From d51f82ecc0e37e17c8626889293b84255a36aa49 Mon Sep 17 00:00:00 2001 From: protectionsmachine <72879786+protectionsmachine@users.noreply.github.com> Date: Wed, 8 Jan 2025 11:36:09 +0000 Subject: [PATCH 1/2] Update latest docs --- ...tra-mfa-totp-brute-force-attempts.asciidoc | 175 +++++++++++++ ...-behavior-detected-elastic-defend.asciidoc | 135 ++++++++++ ...behavior-prevented-elastic-defend.asciidoc | 136 ++++++++++ ...ntication-module-or-configuration.asciidoc | 103 ++++++++ ...6-4-dynamic-linker-ld-so-creation.asciidoc | 124 +++++++++ ...-endpoint-security-elastic-defend.asciidoc | 80 ++++++ ...-16-4-kernel-object-file-creation.asciidoc | 111 ++++++++ ...odule-configuration-file-creation.asciidoc | 102 ++++++++ ...6-4-login-via-unusual-system-user.asciidoc | 117 +++++++++ ...ious-file-detected-elastic-defend.asciidoc | 159 ++++++++++++ ...ous-file-prevented-elastic-defend.asciidoc | 159 ++++++++++++ ...ry-threat-detected-elastic-defend.asciidoc | 168 ++++++++++++ ...y-threat-prevented-elastic-defend.asciidoc | 167 ++++++++++++ ...ssions-detected-for-a-single-user.asciidoc | 82 ++++++ ...rebuilt-rule-8-16-4-my-first-rule.asciidoc | 61 +++++ ...pam-creation-in-unusual-directory.asciidoc | 86 +++++++ ...cation-module-pam-source-download.asciidoc | 77 ++++++ ...tion-module-pam-version-discovery.asciidoc | 122 +++++++++ ...persistence-via-file-modification.asciidoc | 242 ++++++++++++++++++ ...ansomware-detected-elastic-defend.asciidoc | 146 +++++++++++ ...nsomware-prevented-elastic-defend.asciidoc | 147 +++++++++++ ...-attempts-from-aws-secretsmanager.asciidoc | 133 ++++++++++ ...-remote-execution-via-file-shares.asciidoc | 182 +++++++++++++ ...simple-http-web-server-connection.asciidoc | 125 +++++++++ ...4-simple-http-web-server-creation.asciidoc | 125 +++++++++ ...us-antimalware-scan-interface-dll.asciidoc | 171 +++++++++++++ ...us-wmi-event-subscription-created.asciidoc | 76 ++++++ ...ommon-registry-persistence-change.asciidoc | 160 ++++++++++++ ...onment-variable-process-execution.asciidoc | 126 +++++++++ ...8-16-4-unusual-sshd-child-process.asciidoc | 91 +++++++ .../prebuilt-rules-8-16-4-appendix.asciidoc | 36 +++ .../prebuilt-rules-8-16-4-summary.asciidoc | 72 ++++++ ...ebuilt-rules-downloadable-updates.asciidoc | 5 + .../prebuilt-rules-reference.asciidoc | 62 ++++- .../prebuilt-rules/rule-desc-index.asciidoc | 22 +- ...tra-mfa-totp-brute-force-attempts.asciidoc | 175 +++++++++++++ .../behavior-detected-elastic-defend.asciidoc | 135 ++++++++++ ...behavior-prevented-elastic-defend.asciidoc | 136 ++++++++++ ...ntication-module-or-configuration.asciidoc | 20 +- .../dynamic-linker-ld-so-creation.asciidoc | 124 +++++++++ .../endpoint-security-elastic-defend.asciidoc | 80 ++++++ .../kernel-object-file-creation.asciidoc | 111 ++++++++ ...odule-configuration-file-creation.asciidoc | 102 ++++++++ .../login-via-unusual-system-user.asciidoc | 117 +++++++++ ...ious-file-detected-elastic-defend.asciidoc | 159 ++++++++++++ ...ous-file-prevented-elastic-defend.asciidoc | 159 ++++++++++++ ...ry-threat-detected-elastic-defend.asciidoc | 168 ++++++++++++ ...y-threat-prevented-elastic-defend.asciidoc | 167 ++++++++++++ ...ssions-detected-for-a-single-user.asciidoc | 10 +- .../rule-details/my-first-rule.asciidoc | 6 +- ...pam-creation-in-unusual-directory.asciidoc | 86 +++++++ ...cation-module-pam-source-download.asciidoc | 77 ++++++ ...tion-module-pam-version-discovery.asciidoc | 122 +++++++++ ...persistence-via-file-modification.asciidoc | 46 +++- ...ery-registry-using-built-in-tools.asciidoc | 4 +- ...ansomware-detected-elastic-defend.asciidoc | 146 +++++++++++ ...nsomware-prevented-elastic-defend.asciidoc | 147 +++++++++++ ...-attempts-from-aws-secretsmanager.asciidoc | 6 +- .../remote-execution-via-file-shares.asciidoc | 11 +- ...simple-http-web-server-connection.asciidoc | 125 +++++++++ .../simple-http-web-server-creation.asciidoc | 125 +++++++++ ...us-antimalware-scan-interface-dll.asciidoc | 10 +- ...us-wmi-event-subscription-created.asciidoc | 14 +- ...ommon-registry-persistence-change.asciidoc | 6 +- ...onment-variable-process-execution.asciidoc | 126 +++++++++ .../unusual-sshd-child-process.asciidoc | 91 +++++++ docs/index.asciidoc | 2 + 67 files changed, 6856 insertions(+), 42 deletions(-) create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-azure-entra-mfa-totp-brute-force-attempts.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-behavior-detected-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-behavior-prevented-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-creation-or-modification-of-pluggable-authentication-module-or-configuration.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-dynamic-linker-ld-so-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-endpoint-security-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-kernel-object-file-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-loadable-kernel-module-configuration-file-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-login-via-unusual-system-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-malicious-file-detected-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-malicious-file-prevented-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-memory-threat-detected-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-memory-threat-prevented-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-multiple-okta-sessions-detected-for-a-single-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-my-first-rule.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-pluggable-authentication-module-pam-creation-in-unusual-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-pluggable-authentication-module-pam-source-download.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-pluggable-authentication-module-pam-version-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-potential-persistence-via-file-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-ransomware-detected-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-ransomware-prevented-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-rapid-secret-retrieval-attempts-from-aws-secretsmanager.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-remote-execution-via-file-shares.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-simple-http-web-server-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-simple-http-web-server-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-suspicious-antimalware-scan-interface-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-suspicious-wmi-event-subscription-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-uncommon-registry-persistence-change.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-unusual-preload-environment-variable-process-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-unusual-sshd-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rules-8-16-4-appendix.