature.subject_name in (\"Dell Inc\", \"Dell Technologies Inc.\") and dll.code_signature.trusted == true) or\n (dll.name : \"offreg.dll\" and dll.code_signature.subject_name == \"Malwarebytes Inc.\" and dll.code_signature.trusted == true) or\n (dll.name : \"AppMgr.dll\" and dll.code_signature.subject_name == \"Autodesk, Inc\" and dll.code_signature.trusted == true) or\n (dll.name : (\"SsShim.dll\", \"Msi.dll\", \"wdscore.dll\") and process.name : \"DismHost.exe\" and dll.path : \"C:\\\\Windows\\\\Temp\\\\*\") or\n (\n dll.path : (\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\dxgi.dll\",\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\wincorlib.dll\",\n \"?:\\\\Windows\\\\dxgi.dll\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\LINE\\\\bin\\\\current\\\\dbghelp.dll\"\n )\n )\n )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "dll.Ext.relative_file_creation_time", - "type": "unknown" - }, - { - "ecs": true, - "name": "dll.code_signature.status", - "type": "keyword" - }, - { - "ecs": true, - "name": "dll.code_signature.subject_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "dll.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "dll.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "dll.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "Data Source: Elastic Defend", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Rule Type: BBR" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/", - "subtechnique": [ - { - "id": "T1036.001", - "name": "Invalid Code Signature", - "reference": "https://attack.mitre.org/techniques/T1036/001/" - }, - { - "id": "T1036.005", - "name": "Match Legitimate Resource Name or Location", - "reference": "https://attack.mitre.org/techniques/T1036/005/" - } - ] - }, - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.001", - "name": "DLL", - "reference": "https://attack.mitre.org/techniques/T1574/001/" - }, - { - "id": "T1574.002", - "name": "DLL Side-Loading", - "reference": "https://attack.mitre.org/techniques/T1574/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1554", - "name": "Compromise Host Software Binary", - "reference": "https://attack.mitre.org/techniques/T1554/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 108 - }, - "id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435_108", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fb935960-d132-4bb5-853d-62f86cccc250_1.json b/packages/security_detection_engine/kibana/security_rule/fb935960-d132-4bb5-853d-62f86cccc250_1.json new file mode 100644 index 00000000000..79d1d5380d7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fb935960-d132-4bb5-853d-62f86cccc250_1.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Azure AD Graph (graph.windows.net) requests originating from network sources outside the major public-cloud and Microsoft ASNs that legitimate first-party callers normally come from. Adversary tooling typically rides on commodity hosting (residential ISPs, VPS providers, anonymisers) which produces an ASN distribution very different from the Microsoft / AWS / GCP / Akamai / Cloudflare ranges that dominate legitimate AAD Graph traffic.", + "false_positives": [ + "Users calling AAD Graph from corporate office networks or home ISPs with custom tooling. Tune the excluded ASN organisation list to your environment.", + "Cloud-hosted internal automation running outside the major providers (smaller cloud or colo). Add exceptions on the calling user or app ID after validation." + ], + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-azure.aadgraphactivitylogs-*" + ], + "investigation_fields": { + "field_names": [ + "user.id", + "source.ip", + "source.as.number", + "source.as.organization.name", + "source.geo.country_name", + "source.geo.city_name", + "user_agent.original", + "azure.aadgraphactivitylogs.properties.app_id", + "azure.aadgraphactivitylogs.properties.api_version", + "azure.tenant_id" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure AD Graph Access with Unusual User and ASN", + "new_terms_fields": [ + "user.id", + "source.as.number" + ], + "note": "## Triage and analysis\n\n### Investigating Azure AD Graph Access with Unusual User and ASN\n\nLegitimate AAD Graph callers in most tenants come from a small set of ASNs: Microsoft itself, the major\nhyperscalers (AWS, GCP), and a handful of CDN / edge -networks that proxy first-party traffic. AAD Graph\ntraffic originating from outside that set, especially from residential ISPs, generic VPS providers, or\nanonymising networks, is a signal worth a closer look. This rule excludes the common Microsoft / AWS /\nGCP / Akamai / Cloudflare ASN organisations and surfaces everything else.\n\n### Possible investigation steps\n\n- Identify the ASN and the geographic context.\n - `source.as.organization.name`, `source.as.number`, `source.geo.country_name`, `source.geo.city_name`.\n- Identify the user and whether the source matches normal behavior.\n - `user.id` and recent legitimate sign-in geo / network for the same user.\n- Cross-check user-agent and calling client for known offensive tooling fingerprints.\n - `user_agent.original` (`aiohttp`, `AADInternals`, `curl`, etc.) and `azure.aadgraphactivitylogs.properties.app_id` (FOCI / first-party client IDs).\n- Pivot to sign-in logs (`logs-azure.signinlogs-*`) for the same user / source IP to understand how the calling token was obtained.\n- Check tenant-wide blast radius.\n - Are other users in the tenant calling from the same ASN within the window? If so, treat as a systematic intrusion rather than a single account compromise.