diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml index 20ae7908a329..4f092e3fab07 100644 --- a/packages/security_detection_engine/changelog.yml +++ b/packages/security_detection_engine/changelog.yml @@ -1,5 +1,10 @@ # newer versions go on top # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production +- version: 8.13.1-beta.1 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/9284 - version: 8.12.5 changes: - description: Release security rules update diff --git a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_103.json b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_103.json new file mode 100644 index 000000000000..2d78d99c09eb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.", + "false_positives": [ + "A user sending emails using personal distribution folders may trigger the event." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 User Restricted from Sending Email", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "0136b315-b566-482f-866c-1d8e2477ba16_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_103.json b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_103.json new file mode 100644 index 000000000000..c506239682e3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_103.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.", + "false_positives": [ + "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_3.json b/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_3.json new file mode 100644 index 000000000000..c361e1bad706 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_3.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence Through Systemd-udevd", + "new_terms_fields": [ + "host.id", + "process.executable", + "file.path" + ], + "query": "host.os.type:\"linux\" and event.category:\"file\" and\nevent.type:(\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path:/lib/udev/* and process.executable:* and not (\n process.name:(\"dockerd\" or \"docker\" or \"dpkg\" or \"dnf\" or \"dnf-automatic\" or \"yum\" or \"rpm\" or \"systemd-hwdb\" or\n \"podman\" or \"buildah\") or file.extension : (\"swp\" or \"swpx\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "054db96b-fd34-43b3-9af2-587b3bd33964", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 3 + }, + "id": "054db96b-fd34-43b3-9af2-587b3bd33964_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_3.json b/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_3.json new file mode 100644 index 000000000000..471abafa76b1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_3.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors the syslog log file for messages related to instances of a tainted kernel module load. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access.", + "from": "now-9m", + "index": [ + "logs-system.syslog-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Tainted Kernel Module Load", + "query": "host.os.type:linux and event.dataset:\"system.syslog\" and process.name:kernel and \nmessage:\"module verification failed: signature and/or required key missing - tainting kernel\"\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Filebeat\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_103.json b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_103.json new file mode 100644 index 000000000000..58735bf34320 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_103.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.", + "false_positives": [ + "Assignment of rights to a service account." + ], + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Exchange Suspicious Mailbox Right Delegation", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and\no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AccessRights", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.002", + "name": "Additional Email Delegate Permissions", + "reference": "https://attack.mitre.org/techniques/T1098/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "0ce6487d-8069-4888-9ddd-61b52490cebc_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_103.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_103.json new file mode 100644 index 000000000000..4413414c00e3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_103.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.", + "false_positives": [ + "Benign files can trigger signatures in the built-in virus protection" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SharePoint Malware File Upload", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1080", + "name": "Taint Shared Content", + "reference": "https://attack.mitre.org/techniques/T1080/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "0e52157a-8e96-4a95-a6e3-5faae5081a74_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_107.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_107.json new file mode 100644 index 000000000000..19c7eb5748ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_107.json @@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Possible Consent Grant Attack via Azure-Registered Application", + "note": "## Triage and analysis\n\n### Investigating Possible Consent Grant Attack via Azure-Registered Application\n\nIn an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications and are external to the organization.\n\nOfficial Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants).\n\n#### Possible investigation steps\n\n- From the Azure AD portal, Review the application that was granted permissions:\n - Click on the `Review permissions` button on the `Permissions` blade of the application.\n - An app should require only permissions related to the app's purpose. If that's not the case, the app might be risky.\n - Apps that require high privileges or admin consent are more likely to be risky.\n- Investigate the app and the publisher. The following characteristics can indicate suspicious apps:\n - A low number of downloads.\n - Low rating or score or bad comments.\n - Apps with a suspicious publisher or website.\n - Apps whose last update is not recent. This might indicate an app that is no longer supported.\n- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. Thus, analysts must review each app consent to ensure that only desired apps are granted access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Disable the malicious application to stop user access and the application access to your data.