rules part deux

cuts and metadata additions
elastic · Jan 22, 2020 · 8969a17 · 8969a17
1 parent 8f0c413
commit 8969a17
Show file tree

Hide file tree

Showing 199 changed files with 970 additions and 3,972 deletions.
diff --git a/...gine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json b/...gine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
@@ -1,16 +1,51 @@
 {
-  "description": "EQL - Adding the Hidden File Attribute with via attrib.exe",
+  "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection",
   "enabled": false,
   "filters": [],
   "from": "now-6m",
   "immutable": true,
   "interval": "5m",
   "language": "kuery",
-  "name": "EQL - Adding the Hidden File Attribute with via attrib.exe",
+  "name": "Adding the Hidden File Attribute with via attrib.exe",
   "query": "    event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"",
-  "risk_score": 50,
+  "risk_score": 25,
   "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
   "severity": "low",
+  "tags": [
+    "EIA"
+  ],
+  "threats": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "techniques": [
+        {
+          "id": "T1158",
+          "name": "Hidden Files and Directories",
+          "reference": "https://attack.mitre.org/techniques/T1158/"
+        }
+      ]
+    },
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0003",
+        "name": "Persistence",
+        "reference": "https://attack.mitre.org/tactics/TA0003/"
+      },
+      "techniques": [
+        {
+          "id": "T1158",
+          "name": "Hidden Files and Directories",
+          "reference": "https://attack.mitre.org/techniques/T1158/"
+        }
+      ]
+    }
+  ],
   "to": "now",
   "type": "query",
   "version": 1

diff --git a/...iem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/...iem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
@@ -1,16 +1,36 @@
 {
-  "description": "EQL - Adobe Hijack Persistence",
+  "description": "Detects writing executable files that will be automatically launched by Adobe on launch.",
   "enabled": false,
   "filters": [],
   "from": "now-6m",
   "immutable": true,
   "interval": "5m",
   "language": "kuery",
-  "name": "EQL - Adobe Hijack Persistence",
+  "name": "Adobe Hijack Persistence",
   "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe",
-  "risk_score": 50,
+  "risk_score": 25,
   "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
   "severity": "low",
+  "tags": [
+    "EIA"
+  ],
+  "threats": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0003",
+        "name": "Persistence",
+        "reference": "https://attack.mitre.org/tactics/TA0003/"
+      },
+      "techniques": [
+        {
+          "id": "T1044",
+          "name": "File System Permissions Weakness",
+          "reference": "https://attack.mitre.org/techniques/T1044/"
+        }
+      ]
+    }
+  ],
   "to": "now",
   "type": "query",
   "version": 1

diff --git a/...server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json b/...server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
@@ -1,16 +1,36 @@
 {
-  "description": "EQL - Audio Capture via PowerShell",
+  "description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.",
   "enabled": false,
   "filters": [],
   "from": "now-6m",
   "immutable": true,
   "interval": "5m",
   "language": "kuery",
-  "name": "EQL - Audio Capture via PowerShell",
+  "name": "Audio Capture via PowerShell",
   "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"powershell.exe\" and process.args:\"WindowsAudioDevice-Powershell-Cmdlet\"",
-  "risk_score": 50,
+  "risk_score": 25,
   "rule_id": "b27b9f47-0a20-4807-8377-7f899b4fbada",
   "severity": "low",
+  "tags": [
+    "EIA"
+  ],
+  "threats": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0003",
+        "name": "Collection",
+        "reference": "https://attack.mitre.org/tactics/TA0009/"
+      },
+      "techniques": [
+        {
+          "id": "T1123",
+          "name": "Audio Capture",
+          "reference": "https://attack.mitre.org/techniques/T1123/"
+        }
+      ]
+    }
+  ],
   "to": "now",
   "type": "query",
   "version": 1

diff --git a/...ver/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json b/...ver/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
@@ -1,16 +1,36 @@
 {
-  "description": "EQL - Audio Capture via SoundRecorder",
+  "description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.",
   "enabled": false,
   "filters": [],
   "from": "now-6m",
   "immutable": true,
   "interval": "5m",
   "language": "kuery",
-  "name": "EQL - Audio Capture via SoundRecorder",
+  "name": "Audio Capture via SoundRecorder",
   "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"",
-  "risk_score": 50,
+  "risk_score": 25,
   "rule_id": "f8e06892-ed10-4452-892e-2c5a38d552f1",
   "severity": "low",
+  "tags": [
+    "EIA"
+  ],
+  "threats": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0003",
+        "name": "Collection",
+        "reference": "https://attack.mitre.org/tactics/TA0009/"
+      },
+      "techniques": [
+        {
+          "id": "T1123",
+          "name": "Audio Capture",
+          "reference": "https://attack.mitre.org/techniques/T1123/"
+        }
+      ]
+    }
+  ],
   "to": "now",
   "type": "query",
   "version": 1

diff --git a/...siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json b/...siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
@@ -1,16 +1,36 @@
 {
-  "description": "EQL -Bypass UAC Event Viewer",
+  "description": "Identifies User Account Control (UAC) bypass via eventvwr.  Attackers bypass UAC to stealthily execute code with elevated permissions.",
   "enabled": false,
   "filters": [],
   "from": "now-6m",
   "immutable": true,
   "interval": "5m",
   "language": "kuery",
-  "name": "EQL -Bypass UAC Event Viewer",
+  "name": "Bypass UAC via Event Viewer",
   "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\System32\\mmc.exe\" or \"C:\\Windows\\SysWOW64\\mmc.exe\")",
-  "risk_score": 50,
+  "risk_score": 25,
   "rule_id": "59547add-a400-4baa-aa0c-66c72efdb77f",
   "severity": "low",
+  "tags": [
+    "EIA"
+  ],
+  "threats": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0004",
+        "name": "Privilege Escalation",
+        "reference": "https://attack.mitre.org/tactics/TA0004/"
+      },
+      "techniques": [
+        {
+          "id": "T1088",
+          "name": "Bypass User Account Control",
+          "reference": "https://attack.mitre.org/techniques/T1088/"
+        }
+      ]
+    }
+  ],
   "to": "now",
   "type": "query",
   "version": 1

