Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Detection Rules] Add 7.11 rules #85506

Merged
merged 2 commits into from
Dec 11, 2020
Merged

Conversation

brokensound77
Copy link
Contributor

Summary

Pull updates to detection rules from https://github.com/elastic/detection-rules/tree/7.11

Checklist

@brokensound77 brokensound77 added release_note:skip Skip the PR/issue when compiling release notes Feature:Detection Rules Security Solution rules and Detection Engine labels Dec 10, 2020
@brokensound77 brokensound77 requested a review from a team as a code owner December 10, 2020 03:28
@brokensound77 brokensound77 added v7.11.0 Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detections and Resp Security Detection Response Team labels Dec 10, 2020
@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Distributable file count

id before after diff
default 46991 47886 +895

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

Comment on lines +12 to +13
"name": "Enumeration of Administrator Accounts",
"query": "process where event.type in (\"start\", \"process_started\") and\n (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"admin\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n not process.args : \"/add\")\n\n or\n\n ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\"))\n",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No comments here, this one should work right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Broke it out to make precedence more readable

process where event.type in ("start", "process_started") and
  (
      (
          (process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
            (
              (process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
                 not process.parent.name : "net.exe"
            )
      ) and
      process.args : ("group", "user", "localgroup") and
      process.args : ("admin", "Domain Admins", "Remote Desktop Users", "Enterprise Admins", "Organization Management") and
      not process.args : "/add"
  )

   or

  (
      (process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and
      process.args : ("group", "useraccount")
  )

Query looks good to me. Based on the location of the error, looks like it could also be an issue with case insensitive compare of multiple args, though I got the same error as above in siem-dev via EQL API search. Thoughts @rw-access

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Member

@spong spong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Checked out, tested upgrade locally and all rules installed without issue! 🎉 Had to fetch the latest to avoid an SO migration error since #82969 got merged in-between the last build, but no other issues observed on upgrade.

There were some rule run failures which I commented on (and I'm sure you're tracking :), but just wanted to note as everything else looks 👍 for approval and we can tweak those in follow-ups like last time.

Great stuff here -- thanks for all your hard work @elastic/protections!!! To 451 and beyond!! 🚀 😀

Comment on lines +59 to +65
"subtechnique": [
{
"id": "T1087.002",
"name": "Domain Account",
"reference": "https://attack.mitre.org/techniques/T1087/002/"
}
]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Look at those sub-techniques! 🙌 @dplumlee 🙌

@brokensound77
Copy link
Contributor Author

Thanks for testing these @spong! I created a few issues to track your findings and as @rw-access mentioned, we will need to see why the ES is having issues with the EQL searches.

I am going to merge this before too much changes in Kibana. We will be making a few more PRs for rule changes over the next few weeks, and we can include revisions from this as needed 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Feature:Detection Rules Security Solution rules and Detection Engine release_note:skip Skip the PR/issue when compiling release notes Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.11.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants