From 7feceb29835d17bd456e9d5641ae96fa4939095a Mon Sep 17 00:00:00 2001 From: Craig Date: Thu, 9 Apr 2020 13:19:07 -0400 Subject: [PATCH 1/2] bc6 rule import april 9 Increased the lookback of the ML rules --- .../403_response_to_a_post.json | 46 +++--- .../405_response_method_not_allowed.json | 46 +++--- ..._security_adversary_behavior_detected.json | 38 ++--- ...dpoint_security_cred_dumping_detected.json | 38 ++--- ...point_security_cred_dumping_prevented.json | 38 ++--- ...t_security_cred_manipulation_detected.json | 38 ++--- ..._security_cred_manipulation_prevented.json | 38 ++--- ...ic_endpoint_security_exploit_detected.json | 38 ++--- ...c_endpoint_security_exploit_prevented.json | 38 ++--- ...ic_endpoint_security_malware_detected.json | 38 ++--- ...c_endpoint_security_malware_prevented.json | 38 ++--- ...nt_security_permission_theft_detected.json | 38 ++--- ...t_security_permission_theft_prevented.json | 38 ++--- ...t_security_process_injection_detected.json | 38 ++--- ..._security_process_injection_prevented.json | 38 ++--- ...endpoint_security_ransomware_detected.json | 38 ++--- ...ndpoint_security_ransomware_prevented.json | 38 ++--- ...den_file_attribute_with_via_attribexe.json | 98 ++++++------- .../eql_adobe_hijack_persistence.json | 68 ++++----- .../eql_clearing_windows_event_logs.json | 68 ++++----- ...delete_volume_usn_journal_with_fsutil.json | 68 ++++----- ...deleting_backup_catalogs_with_wbadmin.json | 68 ++++----- .../eql_direct_outbound_smb_connection.json | 68 ++++----- ...ble_windows_firewall_rules_with_netsh.json | 68 ++++----- ...coding_or_decoding_files_via_certutil.json | 68 ++++----- .../eql_local_scheduled_task_commands.json | 74 +++++----- .../eql_local_service_commands.json | 68 ++++----- ...ql_msbuild_making_network_connections.json | 68 ++++----- .../eql_mshta_making_network_connections.json | 74 +++++----- .../eql_psexec_lateral_movement_command.json | 104 +++++++------- ...ql_suspicious_ms_office_child_process.json | 68 ++++----- ...l_suspicious_ms_outlook_child_process.json | 68 ++++----- .../eql_system_shells_via_services.json | 68 ++++----- ...usual_network_connection_via_rundll32.json | 68 ++++----- .../eql_unusual_parentchild_relationship.json | 68 ++++----- ...ql_unusual_process_network_connection.json | 68 ++++----- .../eql_user_account_creation.json | 68 ++++----- ...ume_shadow_copy_deletion_via_vssadmin.json | 68 ++++----- ..._volume_shadow_copy_deletion_via_wmic.json | 68 ++++----- ...l_windows_script_executing_powershell.json | 68 ++++----- .../linux_anomalous_network_activity.json | 46 +++--- ...linux_anomalous_network_port_activity.json | 46 +++--- .../linux_anomalous_network_service.json | 46 +++--- .../linux_anomalous_network_url_activity.json | 46 +++--- .../linux_anomalous_process_all_hosts.json | 46 +++--- .../linux_anomalous_user_name.json | 46 +++--- .../linux_hping_activity.json | 46 +++--- .../linux_iodine_activity.json | 46 +++--- .../linux_kernel_module_activity.json | 80 +++++------ .../linux_mknod_activity.json | 46 +++--- .../linux_netcat_network_connection.json | 50 +++---- .../linux_nmap_activity.json | 46 +++--- .../linux_nping_activity.json | 46 +++--- ...nux_process_started_in_temp_directory.json | 40 +++--- .../linux_shell_activity_by_web_server.json | 80 +++++------ .../linux_socat_activity.json | 46 +++--- .../linux_strace_activity.json | 46 +++--- .../linux_tcpdump_activity.json | 104 +++++++------- .../linux_whoami_commmand.json | 74 +++++----- .../network_dns_directly_to_the_internet.json | 82 +++++------ ...fer_protocol_activity_to_the_internet.json | 104 +++++++------- ...hat_protocol_activity_to_the_internet.json | 104 +++++++------- .../network_nat_traversal_port_activity.json | 74 +++++----- .../network_port_26_activity.json | 112 +++++++-------- ...rk_port_8000_activity_to_the_internet.json | 74 +++++----- ..._to_point_tunneling_protocol_activity.json | 74 +++++----- ...k_proxy_port_activity_to_the_internet.json | 74 +++++----- ...te_desktop_protocol_from_the_internet.json | 134 +++++++++--------- ...mote_desktop_protocol_to_the_internet.json | 104 +++++++------- ...mote_procedure_call_from_the_internet.json | 68 ++++----- ...remote_procedure_call_to_the_internet.json | 68 ++++----- ...file_sharing_activity_to_the_internet.json | 98 ++++++------- .../network_smtp_to_the_internet.json | 104 +++++++------- ..._server_port_activity_to_the_internet.json | 74 +++++----- ...rk_ssh_secure_shell_from_the_internet.json | 134 +++++++++--------- ...work_ssh_secure_shell_to_the_internet.json | 74 +++++----- .../network_telnet_port_activity.json | 134 +++++++++--------- .../network_tor_activity_to_the_internet.json | 104 +++++++------- ...l_network_computing_from_the_internet.json | 104 +++++++------- ...ual_network_computing_to_the_internet.json | 74 +++++----- .../prepackaged_rules/null_user_agent.json | 82 +++++------ .../packetbeat_dns_tunneling.json | 46 +++--- .../packetbeat_rare_dns_question.json | 46 +++--- .../packetbeat_rare_server_domain.json | 46 +++--- .../packetbeat_rare_urls.json | 46 +++--- .../packetbeat_rare_user_agent.json | 46 +++--- .../rare_process_by_host_linux.json | 46 +++--- .../rare_process_by_host_windows.json | 46 +++--- .../prepackaged_rules/sqlmap_user_agent.json | 46 +++--- .../suspicious_login_activity.json | 46 +++--- .../windows_anomalous_network_activity.json | 46 +++--- .../windows_anomalous_path_activity.json | 46 +++--- .../windows_anomalous_process_all_hosts.json | 46 +++--- .../windows_anomalous_process_creation.json | 46 +++--- .../windows_anomalous_script.json | 46 +++--- .../windows_anomalous_service.json | 46 +++--- .../windows_anomalous_user_name.json | 46 +++--- .../windows_certutil_network_connection.json | 68 ++++----- ...and_prompt_connecting_to_the_internet.json | 104 +++++++------- ...s_command_shell_started_by_powershell.json | 98 ++++++------- ...dows_command_shell_started_by_svchost.json | 68 ++++----- .../windows_credential_dumping_msbuild.json | 74 +++++----- .../windows_cve_2020_0601.json | 68 ++++----- ...ws_defense_evasion_via_filter_manager.json | 68 ++++----- ...ecution_msbuild_started_by_office_app.json | 110 +++++++------- ...s_execution_msbuild_started_by_script.json | 104 +++++++------- ...ion_msbuild_started_by_system_process.json | 104 +++++++------- ...ows_execution_msbuild_started_renamed.json | 74 +++++----- ...cution_msbuild_started_unusal_process.json | 80 +++++------ ...dows_execution_via_compiled_html_file.json | 104 +++++++------- ...dows_execution_via_net_com_assemblies.json | 98 ++++++------- ...ution_via_trusted_developer_utilities.json | 104 +++++++------- ...le_program_connecting_to_the_internet.json | 98 ++++++------- .../windows_injection_msbuild.json | 104 +++++++------- ...isc_lolbin_connecting_to_the_internet.json | 98 ++++++------- .../windows_modification_of_boot_config.json | 68 ++++----- .../windows_msxsl_network.json | 68 ++++----- .../windows_net_command_system_account.json | 68 ++++----- ..._persistence_via_application_shimming.json | 98 ++++++------- ...escalation_via_accessibility_features.json | 98 ++++++------- ...rocess_discovery_via_tasklist_command.json | 74 +++++----- .../windows_rare_user_runas_event.json | 46 +++--- ...windows_rare_user_type10_remote_login.json | 46 +++--- ...er_program_connecting_to_the_internet.json | 104 +++++++------- .../windows_suspicious_pdf_reader.json | 68 ++++----- .../windows_uac_bypass_event_viewer.json | 68 ++++----- .../windows_whoami_command_activity.json | 74 +++++----- 127 files changed, 4313 insertions(+), 4313 deletions(-) diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json index d4118d0686b111..74a9764ea558e3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json @@ -1,24 +1,24 @@ -{ - "description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed", - "false_positives": [ - "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." - ], - "index": [ - "apm-*-transaction*" - ], - "language": "kuery", - "name": "Web Application Suspicious Activity: POST Request Declined", - "query": "http.response.status_code:403 and http.request.method:post", - "references": [ - "https://en.wikipedia.org/wiki/HTTP_403" - ], - "risk_score": 47, - "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", - "severity": "medium", - "tags": [ - "APM", - "Elastic" - ], - "type": "query", - "version": 2 +{ + "description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed", + "false_positives": [ + "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." + ], + "index": [ + "apm-*-transaction*" + ], + "language": "kuery", + "name": "Web Application Suspicious Activity: POST Request Declined", + "query": "http.response.status_code:403 and http.request.method:post", + "references": [ + "https://en.wikipedia.org/wiki/HTTP_403" + ], + "risk_score": 47, + "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", + "severity": "medium", + "tags": [ + "APM", + "Elastic" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json index da27f0a71d281b..fbbdd0f83e1f15 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json @@ -1,24 +1,24 @@ -{ - "description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource", - "false_positives": [ - "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." - ], - "index": [ - "apm-*-transaction*" - ], - "language": "kuery", - "name": "Web Application Suspicious Activity: Unauthorized Method", - "query": "http.response.status_code:405", - "references": [ - "https://en.wikipedia.org/wiki/HTTP_405" - ], - "risk_score": 47, - "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef", - "severity": "medium", - "tags": [ - "APM", - "Elastic" - ], - "type": "query", - "version": 2 +{ + "description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource", + "false_positives": [ + "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." + ], + "index": [ + "apm-*-transaction*" + ], + "language": "kuery", + "name": "Web Application Suspicious Activity: Unauthorized Method", + "query": "http.response.status_code:405", + "references": [ + "https://en.wikipedia.org/wiki/HTTP_405" + ], + "risk_score": 47, + "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef", + "severity": "medium", + "tags": [ + "APM", + "Elastic" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json index cfc322788d4be9..7a62ef44838f5c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected an Adversary Behavior. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Adversary Behavior - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)", - "risk_score": 47, - "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69", - "severity": "medium", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected an Adversary Behavior. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Adversary Behavior - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)", + "risk_score": 47, + "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json index 0647fe9c9ce109..eaa86ea5eac22c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Credential Dumping - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)", - "risk_score": 73, - "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", - "severity": "high", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Credential Dumping - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)", + "risk_score": 73, + "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json index 036c88688d9bdd..5524f5f0864300 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint prevented Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Credential Dumping - Prevented - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)", - "risk_score": 47, - "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", - "severity": "medium", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint prevented Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Credential Dumping - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)", + "risk_score": 47, + "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json index 0fe610d5511527..776c800791996f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Credential Manipulation - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)", - "risk_score": 73, - "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", - "severity": "high", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Credential Manipulation - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)", + "risk_score": 73, + "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json index a317c77bcd90aa..084914b2a475c5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint prevented Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Credential Manipulation - Prevented - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)", - "risk_score": 47, - "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", - "severity": "medium", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint prevented Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Credential Manipulation - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)", + "risk_score": 47, + "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json index 97640c0cea9b22..782c9d5e299704 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Exploit - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)", - "risk_score": 73, - "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", - "severity": "high", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Exploit - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)", + "risk_score": 73, + "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json index 069687a5af00fd..f656155fa47500 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint prevented an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Exploit - Prevented - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)", - "risk_score": 47, - "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", - "severity": "medium", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint prevented an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Exploit - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)", + "risk_score": 47, + "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json index a7d3371190cedd..c6f536e1e7f555 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Malware - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)", - "risk_score": 99, - "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de", - "severity": "critical", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Malware - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)", + "risk_score": 99, + "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de", + "severity": "critical", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json index dd7bf72c34f900..71fec58740995b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint prevented Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Malware - Prevented - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)", - "risk_score": 73, - "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895", - "severity": "high", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint prevented Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Malware - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)", + "risk_score": 73, + "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json index a8e102cc4619d1..6829f0f18526fc 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Permission Theft - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)", - "risk_score": 73, - "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", - "severity": "high", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Permission Theft - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)", + "risk_score": 73, + "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json index c97330f2349eb6..a8d3cb31f16a98 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint prevented Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Permission Theft - Prevented - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)", - "risk_score": 47, - "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b", - "severity": "medium", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint prevented Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Permission Theft - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)", + "risk_score": 47, + "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json index e644c0e8d66eb4..f8e35b845ae2b6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Process Injection - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)", - "risk_score": 73, - "rule_id": "80c52164-c82a-402c-9964-852533d58be1", - "severity": "high", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Process Injection - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)", + "risk_score": 73, + "rule_id": "80c52164-c82a-402c-9964-852533d58be1", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json index 61cbe267f9a465..176c71a1cfc701 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint prevented Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Process Injection - Prevented - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)", - "risk_score": 47, - "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e", - "severity": "medium", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint prevented Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Process Injection - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)", + "risk_score": 47, + "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json index 0e88b26cb2c758..ee90b812a0156a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Ransomware - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)", - "risk_score": 99, - "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd", - "severity": "critical", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Ransomware - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)", + "risk_score": 99, + "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd", + "severity": "critical", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json index ba341f059f26d5..bf5d71c799a25a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint prevented Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Ransomware - Prevented - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)", - "risk_score": 73, - "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac", - "severity": "high", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint prevented Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Ransomware - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)", + "risk_score": 73, + "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json index 25d2232d3f6dc5..19bfb78a04df78 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json @@ -1,50 +1,50 @@ -{ - "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Adding Hidden File Attribute via Attrib", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:attrib.exe and process.args:+h", - "risk_score": 21, - "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1158", - "name": "Hidden Files and Directories", - "reference": "https://attack.mitre.org/techniques/T1158/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1158", - "name": "Hidden Files and Directories", - "reference": "https://attack.mitre.org/techniques/T1158/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Adding Hidden File Attribute via Attrib", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:attrib.exe and process.args:+h", + "risk_score": 21, + "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1158", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1158/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1158", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1158/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json index 3b4d2bc0402179..2fb6d32ac097de 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json @@ -1,35 +1,35 @@ -{ - "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Adobe Hijack Persistence", - "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexec.exe", - "risk_score": 21, - "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1044", - "name": "File System Permissions Weakness", - "reference": "https://attack.mitre.org/techniques/T1044/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Adobe Hijack Persistence", + "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexec.exe", + "risk_score": 21, + "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1044", + "name": "File System Permissions Weakness", + "reference": "https://attack.mitre.org/techniques/T1044/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json index 1c73d6c276ce6c..e1307c6bdbc3cf 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Clearing Windows Event Logs", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog", - "risk_score": 21, - "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal on Host", - "reference": "https://attack.mitre.org/techniques/T1070/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Clearing Windows Event Logs", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog", + "risk_score": 21, + "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json index 0bfa18398eada2..b42a847c9618c0 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Delete Volume USN Journal with Fsutil", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:fsutil.exe and process.args:(deletejournal and usn)", - "risk_score": 21, - "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1107", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1107/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Delete Volume USN Journal with Fsutil", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:fsutil.exe and process.args:(deletejournal and usn)", + "risk_score": 21, + "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1107", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1107/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json index e7293eda6390fd..8f77c0c937ced5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Deleting Backup Catalogs with Wbadmin", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wbadmin.exe and process.args:(catalog and delete)", - "risk_score": 21, - "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1107", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1107/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Deleting Backup Catalogs with Wbadmin", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wbadmin.exe and process.args:(catalog and delete)", + "risk_score": 21, + "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1107", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1107/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json index 2896d27e19112f..6e695fef9a75e6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Direct Outbound SMB Connection", - "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or \"::1\")", - "risk_score": 47, - "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1210", - "name": "Exploitation of Remote Services", - "reference": "https://attack.mitre.org/techniques/T1210/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Direct Outbound SMB Connection", + "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or \"::1\")", + "risk_score": 47, + "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json index 42fe51f4e03737..db0e9fbfbcb68f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Disable Windows Firewall Rules via Netsh", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)", - "risk_score": 47, - "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1089", - "name": "Disabling Security Tools", - "reference": "https://attack.mitre.org/techniques/T1089/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Disable Windows Firewall Rules via Netsh", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)", + "risk_score": 47, + "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1089", + "name": "Disabling Security Tools", + "reference": "https://attack.mitre.org/techniques/T1089/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json index eef112503da5bc..e51e78e95c248d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Encoding or Decoding Files via CertUtil", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)", - "risk_score": 47, - "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Encoding or Decoding Files via CertUtil", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)", + "risk_score": 47, + "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json index dbacb2537e60f3..bfc33787347722 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json @@ -1,38 +1,38 @@ -{ - "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.", - "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Local Scheduled Task Commands", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)", - "risk_score": 21, - "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Local Scheduled Task Commands", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)", + "risk_score": 21, + "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json index 648e83b4a5267f..cb79c1c8f523db 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Local Service Commands", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(config or create or failure or start)", - "risk_score": 21, - "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Local Service Commands", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(config or create or failure or start)", + "risk_score": 21, + "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json index 5e8b260d44b55c..5c5b8bd0a434a1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "MsBuild Making Network Connections", - "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or \"::1\")", - "risk_score": 47, - "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "MsBuild Making Network Connections", + "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or \"::1\")", + "risk_score": 47, + "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json index 88bd248e258d88..dea469babeaa93 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json @@ -1,38 +1,38 @@ -{ - "description": "Identifies mshta.exe making a network connection. This may indicate adversarial activity as mshta.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Network Connection via Mshta", - "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:mshta.exe", - "references": [ - "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" - ], - "risk_score": 47, - "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1170", - "name": "Mshta", - "reference": "https://attack.mitre.org/techniques/T1170/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies mshta.exe making a network connection. This may indicate adversarial activity as mshta.