Merge pull request #3 from elastic/main

Catching Up

etc/packages.yml

@@ -1,6 +1,6 @@
 ---
 package:
-  name: "7.13"
+  name: "7.14"
   release: true
   # exclude rules which have any of the following index <-> field pairs
   #  exclude_fields:

rules/cross-platform/impact_hosts_file_modified.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/07"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ RHEL) and macOS systems.
 """
 from = "now-9m"
 index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Hosts File Modified"
 note = "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml."
@@ -23,28 +23,28 @@ rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Impact"]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-event.category:file and event.type:(change or creation) and file.path:("/private/etc/hosts" or "/etc/hosts" or "C:\Windows\System32\drivers\etc\hosts")
+file where event.type in ("change", "creation") and
+  file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") 
 '''
 
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1565"
-name = "Data Manipulation"
 reference = "https://attack.mitre.org/techniques/T1565/"
+name = "Data Manipulation"
 [[rule.threat.technique.subtechnique]]
 id = "T1565.001"
-name = "Stored Data Manipulation"
 reference = "https://attack.mitre.org/techniques/T1565/001/"
+name = "Stored Data Manipulation"
 
 
 
 [rule.threat.tactic]
 id = "TA0040"
-name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
+name = "Impact"

rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ download arbitrary files as an alternative to certutil.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via Desktopimgdownldr Utility"
 references = ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"]
@@ -20,25 +20,25 @@ rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-event.category:process and event.type:(start or process_started) and
-  (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe) and
-  process.args:/lockscreenurl\:http*
+process where event.type in ("start", "process_started") and
+  (process.name : "desktopimgdownldr.exe" or process.pe.original_file_name == "desktopimgdownldr.exe") and
+  process.args : "/lockscreenurl:http*"
 '''
 
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1105"
-name = "Ingress Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1105/"
+name = "Ingress Tool Transfer"
 
 
 [rule.threat.tactic]
 id = "TA0011"
-name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+name = "Command and Control"
 

rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml

@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/04/14"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file."
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via MpCmdRun"
 note = """### Investigating Remote File Download via MpCmdRun
@@ -22,25 +22,25 @@ rule_id = "c6453e73-90eb-4fe7-a98c-cde7bbfc504a"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-event.category:process and event.type:(start or process_started) and
-  (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe) and
-  process.args:(("-DownloadFile" or "-downloadfile") and "-url" and "-path")
+process where event.type == "start" and
+  (process.name : "MpCmdRun.exe" or process.pe.original_file_name == "MpCmdRun.exe") and
+   process.args : "-DownloadFile" and process.args : "-url" and process.args : "-path"
 '''
 
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1105"
-name = "Ingress Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1105/"
+name = "Ingress Tool Transfer"
 
 
 [rule.threat.tactic]
 id = "TA0011"
-name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+name = "Command and Control"
 

rules/windows/command_and_control_sunburst_c2_activity_detected.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ post-exploitation command and control activity of the SUNBURST backdoor.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "SUNBURST Command and Control Activity"
 note = "The SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized."
@@ -23,59 +23,55 @@ rule_id = "22599847-5d13-48cb-8872-5796fee8692b"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-event.category:network and event.type:protocol and network.protocol:http and
-	process.name:(
-		ConfigurationWizard.exe or
-		NetFlowService.exe or
-		NetflowDatabaseMaintenance.exe or
-		SolarWinds.Administration.exe or
-		SolarWinds.BusinessLayerHost.exe or
-		SolarWinds.BusinessLayerHostx64.exe or
-		SolarWinds.Collector.Service.exe or
-		SolarwindsDiagnostics.exe) and
-  http.request.body.content:((
-    (*/swip/Upload.ashx* and (POST* or PUT*)) or
-    (*/swip/SystemDescription* and (GET* or HEAD*)) or
-    (*/swip/Events* and (GET* or HEAD*))) and not
-    *solarwinds.com*)
+network where event.type == "protocol" and network.protocol == "http" and
+  process.name : ("ConfigurationWizard.exe",
+                  "NetFlowService.exe",
+                  "NetflowDatabaseMaintenance.exe",
+                  "SolarWinds.Administration.exe",
+                  "SolarWinds.BusinessLayerHost.exe",
+                  "SolarWinds.BusinessLayerHostx64.exe",
+                  "SolarWinds.Collector.Service.exe",
+                  "SolarwindsDiagnostics.exe") and
+  (http.request.body.content : "*/swip/Upload.ashx*" and http.request.body.content : ("POST*", "PUT*")) or
+  (http.request.body.content : ("*/swip/SystemDescription*", "*/swip/Events*") and http.request.body.content : ("GET*", "HEAD*")) and
+  not http.request.body.content : "*solarwinds.com*"
 '''
 
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1071"
-name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+name = "Application Layer Protocol"
 [[rule.threat.technique.subtechnique]]
 id = "T1071.001"
-name = "Web Protocols"
 reference = "https://attack.mitre.org/techniques/T1071/001/"
+name = "Web Protocols"
 
 
 
 [rule.threat.tactic]
 id = "TA0011"
-name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+name = "Command and Control"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1195"
-name = "Supply Chain Compromise"
 reference = "https://attack.mitre.org/techniques/T1195/"
+name = "Supply Chain Compromise"
 [[rule.threat.technique.subtechnique]]
 id = "T1195.002"
-name = "Compromise Software Supply Chain"
 reference = "https://attack.mitre.org/techniques/T1195/002/"
+name = "Compromise Software Supply Chain"
 
 
 
 [rule.threat.tactic]
 id = "TA0001"
-name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
+name = "Initial Access"

rules/windows/command_and_control_teamviewer_remote_file_copy.toml

@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/04/14"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session."
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Remote File Copy via TeamViewer"
 references = ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"]
@@ -17,25 +17,24 @@ rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-event.category:file and event.type:creation and
- process.name:TeamViewer.exe and
- file.extension:(exe or dll or scr or com or bat or ps1 or vbs or vbe or js or wsh or hta)
+file where event.type == "creation" and process.name : "TeamViewer.exe" and
+  file.extension : ("exe", "dll", "scr", "com", "bat", "ps1", "vbs", "vbe", "js", "wsh", "hta")
 '''
 
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1105"
-name = "Ingress Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1105/"
+name = "Ingress Tool Transfer"
 
 
 [rule.threat.tactic]
 id = "TA0011"
-name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+name = "Command and Control"
 

rules/windows/credential_access_credential_dumping_msbuild.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -12,34 +12,33 @@ credential management. This technique is sometimes used for credential dumping.
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Loading Windows Credential Libraries"
 risk_score = 73
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-event.category:process and event.type:change and
-  (process.pe.original_file_name:(vaultcli.dll or SAMLib.DLL) or
-    dll.name:(vaultcli.dll or SAMLib.DLL)) and
-  process.name: MSBuild.exe
+sequence by process.entity_id
+ [process where event.type == "start" and (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe")]
+ [library where dll.name : ("vaultcli.dll", "SAMLib.DLL")]
 '''
 
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1003"
-name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+name = "OS Credential Dumping"
 
 
 [rule.threat.tactic]
 id = "TA0006"
-name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+name = "Credential Access"