\n- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete this task.\n- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be used to complete this task.\n- Revoke the refresh token for all users assigned to the application. Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task.\n- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.\n- Disable the permission for a user to set consent permission on their behalf.\n - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and\n (\n azure.activitylogs.operation_name:\"Consent to application\" or\n azure.auditlogs.operation_name:\"Consent to application\" or\n o365.audit.Operation:\"Consent to application.\"\n ) and\n event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", + "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", + "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + }, + { + "package": "azure", + "version": "^1.0.0" + }, + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Operation", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_104.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_104.json new file mode 100644 index 000000000000..8366016c5db2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_104.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Willem D'Haese", + "Austin Songer" + ], + "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempts to Brute Force a Microsoft 365 User Account", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n", + "references": [ + "https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.LogonError", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "user.id" + ], + "value": 10 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 104 + }, + "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_3.json b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_3.json new file mode 100644 index 000000000000..17834dbdc1a9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_3.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM).", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Clear Kernel Ring Buffer", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"dmesg\" and process.args == \"-c\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2724808c-ba5d-48b2-86d2-0002103df753", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + }, + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.002", + "name": "Clear Linux or Mac System Logs", + "reference": "https://attack.mitre.org/techniques/T1070/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "2724808c-ba5d-48b2-86d2-0002103df753_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_103.json b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_103.json new file mode 100644 index 000000000000..87b311350477 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_103.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.", + "false_positives": [ + "A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Transport Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "272a6484-2663-46db-a532-ef734bf9a796", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "272a6484-2663-46db-a532-ef734bf9a796_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_103.json b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_103.json new file mode 100644 index 000000000000..c31a38149049 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_103.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.", + "false_positives": [ + "Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams External Access Enabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoftteams/manage-external-access" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AllowFederatedUsers", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_109.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_109.json new file mode 100644 index 000000000000..3d399c3effd5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_109.json @@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", + "false_positives": [ + "Legitimate remote account administration." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.security*", + "logs-windows.forwarded*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Account Password Reset Remotely", + "note": "This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.", + "query": "sequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not winlog.event_data.TargetUserName : (\"svc*\", \"PIM_*\", \"_*_\", \"*-*-*\", \"*$\")] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", + "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetSid", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "type": "eql", + "version": 109 + }, + "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_104.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_104.json new file mode 100644 index 000000000000..a36767fd8358 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_104.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Excessive Single Sign-On Logon Errors", + "note": "", + "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n", + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.LogonError", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "user.id" + ], + "value": 5 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 104 + }, + "id": "2de10e77-c144-4e69-afb7-344e7127abd0_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_7.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_7.json new file mode 100644 index 000000000000..ee021293cbf5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_7.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where the 'touch' command is executed on a Linux system with the \"-r\" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ESXI Timestomping using Touch Command", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"touch\" and process.args == \"-r\" and\nprocess.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.006", + "name": "Timestomp", + "reference": "https://attack.mitre.org/techniques/T1070/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_4.json b/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_4.json new file mode 100644 index 000000000000..b2cc0f01bdcd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_4.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish persistence, escalate privileges or perform reconnaisance on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 1, + "name": "Potential Suspicious File Edit", + "query": "file where event.action in (\"creation\", \"file_create_event\") and file.extension == \"swp\" and \nfile.path : (\n /* common interesting files and locations */\n \"/etc/.shadow.swp\", \"/etc/.shadow-.swp\", \"/etc/.shadow~.swp\", \"/etc/.gshadow.swp\", \"/etc/.gshadow-.swp\",\n \"/etc/.passwd.swp\", \"/etc/.pwd.db.swp\", \"/etc/.master.passwd.swp\", \"/etc/.spwd.db.swp\", \"/etc/security/.opasswd.swp\",\n \"/etc/.environment.swp\", \"/etc/.profile.swp\", \"/etc/sudoers.d/.*.swp\", \"/etc/ld.so.conf.d/.*.swp\",\n \"/etc/init.d/.*.swp\", \"/etc/.rc.local.swp\", \"/etc/rc*.d/.*.swp\", \"/dev/shm/.*.swp\", \"/etc/update-motd.d/.*.swp\",\n \"/usr/lib/update-notifier/.*.swp\",\n\n /* service, timer, want, socket and lock files */\n \"/etc/systemd/system/.*.swp\", \"/usr/local/lib/systemd/system/.*.swp\", \"/lib/systemd/system/.*.swp\",\n \"/usr/lib/systemd/system/.*.swp\",\"/home/*/.config/systemd/user/.*.swp\", \"/run/.*.swp\", \"/var/run/.*.swp/\",\n\n /* profile and shell configuration files */ \n \"/home/*.profile.swp\", \"/home/*.bash_profile.swp\", \"/home/*.bash_login.swp\", \"/home/*.bashrc.swp\", \"/home/*.bash_logout.swp\",\n \"/home/*.zshrc.swp\", \"/home/*.zlogin.swp\", \"/home/*.tcshrc.swp\", \"/home/*.kshrc.swp\", \"/home/*.config.fish.swp\",\n \"/root/*.profile.swp\", \"/root/*.bash_profile.swp\", \"/root/*.bash_login.swp\", \"/root/*.bashrc.swp\", \"/root/*.bash_logout.swp\",\n \"/root/*.zshrc.swp\", \"/root/*.zlogin.swp\", \"/root/*.tcshrc.swp\", \"/root/*.kshrc.swp\", \"/root/*.config.fish.swp\"\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3728c08d-9b70-456b-b6b8-007c7d246128", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + }, + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "3728c08d-9b70-456b-b6b8-007c7d246128_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_4.json b/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_4.json new file mode 100644 index 000000000000..cc1921cc53d2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_4.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel Driver Load", + "query": "driver where host.os.type == \"linux\" and event.action == \"loaded-kernel-module\" and\nauditd.data.syscall in (\"init_module\", \"finit_module\")\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.syscall", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3e12a439-d002-4944-bc42-171c0dcb9b96", + "setup": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "severity": "low", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "3e12a439-d002-4944-bc42-171c0dcb9b96_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_104.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_104.json new file mode 100644 index 000000000000..8c475b5aec56 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_104.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Password Spraying of Microsoft 365 User Accounts", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n", + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "source.ip" + ], + "value": 25 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 104 + }, + "id": "3efee4f0-182a-40a8-a835-102c68a4175d_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_2.json b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_2.json new file mode 100644 index 000000000000..a8afcd5c5bc2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_2.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.", + "false_positives": [ + "User using a new mail client." + ], + "from": "now-30m", + "history_window_start": "now-10d", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Microsoft 365 Mail Access by ClientAppId", + "new_terms_fields": [ + "o365.audit.ClientAppId", + "user.id" + ], + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success\n", + "references": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "48819484-9826-4083-9eba-1da74cd0eaf2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "48819484-9826-4083-9eba-1da74cd0eaf2_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_3.json b/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_3.json new file mode 100644 index 000000000000..f12661665856 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_3.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ProxyChains Activity", + "note": "## Triage and analysis\n\n### Investigating ProxyChains Activity\n\nAttackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers.\n\nThis rule looks for processes spawned through `proxychains` by analyzing `proxychains` process execution.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"proxychains\"\n", + "references": [ + "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_103.json b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_103.json new file mode 100644 index 000000000000..3f5e28f19aa1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_103.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.", + "false_positives": [ + "Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.Enabled", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "514121ce-c7b6-474a-8237-68ff71672379", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "514121ce-c7b6-474a-8237-68ff71672379_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a_2.json b/packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a_2.json new file mode 100644 index 000000000000..afeae3428517 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a_2.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating the taining of the kernel. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access.", + "from": "now-9m", + "index": [ + "logs-system.syslog-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Tainted Out-Of-Tree Kernel Module Load", + "query": "host.os.type:linux and event.dataset:\"system.syslog\" and process.name:kernel and \nmessage:\"loading out-of-tree module taints kernel.\"\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "51a09737-80f7-4551-a3be-dac8ef5d181a", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Filebeat\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "51a09737-80f7-4551-a3be-dac8ef5d181a_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_103.json b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_103.json new file mode 100644 index 000000000000..eb1228a0759d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_103.