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Network Connection via Mshta", + "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:mshta.exe", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + ], + "risk_score": 47, + "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1170", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1170/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json index f763d2aa033630..4c7942622aca3b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json @@ -1,53 +1,53 @@ -{ - "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", - "false_positives": [ - "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "PsExec Network Connection", - "query": "process.name:PsExec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"", - "risk_score": 21, - "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1035", - "name": "Service Execution", - "reference": "https://attack.mitre.org/techniques/T1035/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1035", - "name": "Service Execution", - "reference": "https://attack.mitre.org/techniques/T1035/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", + "false_positives": [ + "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "PsExec Network Connection", + "query": "process.name:PsExec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"", + "risk_score": 21, + "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1035", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1035/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1035", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1035/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json index 95c9c6b72f8f4f..31416486f3331d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Suspicious MS Office Child Process", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)", - "risk_score": 21, - "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1193", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1193/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Suspicious MS Office Child Process", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)", + "risk_score": 21, + "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1193", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1193/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json index 7f6c9257fabfde..647e48d60e2ef6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Suspicious MS Outlook Child Process", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)", - "risk_score": 21, - "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1193", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1193/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Suspicious MS Outlook Child Process", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)", + "risk_score": 21, + "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1193", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1193/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json index f1b1879fc2652c..fbe264ff6aba49 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json @@ -1,35 +1,35 @@ -{ - "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "System Shells via Services", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)", - "risk_score": 47, - "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1050", - "name": "New Service", - "reference": "https://attack.mitre.org/techniques/T1050/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "System Shells via Services", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)", + "risk_score": 47, + "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1050", + "name": "New Service", + "reference": "https://attack.mitre.org/techniques/T1050/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json index 2a7960c939d01b..a56838c06126fe 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Unusual Network Connection via RunDLL32", - "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 21, - "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1085", - "name": "Rundll32", - "reference": "https://attack.mitre.org/techniques/T1085/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Unusual Network Connection via RunDLL32", + "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 21, + "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1085", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1085/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json index 9a28c87c77089c..f1f9d2fec379a2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Unusual Parent-Child Relationship", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and (process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:lsass.exe and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))", - "risk_score": 47, - "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1093", - "name": "Process Hollowing", - "reference": "https://attack.mitre.org/techniques/T1093/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Unusual Parent-Child Relationship", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and (process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:lsass.exe and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))", + "risk_score": 47, + "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1093", + "name": "Process Hollowing", + "reference": "https://attack.mitre.org/techniques/T1093/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json index 43a3d6f6af0b25..2d16906e4d1497 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Unusual Process Network Connection", - "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)", - "risk_score": 21, - "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Unusual Process Network Connection", + "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)", + "risk_score": 21, + "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json index 7054e7f67c3582..efcbd2f8e0f818 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "User Account Creation", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))", - "risk_score": 21, - "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "User Account Creation", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))", + "risk_score": 21, + "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json index 24f1cb72504f38..cc7343deaa9646 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Volume Shadow Copy Deletion via VssAdmin", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:vssadmin.exe and process.args:(delete and shadows)", - "risk_score": 73, - "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", - "severity": "high", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1490", - "name": "Inhibit System Recovery", - "reference": "https://attack.mitre.org/techniques/T1490/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Volume Shadow Copy Deletion via VssAdmin", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:vssadmin.exe and process.args:(delete and shadows)", + "risk_score": 73, + "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", + "severity": "high", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json index bad3c65024e42c..f36b9280986aac 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Volume Shadow Copy Deletion via WMIC", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:WMIC.exe and process.args:(delete and shadowcopy)", - "risk_score": 73, - "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", - "severity": "high", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1107", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1107/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Volume Shadow Copy Deletion via WMIC", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:WMIC.exe and process.args:(delete and shadowcopy)", + "risk_score": 73, + "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", + "severity": "high", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1107", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1107/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json index 52323b169cb223..0497f007b6253e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Script Executing PowerShell", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe", - "risk_score": 21, - "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1193", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1193/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Windows Script Executing PowerShell", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe", + "risk_score": 21, + "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1193", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1193/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json index 1123c1161c4ced..02ddbfffc75fee 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", - "false_positives": [ - "A newly installed program or one that rarely uses the network could trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "linux_anomalous_network_activity_ecs", - "name": "Unusual Linux Network Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "linux_anomalous_network_activity_ecs", + "name": "Unusual Linux Network Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json index 19dd643945b176..785683bd328ec8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.", - "false_positives": [ - "A newly installed program or one that rarely uses the network could trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "linux_anomalous_network_port_activity_ecs", - "name": "Unusual Linux Network Port Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "linux_anomalous_network_port_activity_ecs", + "name": "Unusual Linux Network Port Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json index e2e5803618d061..f1dc8d9cb34b3a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms.", - "false_positives": [ - "A newly installed program or one that rarely uses the network could trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "linux_anomalous_network_service", - "name": "Unusual Linux Network Service", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "linux_anomalous_network_service", + "name": "Unusual Linux Network Service", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json index 40dd2e76c7214c..8fba1f1fb1b4e2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However, Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity.", - "false_positives": [ - "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs", - "name": "Unusual Linux Web Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However, Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity.", + "false_positives": [ + "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs", + "name": "Unusual Linux Web Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json index 6bac2f25fd7dee..3ffcdf6a2ce4c1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "linux_anomalous_process_all_hosts_ecs", - "name": "Anomalous Process For a Linux Population", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "linux_anomalous_process_all_hosts_ecs", + "name": "Anomalous Process For a Linux Population", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json index 8b7e6c89482f73..b9749afbf9eaf2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", - "false_positives": [ - "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "linux_anomalous_user_name_ecs", - "name": "Unusual Linux Username", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", + "false_positives": [ + "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "linux_anomalous_user_name_ecs", + "name": "Unusual Linux Username", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json index 04a56241ea6f66..09a1c34c5cb067 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json @@ -1,24 +1,24 @@ -{ - "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", - "false_positives": [ - "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Hping Process Activity", - "query": "process.name:(hping or hping2 or hping3) and event.action:executed", - "references": [ - "https://en.wikipedia.org/wiki/Hping" - ], - "risk_score": 73, - "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", - "severity": "high", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", + "false_positives": [ + "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Hping Process Activity", + "query": "process.name:(hping or hping2 or hping3) and event.action:executed", + "references": [ + "https://en.wikipedia.org/wiki/Hping" + ], + "risk_score": 73, + "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", + "severity": "high", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json index 80358cc775e3b4..d2fc5fc03c1ecc 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json @@ -1,24 +1,24 @@ -{ - "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.", - "false_positives": [ - "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Potential DNS Tunneling via Iodine", - "query": "process.name:(iodine or iodined) and event.action:executed", - "references": [ - "https://code.kryo.se/iodine/" - ], - "risk_score": 73, - "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", - "severity": "high", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.", + "false_positives": [ + "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Potential DNS Tunneling via Iodine", + "query": "process.name:(iodine or iodined) and event.action:executed", + "references": [ + "https://code.kryo.se/iodine/" + ], + "risk_score": 73, + "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", + "severity": "high", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json index b50fcc4c9980bb..00396816824b54 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json @@ -1,41 +1,41 @@ -{ - "description": "Identifies loadable kernel module errors, which are often indicative of potential persistence attempts.", - "false_positives": [ - "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Persistence via Kernel Module Modification", - "query": "process.name:(insmod or kmod or modprobe or rmod) and event.action:executed", - "references": [ - "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM" - ], - "risk_score": 21, - "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40", - "severity": "low", - "tags": [ - "Elastic", - "Linux" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/techniques/TA0003/" - }, - "technique": [ - { - "id": "T1215", - "name": "Kernel Modules and Extensions", - "reference": "https://attack.mitre.org/techniques/T1215/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies loadable kernel module errors, which are often indicative of potential persistence attempts.", + "false_positives": [ + "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Persistence via Kernel Module Modification", + "query": "process.name:(insmod or kmod or modprobe or rmod) and event.action:executed", + "references": [ + "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM" + ], + "risk_score": 21, + "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40", + "severity": "low", + "tags": [ + "Elastic", + "Linux" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/techniques/TA0003/" + }, + "technique": [ + { + "id": "T1215", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1215/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json index d65440e95ff17a..58d830fbf05b2d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json @@ -1,24 +1,24 @@ -{ - "description": "The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. It is used to export a command shell when the traditional version of netcat is not available to the payload.", - "false_positives": [ - "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Mknod Process Activity", - "query": "process.name:mknod and event.action:executed", - "references": [ - "https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem" - ], - "risk_score": 21, - "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c", - "severity": "low", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. It is used to export a command shell when the traditional version of netcat is not available to the payload.", + "false_positives": [ + "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Mknod Process Activity", + "query": "process.name:mknod and event.action:executed", + "references": [ + "https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem" + ], + "risk_score": 21, + "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c", + "severity": "low", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json index df8e46be7a1c3e..f431cd6103e777 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json @@ -1,26 +1,26 @@ -{ - "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", - "false_positives": [ - "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Netcat Network Activity", - "query": "process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action:(bound-socket or connected-to or socket_opened)", - "references": [ - "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", - "https://en.wikipedia.org/wiki/Netcat" - ], - "risk_score": 47, - "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", - "severity": "medium", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", + "false_positives": [ + "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Netcat Network Activity", + "query": "process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action:(bound-socket or connected-to or socket_opened)", + "references": [ + "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", + "https://en.wikipedia.org/wiki/Netcat" + ], + "risk_score": 47, + "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", + "severity": "medium", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json index 2e5c899ebc6255..3fd1e355adf785 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json @@ -1,24 +1,24 @@ -{ - "description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.", - "false_positives": [ - "Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Nmap Process Activity", - "query": "process.name:nmap", - "references": [ - "https://en.wikipedia.org/wiki/Nmap" - ], - "risk_score": 21, - "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920", - "severity": "low", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.", + "false_positives": [ + "Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Nmap Process Activity", + "query": "process.name:nmap", + "references": [ + "https://en.wikipedia.org/wiki/Nmap" + ], + "risk_score": 21, + "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920", + "severity": "low", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json index 168b30121c4bb3..7c6db258320575 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json @@ -1,24 +1,24 @@ -{ - "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", - "false_positives": [ - "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Nping Process Activity", - "query": "process.name:nping and event.action:executed", - "references": [ - "https://en.wikipedia.org/wiki/Nmap" - ], - "risk_score": 47, - "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", - "severity": "medium", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", + "false_positives": [ + "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Nping Process Activity", + "query": "process.name:nping and event.action:executed", + "references": [ + "https://en.wikipedia.org/wiki/Nmap" + ], + "risk_score": 47, + "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", + "severity": "medium", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json index 0865ac6c70cb26..267bdd151872c7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json @@ -1,21 +1,21 @@ -{ - "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.", - "false_positives": [ - "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Unusual Process Execution - Temp", - "query": "process.working_directory:/tmp and event.action:executed", - "risk_score": 47, - "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a", - "severity": "medium", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.", + "false_positives": [ + "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Unusual Process Execution - Temp", + "query": "process.working_directory:/tmp and event.action:executed", + "risk_score": 47, + "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a", + "severity": "medium", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json index e9c4c95bb92849..87e1583af9ebf4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json @@ -1,41 +1,41 @@ -{ - "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", - "false_positives": [ - "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Potential Shell via Web Server", - "query": "process.name:bash and user.name:(apache or www or www-data) and event.action:executed", - "references": [ - "https://pentestlab.blog/tag/web-shell/" - ], - "risk_score": 47, - "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb", - "severity": "medium", - "tags": [ - "Elastic", - "Linux" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/techniques/TA0003/" - }, - "technique": [ - { - "id": "T1100", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1100/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", + "false_positives": [ + "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Potential Shell via Web Server", + "query": "process.name:bash and user.name:(apache or www or www-data) and event.action:executed", + "references": [ + "https://pentestlab.blog/tag/web-shell/" + ], + "risk_score": 47, + "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb", + "severity": "medium", + "tags": [ + "Elastic", + "Linux" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/techniques/TA0003/" + }, + "technique": [ + { + "id": "T1100", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1100/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json index 404fea63aff946..8d8b897665fd86 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json @@ -1,24 +1,24 @@ -{ - "description": "A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, or by serving a shell on a listening port. Socat is also sometimes used for lateral movement.", - "false_positives": [ - "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Socat Process Activity", - "query": "process.name:socat and not process.args:-V and event.action:executed", - "references": [ - "https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat" - ], - "risk_score": 47, - "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126", - "severity": "medium", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, or by serving a shell on a listening port. Socat is also sometimes used for lateral movement.", + "false_positives": [ + "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Socat Process Activity", + "query": "process.name:socat and not process.args:-V and event.action:executed", + "references": [ + "https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat" + ], + "risk_score": 47, + "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126", + "severity": "medium", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json index fbdfa9e66682d7..62ff74e4ddf490 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json @@ -1,24 +1,24 @@ -{ - "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.", - "false_positives": [ - "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Strace Process Activity", - "query": "process.name:strace and event.action:executed", - "references": [ - "https://en.wikipedia.org/wiki/Strace" - ], - "risk_score": 21, - "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5", - "severity": "low", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.", + "false_positives": [ + "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Strace Process Activity", + "query": "process.name:strace and event.action:executed", + "references": [ + "https://en.wikipedia.org/wiki/Strace" + ], + "risk_score": 21, + "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5", + "severity": "low", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json index 82771074e7c29d..e29650f02ed875 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json @@ -1,53 +1,53 @@ -{ - "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.", - "false_positives": [ - "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Network Sniffing via Tcpdump", - "query": "process.name:tcpdump and event.action:executed", - "risk_score": 21, - "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0", - "severity": "low", - "tags": [ - "Elastic", - "Linux" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1040", - "name": "Network Sniffing", - "reference": "https://attack.mitre.org/techniques/T1040/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1040", - "name": "Network Sniffing", - "reference": "https://attack.mitre.org/techniques/T1040/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.", + "false_positives": [ + "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Network Sniffing via Tcpdump", + "query": "process.name:tcpdump and event.action:executed", + "risk_score": 21, + "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0", + "severity": "low", + "tags": [ + "Elastic", + "Linux" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1040", + "name": "Network Sniffing", + "reference": "https://attack.mitre.org/techniques/T1040/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1040", + "name": "Network Sniffing", + "reference": "https://attack.mitre.org/techniques/T1040/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json index 7e7f041581eb07..8e762e89e42d07 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json @@ -1,38 +1,38 @@ -{ - "description": "The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.", - "false_positives": [ - "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "User Discovery via Whoami", - "query": "process.name:whoami and event.action:executed", - "risk_score": 21, - "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9", - "severity": "low", - "tags": [ - "Elastic", - "Linux" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1033", - "name": "System Owner/User Discovery", - "reference": "https://attack.mitre.org/techniques/T1033/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.", + "false_positives": [ + "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "User Discovery via Whoami", + "query": "process.name:whoami and event.action:executed", + "risk_score": 21, + "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9", + "severity": "low", + "tags": [ + "Elastic", + "Linux" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json index e08d681d144635..3c69078ec4f373 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json @@ -1,42 +1,42 @@ -{ - "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications.", - "false_positives": [ - "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "DNS Activity to the Internet", - "query": "destination.port:53 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")", - "references": [ - "https://www.us-cert.gov/ncas/alerts/TA15-240A", - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf" - ], - "risk_score": 47, - "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications.", + "false_positives": [ + "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "DNS Activity to the Internet", + "query": "destination.port:53 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")", + "references": [ + "https://www.us-cert.gov/ncas/alerts/TA15-240A", + "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf" + ], + "risk_score": 47, + "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json index 24c3bad8172273..2a39ca23f7fca5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "This rule detects events that may indicate the use of FTP network connections to the Internet. The File Transfer Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be unauthorized.", - "false_positives": [ - "FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "FTP (File Transfer Protocol) Activity to the Internet", - "query": "network.transport:tcp and destination.port:(20 or 21) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 21, - "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects events that may indicate the use of FTP network connections to the Internet. The File Transfer Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be unauthorized.", + "false_positives": [ + "FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "FTP (File Transfer Protocol) Activity to the Internet", + "query": "network.transport:tcp and destination.port:(20 or 21) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 21, + "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json index bf286d4cab5069..455f7b84cfefff 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.", - "false_positives": [ - "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", - "query": "network.transport:tcp and destination.port:(6667 or 6697) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 47, - "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.", + "false_positives": [ + "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", + "query": "network.transport:tcp and destination.port:(6667 or 6697) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 47, + "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json index 61c1e3d47cf7a1..e86ebc64ebdc11 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json @@ -1,38 +1,38 @@ -{ - "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", - "false_positives": [ - "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "IPSEC NAT Traversal Port Activity", - "query": "network.transport:udp and destination.port:4500", - "risk_score": 21, - "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", + "false_positives": [ + "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "IPSEC NAT Traversal Port Activity", + "query": "network.transport:udp and destination.port:4500", + "risk_score": 21, + "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json index a9a39b61884c50..cbd6cb26ade832 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json @@ -1,57 +1,57 @@ -{ - "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", - "false_positives": [ - "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "SMTP on Port 26/TCP", - "query": "network.transport:tcp and destination.port:26", - "references": [ - "https://unit42.paloaltonetworks.com/unit42-badpatch/", - "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" - ], - "risk_score": 21, - "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", + "false_positives": [ + "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "SMTP on Port 26/TCP", + "query": "network.transport:tcp and destination.port:26", + "references": [ + "https://unit42.paloaltonetworks.com/unit42-badpatch/", + "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" + ], + "risk_score": 21, + "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json index 2f1390411f97b4..7e3fbe92bb7e32 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json @@ -1,38 +1,38 @@ -{ - "description": "TCP Port 8000 is commonly used for development environments of web server software. It generally should not be exposed directly to the Internet. If you are running software like this on the Internet, you should consider placing it behind a reverse proxy.", - "false_positives": [ - "Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "TCP Port 8000 Activity to the Internet", - "query": "network.transport:tcp and destination.port:8000 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 21, - "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "TCP Port 8000 is commonly used for development environments of web server software. It generally should not be exposed directly to the Internet. If you are running software like this on the Internet, you should consider placing it behind a reverse proxy.", + "false_positives": [ + "Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "TCP Port 8000 Activity to the Internet", + "query": "network.transport:tcp and destination.port:8000 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 21, + "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json index f7170d8d33a516..f1689d3fd11708 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json @@ -1,38 +1,38 @@ -{ - "description": "This rule detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection.", - "false_positives": [ - "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "PPTP (Point to Point Tunneling Protocol) Activity", - "query": "network.transport:tcp and destination.port:1723", - "risk_score": 21, - "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "This rule detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection.", + "false_positives": [ + "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "PPTP (Point to Point Tunneling Protocol) Activity", + "query": "network.transport:tcp and destination.port:1723", + "risk_score": 21, + "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json index da4319cf15307c..854a303e66af97 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json @@ -1,38 +1,38 @@ -{ - "description": "This rule detects events that may describe network events of proxy use to the Internet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments will use an internal IP address for a proxy server. It can also be used to circumvent network controls and detection mechanisms.", - "false_positives": [ - "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. Internet proxy services using these ports can be white-listed if desired. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "Proxy Port Activity to the Internet", - "query": "network.transport:tcp and destination.port:(1080 or 3128 or 8080) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 47, - "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects events that may describe network events of proxy use to the Internet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments will use an internal IP address for a proxy server. It can also be used to circumvent network controls and detection mechanisms.", + "false_positives": [ + "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. Internet proxy services using these ports can be white-listed if desired. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "Proxy Port Activity to the Internet", + "query": "network.transport:tcp and destination.port:(1080 or 3128 or 8080) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 47, + "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json index d3b65a36f084bf..dc2650c63d26da 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json @@ -1,68 +1,68 @@ -{ - "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "RDP (Remote Desktop Protocol) from the Internet", - "query": "network.transport:tcp and destination.port:3389 and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 47, - "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "RDP (Remote Desktop Protocol) from the Internet", + "query": "network.transport:tcp and destination.port:3389 and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 47, + "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json index 79618a867c73f4..47a1addb925bba 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "This rule detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "RDP (Remote Desktop Protocol) to the Internet", - "query": "network.transport:tcp and destination.port:3389 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 21, - "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "RDP (Remote Desktop Protocol) to the Internet", + "query": "network.transport:tcp and destination.port:3389 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 21, + "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json index da1e46750f3bd1..15c2e504c033f4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json @@ -1,35 +1,35 @@ -{ - "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "RPC (Remote Procedure Call) from the Internet", - "query": "network.transport:tcp and destination.port:135 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 73, - "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", - "severity": "high", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "RPC (Remote Procedure Call) from the Internet", + "query": "network.transport:tcp and destination.port:135 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 73, + "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", + "severity": "high", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json index d07d19b8fffee9..6e5c552045afb2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json @@ -1,35 +1,35 @@ -{ - "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "RPC (Remote Procedure Call) to the Internet", - "query": "network.transport:tcp and destination.port:135 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 73, - "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", - "severity": "high", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "RPC (Remote Procedure Call) to the Internet", + "query": "network.transport:tcp and destination.port:135 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 73, + "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", + "severity": "high", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json index 93a4b0ebbbd8e4..073f7d7a58c2bd 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json @@ -1,50 +1,50 @@ -{ - "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector or for data exfiltration.", - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "SMB (Windows File Sharing) Activity to the Internet", - "query": "network.transport:tcp and destination.port:(139 or 445) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 73, - "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", - "severity": "high", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector or for data exfiltration.", + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "SMB (Windows File Sharing) Activity to the Internet", + "query": "network.transport:tcp and destination.port:(139 or 445) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 73, + "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", + "severity": "high", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json index ca287605490efb..4023e63df0ab9b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "This rule detects events that may describe SMTP traffic from internal hosts to a host across the Internet. In an enterprise network, there is typically a dedicated internal host that performs this function. It is also frequently abused by threat actors for command and control, or data exfiltration.", - "false_positives": [ - "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "SMTP to the Internet", - "query": "network.transport:tcp and destination.port:(25 or 465 or 587) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 21, - "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects events that may describe SMTP traffic from internal hosts to a host across the Internet. In an enterprise network, there is typically a dedicated internal host that performs this function. It is also frequently abused by threat actors for command and control, or data exfiltration.", + "false_positives": [ + "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "SMTP to the Internet", + "query": "network.transport:tcp and destination.port:(25 or 465 or 587) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 21, + "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json index 3a5bd5bff98f53..6bec24199b3eb2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json @@ -1,38 +1,38 @@ -{ - "description": "This rule detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources.", - "false_positives": [ - "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "SQL Traffic to the Internet", - "query": "network.transport:tcp and destination.port:(1433 or 1521 or 3336 or 5432) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 47, - "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources.", + "false_positives": [ + "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "SQL Traffic to the Internet", + "query": "network.transport:tcp and destination.port:(1433 or 1521 or 3336 or 5432) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 47, + "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json index 429a91183e88a0..7c7aab3da16c98 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json @@ -1,68 +1,68 @@ -{ - "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "SSH (Secure Shell) from the Internet", - "query": "network.transport:tcp and destination.port:22 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 47, - "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "SSH (Secure Shell) from the Internet", + "query": "network.transport:tcp and destination.port:22 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 47, + "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json index a260245b4dadef..aa5afd1dcb1774 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json @@ -1,38 +1,38 @@ -{ - "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "SSH (Secure Shell) to the Internet", - "query": "network.transport:tcp and destination.port:22 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 21, - "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "SSH (Secure Shell) to the Internet", + "query": "network.transport:tcp and destination.port:22 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 21, + "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json index 4cfe15683c8255..9d9dc31f28320c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json @@ -1,68 +1,68 @@ -{ - "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embed ed systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.", - "false_positives": [ - "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "Telnet Port Activity", - "query": "network.transport:tcp and destination.port:23", - "risk_score": 47, - "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embed ed systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.", + "false_positives": [ + "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "Telnet Port Activity", + "query": "network.transport:tcp and destination.port:23", + "risk_score": 47, + "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json index 8c8bb809c9fec9..57e8dd9e35bdd7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection.", - "false_positives": [ - "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "Tor Activity to the Internet", - "query": "network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 47, - "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1188", - "name": "Multi-hop Proxy", - "reference": "https://attack.mitre.org/techniques/T1188/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection.", + "false_positives": [ + "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "Tor Activity to the Internet", + "query": "network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 47, + "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1188", + "name": "Multi-hop Proxy", + "reference": "https://attack.mitre.org/techniques/T1188/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json index 4204a4fe62e884..18c65dcae6b3dc 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "VNC (Virtual Network Computing) from the Internet", - "query": "network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 73, - "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", - "severity": "high", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1219", - "name": "Remote Access Tools", - "reference": "https://attack.mitre.org/techniques/T1219/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "VNC (Virtual Network Computing) from the Internet", + "query": "network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 73, + "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", + "severity": "high", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json index 898282e36df192..3c155d672bb505 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json @@ -1,38 +1,38 @@ -{ - "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "VNC (Virtual Network Computing) to the Internet", - "query": "network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 47, - "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1219", - "name": "Remote Access Tools", - "reference": "https://attack.mitre.org/techniques/T1219/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "VNC (Virtual Network Computing) to the Internet", + "query": "network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 47, + "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json index 01246de5595e93..fc5edbc8105307 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json @@ -1,42 +1,42 @@ -{ - "description": "A request to a web application server contained no identifying user agent string.", - "false_positives": [ - "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." - ], - "filters": [ - { - "$state": { - "store": "appState" - }, - "exists": { - "field": "user_agent.original" - }, - "meta": { - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "user_agent.original", - "negate": true, - "type": "exists", - "value": "exists" - } - } - ], - "index": [ - "apm-*-transaction*" - ], - "language": "kuery", - "name": "Web Application Suspicious Activity: No User Agent", - "query": "url.path:*", - "references": [ - "https://en.wikipedia.org/wiki/User_agent" - ], - "risk_score": 47, - "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d", - "severity": "medium", - "tags": [ - "APM", - "Elastic" - ], - "type": "query", - "version": 2 +{ + "description": "A request to a web application server contained no identifying user agent string.", + "false_positives": [ + "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." + ], + "filters": [ + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "user_agent.original" + }, + "meta": { + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "user_agent.original", + "negate": true, + "type": "exists", + "value": "exists" + } + } + ], + "index": [ + "apm-*-transaction*" + ], + "language": "kuery", + "name": "Web Application Suspicious Activity: No User Agent", + "query": "url.path:*", + "references": [ + "https://en.wikipedia.org/wiki/User_agent" + ], + "risk_score": 47, + "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d", + "severity": "medium", + "tags": [ + "APM", + "Elastic" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json index c70725dcb645a3..ba2f06108b83ff 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.", - "false_positives": [ - "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this signal and such parent domains can be excluded." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "packetbeat_dns_tunneling", - "name": "DNS Tunneling", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Packetbeat" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.", + "false_positives": [ + "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this signal and such parent domains can be excluded." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "packetbeat_dns_tunneling", + "name": "DNS Tunneling", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Packetbeat" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json index 3ed40ddf278645..22de14c244a3d1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal. Network activity that occurs rarely, in small quantities, can trigger this signal. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "packetbeat_rare_dns_question", - "name": "Unusual DNS Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "746edc4c-c54c-49c6-97a1-651223819448", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Packetbeat" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal. Network activity that occurs rarely, in small quantities, can trigger this signal. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "packetbeat_rare_dns_question", + "name": "Unusual DNS Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "746edc4c-c54c-49c6-97a1-651223819448", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Packetbeat" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json index c49bc95be75d20..b625bde25c3e9e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", - "false_positives": [ - "Web activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "packetbeat_rare_server_domain", - "name": "Unusual Network Destination Domain Name", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Packetbeat" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", + "false_positives": [ + "Web activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "packetbeat_rare_server_domain", + "name": "Unusual Network Destination Domain Name", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Packetbeat" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json index 02a4a5f729a163..dda007b8883d86 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.", - "false_positives": [ - "Web activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "packetbeat_rare_urls", - "name": "Unusual Web Request", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Packetbeat" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.", + "false_positives": [ + "Web activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "packetbeat_rare_urls", + "name": "Unusual Web Request", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Packetbeat" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json index 76ed6b263a704f..12bd8747ff3c2d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.", - "false_positives": [ - "Web activity that is uncommon, like security scans, may trigger this signal and may need to be excluded. A new or rarely used program that calls web services may trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "packetbeat_rare_user_agent", - "name": "Unusual Web User Agent", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Packetbeat" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.", + "false_positives": [ + "Web activity that is uncommon, like security scans, may trigger this signal and may need to be excluded. A new or rarely used program that calls web services may trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "packetbeat_rare_user_agent", + "name": "Unusual Web User Agent", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Packetbeat" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json index 048f93e170656e..79631ae2a88e32 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "rare_process_by_host_linux_ecs", - "name": "Unusual Process For a Linux Host", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "rare_process_by_host_linux_ecs", + "name": "Unusual Process For a Linux Host", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json index 7bc46cdc04dd26..5bac93445143df 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "rare_process_by_host_windows_ecs", - "name": "Unusual Process For a Windows Host", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "rare_process_by_host_windows_ecs", + "name": "Unusual Process For a Windows Host", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json index 10412c19da1b1e..4f1efa5ada0638 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json @@ -1,24 +1,24 @@ -{ - "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.", - "false_positives": [ - "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity." - ], - "index": [ - "apm-*-transaction*" - ], - "language": "kuery", - "name": "Web Application Suspicious Activity: sqlmap User Agent", - "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"", - "references": [ - "http://sqlmap.org/" - ], - "risk_score": 47, - "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820", - "severity": "medium", - "tags": [ - "APM", - "Elastic" - ], - "type": "query", - "version": 2 +{ + "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.", + "false_positives": [ + "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity." + ], + "index": [ + "apm-*-transaction*" + ], + "language": "kuery", + "name": "Web Application Suspicious Activity: sqlmap User Agent", + "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"", + "references": [ + "http://sqlmap.org/" + ], + "risk_score": 47, + "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820", + "severity": "medium", + "tags": [ + "APM", + "Elastic" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json index 915bc1bcfc051a..55689c99c93f1a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies an unusually high number of authentication attempts.", - "false_positives": [ - "Security audits may trigger this signal. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "suspicious_login_activity_ecs", - "name": "Unusual Login Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies an unusually high number of authentication attempts.", + "false_positives": [ + "Security audits may trigger this signal. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "suspicious_login_activity_ecs", + "name": "Unusual Login Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json index 72671760c9c8d1..019249716e1023 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", - "false_positives": [ - "A newly installed program or one that rarely uses the network could trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "windows_anomalous_network_activity_ecs", - "name": "Unusual Windows Network Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_anomalous_network_activity_ecs", + "name": "Unusual Windows Network Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json index 082fce438ca9e9..77646c60729674 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", - "false_positives": [ - "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this signal. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "windows_anomalous_path_activity_ecs", - "name": "Unusual Windows Path Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", + "false_positives": [ + "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this signal. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_anomalous_path_activity_ecs", + "name": "Unusual Windows Path Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json index 93469b5a062232..242b344a4dd9da 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "windows_anomalous_process_all_hosts_ecs", - "name": "Anomalous Process For a Windows Population", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_anomalous_process_all_hosts_ecs", + "name": "Anomalous Process For a Windows Population", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json index 1b80e443baae6b..631c868b081cd8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", - "false_positives": [ - "Users running scripts in the course of technical support operations of software upgrades could trigger this signal. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "windows_anomalous_process_creation", - "name": "Anomalous Windows Process Creation", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", + "false_positives": [ + "Users running scripts in the course of technical support operations of software upgrades could trigger this signal. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_anomalous_process_creation", + "name": "Anomalous Windows Process Creation", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json index 4de5443bcaf3fc..551e421c86c314 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", - "false_positives": [ - "Certain kinds of security testing may trigger this signal. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "windows_anomalous_script", - "name": "Suspicious Powershell Script", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", + "false_positives": [ + "Certain kinds of security testing may trigger this signal. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_anomalous_script", + "name": "Suspicious Powershell Script", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json index 7e0641fee68c22..862fe71d7082c4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "windows_anomalous_service", - "name": "Unusual Windows Service", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_anomalous_service", + "name": "Unusual Windows Service", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json index 217404b6eb4744..78966be38d5a5d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", - "false_positives": [ - "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "windows_anomalous_user_name_ecs", - "name": "Unusual Windows Username", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", + "false_positives": [ + "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_anomalous_user_name_ecs", + "name": "Unusual Windows Username", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_network_connection.json index 52a373e3aeb77e..db75515684155c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_network_connection.