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rules-8-16-4-summary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/azure-entra-mfa-totp-brute-force-attempts.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/behavior-detected-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/behavior-prevented-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/dynamic-linker-ld-so-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/endpoint-security-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kernel-object-file-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/loadable-kernel-module-configuration-file-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/login-via-unusual-system-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/malicious-file-detected-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/malicious-file-prevented-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/memory-threat-detected-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/memory-threat-prevented-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/pluggable-authentication-module-pam-creation-in-unusual-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/pluggable-authentication-module-pam-source-download.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/pluggable-authentication-module-pam-version-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ransomware-detected-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ransomware-prevented-elastic-defend.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/simple-http-web-server-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/simple-http-web-server-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-preload-environment-variable-process-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-sshd-child-process.asciidoc diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-azure-entra-mfa-totp-brute-force-attempts.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-azure-entra-mfa-totp-brute-force-attempts.asciidoc new file mode 100644 index 0000000000..90c1457f55 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-azure-entra-mfa-totp-brute-force-attempts.asciidoc @@ -0,0 +1,175 @@ +[[prebuilt-rule-8-16-4-azure-entra-mfa-totp-brute-force-attempts]] +=== Azure Entra MFA TOTP Brute Force Attempts + +Identifies brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password (TOTP) verification codes. This rule detects high frequency failed TOTP code attempts for a single user in a short time-span. Adversaries with valid credentials, when attempting to login to Azure portal or other Azure services, may be prompted to provide a TOTP code as part of the MFA process. If successful, adversaries can bypass MFA and gain unauthorized access to Azure resources. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass +* https://learn.microsoft.com/en-us/entra/identity/ +* https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins + +*Tags*: + +* Domain: Cloud +* Domain: SaaS +* Data Source: Azure +* Data Source: Entra ID +* Data Source: Entra ID Sign-in +* Use Case: Identity and Access Audit +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating Azure Entra MFA TOTP Brute Force Attempts* + + +This rule detects high-frequency failed TOTP code attempts for a single user in a short time span. Such behavior could indicate an adversary attempting to bypass multi-factor authentication (MFA) protections using valid credentials. Understanding the context of the user's typical behavior and identifying anomalies in the log data are critical to determining the nature of the activity. + + +*Possible Investigation Steps:* + + +**Review the Source IP Address**: + - Check the `source.ip` or `azure.signinlogs.caller_ip_address` field. + - Determine if the IP address is associated with the user’s typical login locations. + - Look for unusual geographic patterns or anomalous IP addresses (e.g., proxies, VPNs, or locations outside the user’s normal activity). + +**Analyze User Activity**: + - Identify the user from the `azure.signinlogs.properties.sign_in_identifier` field. + - Determine if the user is currently active from another device or session. Session hijacking could explain parallel activity with failed attempts. + - Review past logs for the user to determine whether MFA failures or other anomalies are consistent or new. + +**Inspect the Authentication Method**: + - Evaluate the `azure.signinlogs.properties.mfa_detail.auth_method` field: `OATH verification code`. + - Confirm if the user typically uses TOTP codes or another MFA method (e.g., push notifications). + - Verify if there are any recent changes to the user’s MFA settings that may explain multiple failed attempts. + +**Evaluate the User Agent**: + - Check the `user_agent.original` field. + - Identify if the user agent matches a typical browser or a potentially malicious script (e.g., Python-based). + - Look for deviations in operating system or browser versions from the user’s normal activity. + +**Analyze Conditional Access Policies**: + - Review the `azure.signinlogs.properties.applied_conditional_access_policies` for enforced grant controls. + - Verify if MFA failures are tied to legitimate security policies (`display_name: Require multifactor authentication for admins`). + +**Correlate with Other Events**: + - Search for other authentication attempts involving the same `azure.signinlogs.caller_ip_address`, `user_principal_name`, or `azure.signinlogs.properties.app_id`. + - Look for suspicious activity patterns, such as password resets, privilege escalation, or account lockouts. + + + +*False Positive Analysis:* + + +- **Unintentional User Behavior**: + - Verify if the failed attempts could result from the user’s unfamiliarity with TOTP codes or issues with device synchronization. + - Check if the user recently switched MFA methods or devices, which could explain multiple failures. + - Determine if this is whitebox testing or a developer testing MFA integration. + +- **Administrative Actions**: + - Determine if the activity is related to legitimate administrative testing or configuration changes in the MFA system. + + +*Response and Remediation:* + + +- **Immediate Actions**: + - If proven malicious, lock the affected account temporarily to prevent further unauthorized attempts. + - Notify the user of suspicious activity and validate their access to the account. + - Reset passwords and MFA settings for the affected user to prevent unauthorized access while communicating with the user. + +- **Strengthen Authentication Policies**: + - Ensure conditional access policies are configured to monitor and restrict anomalous login behavior. + - Consider a different MFA method or additional security controls to