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks.", + "false_positives": [ + "Legitimate files reported by the users" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Email Reported by User as Malware or Phish", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:\"Email reported by user as malware or phish\"\n", + "references": [ + "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "rule.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5930658c-2107-4afc-91af-e0e55b7f7184", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "5930658c-2107-4afc-91af-e0e55b7f7184_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_4.json b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_4.json new file mode 100644 index 000000000000..bce414651e01 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_4.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious which Enumeration", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name == \"which\" and process.args_count >= 10 and not process.parent.name == \"jem\" and \nnot process.args == \"--tty-only\"\n\n/* potential tuning if rule would turn out to be noisy\nand process.args in (\"nmap\", \"nc\", \"ncat\", \"netcat\", nc.traditional\", \"gcc\", \"g++\", \"socat\") and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n*/ \n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "5b18eef4-842c-4b47-970f-f08d24004bde", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "5b18eef4-842c-4b47-970f-f08d24004bde_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_103.json b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_103.json new file mode 100644 index 000000000000..86b2e7fbd172 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_103.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.", + "false_positives": [ + "Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams Guest Access Enabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AllowGuestUser", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "5e552599-ddec-4e14-bad1-28aa42404388_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_103.json b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_103.json new file mode 100644 index 000000000000..5055889f5c42 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.", + "false_positives": [ + "A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange DLP Policy Removed", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "60f3adec-1df9-4104-9c75-b97d9f078b25_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_2.json b/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_2.json new file mode 100644 index 000000000000..b197bbc4e8ec --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_2.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux Process Hooking via GDB", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and \n/* Covered by d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f */\nprocess.args != \"1\"\n", + "references": [ + "https://github.com/controlplaneio/truffleproc", + "https://github.com/hajzer/bash-memory-dump" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "66c058f3-99f4-4d18-952b-43348f2577a0", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.007", + "name": "Proc Filesystem", + "reference": "https://attack.mitre.org/techniques/T1003/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "66c058f3-99f4-4d18-952b-43348f2577a0_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_103.json b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_103.json new file mode 100644 index 000000000000..eba65d4a0a3a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_103.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.", + "false_positives": [ + "Legitimate allowlisting of noisy accounts" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Mailbox Audit Logging Bypass", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n", + "references": [ + "https://twitter.com/misconfig/status/1476144066807140355" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Initial Access", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_103.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_103.json new file mode 100644 index 000000000000..32baae485fc8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_103.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "New or Modified Federation Domain", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or\n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and\nevent.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.002", + "name": "Domain Trust Modification", + "reference": "https://attack.mitre.org/techniques/T1484/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "684554fc-0777-47ce-8c9b-3d01f198d7f8_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_6.json b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_6.json new file mode 100644 index 000000000000..b94bc1c8ea45 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_6.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Utility Launched via ProxyChains", + "note": "## Triage and analysis\n\n### Investigating Suspicious Utility Launched via ProxyChains\n\nAttackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers.\n\nThis rule looks for a list of suspicious processes spawned through `proxychains` by analyzing process command line arguments. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"proxychains\" and process.args : (\n \"ssh\", \"sshd\", \"sshuttle\", \"socat\", \"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\", \"gost\", \"pivotnacci\", \"chisel*\", \"nmap\", \"ping\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\", \"ftp\", \"curl\", \"wget\"\n)\n", + "references": [ + "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4", + "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_103.json b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_103.json new file mode 100644 index 000000000000..37813249c8f2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.", + "false_positives": [ + "If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Potential ransomware activity", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "721999d0-7ab2-44bf-b328-6e63367b9b29_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_103.