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Network Connection via Certutil", - "query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 21, - "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Remote File Copy", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Network Connection via Certutil", + "query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 21, + "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Remote File Copy", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json index 2bee265a74e11c..f8b8bcf64d5b75 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", - "false_positives": [ - "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Command Prompt Network Connection", - "query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 21, - "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command-Line Interface", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Remote File Copy", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", + "false_positives": [ + "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Command Prompt Network Connection", + "query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 21, + "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command-Line Interface", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Remote File Copy", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json index d8f91dba7dd890..fac5bf924c86e4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json @@ -1,50 +1,50 @@ -{ - "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "PowerShell spawning Cmd", - "query": "process.parent.name:powershell.exe and process.name:cmd.exe", - "risk_score": 21, - "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command-Line Interface", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1086", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1086/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "PowerShell spawning Cmd", + "query": "process.parent.name:powershell.exe and process.name:cmd.exe", + "risk_score": 21, + "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command-Line Interface", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1086", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1086/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json index 6fd194ee2fa22b..5c6a7f9f996e35 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Svchost spawning Cmd", - "query": "process.parent.name:svchost.exe and process.name:cmd.exe", - "risk_score": 21, - "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command-Line Interface", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Svchost spawning Cmd", + "query": "process.parent.name:svchost.exe and process.name:cmd.exe", + "risk_score": 21, + "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command-Line Interface", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_msbuild.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_msbuild.json index 43050e2769a241..bf5a89b2e1a685 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_msbuild.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_msbuild.json @@ -1,38 +1,38 @@ -{ - "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Microsoft Build Engine Loading Windows Credential Libraries", - "query": "(winlog.event_data.OriginalFileName: (vaultcli.dll or SAMLib.DLL) or dll.name: (vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe and event.action: \"Image loaded (rule: ImageLoad)\"", - "risk_score": 73, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", - "severity": "high", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Microsoft Build Engine Loading Windows Credential Libraries", + "query": "(winlog.event_data.OriginalFileName: (vaultcli.dll or SAMLib.DLL) or dll.name: (vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe and event.action: \"Image loaded (rule: ImageLoad)\"", + "risk_score": 73, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", + "severity": "high", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_cve_2020_0601.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_cve_2020_0601.json index f5eb37c70d268a..878494b9027365 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_cve_2020_0601.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_cve_2020_0601.json @@ -1,35 +1,35 @@ -{ - "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"", - "risk_score": 21, - "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1116", - "name": "Code Signing", - "reference": "https://attack.mitre.org/techniques/T1116/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", + "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"", + "risk_score": 21, + "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1116", + "name": "Code Signing", + "reference": "https://attack.mitre.org/techniques/T1116/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json index 0e8c5a5f2f631a..d15bc671599f82 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json @@ -1,35 +1,35 @@ -{ - "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Potential Evasion via Filter Manager", - "query": "event.code:1 and process.name:fltMC.exe", - "risk_score": 21, - "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1222", - "name": "File and Directory Permissions Modification", - "reference": "https://attack.mitre.org/techniques/T1222/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Potential Evasion via Filter Manager", + "query": "event.code:1 and process.name:fltMC.exe", + "risk_score": 21, + "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_office_app.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_office_app.json index 72e02f8718d039..1c7426ebbf9e16 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_office_app.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_office_app.json @@ -1,56 +1,56 @@ -{ - "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Microsoft Build Engine Started by an Office Application", - "query": "process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe) and event.action: \"Process Create (rule: ProcessCreate)\"", - "references": [ - "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" - ], - "risk_score": 73, - "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", - "severity": "high", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Microsoft Build Engine Started by an Office Application", + "query": "process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe) and event.action: \"Process Create (rule: ProcessCreate)\"", + "references": [ + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" + ], + "risk_score": 73, + "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", + "severity": "high", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_script.json index ad519f1516aa65..7a390b45a9918b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_script.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_script.json @@ -1,53 +1,53 @@ -{ - "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Microsoft Build Engine Started by a Script Process", - "query": "process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe) and event.action:\"Process Create (rule: ProcessCreate)\"", - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Microsoft Build Engine Started by a Script Process", + "query": "process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe) and event.action:\"Process Create (rule: ProcessCreate)\"", + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_system_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_system_process.json index 1bbce904f25184..47ef24a888f6d8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_system_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_system_process.json @@ -1,53 +1,53 @@ -{ - "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Microsoft Build Engine Started by a System Process", - "query": "process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe) and event.action:\"Process Create (rule: ProcessCreate)\"", - "risk_score": 47, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Microsoft Build Engine Started by a System Process", + "query": "process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe) and event.action:\"Process Create (rule: ProcessCreate)\"", + "risk_score": 47, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_renamed.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_renamed.json index eea4b3b4efe10d..c14f134d1365a1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_renamed.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_renamed.json @@ -1,38 +1,38 @@ -{ - "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Microsoft Build Engine Using an Alternate Name", - "query": "(pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName: MSBuild.exe) and not process.name: MSBuild.exe and event.action: \"Process Create (rule: ProcessCreate)\"", - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Microsoft Build Engine Using an Alternate Name", + "query": "(pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName: MSBuild.exe) and not process.name: MSBuild.exe and event.action: \"Process Create (rule: ProcessCreate)\"", + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_unusal_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_unusal_process.json index 81ea14e2653887..920a991e9ed579 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_unusal_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_unusal_process.json @@ -1,41 +1,41 @@ -{ - "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Microsoft Build Engine Started an Unusual Process", - "query": "process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)", - "references": [ - "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" - ], - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1500", - "name": "Compile After Delivery", - "reference": "https://attack.mitre.org/techniques/T1500/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Microsoft Build Engine Started an Unusual Process", + "query": "process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)", + "references": [ + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1500", + "name": "Compile After Delivery", + "reference": "https://attack.mitre.org/techniques/T1500/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json index 7755ff0233f7ce..9c03844194af4c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json @@ -1,53 +1,53 @@ -{ - "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", - "false_positives": [ - "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Process Activity via Compiled HTML File", - "query": "event.code:1 and process.name:hh.exe", - "risk_score": 21, - "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1223", - "name": "Compiled HTML File", - "reference": "https://attack.mitre.org/techniques/T1223/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1223", - "name": "Compiled HTML File", - "reference": "https://attack.mitre.org/techniques/T1223/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", + "false_positives": [ + "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Process Activity via Compiled HTML File", + "query": "event.code:1 and process.name:hh.exe", + "risk_score": 21, + "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1223", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1223/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1223", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1223/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json index d6acb81c10e3fa..ddc9c47a4dbb57 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json @@ -1,50 +1,50 @@ -{ - "description": "RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to register .NET Component Object Model (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows utility.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Execution via Regsvcs/Regasm", - "query": "process.name:(RegAsm.exe or RegSvcs.exe) and event.action:\"Process Create (rule: ProcessCreate)\"", - "risk_score": 21, - "rule_id": "47f09343-8d1f-4bb5-8bb0-00c9d18f5010", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1121", - "name": "Regsvcs/Regasm", - "reference": "https://attack.mitre.org/techniques/T1121/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1121", - "name": "Regsvcs/Regasm", - "reference": "https://attack.mitre.org/techniques/T1121/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to register .NET Component Object Model (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows utility.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Execution via Regsvcs/Regasm", + "query": "process.name:(RegAsm.exe or RegSvcs.exe) and event.action:\"Process Create (rule: ProcessCreate)\"", + "risk_score": 21, + "rule_id": "47f09343-8d1f-4bb5-8bb0-00c9d18f5010", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1121", + "name": "Regsvcs/Regasm", + "reference": "https://attack.mitre.org/techniques/T1121/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1121", + "name": "Regsvcs/Regasm", + "reference": "https://attack.mitre.org/techniques/T1121/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json index 87e38febb07433..f0fd1b49a261e8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json @@ -1,53 +1,53 @@ -{ - "description": "Identifies possibly suspicious activity using trusted Windows developer activity.", - "false_positives": [ - "These programs may be used by Windows developers but use by non-engineers is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Trusted Developer Application Usage", - "query": "event.code:1 and process.name:(MSBuild.exe or msxsl.exe)", - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies possibly suspicious activity using trusted Windows developer activity.", + "false_positives": [ + "These programs may be used by Windows developers but use by non-engineers is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Trusted Developer Application Usage", + "query": "event.code:1 and process.name:(MSBuild.exe or msxsl.exe)", + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json index 6c8cd0673256ac..cfc5af3dc82d4a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json @@ -1,50 +1,50 @@ -{ - "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Network Connection via Compiled HTML File", - "query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 21, - "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1223", - "name": "Compiled HTML File", - "reference": "https://attack.mitre.org/techniques/T1223/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1223", - "name": "Compiled HTML File", - "reference": "https://attack.mitre.org/techniques/T1223/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Network Connection via Compiled HTML File", + "query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 21, + "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1223", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1223/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1223", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1223/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_injection_msbuild.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_injection_msbuild.json index c6310c12ed974b..9f6946c46a2c9c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_injection_msbuild.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_injection_msbuild.json @@ -1,53 +1,53 @@ -{ - "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Process Injection by the Microsoft Build Engine", - "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"", - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Process Injection by the Microsoft Build Engine", + "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"", + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json index a0e311d8eb1543..131c7708493e24 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json @@ -1,50 +1,50 @@ -{ - "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application whitelisting and signature validation.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Network Connection via Signed Binary", - "query": "process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 21, - "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "Signed Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1218", - "name": "Signed Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application whitelisting and signature validation.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Network Connection via Signed Binary", + "query": "process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 21, + "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_modification_of_boot_config.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_modification_of_boot_config.json index 045a9789b12609..98eb3ca8dfb809 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_modification_of_boot_config.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_modification_of_boot_config.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Modification of Boot Configuration", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))", - "risk_score": 21, - "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1107", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1107/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Modification of Boot Configuration", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))", + "risk_score": 21, + "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1107", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1107/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_msxsl_network.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_msxsl_network.json index e80dcde1e398db..633ac503b13ec3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_msxsl_network.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_msxsl_network.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Network Connection via MsXsl", - "query": "process.name:msxsl.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 21, - "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1220", - "name": "XSL Script Processing", - "reference": "https://attack.mitre.org/techniques/T1220/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Network Connection via MsXsl", + "query": "process.name:msxsl.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 21, + "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1220", + "name": "XSL Script Processing", + "reference": "https://attack.mitre.org/techniques/T1220/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_system_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_system_account.json index c2379142df002a..d538ec7c4d2b76 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_system_account.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_system_account.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It is used in command line operations for control of users, groups, services, and network connections.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Net command via SYSTEM account", - "query": "(process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM and event.action:\"Process Create (rule: ProcessCreate)\"", - "risk_score": 21, - "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1087", - "name": "Account Discovery", - "reference": "https://attack.mitre.org/techniques/T1087/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It is used in command line operations for control of users, groups, services, and network connections.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Net command via SYSTEM account", + "query": "(process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM and event.action:\"Process Create (rule: ProcessCreate)\"", + "risk_score": 21, + "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json index 2f44727f9e6f05..c6cfa6d9738eaf 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json @@ -1,50 +1,50 @@ -{ - "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Potential Application Shimming via Sdbinst", - "query": "event.code:1 and process.name:sdbinst.exe", - "risk_score": 21, - "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1138", - "name": "Application Shimming", - "reference": "https://attack.mitre.org/techniques/T1138/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1138", - "name": "Application Shimming", - "reference": "https://attack.mitre.org/techniques/T1138/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Potential Application Shimming via Sdbinst", + "query": "event.code:1 and process.name:sdbinst.exe", + "risk_score": 21, + "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1138", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1138/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1138", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1138/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json index aeff071ed4514e..3982c57303ab81 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json @@ -1,50 +1,50 @@ -{ - "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Potential Modification of Accessibility Binaries", - "query": "event.code:1 and process.parent.name:winlogon.exe and process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)", - "risk_score": 21, - "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1015", - "name": "Accessibility Features", - "reference": "https://attack.mitre.org/techniques/T1015/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1015", - "name": "Accessibility Features", - "reference": "https://attack.mitre.org/techniques/T1015/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Potential Modification of Accessibility Binaries", + "query": "event.code:1 and process.parent.name:winlogon.exe and process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)", + "risk_score": 21, + "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1015", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1015/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1015", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1015/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json index 3a883fa51b763b..2b5338a7167815 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json @@ -1,38 +1,38 @@ -{ - "description": "Adversaries may attempt to get information about running processes on a system.", - "false_positives": [ - "Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Process Discovery via Tasklist", - "query": "event.code:1 and process.name:tasklist.exe", - "risk_score": 21, - "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1057", - "name": "Process Discovery", - "reference": "https://attack.mitre.org/techniques/T1057/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Adversaries may attempt to get information about running processes on a system.", + "false_positives": [ + "Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Process Discovery via Tasklist", + "query": "event.code:1 and process.name:tasklist.exe", + "risk_score": 21, + "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json index 3dca119b5a28ee..6da11e04ae535f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", - "false_positives": [ - "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "windows_rare_user_runas_event", - "name": "Unusual Windows User Privilege Elevation Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", + "false_positives": [ + "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_rare_user_runas_event", + "name": "Unusual Windows User Privilege Elevation Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json index 09ff2a0cedf41c..330f160472726d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", - "false_positives": [ - "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-16m", - "interval": "15m", - "machine_learning_job_id": "windows_rare_user_type10_remote_login", - "name": "Unusual Windows Remote User", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", + "false_positives": [ + "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_rare_user_type10_remote_login", + "name": "Unusual Windows Remote User", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json index 1e061f2ef9463c..bdf51b4538692b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of an attacker bypassing whitelisting or running arbitrary scripts via a signed Microsoft binary.", - "false_positives": [ - "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Network Connection via Regsvr", - "query": "process.name:(regsvr32.exe or regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 21, - "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1117", - "name": "Regsvr32", - "reference": "https://attack.mitre.org/techniques/T1117/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1117", - "name": "Regsvr32", - "reference": "https://attack.mitre.org/techniques/T1117/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of an attacker bypassing whitelisting or running arbitrary scripts via a signed Microsoft binary.", + "false_positives": [ + "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Network Connection via Regsvr", + "query": "process.name:(regsvr32.exe or regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 21, + "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1117", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1117/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1117", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1117/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_pdf_reader.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_pdf_reader.json index 9d4c2438acfb9f..cac51f6a50c072 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_pdf_reader.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_pdf_reader.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Suspicious PDF Reader Child Process", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)", - "risk_score": 21, - "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1204", - "name": "User Execution", - "reference": "https://attack.mitre.org/techniques/T1204/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Suspicious PDF Reader Child Process", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)", + "risk_score": 21, + "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_uac_bypass_event_viewer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_uac_bypass_event_viewer.json index df7a6fe1285d1c..0796c5904e44e6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_uac_bypass_event_viewer.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_uac_bypass_event_viewer.