diff --git a/...ns/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json b/...ns/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
@@ -1,16 +1,36 @@
 {
-  "description": "EQL - Bypass UAC via CMSTP",
+  "description": "Identifies User Account Control (UAC) bypass via cmstp.  Attackers bypass UAC to stealthily execute code with elevated permissions.",
   "enabled": false,
   "filters": [],
   "from": "now-6m",
   "immutable": true,
   "interval": "5m",
   "language": "kuery",
-  "name": "EQL - Bypass UAC via CMSTP",
+  "name": "Bypass UAC via CMSTP",
   "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"cmstp.exe\" and process.parent.args:(\"/s\" and \"/au\")",
-  "risk_score": 50,
+  "risk_score": 25,
   "rule_id": "2f7403da-1a4c-46bb-8ecc-c1a596e10cd0",
   "severity": "low",
+  "tags": [
+    "EIA"
+  ],
+  "threats": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0004",
+        "name": "Privilege Escalation",
+        "reference": "https://attack.mitre.org/tactics/TA0004/"
+      },
+      "techniques": [
+        {
+          "id": "T1088",
+          "name": "Bypass User Account Control",
+          "reference": "https://attack.mitre.org/techniques/T1088/"
+        }
+      ]
+    }
+  ],
   "to": "now",
   "type": "query",
   "version": 1

diff --git a/...ns/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json b/...ns/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
@@ -1,16 +1,36 @@
 {
-  "description": "EQL -Bypass UAC Via sdclt",
+  "description": "Identifies User Account Control (UAC) bypass via cmstp.  Attackers bypass UAC to stealthily execute code with elevated permissions.",
   "enabled": false,
   "filters": [],
   "from": "now-6m",
   "immutable": true,
   "interval": "5m",
   "language": "kuery",
-  "name": "EQL -Bypass UAC Via sdclt",
+  "name": "Bypass UAC via SDCLT",
   "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"sdclt.exe\" and process.args:\"/kickoffelev\" and not process.executable:(\"C:\\Windows\\System32\\sdclt.exe\" or \"C:\\Windows\\System32\\control.exe\" or \"C:\\Windows\\SysWOW64\\sdclt.exe\" or \"C:\\Windows\\SysWOW64\\control.exe\")",
-  "risk_score": 50,
+  "risk_score": 25,
   "rule_id": "f68d83a1-24cb-4b8d-825b-e8af400b9670",
   "severity": "low",
+  "tags": [
+    "EIA"
+  ],
+  "threats": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0004",
+        "name": "Privilege Escalation",
+        "reference": "https://attack.mitre.org/tactics/TA0004/"
+      },
+      "techniques": [
+        {
+          "id": "T1088",
+          "name": "Bypass User Account Control",
+          "reference": "https://attack.mitre.org/techniques/T1088/"
+        }
+      ]
+    }
+  ],
   "to": "now",
   "type": "query",
   "version": 1

diff --git a/.../server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json b/.../server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
@@ -1,16 +1,36 @@
 {
-  "description": "EQL - Clearing Windows Event Logs",
+  "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt evade detection or destroy forensic evidence on a system.",
   "enabled": false,
   "filters": [],
   "from": "now-6m",
   "immutable": true,
   "interval": "5m",
   "language": "kuery",
-  "name": "EQL - Clearing Windows Event Logs",
+  "name": "Clearing Windows Event Logs",
   "query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")",
-  "risk_score": 50,
+  "risk_score": 25,
   "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
   "severity": "low",
+  "tags": [
+    "EIA"
+  ],
+  "threats": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "techniques": [
+        {
+          "id": "T1070",
+          "name": "Indicator Removal on Host",
+          "reference": "https://attack.mitre.org/techniques/T1070/"
+        }
+      ]
+    }
+  ],
   "to": "now",
   "type": "query",
   "version": 1

diff --git a/...b/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json b/...b/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
@@ -1,16 +1,36 @@
 {
-  "description": "EQL - Delete Volume USN Journal with fsutil",
+  "description": "Identifies use of the fsutil command to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.",
   "enabled": false,
   "filters": [],
   "from": "now-6m",
   "immutable": true,
   "interval": "5m",
   "language": "kuery",
-  "name": "EQL - Delete Volume USN Journal with fsutil",
+  "name": "Delete Volume USN Journal with fsutil",
   "query": "event.action:\"Process Create (rule: ProcessCreate)\"  and   process.name:\"fsutil.exe\" and    process.args:(\"usn\" and \"deletejournal\")",
-  "risk_score": 50,
+  "risk_score": 25,
   "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
   "severity": "low",
+  "tags": [
+    "EIA"
+  ],
+  "threats": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "techniques": [
+        {
+          "id": "T1107",
+          "name": "File Deletion",
+          "reference": "https://attack.mitre.org/techniques/T1107/"
+        }
+      ]
+    }
+  ],
   "to": "now",
   "type": "query",
   "version": 1