-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Detection Rules] Add 7.11 rules #85506
Conversation
...lution/server/lib/detection_engine/rules/prepackaged_rules/discovery_file_dir_discovery.json
Show resolved
Hide resolved
.../detection_engine/rules/prepackaged_rules/persistence_suspicious_scheduled_task_runtime.json
Show resolved
Hide resolved
...r/lib/detection_engine/rules/prepackaged_rules/persistence_via_hidden_run_key_valuename.json
Show resolved
Hide resolved
.../server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_scripts.json
Show resolved
Hide resolved
"name": "Enumeration of Administrator Accounts", | ||
"query": "process where event.type in (\"start\", \"process_started\") and\n (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"admin\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n not process.args : \"/add\")\n\n or\n\n ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\"))\n", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Broke it out to make precedence more readable
process where event.type in ("start", "process_started") and
(
(
(process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
(
(process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
not process.parent.name : "net.exe"
)
) and
process.args : ("group", "user", "localgroup") and
process.args : ("admin", "Domain Admins", "Remote Desktop Users", "Enterprise Admins", "Organization Management") and
not process.args : "/add"
)
or
(
(process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and
process.args : ("group", "useraccount")
)
Query looks good to me. Based on the location of the error, looks like it could also be an issue with case insensitive compare of multiple args, though I got the same error as above in siem-dev via EQL API search. Thoughts @rw-access
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Checked out, tested upgrade locally and all rules installed without issue! 🎉 Had to fetch the latest to avoid an SO migration error since #82969 got merged in-between the last build, but no other issues observed on upgrade.
There were some rule run failures which I commented on (and I'm sure you're tracking :), but just wanted to note as everything else looks 👍 for approval and we can tweak those in follow-ups like last time.
Great stuff here -- thanks for all your hard work @elastic/protections!!! To 451 and beyond!! 🚀 😀
"subtechnique": [ | ||
{ | ||
"id": "T1087.002", | ||
"name": "Domain Account", | ||
"reference": "https://attack.mitre.org/techniques/T1087/002/" | ||
} | ||
] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Look at those sub-techniques! 🙌 @dplumlee 🙌
Thanks for testing these @spong! I created a few issues to track your findings and as @rw-access mentioned, we will need to see why the ES is having issues with the EQL searches. I am going to merge this before too much changes in Kibana. We will be making a few more PRs for rule changes over the next few weeks, and we can include revisions from this as needed 👍 |
Summary
Pull updates to detection rules from https://github.com/elastic/detection-rules/tree/7.11
Checklist