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Bypass UAC via Event Viewer", - "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")", - "risk_score": 21, - "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1088", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1088/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Bypass UAC via Event Viewer", + "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")", + "risk_score": 21, + "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1088", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1088/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json index 93ce1f83dd64ec..b5cff435d4b75c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json @@ -1,38 +1,38 @@ -{ - "description": "Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", - "false_positives": [ - "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Whoami Process Activity", - "query": "process.name:whoami.exe and event.code:1", - "risk_score": 21, - "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1033", - "name": "System Owner/User Discovery", - "reference": "https://attack.mitre.org/techniques/T1033/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", + "false_positives": [ + "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Whoami Process Activity", + "query": "process.name:whoami.exe and event.code:1", + "risk_score": 21, + "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file From 6f2d48e3d4f92a2deb1fd75fa172a1816b9a95c7 Mon Sep 17 00:00:00 2001 From: Craig Date: Thu, 9 Apr 2020 15:16:06 -0400 Subject: [PATCH 2/2] re-import with LF chars --- .../403_response_to_a_post.json | 46 +++--- .../405_response_method_not_allowed.json | 46 +++--- ..._security_adversary_behavior_detected.json | 38 ++--- ...dpoint_security_cred_dumping_detected.json | 38 ++--- ...point_security_cred_dumping_prevented.json | 38 ++--- ...t_security_cred_manipulation_detected.json | 38 ++--- ..._security_cred_manipulation_prevented.json | 38 ++--- ...ic_endpoint_security_exploit_detected.json | 38 ++--- ...c_endpoint_security_exploit_prevented.json | 38 ++--- ...ic_endpoint_security_malware_detected.json | 38 ++--- ...c_endpoint_security_malware_prevented.json | 38 ++--- ...nt_security_permission_theft_detected.json | 38 ++--- ...t_security_permission_theft_prevented.json | 38 ++--- ...t_security_process_injection_detected.json | 38 ++--- ..._security_process_injection_prevented.json | 38 ++--- ...endpoint_security_ransomware_detected.json | 38 ++--- ...ndpoint_security_ransomware_prevented.json | 38 ++--- ...den_file_attribute_with_via_attribexe.json | 98 ++++++------- .../eql_adobe_hijack_persistence.json | 68 ++++----- .../eql_clearing_windows_event_logs.json | 68 ++++----- ...delete_volume_usn_journal_with_fsutil.json | 68 ++++----- ...deleting_backup_catalogs_with_wbadmin.json | 68 ++++----- .../eql_direct_outbound_smb_connection.json | 68 ++++----- ...ble_windows_firewall_rules_with_netsh.json | 68 ++++----- ...coding_or_decoding_files_via_certutil.json | 68 ++++----- .../eql_local_scheduled_task_commands.json | 74 +++++----- .../eql_local_service_commands.json | 68 ++++----- ...ql_msbuild_making_network_connections.json | 68 ++++----- .../eql_mshta_making_network_connections.json | 74 +++++----- .../eql_psexec_lateral_movement_command.json | 104 +++++++------- ...ql_suspicious_ms_office_child_process.json | 68 ++++----- ...l_suspicious_ms_outlook_child_process.json | 68 ++++----- .../eql_system_shells_via_services.json | 68 ++++----- ...usual_network_connection_via_rundll32.json | 68 ++++----- .../eql_unusual_parentchild_relationship.json | 68 ++++----- ...ql_unusual_process_network_connection.json | 68 ++++----- .../eql_user_account_creation.json | 68 ++++----- ...ume_shadow_copy_deletion_via_vssadmin.json | 68 ++++----- ..._volume_shadow_copy_deletion_via_wmic.json | 68 ++++----- ...l_windows_script_executing_powershell.json | 68 ++++----- .../linux_anomalous_network_activity.json | 46 +++--- ...linux_anomalous_network_port_activity.json | 46 +++--- .../linux_anomalous_network_service.json | 46 +++--- .../linux_anomalous_network_url_activity.json | 46 +++--- .../linux_anomalous_process_all_hosts.json | 46 +++--- .../linux_anomalous_user_name.json | 46 +++--- .../linux_hping_activity.json | 46 +++--- .../linux_iodine_activity.json | 46 +++--- .../linux_kernel_module_activity.json | 80 +++++------ .../linux_mknod_activity.json | 46 +++--- .../linux_netcat_network_connection.json | 50 +++---- .../linux_nmap_activity.json | 46 +++--- .../linux_nping_activity.json | 46 +++--- ...nux_process_started_in_temp_directory.json | 40 +++--- .../linux_shell_activity_by_web_server.json | 80 +++++------ .../linux_socat_activity.json | 46 +++--- .../linux_strace_activity.json | 46 +++--- .../linux_tcpdump_activity.json | 104 +++++++------- .../linux_whoami_commmand.json | 74 +++++----- .../network_dns_directly_to_the_internet.json | 82 +++++------ ...fer_protocol_activity_to_the_internet.json | 104 +++++++------- ...hat_protocol_activity_to_the_internet.json | 104 +++++++------- .../network_nat_traversal_port_activity.json | 74 +++++----- .../network_port_26_activity.json | 112 +++++++-------- ...rk_port_8000_activity_to_the_internet.json | 74 +++++----- ..._to_point_tunneling_protocol_activity.json | 74 +++++----- ...k_proxy_port_activity_to_the_internet.json | 74 +++++----- ...te_desktop_protocol_from_the_internet.json | 134 +++++++++--------- ...mote_desktop_protocol_to_the_internet.json | 104 +++++++------- ...mote_procedure_call_from_the_internet.json | 68 ++++----- ...remote_procedure_call_to_the_internet.json | 68 ++++----- ...file_sharing_activity_to_the_internet.json | 98 ++++++------- .../network_smtp_to_the_internet.json | 104 +++++++------- ..._server_port_activity_to_the_internet.json | 74 +++++----- ...rk_ssh_secure_shell_from_the_internet.json | 134 +++++++++--------- ...work_ssh_secure_shell_to_the_internet.json | 74 +++++----- .../network_telnet_port_activity.json | 134 +++++++++--------- .../network_tor_activity_to_the_internet.json | 104 +++++++------- ...l_network_computing_from_the_internet.json | 104 +++++++------- ...ual_network_computing_to_the_internet.json | 74 +++++----- .../prepackaged_rules/null_user_agent.json | 82 +++++------ .../packetbeat_dns_tunneling.json | 46 +++--- .../packetbeat_rare_dns_question.json | 46 +++--- .../packetbeat_rare_server_domain.json | 46 +++--- .../packetbeat_rare_urls.json | 46 +++--- .../packetbeat_rare_user_agent.json | 46 +++--- .../rare_process_by_host_linux.json | 46 +++--- .../rare_process_by_host_windows.json | 46 +++--- .../prepackaged_rules/sqlmap_user_agent.json | 46 +++--- .../suspicious_login_activity.json | 46 +++--- .../windows_anomalous_network_activity.json | 46 +++--- .../windows_anomalous_path_activity.json | 46 +++--- .../windows_anomalous_process_all_hosts.json | 46 +++--- .../windows_anomalous_process_creation.json | 46 +++--- .../windows_anomalous_script.json | 46 +++--- .../windows_anomalous_service.json | 46 +++--- .../windows_anomalous_user_name.json | 46 +++--- .../windows_certutil_network_connection.json | 68 ++++----- ...and_prompt_connecting_to_the_internet.json | 104 +++++++------- ...s_command_shell_started_by_powershell.json | 98 ++++++------- ...dows_command_shell_started_by_svchost.json | 68 ++++----- .../windows_credential_dumping_msbuild.json | 74 +++++----- .../windows_cve_2020_0601.json | 68 ++++----- ...ws_defense_evasion_via_filter_manager.json | 68 ++++----- ...ecution_msbuild_started_by_office_app.json | 110 +++++++------- ...s_execution_msbuild_started_by_script.json | 104 +++++++------- ...ion_msbuild_started_by_system_process.json | 104 +++++++------- ...ows_execution_msbuild_started_renamed.json | 74 +++++----- ...cution_msbuild_started_unusal_process.json | 80 +++++------ ...dows_execution_via_compiled_html_file.json | 104 +++++++------- ...dows_execution_via_net_com_assemblies.json | 98 ++++++------- ...ution_via_trusted_developer_utilities.json | 104 +++++++------- ...le_program_connecting_to_the_internet.json | 98 ++++++------- .../windows_injection_msbuild.json | 104 +++++++------- ...isc_lolbin_connecting_to_the_internet.json | 98 ++++++------- .../windows_modification_of_boot_config.json | 68 ++++----- .../windows_msxsl_network.json | 68 ++++----- .../windows_net_command_system_account.json | 68 ++++----- ..._persistence_via_application_shimming.json | 98 ++++++------- ...escalation_via_accessibility_features.json | 98 ++++++------- ...rocess_discovery_via_tasklist_command.json | 74 +++++----- .../windows_rare_user_runas_event.json | 46 +++--- ...windows_rare_user_type10_remote_login.json | 46 +++--- ...er_program_connecting_to_the_internet.json | 104 +++++++------- .../windows_suspicious_pdf_reader.json | 68 ++++----- .../windows_uac_bypass_event_viewer.json | 68 ++++----- .../windows_whoami_command_activity.json | 74 +++++----- 127 files changed, 4313 insertions(+), 4313 deletions(-) diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json index 74a9764ea558e3..d4118d0686b111 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json @@ -1,24 +1,24 @@ -{ - "description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed", - "false_positives": [ - "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." - ], - "index": [ - "apm-*-transaction*" - ], - "language": "kuery", - "name": "Web Application Suspicious Activity: POST Request Declined", - "query": "http.response.status_code:403 and http.request.method:post", - "references": [ - "https://en.wikipedia.org/wiki/HTTP_403" - ], - "risk_score": 47, - "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", - "severity": "medium", - "tags": [ - "APM", - "Elastic" - ], - "type": "query", - "version": 2 +{ + "description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed", + "false_positives": [ + "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." + ], + "index": [ + "apm-*-transaction*" + ], + "language": "kuery", + "name": "Web Application Suspicious Activity: POST Request Declined", + "query": "http.response.status_code:403 and http.request.method:post", + "references": [ + "https://en.wikipedia.org/wiki/HTTP_403" + ], + "risk_score": 47, + "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", + "severity": "medium", + "tags": [ + "APM", + "Elastic" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json index fbbdd0f83e1f15..da27f0a71d281b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json @@ -1,24 +1,24 @@ -{ - "description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource", - "false_positives": [ - "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." - ], - "index": [ - "apm-*-transaction*" - ], - "language": "kuery", - "name": "Web Application Suspicious Activity: Unauthorized Method", - "query": "http.response.status_code:405", - "references": [ - "https://en.wikipedia.org/wiki/HTTP_405" - ], - "risk_score": 47, - "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef", - "severity": "medium", - "tags": [ - "APM", - "Elastic" - ], - "type": "query", - "version": 2 +{ + "description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource", + "false_positives": [ + "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." + ], + "index": [ + "apm-*-transaction*" + ], + "language": "kuery", + "name": "Web Application Suspicious Activity: Unauthorized Method", + "query": "http.response.status_code:405", + "references": [ + "https://en.wikipedia.org/wiki/HTTP_405" + ], + "risk_score": 47, + "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef", + "severity": "medium", + "tags": [ + "APM", + "Elastic" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json index 7a62ef44838f5c..cfc322788d4be9 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected an Adversary Behavior. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Adversary Behavior - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)", - "risk_score": 47, - "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69", - "severity": "medium", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected an Adversary Behavior. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Adversary Behavior - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)", + "risk_score": 47, + "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json index eaa86ea5eac22c..0647fe9c9ce109 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Credential Dumping - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)", - "risk_score": 73, - "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", - "severity": "high", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Credential Dumping - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)", + "risk_score": 73, + "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json index 5524f5f0864300..036c88688d9bdd 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint prevented Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Credential Dumping - Prevented - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)", - "risk_score": 47, - "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", - "severity": "medium", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint prevented Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Credential Dumping - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)", + "risk_score": 47, + "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json index 776c800791996f..0fe610d5511527 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Credential Manipulation - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)", - "risk_score": 73, - "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", - "severity": "high", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Credential Manipulation - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)", + "risk_score": 73, + "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json index 084914b2a475c5..a317c77bcd90aa 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint prevented Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Credential Manipulation - Prevented - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)", - "risk_score": 47, - "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", - "severity": "medium", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint prevented Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Credential Manipulation - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)", + "risk_score": 47, + "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json index 782c9d5e299704..97640c0cea9b22 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Exploit - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)", - "risk_score": 73, - "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", - "severity": "high", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Exploit - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)", + "risk_score": 73, + "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json index f656155fa47500..069687a5af00fd 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint prevented an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Exploit - Prevented - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)", - "risk_score": 47, - "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", - "severity": "medium", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint prevented an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Exploit - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)", + "risk_score": 47, + "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json index c6f536e1e7f555..a7d3371190cedd 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Malware - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)", - "risk_score": 99, - "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de", - "severity": "critical", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Malware - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)", + "risk_score": 99, + "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de", + "severity": "critical", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json index 71fec58740995b..dd7bf72c34f900 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint prevented Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Malware - Prevented - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)", - "risk_score": 73, - "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895", - "severity": "high", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint prevented Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Malware - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)", + "risk_score": 73, + "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json index 6829f0f18526fc..a8e102cc4619d1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Permission Theft - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)", - "risk_score": 73, - "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", - "severity": "high", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Permission Theft - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)", + "risk_score": 73, + "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json index a8d3cb31f16a98..c97330f2349eb6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint prevented Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Permission Theft - Prevented - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)", - "risk_score": 47, - "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b", - "severity": "medium", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint prevented Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Permission Theft - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)", + "risk_score": 47, + "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json index f8e35b845ae2b6..e644c0e8d66eb4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Process Injection - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)", - "risk_score": 73, - "rule_id": "80c52164-c82a-402c-9964-852533d58be1", - "severity": "high", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Process Injection - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)", + "risk_score": 73, + "rule_id": "80c52164-c82a-402c-9964-852533d58be1", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json index 176c71a1cfc701..61cbe267f9a465 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint prevented Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Process Injection - Prevented - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)", - "risk_score": 47, - "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e", - "severity": "medium", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint prevented Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Process Injection - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)", + "risk_score": 47, + "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json index ee90b812a0156a..0e88b26cb2c758 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint detected Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Ransomware - Detected - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)", - "risk_score": 99, - "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd", - "severity": "critical", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint detected Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Ransomware - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)", + "risk_score": 99, + "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd", + "severity": "critical", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json index bf5d71c799a25a..ba341f059f26d5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json @@ -1,20 +1,20 @@ -{ - "description": "Elastic Endpoint prevented Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", - "from": "now-660s", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "name": "Ransomware - Prevented - Elastic Endpoint", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)", - "risk_score": 73, - "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac", - "severity": "high", - "tags": [ - "Elastic", - "Endpoint" - ], - "type": "query", - "version": 2 +{ + "description": "Elastic Endpoint prevented Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "name": "Ransomware - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)", + "risk_score": 73, + "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json index 19bfb78a04df78..25d2232d3f6dc5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json @@ -1,50 +1,50 @@ -{ - "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Adding Hidden File Attribute via Attrib", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:attrib.exe and process.args:+h", - "risk_score": 21, - "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1158", - "name": "Hidden Files and Directories", - "reference": "https://attack.mitre.org/techniques/T1158/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1158", - "name": "Hidden Files and Directories", - "reference": "https://attack.mitre.org/techniques/T1158/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Adding Hidden File Attribute via Attrib", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:attrib.exe and process.args:+h", + "risk_score": 21, + "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1158", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1158/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1158", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1158/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json index 2fb6d32ac097de..3b4d2bc0402179 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json @@ -1,35 +1,35 @@ -{ - "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Adobe Hijack Persistence", - "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexec.exe", - "risk_score": 21, - "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1044", - "name": "File System Permissions Weakness", - "reference": "https://attack.mitre.org/techniques/T1044/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Adobe Hijack Persistence", + "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexec.exe", + "risk_score": 21, + "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1044", + "name": "File System Permissions Weakness", + "reference": "https://attack.mitre.org/techniques/T1044/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json index e1307c6bdbc3cf..1c73d6c276ce6c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Clearing Windows Event Logs", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog", - "risk_score": 21, - "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal on Host", - "reference": "https://attack.mitre.org/techniques/T1070/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Clearing Windows Event Logs", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog", + "risk_score": 21, + "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json index b42a847c9618c0..0bfa18398eada2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Delete Volume USN Journal with Fsutil", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:fsutil.exe and process.args:(deletejournal and usn)", - "risk_score": 21, - "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1107", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1107/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Delete Volume USN Journal with Fsutil", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:fsutil.exe and process.args:(deletejournal and usn)", + "risk_score": 21, + "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1107", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1107/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json index 8f77c0c937ced5..e7293eda6390fd 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Deleting Backup Catalogs with Wbadmin", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wbadmin.exe and process.args:(catalog and delete)", - "risk_score": 21, - "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1107", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1107/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Deleting Backup Catalogs with Wbadmin", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wbadmin.exe and process.args:(catalog and delete)", + "risk_score": 21, + "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1107", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1107/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json index 6e695fef9a75e6..2896d27e19112f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Direct Outbound SMB Connection", - "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or \"::1\")", - "risk_score": 47, - "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1210", - "name": "Exploitation of Remote Services", - "reference": "https://attack.mitre.org/techniques/T1210/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Direct Outbound SMB Connection", + "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or \"::1\")", + "risk_score": 47, + "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json index db0e9fbfbcb68f..42fe51f4e03737 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Disable Windows Firewall Rules via Netsh", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)", - "risk_score": 47, - "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1089", - "name": "Disabling Security Tools", - "reference": "https://attack.mitre.org/techniques/T1089/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Disable Windows Firewall Rules via Netsh", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)", + "risk_score": 47, + "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1089", + "name": "Disabling Security Tools", + "reference": "https://attack.mitre.org/techniques/T1089/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json index e51e78e95c248d..eef112503da5bc 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Encoding or Decoding Files via CertUtil", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)", - "risk_score": 47, - "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Encoding or Decoding Files via CertUtil", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)", + "risk_score": 47, + "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json index bfc33787347722..dbacb2537e60f3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json @@ -1,38 +1,38 @@ -{ - "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.", - "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Local Scheduled Task Commands", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)", - "risk_score": 21, - "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Local Scheduled Task Commands", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)", + "risk_score": 21, + "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json index cb79c1c8f523db..648e83b4a5267f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Local Service Commands", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(config or create or failure or start)", - "risk_score": 21, - "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Local Service Commands", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(config or create or failure or start)", + "risk_score": 21, + "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json index 5c5b8bd0a434a1..5e8b260d44b55c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "MsBuild Making Network Connections", - "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or \"::1\")", - "risk_score": 47, - "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "MsBuild Making Network Connections", + "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or \"::1\")", + "risk_score": 47, + "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json index dea469babeaa93..88bd248e258d88 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json @@ -1,38 +1,38 @@ -{ - "description": "Identifies mshta.exe making a network connection. This may indicate adversarial activity as mshta.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Network Connection via Mshta", - "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:mshta.exe", - "references": [ - "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" - ], - "risk_score": 47, - "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1170", - "name": "Mshta", - "reference": "https://attack.mitre.org/techniques/T1170/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies mshta.exe making a network connection. This may indicate adversarial activity as mshta.