prevent future bypass attempts. + +- **Monitor and Audit**: + - Implement additional monitoring to track high-frequency authentication failures across the environment. + - Audit historical logs for similar patterns involving other accounts to identify broader threats. + +- **Educate and Train Users**: + - Provide guidance on the secure use of MFA and the importance of recognizing and reporting suspicious activity. + + +==== Setup + + + +*Required Azure Entra Sign-In Logs* + +This rule requires the Azure logs integration be enabled and configured to collect all logs, including sign-in logs from Entra. In Entra, sign-in logs must be enabled and streaming to the Event Hub used for the Azure logs integration. + + +==== Rule query + + +[source, js] +---------------------------------- +from logs-azure.signinlogs* metadata _id, _version, _index +| where + // filter for Entra Sign-In Logs + event.dataset == "azure.signinlogs" + and azure.signinlogs.operation_name == "Sign-in activity" + + // filter for MFA attempts with OATH conditional access attempts or TOTP + and azure.signinlogs.properties.authentication_requirement == "multiFactorAuthentication" + and azure.signinlogs.properties.mfa_detail.auth_method == "OATH verification code" + + // filter on failures only from brute-force attempts + and azure.signinlogs.properties.conditional_access_status == "failure" + and azure.signinlogs.result_description == "Authentication failed during strong authentication request." +| keep azure.signinlogs.properties.sign_in_identifier +| stats + // aggregate by the sign-in account or principal + failed_totp_code_attempts = count(*) by azure.signinlogs.properties.sign_in_identifier +| where + // filter on high frequency for a single user + failed_totp_code_attempts > 30 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-behavior-detected-elastic-defend.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-behavior-detected-elastic-defend.asciidoc new file mode 100644 index 0000000000..c4d8b5e81d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-behavior-detected-elastic-defend.asciidoc @@ -0,0 +1,135 @@ +[[prebuilt-rule-8-16-4-behavior-detected-elastic-defend]] +=== Behavior - Detected - Elastic Defend + +Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to immediately begin investigating your Endpoint behavior alerts. This rule identifies Elastic Defend behavior detections only, and does not include prevention alerts. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.alerts-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: + +* https://github.com/elastic/protections-artifacts/tree/main/behavior +* https://docs.elastic.co/en/integrations/endpoint + +*Tags*: + +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Behavior Alerts* + + +Malicious behavior protection is a foundational feature which can be used to protect against all manner of attacks on the endpoint. For example, it provides coverage against phishing such as malicious macros, many malware families based on their activities, privilege escalation attacks such as user account control bypasses (UAC), credential theft, and much more. It works by consuming an unfiltered feed of all events that are captured on the system (process, file, registry, network, dns, etc). These events are processed against a routinely updated set of rules written by Elastic threat experts. From there, malicious behaviors are identified and offending processes are terminated. The protection operates on the event stream asynchronously, but has been designed to be extremely efficient and typically requires just milliseconds (under standard load) to stop malicious activity. + + +*Possible investigation steps* + + +- Assess whether this activity is prevalent in your environment by looking for similar occurrences across hosts. +- Verify the detailed activity of the process that triggered the alert (process tree, child process, process arguments, network, files, libraries and registry events). +- Verify the activity of the `user.name` associated with the alert (local or remote actity, privileged or standard user). +- Particular attention should be paid to instances where the same process is triggering multiple alerts (more than 2 or 3) within a short period of time. +- Even the the process is signed by a valid certificate, verify the if it's running from the expected location or if it's loading any suspicious libraries or any sign of code injection. + + +*False positive analysis* + + +- Same alert observed on a high number of hosts with similar details. +- High count of the same alert on a specific host over a long period of time. + + +*Response and Remediation* + + +- Initiate the incident response process based on the outcome of the triage. + - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps. +- Implement Elastic Endpoint Security to detect and prevent further post exploitation activities in the environment. + - Contain the affected system by isolating it from the network to prevent further spread of the attack. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + + +*Elastic Defend Alerts* + +This rule is designed to capture specific alerts generated by Elastic Defend. + +To capture all the Elastic Defend alerts, it is recommended to use all of the Elastic Defend feature-specific protection rules: + +Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce) +Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce) +Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce) +Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce) +Memory Threat - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce) +Memory Threat - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce) +Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce) +Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce) + +To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). + + +*Additional notes* + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind : alert and event.code : behavior and (event.type : allowed or (event.type: denied and event.outcome: failure)) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-behavior-prevented-elastic-defend.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-behavior-prevented-elastic-defend.asciidoc new file mode 100644 index 0000000000..b25d4940ef --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-behavior-prevented-elastic-defend.asciidoc @@ -0,0 +1,136 @@ +[[prebuilt-rule-8-16-4-behavior-prevented-elastic-defend]] +=== Behavior - Prevented - Elastic Defend + +Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to immediately begin investigating your Endpoint behavior alerts. This rule identifies Elastic Defend behavior preventions only, and does not include detection only alerts. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.alerts-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: + +* https://github.com/elastic/protections-artifacts/tree/main/behavior +* https://docs.elastic.co/en/integrations/endpoint + +*Tags*: + +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Behavior Alerts* + + +Malicious behavior protection is a foundational feature which can be used to protect against all manner of attacks on the endpoint. For example, it provides coverage against phishing such as malicious macros, many malware families based on their activities, privilege escalation attacks such as user account control bypasses (UAC), credential theft, and much more. It works by consuming an unfiltered feed of all events that are captured on the system (process, file, registry, network, dns, etc). These events are processed against a routinely updated set of rules written by Elastic threat experts. From there, malicious behaviors are identified and offending processes are terminated. The protection operates on the event stream asynchronously, but has been designed to be extremely efficient and typically requires just milliseconds (under standard load) to stop malicious activity. + + +*Possible investigation steps* + + +- Assess whether this activity is prevalent in your environment by looking for similar occurrences across hosts. +- Verify the detailed activity of the process that triggered the alert (process tree, child process, process arguments, network, files, libraries and registry events). +- Verify the activity of the `user.name` associated with the alert (local or remote actity, privileged or standard user). +- Particular attention should be paid to instances where the same process is triggering multiple alerts (more than 2 or 3) within a short period of time. +- Even the the process is signed by a valid certificate, verify the if it's running from the expected location or if it's loading any suspicious libraries or any sign of code injection. + + + +*False positive analysis* + + +- Same alert observed on a high number of hosts with similar details. +- High count of the same alert on a specific host over a long period of time. + + +*Response and Remediation* + + +- Initiate the incident response process based on the outcome of the triage. + - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps. +- Implement Elastic Endpoint Security to detect and prevent further post exploitation activities in the environment. + - Contain the affected system by isolating it from the network to prevent further spread of the attack. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + + +*Elastic Defend Alerts* + +This rule is designed to capture specific alerts generated by Elastic Defend. + +To capture all the Elastic Defend alerts, it is recommended to use all of the Elastic Defend feature-specific protection rules: + +Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce) +Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce) +Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce) +Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce) +Memory Threat - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce) +Memory Threat - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce) +Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce) +Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce) + +To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). + + +*Additional notes* + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind : alert and event.code : behavior and event.type : denied and event.outcome : success + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-creation-or-modification-of-pluggable-authentication-module-or-configuration.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-creation-or-modification-of-pluggable-authentication-module-or-configuration.asciidoc new file mode 100644 index 0000000000..fb42d2cd11 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-creation-or-modification-of-pluggable-authentication-module-or-configuration.asciidoc @@ -0,0 +1,103 @@ +[[prebuilt-rule-8-16-4-creation-or-modification-of-pluggable-authentication-module-or-configuration]] +=== Creation or Modification of Pluggable Authentication Module or Configuration + +This rule monitors for the creation or modification of Pluggable Authentication Module (PAM) shared object files or configuration files. Attackers may create or modify these files to maintain persistence on a compromised system, or harvest account credentials. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/zephrax/linux-pam-backdoor +* https://github.com/eurialo/pambd +* http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html +* https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.action in ("rename", "creation") and +process.executable != null and ( + (file.path like~ ( + "/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*", + "/lib/x86_64-linux-gnu/security/*", "/usr/lib/x86_64-linux-gnu/security/*" + ) and file.extension == "so") or + (file.path like~ "/etc/pam.d/*" and file.extension == null) or + (file.path like~ "/etc/security/pam_*" or file.path == "/etc/pam.conf") +) and not ( + process.executable in ( + "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", + "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", + "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", + "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", + "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", + "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", + "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/sbin/pam-auth-update", + "/usr/lib/systemd/systemd", "/usr/libexec/packagekitd", "/usr/bin/bsdtar", "/sbin/pam-auth-update" + ) or + file.path like ( + "/tmp/snap.rootfs_*/pam_*.so", "/tmp/newroot/lib/*/pam_*.so", "/tmp/newroot/usr/lib64/security/pam_*.so" + ) or + file.extension in ("swp", "swpx", "swx", "dpkg-remove") or + file.Ext.original.extension == "dpkg-new" or + process.executable like ( + "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*" + ) or + (process.name == "sed" and file.name like~ "sed*") or + (process.name == "perl" and file.name like~ "e2scrub_all.tmp*") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-dynamic-linker-ld-so-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-dynamic-linker-ld-so-creation.asciidoc new file mode 100644 index 0000000000..c8639feb38 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-dynamic-linker-ld-so-creation.asciidoc @@ -0,0 +1,124 @@ +[[prebuilt-rule-8-16-4-dynamic-linker-ld-so-creation]] +=== Dynamic Linker (ld.so) Creation + +This rule detects the creation of the dynamic linker (ld.so) file. The dynamic linker is used to load shared libraries needed by an executable. Attackers may attempt to replace the dynamic linker with a malicious version to execute arbitrary code. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type == "creation" and process.executable != null and +file.path like~ ("/lib/ld-linux*.so*", "/lib64/ld-linux*.so*", "/usr/lib/ld-linux*.so*", "/usr/lib64/ld-linux*.so*") and +not process.name in ("dockerd", "yum", "dnf", "microdnf", "pacman") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-endpoint-security-elastic-defend.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-endpoint-security-elastic-defend.asciidoc new file mode 100644 index 0000000000..2139556829 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-endpoint-security-elastic-defend.asciidoc @@ -0,0 +1,80 @@ +[[prebuilt-rule-8-16-4-endpoint-security-elastic-defend]] +=== Endpoint Security (Elastic Defend) + +Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.alerts-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Defend + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + + +*Elastic Defend Alerts* + +If this rule is disabled, you will not receive alerts for Elastic Defend alerts. This rule is designed to capture all alerts generated by Elastic Defend. For more granular alerting, consider using additional prebuilt-rules that capture specific Elastic Defend alerts. + +If this rule is enabled, along with the related rules listed below, you will receive duplicate alerts for the same events. To avoid this, it is recommended to disable this generic rule and enable the more specific rules that capture these alerts separately. + +Related rules: +- Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce) +- Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce) +- Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce) +- Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce) +- Memory Threat - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce) +- Memory Threat - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce) +- Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce) +- Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce) + + +*Additional notes* + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:(endpoint and not endgame) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-kernel-object-file-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-kernel-object-file-creation.asciidoc new file mode 100644 index 0000000000..4061b00a51 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-kernel-object-file-creation.asciidoc @@ -0,0 +1,111 @@ +[[prebuilt-rule-8-16-4-kernel-object-file-creation]] +=== Kernel Object File Creation + +This rule detects the creation of a Linux kernel object file (.ko) on a system. Threat actors may leverage Linux kernel object files to load a rootkit or other type of malware on a system providing them with complete control and the ability to hide from security products. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.file-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:linux and event.type:creation and file.extension:ko and not ( + file.path:/var/tmp/mkinitramfs_* or process.executable:/snap/* or process.name:cpio +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Rootkit +** ID: T1014 +** Reference URL: https://attack.mitre.org/techniques/T1014/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-loadable-kernel-module-configuration-file-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-loadable-kernel-module-configuration-file-creation.asciidoc new file mode 100644 index 0000000000..045996bc0b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-loadable-kernel-module-configuration-file-creation.asciidoc @@ -0,0 +1,102 @@ +[[prebuilt-rule-8-16-4-loadable-kernel-module-configuration-file-creation]] +=== Loadable Kernel Module Configuration File Creation + +This rule detects the creation of Loadable Kernel Module (LKM) configuration files. Attackers may create or modify these files to allow their LKMs to be loaded upon reboot, ensuring persistence on a compromised system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.action in ("rename", "creation") and process.executable != null and +file.path like~ ( + "/etc/modules", "/etc/modprobe.d/*", "/usr/lib/modprobe.d/*", "/etc/modules-load.d/*", + "/run/modules-load.d/*", "/usr/local/lib/modules-load.d/*", "/usr/lib/modules-load.d/*" +) and not ( + process.executable in ( + "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", + "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", + "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", + "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", + "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", + "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", + "/bin/pamac-daemon", "/usr/local/bin/dockerd", "/opt/elasticbeanstalk/bin/platform-engine", + "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/opt/imunify360/venv/bin/python3", + "/opt/eset/efs/lib/utild", "/usr/sbin/anacron", "/usr/bin/podman", "/kaniko/kaniko-executor", "/usr/bin/prime-select" + ) or + file.extension in ("swp", "swpx", "swx", "dpkg-remove") or + file.Ext.original.extension == "dpkg-new" or + process.executable like ( + "/nix/store/*", "/var/lib/dpkg/info/kmod.postinst", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", + "/usr/libexec/platform-python*" + ) or + process.executable == null or + process.name in ( + "crond", "executor", "puppet", "droplet-agent.postinst", "cf-agent", "schedd", "imunify-notifier", "perl", + "jumpcloud-agent", "crio", "dnf_install", "utild" + ) or + (process.name == "sed" and file.name : "sed*") or + (process.name == "perl" and file.name : "e2scrub_all.tmp*") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Rootkit +** ID: T1014 +** Reference URL: https://attack.mitre.org/techniques/T1014/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-login-via-unusual-system-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-login-via-unusual-system-user.asciidoc new file mode 100644 index 0000000000..e740834c20 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-login-via-unusual-system-user.asciidoc @@ -0,0 +1,117 @@ +[[prebuilt-rule-8-16-4-login-via-unusual-system-user]] +=== Login via Unusual System User + +This rule identifies successful logins by system users that are uncommon to authenticate. These users have `nologin` set by default, and must be modified to allow SSH access. Adversaries may backdoor these users to gain unauthorized access to the system. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-system.auth-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.exatrack.com/Perfctl-using-portainer-and-new-persistences/ +* https://x.com/RFGroenewoud/status/1875112050218922010 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: System + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Filebeat. + + +*Filebeat Setup* + +Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing. + + +*The following steps should be executed in order to add the Filebeat on a Linux System:* + +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html[helper guide]. +- To run Filebeat on Docker follow the setup instructions in the https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html[helper guide]. +- To run Filebeat on Kubernetes follow the setup instructions in the https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html[helper guide]. +- For quick start information for Filebeat refer to the https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html[helper guide]. +- For complete “Setup and Run Filebeat” information refer to the https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html[helper guide]. + + +*Rule Specific Setup Note* + +- This rule requires the “Filebeat System Module” to be enabled. +- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. +- To run the system module of Filebeat on Linux follow the setup instructions in the https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and +user.name in ( + "deamon", "bin", "sys", "games", "man", "lp", "mail", "news", "uucp", "proxy", "www-data", "backup", + "list", "irc", "gnats", "nobody", "systemd-timesync", "systemd-network", "systemd-resolve", "messagebus", + "avahi", "sshd", "dnsmasq" +) and event.outcome == "success" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: SSH Authorized Keys +** ID: T1098.004 +** Reference URL: https://attack.mitre.org/techniques/T1098/004/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Users +** ID: T1564.002 +** Reference URL: https://attack.mitre.org/techniques/T1564/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-malicious-file-detected-elastic-defend.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-malicious-file-detected-elastic-defend.asciidoc new file mode 100644 index 0000000000..83e325a8b9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-malicious-file-detected-elastic-defend.asciidoc @@ -0,0 +1,159 @@ +[[prebuilt-rule-8-16-4-malicious-file-detected-elastic-defend]] +=== Malicious File - Detected - Elastic Defend + +Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file detections only, and does not include prevention alerts. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.alerts-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: + +* https://github.com/elastic/protections-artifacts/tree/main/yara +* https://docs.elastic.co/en/integrations/endpoint + +*Tags*: + +* Data Source: Elastic Defend +* Tactic: Execution + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Malware Alerts* + + +Elastic Endpoint malware protection leverages a combination of supervised machine learning (ML) models (PE, MachO) and yara signatures. Our ML models are trained on hundreds of millions of executables and model updates are released approximately monthly. Our yara signatures are created with automated signature creation technologies built in-house along with hand-written rules by our threat researchers. + +Files are scanned on write or deletion, process executables are scanned on executions and libraries are scanned on load. You can differentiate these types by looking at the `event.action` field in the alert. It can be execution, `load`, `creation`, `modification`, or `deletion`. Scanning files written to disk is best effort, while execution or load scanning is done ‘in-line’ for true prevention. + + +*Possible investigation steps* + + +- For machine learning (ML) malware alerts the `file.Ext.malware_classification.score` and `file.Ext.malware_classification.version` fields indicate which model version was used to classify the file and the classification score (0 to 1). +- For malware signature hits, `threat_name` is an important field which will guide the user on what malware family the sample belongs to. +- For Yara matches, Malware alerts do provide the specific binary content identified by the yara rule in the alert metadata (it is base64 encoded and stored in the `matches` field). +- A file can also hit on multiple Yara signatures. In the alert metadata, the `primary` signature (`malware_signature.primary`) will be whichever we determine to have the highest severity. +- Malicious file alerts for files in download directories or written by browsers, office applications, script interpreters or other lolbins are especially correlated with malicious activity. +- Particular attention should be paid to files located in suspicious directories like `Public` folder, `Downloads`, `Temp` and `ProgramData`. +- Verify if the file is signed or not using the `file.Ext.code_signature` field. Even if the file is signed with a valid certificate verify the global prevalance of that signed in your environment. +- Verify the malicious file timestamp metadata using `file.created`, `file.mtime` and `file.accessed` to asses exactly if it's an old or new infection. +- Investigate the activity of the process that created, modified or loaded the malicious file (parent process tree, process.command_line, child processes, network, registry and files events). +- Assess whether this file is prevalent in the environment by looking for similar occurrences across hosts by `file.hash.sha256` or by `file.name` patterns. +- Verify the activity of the `user.name` associated with Malware alert (local or remote actity, privileged or standard user). +- Verify if there are any other Alert types (Behavior or Memory Threat) associated with the same host or user or process within the same time. + +*False positive analysis* + + +- Other endpoint security vendors especially with their quarantine folders. +- Dynamically generated or compiled executables such as from csc.exe or other compilers. Due to the dynamic nature, each instance will likely have a unique hash and no signer + + +*Response and Remediation* + + +- Initiate the incident response process based on the outcome of the triage. + - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps. +- Implement Elastic Endpoint Security to detect and prevent further post exploitation activities in the environment. + - Contain the affected system by isolating it from the network to prevent further spread of the attack. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + + +*Elastic Defend Alerts* + +This rule is designed to capture specific alerts generated by Elastic Defend. + +To capture all the Elastic Defend alerts, it is recommended to use all of the Elastic Defend feature-specific protection rules: + +Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce) +Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce) +Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce) +Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce) +Memory Threat - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce) +Memory Threat - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce) +Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce) +Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce) + +To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). + + +*Additional notes* + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind : alert and event.code : malicious_file and (event.type : allowed or (event.type: denied and event.outcome: failure)) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-malicious-file-prevented-elastic-defend.