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_103.json new file mode 100644 index 000000000000..cec0b69667c7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_103.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Global Administrator Role Assigned", + "note": "", + "query": "event.dataset:o365.audit and event.code:\"AzureActiveDirectory\" and event.action:\"Add member to role.\" and\no365.audit.ModifiedProperties.Role_DisplayName.NewValue:\"Global Administrator\"\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.Role_DisplayName.NewValue", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "88671231-6626-4e1b-abb7-6e361a171fbb", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "88671231-6626-4e1b-abb7-6e361a171fbb_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_103.json b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_103.json new file mode 100644 index 000000000000..3a39a12b6255 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.", + "false_positives": [ + "An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97314185-2568-4561-ae81-f3e480e5e695", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "97314185-2568-4561-ae81-f3e480e5e695_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_103.json b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_103.json new file mode 100644 index 000000000000..db7337116420 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.", + "false_positives": [ + "A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Management Group Role Assignment", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "98995807-5b09-4e37-8a54-5cae5dc932d7_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_103.json b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_103.json new file mode 100644 index 000000000000..bc9010293dc9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", + "false_positives": [ + "Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Safe Link Policy Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_5.json b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_5.json new file mode 100644 index 000000000000..db941bc0f274 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_5.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Protocol Tunneling via Chisel Server", + "note": "## Triage and analysis\n\n### Investigating Potential Protocol Tunneling via Chisel Server\n\nAttackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for a sequence of command line arguments that are consistent with `chisel` server tunneling behavior, followed by a network event by an uncommon process. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"server\" and process.args in (\"--port\", \"-p\", \"--reverse\", \"--backend\", \"--socks5\") and \n process.args_count >= 3 and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_accepted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\", \"hugo\")]\n", + "references": [ + "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", + "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ac8805f6-1e08-406c-962e-3937057fa86f", + "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "ac8805f6-1e08-406c-962e-3937057fa86f_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_103.json b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_103.json new file mode 100644 index 000000000000..491886025167 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.", + "false_positives": [ + "Users or System Administrator cleaning out folders." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Unusual Volume of File Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "b2951150-658f-4a60-832f-a00d1e6c6745_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_103.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_103.json new file mode 100644 index 000000000000..4224ff9b548a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_103.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.", + "false_positives": [ + "Benign files can trigger signatures in the built-in virus protection" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "OneDrive Malware File Upload", + "note": "", + "query": "event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1080", + "name": "Taint Shared Content", + "reference": "https://attack.mitre.org/techniques/T1080/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_104.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_104.json new file mode 100644 index 000000000000..06185193e598 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_104.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.", + "false_positives": [ + "Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams Custom Application Interaction Allowed", + "note": "", + "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Name", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.NewValue", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "bbd1a775-8267-41fa-9232-20e5582596ac_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_103.json b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_103.json new file mode 100644 index 000000000000..83d9bff20d9b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.", + "false_positives": [ + "A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Malware Filter Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_5.json b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_5.json new file mode 100644 index 000000000000..870c78f43884 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_5.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux init (PID 1) Secret Dump via GDB", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and process.args == \"1\"\n", + "references": [ + "https://github.com/controlplaneio/truffleproc", + "https://github.com/hajzer/bash-memory-dump" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.007", + "name": "Proc Filesystem", + "reference": "https://attack.mitre.org/techniques/T1003/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_103.json b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_103.json new file mode 100644 index 000000000000..8562fce4d930 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.", + "false_positives": [ + "An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_103.json b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_103.json new file mode 100644 index 000000000000..48515d9b1289 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_103.