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Network Connection via Mshta", + "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:mshta.exe", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + ], + "risk_score": 47, + "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1170", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1170/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json index 4c7942622aca3b..f763d2aa033630 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json @@ -1,53 +1,53 @@ -{ - "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", - "false_positives": [ - "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "PsExec Network Connection", - "query": "process.name:PsExec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"", - "risk_score": 21, - "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1035", - "name": "Service Execution", - "reference": "https://attack.mitre.org/techniques/T1035/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1035", - "name": "Service Execution", - "reference": "https://attack.mitre.org/techniques/T1035/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", + "false_positives": [ + "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "PsExec Network Connection", + "query": "process.name:PsExec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"", + "risk_score": 21, + "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1035", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1035/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1035", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1035/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json index 31416486f3331d..95c9c6b72f8f4f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Suspicious MS Office Child Process", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)", - "risk_score": 21, - "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1193", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1193/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Suspicious MS Office Child Process", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)", + "risk_score": 21, + "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1193", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1193/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json index 647e48d60e2ef6..7f6c9257fabfde 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Suspicious MS Outlook Child Process", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)", - "risk_score": 21, - "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1193", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1193/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Suspicious MS Outlook Child Process", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)", + "risk_score": 21, + "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1193", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1193/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json index fbe264ff6aba49..f1b1879fc2652c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json @@ -1,35 +1,35 @@ -{ - "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "System Shells via Services", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)", - "risk_score": 47, - "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1050", - "name": "New Service", - "reference": "https://attack.mitre.org/techniques/T1050/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "System Shells via Services", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)", + "risk_score": 47, + "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1050", + "name": "New Service", + "reference": "https://attack.mitre.org/techniques/T1050/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json index a56838c06126fe..2a7960c939d01b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Unusual Network Connection via RunDLL32", - "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 21, - "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1085", - "name": "Rundll32", - "reference": "https://attack.mitre.org/techniques/T1085/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Unusual Network Connection via RunDLL32", + "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 21, + "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1085", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1085/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json index f1f9d2fec379a2..9a28c87c77089c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Unusual Parent-Child Relationship", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and (process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:lsass.exe and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))", - "risk_score": 47, - "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1093", - "name": "Process Hollowing", - "reference": "https://attack.mitre.org/techniques/T1093/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Unusual Parent-Child Relationship", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and (process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:lsass.exe and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))", + "risk_score": 47, + "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1093", + "name": "Process Hollowing", + "reference": "https://attack.mitre.org/techniques/T1093/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json index 2d16906e4d1497..43a3d6f6af0b25 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Unusual Process Network Connection", - "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)", - "risk_score": 21, - "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Unusual Process Network Connection", + "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)", + "risk_score": 21, + "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json index efcbd2f8e0f818..7054e7f67c3582 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "User Account Creation", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))", - "risk_score": 21, - "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "User Account Creation", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))", + "risk_score": 21, + "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json index cc7343deaa9646..24f1cb72504f38 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Volume Shadow Copy Deletion via VssAdmin", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:vssadmin.exe and process.args:(delete and shadows)", - "risk_score": 73, - "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", - "severity": "high", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1490", - "name": "Inhibit System Recovery", - "reference": "https://attack.mitre.org/techniques/T1490/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Volume Shadow Copy Deletion via VssAdmin", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:vssadmin.exe and process.args:(delete and shadows)", + "risk_score": 73, + "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", + "severity": "high", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json index f36b9280986aac..bad3c65024e42c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Volume Shadow Copy Deletion via WMIC", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:WMIC.exe and process.args:(delete and shadowcopy)", - "risk_score": 73, - "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", - "severity": "high", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1107", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1107/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Volume Shadow Copy Deletion via WMIC", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:WMIC.exe and process.args:(delete and shadowcopy)", + "risk_score": 73, + "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", + "severity": "high", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1107", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1107/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json index 0497f007b6253e..52323b169cb223 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Script Executing PowerShell", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe", - "risk_score": 21, - "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1193", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1193/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Windows Script Executing PowerShell", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe", + "risk_score": 21, + "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1193", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1193/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json index 02ddbfffc75fee..fe248a6c1e23ea 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", - "false_positives": [ - "A newly installed program or one that rarely uses the network could trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "linux_anomalous_network_activity_ecs", - "name": "Unusual Linux Network Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "linux_anomalous_network_activity_ecs", + "name": "Unusual Linux Network Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json index 785683bd328ec8..d435d4c10f05c6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.", - "false_positives": [ - "A newly installed program or one that rarely uses the network could trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "linux_anomalous_network_port_activity_ecs", - "name": "Unusual Linux Network Port Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "linux_anomalous_network_port_activity_ecs", + "name": "Unusual Linux Network Port Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json index f1dc8d9cb34b3a..0b82ce99d0b7ff 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms.", - "false_positives": [ - "A newly installed program or one that rarely uses the network could trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "linux_anomalous_network_service", - "name": "Unusual Linux Network Service", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "linux_anomalous_network_service", + "name": "Unusual Linux Network Service", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json index 8fba1f1fb1b4e2..26af34e18a4c80 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However, Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity.", - "false_positives": [ - "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs", - "name": "Unusual Linux Web Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However, Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity.", + "false_positives": [ + "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs", + "name": "Unusual Linux Web Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json index 3ffcdf6a2ce4c1..d15c4fc7943782 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "linux_anomalous_process_all_hosts_ecs", - "name": "Anomalous Process For a Linux Population", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "linux_anomalous_process_all_hosts_ecs", + "name": "Anomalous Process For a Linux Population", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json index b9749afbf9eaf2..2f33948b0a93e4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", - "false_positives": [ - "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "linux_anomalous_user_name_ecs", - "name": "Unusual Linux Username", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", + "false_positives": [ + "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "linux_anomalous_user_name_ecs", + "name": "Unusual Linux Username", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json index 09a1c34c5cb067..04a56241ea6f66 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json @@ -1,24 +1,24 @@ -{ - "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", - "false_positives": [ - "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Hping Process Activity", - "query": "process.name:(hping or hping2 or hping3) and event.action:executed", - "references": [ - "https://en.wikipedia.org/wiki/Hping" - ], - "risk_score": 73, - "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", - "severity": "high", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", + "false_positives": [ + "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Hping Process Activity", + "query": "process.name:(hping or hping2 or hping3) and event.action:executed", + "references": [ + "https://en.wikipedia.org/wiki/Hping" + ], + "risk_score": 73, + "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", + "severity": "high", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json index d2fc5fc03c1ecc..80358cc775e3b4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json @@ -1,24 +1,24 @@ -{ - "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.", - "false_positives": [ - "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Potential DNS Tunneling via Iodine", - "query": "process.name:(iodine or iodined) and event.action:executed", - "references": [ - "https://code.kryo.se/iodine/" - ], - "risk_score": 73, - "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", - "severity": "high", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.", + "false_positives": [ + "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Potential DNS Tunneling via Iodine", + "query": "process.name:(iodine or iodined) and event.action:executed", + "references": [ + "https://code.kryo.se/iodine/" + ], + "risk_score": 73, + "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", + "severity": "high", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json index 00396816824b54..b50fcc4c9980bb 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json @@ -1,41 +1,41 @@ -{ - "description": "Identifies loadable kernel module errors, which are often indicative of potential persistence attempts.", - "false_positives": [ - "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Persistence via Kernel Module Modification", - "query": "process.name:(insmod or kmod or modprobe or rmod) and event.action:executed", - "references": [ - "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM" - ], - "risk_score": 21, - "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40", - "severity": "low", - "tags": [ - "Elastic", - "Linux" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/techniques/TA0003/" - }, - "technique": [ - { - "id": "T1215", - "name": "Kernel Modules and Extensions", - "reference": "https://attack.mitre.org/techniques/T1215/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies loadable kernel module errors, which are often indicative of potential persistence attempts.", + "false_positives": [ + "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Persistence via Kernel Module Modification", + "query": "process.name:(insmod or kmod or modprobe or rmod) and event.action:executed", + "references": [ + "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM" + ], + "risk_score": 21, + "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40", + "severity": "low", + "tags": [ + "Elastic", + "Linux" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/techniques/TA0003/" + }, + "technique": [ + { + "id": "T1215", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1215/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json index 58d830fbf05b2d..d65440e95ff17a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json @@ -1,24 +1,24 @@ -{ - "description": "The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. It is used to export a command shell when the traditional version of netcat is not available to the payload.", - "false_positives": [ - "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Mknod Process Activity", - "query": "process.name:mknod and event.action:executed", - "references": [ - "https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem" - ], - "risk_score": 21, - "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c", - "severity": "low", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. It is used to export a command shell when the traditional version of netcat is not available to the payload.", + "false_positives": [ + "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Mknod Process Activity", + "query": "process.name:mknod and event.action:executed", + "references": [ + "https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem" + ], + "risk_score": 21, + "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c", + "severity": "low", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json index f431cd6103e777..df8e46be7a1c3e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json @@ -1,26 +1,26 @@ -{ - "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", - "false_positives": [ - "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Netcat Network Activity", - "query": "process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action:(bound-socket or connected-to or socket_opened)", - "references": [ - "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", - "https://en.wikipedia.org/wiki/Netcat" - ], - "risk_score": 47, - "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", - "severity": "medium", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", + "false_positives": [ + "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Netcat Network Activity", + "query": "process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action:(bound-socket or connected-to or socket_opened)", + "references": [ + "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", + "https://en.wikipedia.org/wiki/Netcat" + ], + "risk_score": 47, + "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", + "severity": "medium", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json index 3fd1e355adf785..2e5c899ebc6255 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json @@ -1,24 +1,24 @@ -{ - "description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.", - "false_positives": [ - "Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Nmap Process Activity", - "query": "process.name:nmap", - "references": [ - "https://en.wikipedia.org/wiki/Nmap" - ], - "risk_score": 21, - "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920", - "severity": "low", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.", + "false_positives": [ + "Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Nmap Process Activity", + "query": "process.name:nmap", + "references": [ + "https://en.wikipedia.org/wiki/Nmap" + ], + "risk_score": 21, + "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920", + "severity": "low", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json index 7c6db258320575..168b30121c4bb3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json @@ -1,24 +1,24 @@ -{ - "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", - "false_positives": [ - "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Nping Process Activity", - "query": "process.name:nping and event.action:executed", - "references": [ - "https://en.wikipedia.org/wiki/Nmap" - ], - "risk_score": 47, - "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", - "severity": "medium", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", + "false_positives": [ + "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Nping Process Activity", + "query": "process.name:nping and event.action:executed", + "references": [ + "https://en.wikipedia.org/wiki/Nmap" + ], + "risk_score": 47, + "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", + "severity": "medium", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json index 267bdd151872c7..0865ac6c70cb26 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json @@ -1,21 +1,21 @@ -{ - "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.", - "false_positives": [ - "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Unusual Process Execution - Temp", - "query": "process.working_directory:/tmp and event.action:executed", - "risk_score": 47, - "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a", - "severity": "medium", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.", + "false_positives": [ + "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Unusual Process Execution - Temp", + "query": "process.working_directory:/tmp and event.action:executed", + "risk_score": 47, + "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a", + "severity": "medium", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json index 87e1583af9ebf4..e9c4c95bb92849 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json @@ -1,41 +1,41 @@ -{ - "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", - "false_positives": [ - "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Potential Shell via Web Server", - "query": "process.name:bash and user.name:(apache or www or www-data) and event.action:executed", - "references": [ - "https://pentestlab.blog/tag/web-shell/" - ], - "risk_score": 47, - "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb", - "severity": "medium", - "tags": [ - "Elastic", - "Linux" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/techniques/TA0003/" - }, - "technique": [ - { - "id": "T1100", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1100/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", + "false_positives": [ + "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Potential Shell via Web Server", + "query": "process.name:bash and user.name:(apache or www or www-data) and event.action:executed", + "references": [ + "https://pentestlab.blog/tag/web-shell/" + ], + "risk_score": 47, + "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb", + "severity": "medium", + "tags": [ + "Elastic", + "Linux" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/techniques/TA0003/" + }, + "technique": [ + { + "id": "T1100", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1100/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json index 8d8b897665fd86..404fea63aff946 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json @@ -1,24 +1,24 @@ -{ - "description": "A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, or by serving a shell on a listening port. Socat is also sometimes used for lateral movement.", - "false_positives": [ - "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Socat Process Activity", - "query": "process.name:socat and not process.args:-V and event.action:executed", - "references": [ - "https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat" - ], - "risk_score": 47, - "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126", - "severity": "medium", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, or by serving a shell on a listening port. Socat is also sometimes used for lateral movement.", + "false_positives": [ + "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Socat Process Activity", + "query": "process.name:socat and not process.args:-V and event.action:executed", + "references": [ + "https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat" + ], + "risk_score": 47, + "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126", + "severity": "medium", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json index 62ff74e4ddf490..fbdfa9e66682d7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json @@ -1,24 +1,24 @@ -{ - "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.", - "false_positives": [ - "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Strace Process Activity", - "query": "process.name:strace and event.action:executed", - "references": [ - "https://en.wikipedia.org/wiki/Strace" - ], - "risk_score": 21, - "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5", - "severity": "low", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 2 +{ + "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.", + "false_positives": [ + "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Strace Process Activity", + "query": "process.name:strace and event.action:executed", + "references": [ + "https://en.wikipedia.org/wiki/Strace" + ], + "risk_score": 21, + "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5", + "severity": "low", + "tags": [ + "Elastic", + "Linux" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json index e29650f02ed875..82771074e7c29d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json @@ -1,53 +1,53 @@ -{ - "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.", - "false_positives": [ - "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "Network Sniffing via Tcpdump", - "query": "process.name:tcpdump and event.action:executed", - "risk_score": 21, - "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0", - "severity": "low", - "tags": [ - "Elastic", - "Linux" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1040", - "name": "Network Sniffing", - "reference": "https://attack.mitre.org/techniques/T1040/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1040", - "name": "Network Sniffing", - "reference": "https://attack.mitre.org/techniques/T1040/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.", + "false_positives": [ + "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "Network Sniffing via Tcpdump", + "query": "process.name:tcpdump and event.action:executed", + "risk_score": 21, + "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0", + "severity": "low", + "tags": [ + "Elastic", + "Linux" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1040", + "name": "Network Sniffing", + "reference": "https://attack.mitre.org/techniques/T1040/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1040", + "name": "Network Sniffing", + "reference": "https://attack.mitre.org/techniques/T1040/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json index 8e762e89e42d07..7e7f041581eb07 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json @@ -1,38 +1,38 @@ -{ - "description": "The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.", - "false_positives": [ - "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "name": "User Discovery via Whoami", - "query": "process.name:whoami and event.action:executed", - "risk_score": 21, - "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9", - "severity": "low", - "tags": [ - "Elastic", - "Linux" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1033", - "name": "System Owner/User Discovery", - "reference": "https://attack.mitre.org/techniques/T1033/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.", + "false_positives": [ + "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks." + ], + "index": [ + "auditbeat-*" + ], + "language": "kuery", + "name": "User Discovery via Whoami", + "query": "process.name:whoami and event.action:executed", + "risk_score": 21, + "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9", + "severity": "low", + "tags": [ + "Elastic", + "Linux" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json index 3c69078ec4f373..e08d681d144635 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json @@ -1,42 +1,42 @@ -{ - "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications.", - "false_positives": [ - "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "DNS Activity to the Internet", - "query": "destination.port:53 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")", - "references": [ - "https://www.us-cert.gov/ncas/alerts/TA15-240A", - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf" - ], - "risk_score": 47, - "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications.", + "false_positives": [ + "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "DNS Activity to the Internet", + "query": "destination.port:53 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")", + "references": [ + "https://www.us-cert.gov/ncas/alerts/TA15-240A", + "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf" + ], + "risk_score": 47, + "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json index 2a39ca23f7fca5..24c3bad8172273 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "This rule detects events that may indicate the use of FTP network connections to the Internet. The File Transfer Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be unauthorized.", - "false_positives": [ - "FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "FTP (File Transfer Protocol) Activity to the Internet", - "query": "network.transport:tcp and destination.port:(20 or 21) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 21, - "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects events that may indicate the use of FTP network connections to the Internet. The File Transfer Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be unauthorized.", + "false_positives": [ + "FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "FTP (File Transfer Protocol) Activity to the Internet", + "query": "network.transport:tcp and destination.port:(20 or 21) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 21, + "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json index 455f7b84cfefff..bf286d4cab5069 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.", - "false_positives": [ - "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", - "query": "network.transport:tcp and destination.port:(6667 or 6697) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 47, - "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.", + "false_positives": [ + "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", + "query": "network.transport:tcp and destination.port:(6667 or 6697) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 47, + "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json index e86ebc64ebdc11..61c1e3d47cf7a1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json @@ -1,38 +1,38 @@ -{ - "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", - "false_positives": [ - "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "IPSEC NAT Traversal Port Activity", - "query": "network.transport:udp and destination.port:4500", - "risk_score": 21, - "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", + "false_positives": [ + "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "IPSEC NAT Traversal Port Activity", + "query": "network.transport:udp and destination.port:4500", + "risk_score": 21, + "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json index cbd6cb26ade832..a9a39b61884c50 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json @@ -1,57 +1,57 @@ -{ - "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", - "false_positives": [ - "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "SMTP on Port 26/TCP", - "query": "network.transport:tcp and destination.port:26", - "references": [ - "https://unit42.paloaltonetworks.com/unit42-badpatch/", - "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" - ], - "risk_score": 21, - "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", + "false_positives": [ + "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "SMTP on Port 26/TCP", + "query": "network.transport:tcp and destination.port:26", + "references": [ + "https://unit42.paloaltonetworks.com/unit42-badpatch/", + "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" + ], + "risk_score": 21, + "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json index 7e3fbe92bb7e32..2f1390411f97b4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json @@ -1,38 +1,38 @@ -{ - "description": "TCP Port 8000 is commonly used for development environments of web server software. It generally should not be exposed directly to the Internet. If you are running software like this on the Internet, you should consider placing it behind a reverse proxy.", - "false_positives": [ - "Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "TCP Port 8000 Activity to the Internet", - "query": "network.transport:tcp and destination.port:8000 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 21, - "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "TCP Port 8000 is commonly used for development environments of web server software. It generally should not be exposed directly to the Internet. If you are running software like this on the Internet, you should consider placing it behind a reverse proxy.", + "false_positives": [ + "Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "TCP Port 8000 Activity to the Internet", + "query": "network.transport:tcp and destination.port:8000 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 21, + "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json index f1689d3fd11708..f7170d8d33a516 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json @@ -1,38 +1,38 @@ -{ - "description": "This rule detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection.", - "false_positives": [ - "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "PPTP (Point to Point Tunneling Protocol) Activity", - "query": "network.transport:tcp and destination.port:1723", - "risk_score": 21, - "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "This rule detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection.", + "false_positives": [ + "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "PPTP (Point to Point Tunneling Protocol) Activity", + "query": "network.transport:tcp and destination.port:1723", + "risk_score": 21, + "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json index 854a303e66af97..da4319cf15307c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json @@ -1,38 +1,38 @@ -{ - "description": "This rule detects events that may describe network events of proxy use to the Internet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments will use an internal IP address for a proxy server. It can also be used to circumvent network controls and detection mechanisms.", - "false_positives": [ - "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. Internet proxy services using these ports can be white-listed if desired. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "Proxy Port Activity to the Internet", - "query": "network.transport:tcp and destination.port:(1080 or 3128 or 8080) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 47, - "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects events that may describe network events of proxy use to the Internet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments will use an internal IP address for a proxy server. It can also be used to circumvent network controls and detection mechanisms.", + "false_positives": [ + "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. Internet proxy services using these ports can be white-listed if desired. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "Proxy Port Activity to the Internet", + "query": "network.transport:tcp and destination.port:(1080 or 3128 or 8080) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 47, + "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json index dc2650c63d26da..d3b65a36f084bf 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json @@ -1,68 +1,68 @@ -{ - "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "RDP (Remote Desktop Protocol) from the Internet", - "query": "network.transport:tcp and destination.port:3389 and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 47, - "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "RDP (Remote Desktop Protocol) from the Internet", + "query": "network.transport:tcp and destination.port:3389 and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 47, + "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json index 47a1addb925bba..79618a867c73f4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "This rule detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "RDP (Remote Desktop Protocol) to the Internet", - "query": "network.transport:tcp and destination.port:3389 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 21, - "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "RDP (Remote Desktop Protocol) to the Internet", + "query": "network.transport:tcp and destination.port:3389 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 21, + "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json index 15c2e504c033f4..da1e46750f3bd1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json @@ -1,35 +1,35 @@ -{ - "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "RPC (Remote Procedure Call) from the Internet", - "query": "network.transport:tcp and destination.port:135 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 73, - "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", - "severity": "high", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "RPC (Remote Procedure Call) from the Internet", + "query": "network.transport:tcp and destination.port:135 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 73, + "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", + "severity": "high", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json index 6e5c552045afb2..d07d19b8fffee9 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json @@ -1,35 +1,35 @@ -{ - "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "RPC (Remote Procedure Call) to the Internet", - "query": "network.transport:tcp and destination.port:135 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 73, - "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", - "severity": "high", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "RPC (Remote Procedure Call) to the Internet", + "query": "network.transport:tcp and destination.port:135 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 73, + "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", + "severity": "high", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json index 073f7d7a58c2bd..93a4b0ebbbd8e4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json @@ -1,50 +1,50 @@ -{ - "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector or for data exfiltration.", - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "SMB (Windows File Sharing) Activity to the Internet", - "query": "network.transport:tcp and destination.port:(139 or 445) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 73, - "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", - "severity": "high", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector or for data exfiltration.", + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "SMB (Windows File Sharing) Activity to the Internet", + "query": "network.transport:tcp and destination.port:(139 or 445) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 73, + "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", + "severity": "high", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json index 4023e63df0ab9b..ca287605490efb 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "This rule detects events that may describe SMTP traffic from internal hosts to a host across the Internet. In an enterprise network, there is typically a dedicated internal host that performs this function. It is also frequently abused by threat actors for command and control, or data exfiltration.", - "false_positives": [ - "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "SMTP to the Internet", - "query": "network.transport:tcp and destination.port:(25 or 465 or 587) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 21, - "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects events that may describe SMTP traffic from internal hosts to a host across the Internet. In an enterprise network, there is typically a dedicated internal host that performs this function. It is also frequently abused by threat actors for command and control, or data exfiltration.", + "false_positives": [ + "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "SMTP to the Internet", + "query": "network.transport:tcp and destination.port:(25 or 465 or 587) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 21, + "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json index 6bec24199b3eb2..3a5bd5bff98f53 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json @@ -1,38 +1,38 @@ -{ - "description": "This rule detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources.", - "false_positives": [ - "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "SQL Traffic to the Internet", - "query": "network.transport:tcp and destination.port:(1433 or 1521 or 3336 or 5432) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 47, - "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources.", + "false_positives": [ + "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "SQL Traffic to the Internet", + "query": "network.transport:tcp and destination.port:(1433 or 1521 or 3336 or 5432) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 47, + "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json index 7c7aab3da16c98..429a91183e88a0 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json @@ -1,68 +1,68 @@ -{ - "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "SSH (Secure Shell) from the Internet", - "query": "network.transport:tcp and destination.port:22 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 47, - "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "SSH (Secure Shell) from the Internet", + "query": "network.transport:tcp and destination.port:22 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 47, + "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json index aa5afd1dcb1774..a260245b4dadef 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json @@ -1,38 +1,38 @@ -{ - "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "SSH (Secure Shell) to the Internet", - "query": "network.transport:tcp and destination.port:22 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 21, - "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4", - "severity": "low", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "SSH (Secure Shell) to the Internet", + "query": "network.transport:tcp and destination.port:22 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 21, + "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4", + "severity": "low", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json index 9d9dc31f28320c..4cfe15683c8255 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json @@ -1,68 +1,68 @@ -{ - "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embed ed systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.", - "false_positives": [ - "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "Telnet Port Activity", - "query": "network.transport:tcp and destination.port:23", - "risk_score": 47, - "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embed ed systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.", + "false_positives": [ + "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "Telnet Port Activity", + "query": "network.transport:tcp and destination.port:23", + "risk_score": 47, + "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json index 57e8dd9e35bdd7..8c8bb809c9fec9 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection.", - "false_positives": [ - "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "Tor Activity to the Internet", - "query": "network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 47, - "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1188", - "name": "Multi-hop Proxy", - "reference": "https://attack.mitre.org/techniques/T1188/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection.", + "false_positives": [ + "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "Tor Activity to the Internet", + "query": "network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 47, + "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1188", + "name": "Multi-hop Proxy", + "reference": "https://attack.mitre.org/techniques/T1188/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json index 18c65dcae6b3dc..4204a4fe62e884 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "VNC (Virtual Network Computing) from the Internet", - "query": "network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 73, - "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", - "severity": "high", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1219", - "name": "Remote Access Tools", - "reference": "https://attack.mitre.org/techniques/T1219/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "VNC (Virtual Network Computing) from the Internet", + "query": "network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 73, + "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", + "severity": "high", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json index 3c155d672bb505..898282e36df192 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json @@ -1,38 +1,38 @@ -{ - "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", - "false_positives": [ - "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." - ], - "index": [ - "filebeat-*" - ], - "language": "kuery", - "name": "VNC (Virtual Network Computing) to the Internet", - "query": "network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", - "risk_score": 47, - "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", - "severity": "medium", - "tags": [ - "Elastic", - "Network" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1219", - "name": "Remote Access Tools", - "reference": "https://attack.mitre.org/techniques/T1219/" - } - ] - } - ], - "type": "query", - "version": 3 +{ + "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.", + "false_positives": [ + "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "index": [ + "filebeat-*" + ], + "language": "kuery", + "name": "VNC (Virtual Network Computing) to the Internet", + "query": "network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")", + "risk_score": 47, + "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", + "severity": "medium", + "tags": [ + "Elastic", + "Network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "type": "query", + "version": 3 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json index fc5edbc8105307..01246de5595e93 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json @@ -1,42 +1,42 @@ -{ - "description": "A request to a web application server contained no identifying user agent string.", - "false_positives": [ - "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." - ], - "filters": [ - { - "$state": { - "store": "appState" - }, - "exists": { - "field": "user_agent.original" - }, - "meta": { - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "user_agent.original", - "negate": true, - "type": "exists", - "value": "exists" - } - } - ], - "index": [ - "apm-*-transaction*" - ], - "language": "kuery", - "name": "Web Application Suspicious Activity: No User Agent", - "query": "url.path:*", - "references": [ - "https://en.wikipedia.org/wiki/User_agent" - ], - "risk_score": 47, - "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d", - "severity": "medium", - "tags": [ - "APM", - "Elastic" - ], - "type": "query", - "version": 2 +{ + "description": "A request to a web application server contained no identifying user agent string.", + "false_positives": [ + "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." + ], + "filters": [ + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "user_agent.original" + }, + "meta": { + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "user_agent.original", + "negate": true, + "type": "exists", + "value": "exists" + } + } + ], + "index": [ + "apm-*-transaction*" + ], + "language": "kuery", + "name": "Web Application Suspicious Activity: No User Agent", + "query": "url.path:*", + "references": [ + "https://en.wikipedia.org/wiki/User_agent" + ], + "risk_score": 47, + "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d", + "severity": "medium", + "tags": [ + "APM", + "Elastic" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json index ba2f06108b83ff..765515ffda27ce 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.", - "false_positives": [ - "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this signal and such parent domains can be excluded." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "packetbeat_dns_tunneling", - "name": "DNS Tunneling", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Packetbeat" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.", + "false_positives": [ + "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this signal and such parent domains can be excluded." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "packetbeat_dns_tunneling", + "name": "DNS Tunneling", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Packetbeat" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json index 22de14c244a3d1..79c30c5b38378e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal. Network activity that occurs rarely, in small quantities, can trigger this signal. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "packetbeat_rare_dns_question", - "name": "Unusual DNS Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "746edc4c-c54c-49c6-97a1-651223819448", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Packetbeat" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal. Network activity that occurs rarely, in small quantities, can trigger this signal. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "packetbeat_rare_dns_question", + "name": "Unusual DNS Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "746edc4c-c54c-49c6-97a1-651223819448", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Packetbeat" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json index b625bde25c3e9e..7b14ad62f6c93f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", - "false_positives": [ - "Web activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "packetbeat_rare_server_domain", - "name": "Unusual Network Destination Domain Name", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Packetbeat" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", + "false_positives": [ + "Web activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "packetbeat_rare_server_domain", + "name": "Unusual Network Destination Domain Name", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Packetbeat" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json index dda007b8883d86..76767545e794a0 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.", - "false_positives": [ - "Web activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "packetbeat_rare_urls", - "name": "Unusual Web Request", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Packetbeat" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.", + "false_positives": [ + "Web activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "packetbeat_rare_urls", + "name": "Unusual Web Request", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Packetbeat" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json index 12bd8747ff3c2d..1dc49203f31c12 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.", - "false_positives": [ - "Web activity that is uncommon, like security scans, may trigger this signal and may need to be excluded. A new or rarely used program that calls web services may trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "packetbeat_rare_user_agent", - "name": "Unusual Web User Agent", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Packetbeat" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.", + "false_positives": [ + "Web activity that is uncommon, like security scans, may trigger this signal and may need to be excluded. A new or rarely used program that calls web services may trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "packetbeat_rare_user_agent", + "name": "Unusual Web User Agent", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Packetbeat" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json index 79631ae2a88e32..f071677ae8d330 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "rare_process_by_host_linux_ecs", - "name": "Unusual Process For a Linux Host", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "rare_process_by_host_linux_ecs", + "name": "Unusual Process For a Linux Host", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json index 5bac93445143df..5e0050c6c25ec9 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "rare_process_by_host_windows_ecs", - "name": "Unusual Process For a Windows Host", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "rare_process_by_host_windows_ecs", + "name": "Unusual Process For a Windows Host", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json index 4f1efa5ada0638..10412c19da1b1e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json @@ -1,24 +1,24 @@ -{ - "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.", - "false_positives": [ - "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity." - ], - "index": [ - "apm-*-transaction*" - ], - "language": "kuery", - "name": "Web Application Suspicious Activity: sqlmap User Agent", - "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"", - "references": [ - "http://sqlmap.org/" - ], - "risk_score": 47, - "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820", - "severity": "medium", - "tags": [ - "APM", - "Elastic" - ], - "type": "query", - "version": 2 +{ + "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.", + "false_positives": [ + "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity." + ], + "index": [ + "apm-*-transaction*" + ], + "language": "kuery", + "name": "Web Application Suspicious Activity: sqlmap User Agent", + "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"", + "references": [ + "http://sqlmap.org/" + ], + "risk_score": 47, + "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820", + "severity": "medium", + "tags": [ + "APM", + "Elastic" + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json index 55689c99c93f1a..4b94fdc6da1470 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies an unusually high number of authentication attempts.", - "false_positives": [ - "Security audits may trigger this signal. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "suspicious_login_activity_ecs", - "name": "Unusual Login Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2", - "severity": "low", - "tags": [ - "Elastic", - "Linux", - "ML" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies an unusually high number of authentication attempts.", + "false_positives": [ + "Security audits may trigger this signal. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "suspicious_login_activity_ecs", + "name": "Unusual Login Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2", + "severity": "low", + "tags": [ + "Elastic", + "Linux", + "ML" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json index 019249716e1023..ca18fe95b1fc1a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", - "false_positives": [ - "A newly installed program or one that rarely uses the network could trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "windows_anomalous_network_activity_ecs", - "name": "Unusual Windows Network Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_anomalous_network_activity_ecs", + "name": "Unusual Windows Network Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json index 77646c60729674..8a88607b9d5c9d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", - "false_positives": [ - "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this signal. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "windows_anomalous_path_activity_ecs", - "name": "Unusual Windows Path Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", + "false_positives": [ + "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this signal. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_anomalous_path_activity_ecs", + "name": "Unusual Windows Path Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json index 242b344a4dd9da..1229c4a52b97d8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "windows_anomalous_process_all_hosts_ecs", - "name": "Anomalous Process For a Windows Population", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_anomalous_process_all_hosts_ecs", + "name": "Anomalous Process For a Windows Population", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json index 631c868b081cd8..98a078ccea4a46 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", - "false_positives": [ - "Users running scripts in the course of technical support operations of software upgrades could trigger this signal. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "windows_anomalous_process_creation", - "name": "Anomalous Windows Process Creation", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", + "false_positives": [ + "Users running scripts in the course of technical support operations of software upgrades could trigger this signal. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_anomalous_process_creation", + "name": "Anomalous Windows Process Creation", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json index 551e421c86c314..564ca1782526f1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", - "false_positives": [ - "Certain kinds of security testing may trigger this signal. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "windows_anomalous_script", - "name": "Suspicious Powershell Script", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", + "false_positives": [ + "Certain kinds of security testing may trigger this signal. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_anomalous_script", + "name": "Suspicious Powershell Script", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json index 862fe71d7082c4..afef569f4ebb4a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "windows_anomalous_service", - "name": "Unusual Windows Service", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this signal." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_anomalous_service", + "name": "Unusual Windows Service", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json index 78966be38d5a5d..703dc1a1dc6338 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", - "false_positives": [ - "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "windows_anomalous_user_name_ecs", - "name": "Unusual Windows Username", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", + "false_positives": [ + "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_anomalous_user_name_ecs", + "name": "Unusual Windows Username", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_network_connection.json index db75515684155c..52a373e3aeb77e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_network_connection.