\n- Confirm the activity is not attributable to authorized testing (red team engagement, penetration test, internal tooling validation) before treating as malicious.\n\n### Response and remediation\n\n- Revoke refresh tokens and active sessions for the calling user.\n - `POST /v1.0/users/{id}/revokeSignInSessions`.\n- Temporarily disable the user if the alert is high-confidence or you need to halt further activity while investigation continues.\n - `PATCH /v1.0/users/{id}` with body `{\"accountEnabled\": false}`.\n- Check for device registrations created by the user during or around the burst window and remove rogue devices.\n - `GET /v1.0/users/{id}/registeredDevices` and `GET /v1.0/users/{id}/ownedDevices`, then `DELETE /v1.0/devices/{deviceObjectId}`.\n - Do this BEFORE session revocation: device-bound PRTs survive `revokeSignInSessions`.\n- Apply Conditional Access requiring compliant device or trusted network for AAD Graph access for the affected user population.\n- If the ASN belongs to known abusive infrastructure, add it to a tenant block list (Named Locations / CA policy).\n", + "query": "data_stream.dataset:azure.aadgraphactivitylogs and\n user.id:* and source.as.number:(* and\n not (\n 3598 or 7224 or 8068 or 8069 or 8070 or\n 8071 or 8072 or 8073 or 8074 or 8075 or\n 8987 or 12076 or 14618 or 15169 or 16509 or\n 19527 or 36040 or 36384 or 36385 or 36492 or\n 39111 or 394089 or 396982\n )\n )\n", + "references": [ + "https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview", + "https://github.com/dirkjanm/ROADtools" + ], + "related_integrations": [], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "source.as.number", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fb935960-d132-4bb5-853d-62f86cccc250", + "setup": "#### Azure AD Graph Activity Logs\nRequires Azure AD Graph Activity Logs ingested into `logs-azure.aadgraphactivitylogs-*` via the Elastic Azure\nintegration. Enable the `AzureADGraphActivityLogs` diagnostic-settings category on Entra ID. ASN enrichment\ndepends on the geoip / ASN ingest pipelines applied during integration ingestion.\n", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Azure AD Graph", + "Data Source: Azure AD Graph Activity Logs", + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "fb935960-d132-4bb5-853d-62f86cccc250_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fde4efad-9cd0-4fa4-84c8-0e3b6fc957b4_1.json b/packages/security_detection_engine/kibana/security_rule/fde4efad-9cd0-4fa4-84c8-0e3b6fc957b4_1.json new file mode 100644 index 00000000000..6d955a6f087 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fde4efad-9cd0-4fa4-84c8-0e3b6fc957b4_1.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects GKE pod create, update, or patch events that enable host IPC namespace sharing. This exposes host inter-process communication mechanisms and can support privilege escalation. Controller-owned workloads are excluded.", + "false_positives": [ + "Administrators may enable hostIPC for legitimate debugging. Exclude trusted users or namespaces after baselining." + ], + "index": [ + "logs-gcp.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GKE Pod Created With HostIPC", + "note": "## Triage and analysis\n\n### Investigating GKE Pod Created With HostIPC\n\nHost IPC lets a pod interact with host IPC facilities. Review the pod spec, actor, and whether the change was expected.\n\n### Investigation steps\n\n- Confirm `gcp.audit.request.spec.hostIPC` and targeted namespace or pod.\n- Review `user.email` and correlate with other risky pod modifications.\n\n### False positives\n\n- Break-glass debugging on nodes; allowlist known admin identities.", + "query": "data_stream.dataset:gcp.audit and event.outcome:success and\nevent.action:(\"io.k8s.core.v1.pods.create\" or \"io.k8s.core.v1.pods.update\" or \"io.k8s.core.v1.pods.patch\") and\ngcp.audit.request.spec.hostIPC:true and\nnot gcp.audit.request.metadata.ownerReferences.kind:(\"ReplicaSet\" or \"DaemonSet\" or \"StatefulSet\")\n", + "references": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/", + "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "gcp.audit.request.metadata.ownerReferences.kind", + "type": "unknown" + }, + { + "ecs": false, + "name": "gcp.audit.request.spec.hostIPC", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "fde4efad-9cd0-4fa4-84c8-0e3b6fc957b4", + "setup": "The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Kubernetes", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "fde4efad-9cd0-4fa4-84c8-0e3b6fc957b4_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml index 0e43ce16c80..1ec87d98b37 100644 --- a/packages/security_detection_engine/manifest.yml +++ b/packages/security_detection_engine/manifest.yml @@ -21,4 +21,4 @@ source: license: Elastic-2.0 title: Prebuilt Security Detection Rules type: integration -version: 8.19.26 +version: 8.19.27-beta.1 From 74ab64f4ce2898f455439595faa8c2b1a532be01 Mon Sep 17 00:00:00 2001 From: tradebot-elastic <178941316+tradebot-elastic@users.noreply.github.com> Date: Tue, 7 Jul 2026 07:42:16 +0000 Subject: [PATCH 2/2] Add changelog entry for 8.19.27-beta.1 --- packages/security_detection_engine/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml index 5eafbe9cc01..bad6b2cbef2 100644 --- a/packages/security_detection_engine/changelog.yml +++ b/packages/security_detection_engine/changelog.yml @@ -4,7 +4,7 @@ changes: - description: Release security rules update type: enhancement - link: https://github.com/elastic/integrations/pulls/0000 + link: https://github.com/elastic/integrations/pull/20006 - version: 8.19.26 changes: - description: Release security rules update