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.", + "false_positives": [ + "A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_7.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_7.json new file mode 100644 index 000000000000..41515a591474 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_7.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Hidden Process via Mount Hidepid", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"mount\" and process.args == \"/proc\" and process.args == \"-o\" and\nprocess.args : \"*hidepid=2*\"\n", + "references": [ + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_109.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_109.json new file mode 100644 index 000000000000..6313be6e764b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_109.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", + "false_positives": [ + "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Base16 or Base32 Encoding/Decoding Activity", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name in (\"base16\", \"base32\", \"base32plain\", \"base32hex\") and\nnot process.args in (\"--help\", \"--version\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "debff20a-46bc-4a4d-bae5-5cdd14222795_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_3.json b/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_3.json new file mode 100644 index 000000000000..9e12a3aa287e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_3.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potentially Suspicious Process Started via tmux or screen", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.parent.name in (\"screen\", \"tmux\") and process.name : (\n \"nmap\", \"nc\", \"ncat\", \"netcat\", \"socat\", \"nc.openbsd\", \"ngrok\", \"ping\", \"java\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"telnet\", \"awk\", \"wget\", \"curl\", \"id\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e0cc3807-e108-483c-bf66-5a4fbe0d7e89", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "e0cc3807-e108-483c-bf66-5a4fbe0d7e89_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_109.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_109.json new file mode 100644 index 000000000000..fa9407afffdd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_109.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Disabling of SELinux", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"setenforce\" and process.args == \"0\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_103.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_103.json new file mode 100644 index 000000000000..36a8192039cb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_103.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Gary Blackwell", + "Austin Songer" + ], + "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.", + "false_positives": [ + "Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Inbox Forwarding Rule Created", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:(\"New-InboxRule\" or \"Set-InboxRule\") and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", + "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardAsAttachmentTo", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardTo", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.RedirectTo", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Collection" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.003", + "name": "Email Forwarding Rule", + "reference": "https://attack.mitre.org/techniques/T1114/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_5.json b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_5.json new file mode 100644 index 000000000000..6f87626e3201 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_5.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Data Encryption via OpenSSL Utility", + "query": "sequence by host.id, user.name, process.parent.entity_id with maxspan=5s\n [ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.name == \"openssl\" and process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl*\", \"php*\", \"python*\", \"xargs\") and\n process.args == \"-in\" and process.args == \"-out\" and\n process.args in (\"-k\", \"-K\", \"-kfile\", \"-pass\", \"-iv\", \"-md\") and\n /* excluding base64 encoding options and including encryption password or key params */\n not process.args in (\"-d\", \"-a\", \"-A\", \"-base64\", \"-none\", \"-nosalt\") ] with runs=10\n", + "references": [ + "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_5.json b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_5.json new file mode 100644 index 000000000000..75343b30d69a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_5.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Disabling of AppArmor", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and (\n (process.name == \"systemctl\" and process.args == \"disable\" and process.args == \"apparmor\") or\n (process.name == \"ln\" and process.args : \"/etc/apparmor.d/*\" and process.args == \"/etc/apparmor.d/disable/\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fac52c69-2646-4e79-89c0-fd7653461010", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "fac52c69-2646-4e79-89c0-fd7653461010_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_103.json b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_103.json new file mode 100644 index 000000000000..34730c505926 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.", + "false_positives": [ + "A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Transport Rule Creation", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml index 599495773892..a148028d0094 100644 --- a/packages/security_detection_engine/manifest.yml +++ b/packages/security_detection_engine/manifest.yml @@ -4,7 +4,7 @@ conditions: elastic: subscription: basic kibana: - version: ^8.12.0 + version: ^8.13.0 description: Prebuilt detection rules for Elastic Security format_version: 3.0.0 icons: @@ -19,4 +19,4 @@ source: license: Elastic-2.0 title: Prebuilt Security Detection Rules type: integration -version: 8.12.5 +version: 8.13.1-beta.1