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Network Connection via Certutil", - "query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 21, - "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Remote File Copy", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Network Connection via Certutil", + "query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 21, + "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Remote File Copy", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json index f8b8bcf64d5b75..2bee265a74e11c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", - "false_positives": [ - "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Command Prompt Network Connection", - "query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 21, - "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command-Line Interface", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Remote File Copy", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", + "false_positives": [ + "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Command Prompt Network Connection", + "query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 21, + "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command-Line Interface", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Remote File Copy", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json index fac5bf924c86e4..d8f91dba7dd890 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json @@ -1,50 +1,50 @@ -{ - "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "PowerShell spawning Cmd", - "query": "process.parent.name:powershell.exe and process.name:cmd.exe", - "risk_score": 21, - "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command-Line Interface", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1086", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1086/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "PowerShell spawning Cmd", + "query": "process.parent.name:powershell.exe and process.name:cmd.exe", + "risk_score": 21, + "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command-Line Interface", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1086", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1086/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json index 5c6a7f9f996e35..6fd194ee2fa22b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Svchost spawning Cmd", - "query": "process.parent.name:svchost.exe and process.name:cmd.exe", - "risk_score": 21, - "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command-Line Interface", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Svchost spawning Cmd", + "query": "process.parent.name:svchost.exe and process.name:cmd.exe", + "risk_score": 21, + "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command-Line Interface", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_msbuild.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_msbuild.json index bf5a89b2e1a685..43050e2769a241 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_msbuild.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_msbuild.json @@ -1,38 +1,38 @@ -{ - "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Microsoft Build Engine Loading Windows Credential Libraries", - "query": "(winlog.event_data.OriginalFileName: (vaultcli.dll or SAMLib.DLL) or dll.name: (vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe and event.action: \"Image loaded (rule: ImageLoad)\"", - "risk_score": 73, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", - "severity": "high", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Microsoft Build Engine Loading Windows Credential Libraries", + "query": "(winlog.event_data.OriginalFileName: (vaultcli.dll or SAMLib.DLL) or dll.name: (vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe and event.action: \"Image loaded (rule: ImageLoad)\"", + "risk_score": 73, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", + "severity": "high", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_cve_2020_0601.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_cve_2020_0601.json index 878494b9027365..f5eb37c70d268a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_cve_2020_0601.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_cve_2020_0601.json @@ -1,35 +1,35 @@ -{ - "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"", - "risk_score": 21, - "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1116", - "name": "Code Signing", - "reference": "https://attack.mitre.org/techniques/T1116/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", + "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"", + "risk_score": 21, + "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1116", + "name": "Code Signing", + "reference": "https://attack.mitre.org/techniques/T1116/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json index d15bc671599f82..0e8c5a5f2f631a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json @@ -1,35 +1,35 @@ -{ - "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Potential Evasion via Filter Manager", - "query": "event.code:1 and process.name:fltMC.exe", - "risk_score": 21, - "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1222", - "name": "File and Directory Permissions Modification", - "reference": "https://attack.mitre.org/techniques/T1222/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Potential Evasion via Filter Manager", + "query": "event.code:1 and process.name:fltMC.exe", + "risk_score": 21, + "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_office_app.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_office_app.json index 1c7426ebbf9e16..72e02f8718d039 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_office_app.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_office_app.json @@ -1,56 +1,56 @@ -{ - "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Microsoft Build Engine Started by an Office Application", - "query": "process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe) and event.action: \"Process Create (rule: ProcessCreate)\"", - "references": [ - "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" - ], - "risk_score": 73, - "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", - "severity": "high", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Microsoft Build Engine Started by an Office Application", + "query": "process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe) and event.action: \"Process Create (rule: ProcessCreate)\"", + "references": [ + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" + ], + "risk_score": 73, + "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", + "severity": "high", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_script.json index 7a390b45a9918b..ad519f1516aa65 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_script.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_script.json @@ -1,53 +1,53 @@ -{ - "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Microsoft Build Engine Started by a Script Process", - "query": "process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe) and event.action:\"Process Create (rule: ProcessCreate)\"", - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Microsoft Build Engine Started by a Script Process", + "query": "process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe) and event.action:\"Process Create (rule: ProcessCreate)\"", + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_system_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_system_process.json index 47ef24a888f6d8..1bbce904f25184 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_system_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_system_process.json @@ -1,53 +1,53 @@ -{ - "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Microsoft Build Engine Started by a System Process", - "query": "process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe) and event.action:\"Process Create (rule: ProcessCreate)\"", - "risk_score": 47, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Microsoft Build Engine Started by a System Process", + "query": "process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe) and event.action:\"Process Create (rule: ProcessCreate)\"", + "risk_score": 47, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", + "severity": "medium", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_renamed.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_renamed.json index c14f134d1365a1..eea4b3b4efe10d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_renamed.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_renamed.json @@ -1,38 +1,38 @@ -{ - "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Microsoft Build Engine Using an Alternate Name", - "query": "(pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName: MSBuild.exe) and not process.name: MSBuild.exe and event.action: \"Process Create (rule: ProcessCreate)\"", - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Microsoft Build Engine Using an Alternate Name", + "query": "(pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName: MSBuild.exe) and not process.name: MSBuild.exe and event.action: \"Process Create (rule: ProcessCreate)\"", + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_unusal_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_unusal_process.json index 920a991e9ed579..81ea14e2653887 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_unusal_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_unusal_process.json @@ -1,41 +1,41 @@ -{ - "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Microsoft Build Engine Started an Unusual Process", - "query": "process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)", - "references": [ - "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" - ], - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1500", - "name": "Compile After Delivery", - "reference": "https://attack.mitre.org/techniques/T1500/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Microsoft Build Engine Started an Unusual Process", + "query": "process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)", + "references": [ + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1500", + "name": "Compile After Delivery", + "reference": "https://attack.mitre.org/techniques/T1500/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json index 9c03844194af4c..7755ff0233f7ce 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json @@ -1,53 +1,53 @@ -{ - "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", - "false_positives": [ - "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Process Activity via Compiled HTML File", - "query": "event.code:1 and process.name:hh.exe", - "risk_score": 21, - "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1223", - "name": "Compiled HTML File", - "reference": "https://attack.mitre.org/techniques/T1223/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1223", - "name": "Compiled HTML File", - "reference": "https://attack.mitre.org/techniques/T1223/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", + "false_positives": [ + "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Process Activity via Compiled HTML File", + "query": "event.code:1 and process.name:hh.exe", + "risk_score": 21, + "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1223", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1223/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1223", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1223/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json index ddc9c47a4dbb57..d6acb81c10e3fa 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json @@ -1,50 +1,50 @@ -{ - "description": "RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to register .NET Component Object Model (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows utility.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Execution via Regsvcs/Regasm", - "query": "process.name:(RegAsm.exe or RegSvcs.exe) and event.action:\"Process Create (rule: ProcessCreate)\"", - "risk_score": 21, - "rule_id": "47f09343-8d1f-4bb5-8bb0-00c9d18f5010", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1121", - "name": "Regsvcs/Regasm", - "reference": "https://attack.mitre.org/techniques/T1121/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1121", - "name": "Regsvcs/Regasm", - "reference": "https://attack.mitre.org/techniques/T1121/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to register .NET Component Object Model (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows utility.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Execution via Regsvcs/Regasm", + "query": "process.name:(RegAsm.exe or RegSvcs.exe) and event.action:\"Process Create (rule: ProcessCreate)\"", + "risk_score": 21, + "rule_id": "47f09343-8d1f-4bb5-8bb0-00c9d18f5010", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1121", + "name": "Regsvcs/Regasm", + "reference": "https://attack.mitre.org/techniques/T1121/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1121", + "name": "Regsvcs/Regasm", + "reference": "https://attack.mitre.org/techniques/T1121/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json index f0fd1b49a261e8..87e38febb07433 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json @@ -1,53 +1,53 @@ -{ - "description": "Identifies possibly suspicious activity using trusted Windows developer activity.", - "false_positives": [ - "These programs may be used by Windows developers but use by non-engineers is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Trusted Developer Application Usage", - "query": "event.code:1 and process.name:(MSBuild.exe or msxsl.exe)", - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies possibly suspicious activity using trusted Windows developer activity.", + "false_positives": [ + "These programs may be used by Windows developers but use by non-engineers is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Trusted Developer Application Usage", + "query": "event.code:1 and process.name:(MSBuild.exe or msxsl.exe)", + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json index cfc5af3dc82d4a..6c8cd0673256ac 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json @@ -1,50 +1,50 @@ -{ - "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Network Connection via Compiled HTML File", - "query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 21, - "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1223", - "name": "Compiled HTML File", - "reference": "https://attack.mitre.org/techniques/T1223/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1223", - "name": "Compiled HTML File", - "reference": "https://attack.mitre.org/techniques/T1223/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Network Connection via Compiled HTML File", + "query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 21, + "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1223", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1223/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1223", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1223/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_injection_msbuild.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_injection_msbuild.json index 9f6946c46a2c9c..c6310c12ed974b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_injection_msbuild.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_injection_msbuild.json @@ -1,53 +1,53 @@ -{ - "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Process Injection by the Microsoft Build Engine", - "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"", - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Process Injection by the Microsoft Build Engine", + "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"", + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json index 131c7708493e24..a0e311d8eb1543 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json @@ -1,50 +1,50 @@ -{ - "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application whitelisting and signature validation.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Network Connection via Signed Binary", - "query": "process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 21, - "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "Signed Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1218", - "name": "Signed Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application whitelisting and signature validation.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Network Connection via Signed Binary", + "query": "process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 21, + "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_modification_of_boot_config.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_modification_of_boot_config.json index 98eb3ca8dfb809..045a9789b12609 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_modification_of_boot_config.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_modification_of_boot_config.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Modification of Boot Configuration", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))", - "risk_score": 21, - "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1107", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1107/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Modification of Boot Configuration", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))", + "risk_score": 21, + "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1107", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1107/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_msxsl_network.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_msxsl_network.json index 633ac503b13ec3..e80dcde1e398db 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_msxsl_network.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_msxsl_network.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Network Connection via MsXsl", - "query": "process.name:msxsl.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 21, - "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1220", - "name": "XSL Script Processing", - "reference": "https://attack.mitre.org/techniques/T1220/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Network Connection via MsXsl", + "query": "process.name:msxsl.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 21, + "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1220", + "name": "XSL Script Processing", + "reference": "https://attack.mitre.org/techniques/T1220/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_system_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_system_account.json index d538ec7c4d2b76..c2379142df002a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_system_account.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_system_account.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It is used in command line operations for control of users, groups, services, and network connections.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Net command via SYSTEM account", - "query": "(process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM and event.action:\"Process Create (rule: ProcessCreate)\"", - "risk_score": 21, - "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1087", - "name": "Account Discovery", - "reference": "https://attack.mitre.org/techniques/T1087/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It is used in command line operations for control of users, groups, services, and network connections.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Net command via SYSTEM account", + "query": "(process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM and event.action:\"Process Create (rule: ProcessCreate)\"", + "risk_score": 21, + "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json index c6cfa6d9738eaf..2f44727f9e6f05 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json @@ -1,50 +1,50 @@ -{ - "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Potential Application Shimming via Sdbinst", - "query": "event.code:1 and process.name:sdbinst.exe", - "risk_score": 21, - "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1138", - "name": "Application Shimming", - "reference": "https://attack.mitre.org/techniques/T1138/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1138", - "name": "Application Shimming", - "reference": "https://attack.mitre.org/techniques/T1138/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Potential Application Shimming via Sdbinst", + "query": "event.code:1 and process.name:sdbinst.exe", + "risk_score": 21, + "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1138", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1138/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1138", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1138/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json index 3982c57303ab81..aeff071ed4514e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json @@ -1,50 +1,50 @@ -{ - "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Potential Modification of Accessibility Binaries", - "query": "event.code:1 and process.parent.name:winlogon.exe and process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)", - "risk_score": 21, - "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1015", - "name": "Accessibility Features", - "reference": "https://attack.mitre.org/techniques/T1015/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1015", - "name": "Accessibility Features", - "reference": "https://attack.mitre.org/techniques/T1015/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Potential Modification of Accessibility Binaries", + "query": "event.code:1 and process.parent.name:winlogon.exe and process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)", + "risk_score": 21, + "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1015", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1015/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1015", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1015/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json index 2b5338a7167815..3a883fa51b763b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json @@ -1,38 +1,38 @@ -{ - "description": "Adversaries may attempt to get information about running processes on a system.", - "false_positives": [ - "Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Process Discovery via Tasklist", - "query": "event.code:1 and process.name:tasklist.exe", - "risk_score": 21, - "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1057", - "name": "Process Discovery", - "reference": "https://attack.mitre.org/techniques/T1057/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Adversaries may attempt to get information about running processes on a system.", + "false_positives": [ + "Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Process Discovery via Tasklist", + "query": "event.code:1 and process.name:tasklist.exe", + "risk_score": 21, + "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json index 6da11e04ae535f..febaa57443f76c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", - "false_positives": [ - "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "windows_rare_user_runas_event", - "name": "Unusual Windows User Privilege Elevation Activity", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", + "false_positives": [ + "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_rare_user_runas_event", + "name": "Unusual Windows User Privilege Elevation Activity", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json index 330f160472726d..946cdb95b8e702 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json @@ -1,24 +1,24 @@ -{ - "anomaly_threshold": 50, - "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", - "false_positives": [ - "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "machine_learning_job_id": "windows_rare_user_type10_remote_login", - "name": "Unusual Windows Remote User", - "references": [ - "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", - "severity": "low", - "tags": [ - "Elastic", - "ML", - "Windows" - ], - "type": "machine_learning", - "version": 1 +{ + "anomaly_threshold": 50, + "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", + "false_positives": [ + "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "machine_learning_job_id": "windows_rare_user_type10_remote_login", + "name": "Unusual Windows Remote User", + "references": [ + "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", + "severity": "low", + "tags": [ + "Elastic", + "ML", + "Windows" + ], + "type": "machine_learning", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json index bdf51b4538692b..1e061f2ef9463c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json @@ -1,53 +1,53 @@ -{ - "description": "Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of an attacker bypassing whitelisting or running arbitrary scripts via a signed Microsoft binary.", - "false_positives": [ - "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Network Connection via Regsvr", - "query": "process.name:(regsvr32.exe or regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)", - "risk_score": 21, - "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1117", - "name": "Regsvr32", - "reference": "https://attack.mitre.org/techniques/T1117/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1117", - "name": "Regsvr32", - "reference": "https://attack.mitre.org/techniques/T1117/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of an attacker bypassing whitelisting or running arbitrary scripts via a signed Microsoft binary.", + "false_positives": [ + "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Network Connection via Regsvr", + "query": "process.name:(regsvr32.exe or regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)", + "risk_score": 21, + "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1117", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1117/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1117", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1117/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_pdf_reader.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_pdf_reader.json index cac51f6a50c072..9d4c2438acfb9f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_pdf_reader.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_pdf_reader.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Suspicious PDF Reader Child Process", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)", - "risk_score": 21, - "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1204", - "name": "User Execution", - "reference": "https://attack.mitre.org/techniques/T1204/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Suspicious PDF Reader Child Process", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)", + "risk_score": 21, + "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_uac_bypass_event_viewer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_uac_bypass_event_viewer.json index 0796c5904e44e6..df7a6fe1285d1c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_uac_bypass_event_viewer.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_uac_bypass_event_viewer.json @@ -1,35 +1,35 @@ -{ - "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Bypass UAC via Event Viewer", - "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")", - "risk_score": 21, - "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1088", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1088/" - } - ] - } - ], - "type": "query", - "version": 1 +{ + "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Bypass UAC via Event Viewer", + "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")", + "risk_score": 21, + "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1088", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1088/" + } + ] + } + ], + "type": "query", + "version": 1 } \ No newline at end of file diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json index b5cff435d4b75c..93ce1f83dd64ec 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json @@ -1,38 +1,38 @@ -{ - "description": "Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", - "false_positives": [ - "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "name": "Whoami Process Activity", - "query": "process.name:whoami.exe and event.code:1", - "risk_score": 21, - "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1033", - "name": "System Owner/User Discovery", - "reference": "https://attack.mitre.org/techniques/T1033/" - } - ] - } - ], - "type": "query", - "version": 2 +{ + "description": "Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", + "false_positives": [ + "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual." + ], + "index": [ + "winlogbeat-*" + ], + "language": "kuery", + "name": "Whoami Process Activity", + "query": "process.name:whoami.exe and event.code:1", + "risk_score": 21, + "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", + "severity": "low", + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "type": "query", + "version": 2 } \ No newline at end of file