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-malicious-file-prevented-elastic-defend.asciidoc new file mode 100644 index 0000000000..cad184fb3f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-malicious-file-prevented-elastic-defend.asciidoc @@ -0,0 +1,159 @@ +[[prebuilt-rule-8-16-4-malicious-file-prevented-elastic-defend]] +=== Malicious File - Prevented - Elastic Defend + +Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file preventions only, and does not include detection only alerts. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.alerts-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: + +* https://github.com/elastic/protections-artifacts/tree/main/yara +* https://docs.elastic.co/en/integrations/endpoint + +*Tags*: + +* Data Source: Elastic Defend +* Tactic: Execution + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Malware Alerts* + + +Elastic Endpoint malware protection leverages a combination of supervised machine learning (ML) models (PE, MachO) and yara signatures. Our ML models are trained on hundreds of millions of executables and model updates are released approximately monthly. Our yara signatures are created with automated signature creation technologies built in-house along with hand-written rules by our threat researchers. + +Files are scanned on write or deletion, process executables are scanned on executions and libraries are scanned on load. You can differentiate these types by looking at the `event.action` field in the alert. It can be execution, `load`, `creation`, `modification`, or `deletion`. Scanning files written to disk is best effort, while execution or load scanning is done ‘in-line’ for true prevention. + + +*Possible investigation steps* + + +- For machine learning (ML) malware alerts the `file.Ext.malware_classification.score` and `file.Ext.malware_classification.version` fields indicate which model version was used to classify the file and the classification score (0 to 1). +- For malware signature hits, `threat_name` is an important field which will guide the user on what malware family the sample belongs to. +- For Yara matches, Malware alerts do provide the specific binary content identified by the yara rule in the alert metadata (it is base64 encoded and stored in the `matches` field). +- A file can also hit on multiple Yara signatures. In the alert metadata, the `primary` signature (`malware_signature.primary`) will be whichever we determine to have the highest severity. +- Malicious file alerts for files in download directories or written by browsers, office applications, script interpreters or other lolbins are especially correlated with malicious activity. +- Particular attention should be paid to files located in suspicious directories like `Public` folder, `Downloads`, `Temp` and `ProgramData`. +- Verify if the file is signed or not using the `file.Ext.code_signature` field. Even if the file is signed with a valid certificate verify the global prevalance of that signed in your environment. +- Verify the malicious file timestamp metadata using `file.created`, `file.mtime` and `file.accessed` to asses exactly if it's an old or new infection. +- Investigate the activity of the process that created, modified or loaded the malicious file (parent process tree, process.command_line, child processes, network, registry and files events). +- Assess whether this file is prevalent in the environment by looking for similar occurrences across hosts by `file.hash.sha256` or by `file.name` patterns. +- Verify the activity of the `user.name` associated with Malware alert (local or remote actity, privileged or standard user). +- Verify if there are any other Alert types (Behavior or Memory Threat) associated with the same host or user or process within the same time. + +*False positive analysis* + + +- Other endpoint security vendors especially with their quarantine folders. +- Dynamically generated or compiled executables such as from csc.exe or other compilers. Due to the dynamic nature, each instance will likely have a unique hash and no signer + + +*Response and Remediation* + + +- Initiate the incident response process based on the outcome of the triage. + - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps. +- Implement Elastic Endpoint Security to detect and prevent further post exploitation activities in the environment. + - Contain the affected system by isolating it from the network to prevent further spread of the attack. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + + +*Elastic Defend Alerts* + +This rule is designed to capture specific alerts generated by Elastic Defend. + +To capture all the Elastic Defend alerts, it is recommended to use all of the Elastic Defend feature-specific protection rules: + +Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce) +Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce) +Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce) +Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce) +Memory Threat - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce) +Memory Threat - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce) +Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce) +Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce) + +To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). + + +*Additional notes* + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind : alert and event.code : malicious_file and event.type : denied and event.outcome : success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-memory-threat-detected-elastic-defend.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-memory-threat-detected-elastic-defend.asciidoc new file mode 100644 index 0000000000..4ed4dfc568 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-memory-threat-detected-elastic-defend.asciidoc @@ -0,0 +1,168 @@ +[[prebuilt-rule-8-16-4-memory-threat-detected-elastic-defend]] +=== Memory Threat - Detected - Elastic Defend + +Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule allows you to immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature detections only, and does not include prevention alerts. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.alerts-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: + +* https://github.com/elastic/protections-artifacts/tree/main/yara +* https://docs.elastic.co/en/integrations/endpoint + +*Tags*: + +* Data Source: Elastic Defend +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Memory Threat Alerts* + + +Elastic Endpoint’s memory threat protection adds a layer of coverage for advanced attacks which avoid the traditional approach of writing payloads to disk. Instead, the malicious code runs only in-memory, an effective technique for evading legacy security products. There are currently two sub-categories of memory threat protection. + +The first category is referred to as memory signatures and is available on all supported OS. It operates by periodically scanning process executable memory regions based on their activity to identify and terminate known bad malware. + +The second category is referred to as shellcode thread and is unique to Windows endpoints today. A common technique of in-memory malware is to load the payload in a memory region not backed by a file on disk and create a thread to execute it. + + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts : + - For shellcode alerts, the key for bucketing alerts is stored in the `Memory_protection.unique_key_v1` field. + - For Memory signature alerts, bucket based on the signatures which match `rule.name`. +- Examine the following fields if there are any matches on known Yara signatures: + - `process.Ext.memory_region.malware_signature.all_names` + - `Target.process.Ext.memory_region.malware_signature.all_names` + - `process.Ext.memory_region.malware_signature.primary.signature.name` +- Review the memory region strings for any suspicious or unique keywords captured in `process.Ext.memory_region.strings` and `Target.process.Ext.memory_region.strings`. +- For signature matches review the `process.Ext.memory_region.malware_signature.primary.matches` and `process.Ext.memory_region.malware_signature.secondary.matches` to understand which keywords or byte sequences matched on the memory Yara signature. +- For shellcode alerts, check the field `Memory_protection.self_injection` value, if it's false it means it's a remote shellcode injection and you need to review the Target process details like `Target.process.executable` fields. +- Even if the acting process is signed, review any unsigned or suspicious loaded libraries (adversaries may use `DLL Side-Loading`) captured in: + - `process.thread.Ext.call_stack.module_path` + - `process.Ext.dll.path and process.Ext.dll.hash.sha256` + - `Target.process.Ext.dll.hash.sha256` + - `Target.process.Ext.dll.path` +- If you have access to VirusTotal of similar services, you can also perform vGrep searches to look for files with bytes matching on `process.thread.Ext.start_address_bytes` or `Target.process.thread.Ext.start_address_bytes`. +- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes. + + +*False positive analysis* + + +- False positives may include Yara signature matches on generic keywords or some third party softwares performing code injection (often all involved files are signed and by the same vendor). + + +*Response and Remediation* + + +- Initiate the incident response process based on the outcome of the triage. + - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps. +- Implement Elastic Endpoint Security to detect and prevent further post exploitation activities in the environment. + - Contain the affected system by isolating it from the network to prevent further spread of the attack. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + + +*Elastic Defend Alerts* + +This rule is designed to capture specific alerts generated by Elastic Defend. + +To capture all the Elastic Defend alerts, it is recommended to use all of the Elastic Defend feature-specific protection rules: + +Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce) +Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce) +Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce) +Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce) +Memory Threat - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce) +Memory Threat - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce) +Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce) +Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce) + +To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). + + +*Additional notes* + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind : alert and event.code : (memory_signature or shellcode_thread) and (event.type : allowed or (event.type: denied and event.outcome: failure)) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Technique: +** Name: Reflective Code Loading +** ID: T1620 +** Reference URL: https://attack.mitre.org/techniques/T1620/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-memory-threat-prevented-elastic-defend.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-memory-threat-prevented-elastic-defend.asciidoc new file mode 100644 index 0000000000..2cd47a93c6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-memory-threat-prevented-elastic-defend.asciidoc @@ -0,0 +1,167 @@ +[[prebuilt-rule-8-16-4-memory-threat-prevented-elastic-defend]] +=== Memory Threat - Prevented- Elastic Defend + +Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule allows you to immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature preventions only, and does not include detection only alerts. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.alerts-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: + +* https://github.com/elastic/protections-artifacts/tree/main/yara +* https://docs.elastic.co/en/integrations/endpoint + +*Tags*: + +* Data Source: Elastic Defend +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Memory Threat Alerts* + + +Elastic Endpoint’s memory threat protection adds a layer of coverage for advanced attacks which avoid the traditional approach of writing payloads to disk. Instead, the malicious code runs only in-memory, an effective technique for evading legacy security products. There are currently two sub-categories of memory threat protection. + +The first category is referred to as memory signatures and is available on all supported OS. It operates by periodically scanning process executable memory regions based on their activity to identify and terminate known bad malware. + +The second category is referred to as shellcode thread and is unique to Windows endpoints today. A common technique of in-memory malware is to load the payload in a memory region not backed by a file on disk and create a thread to execute it. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts : + - For shellcode alerts, the key for bucketing alerts is stored in the `Memory_protection.unique_key_v1` field. + - For Memory signature alerts, bucket based on the signatures which match `rule.name`. +- Examine the following fields if there are any matches on known Yara signatures: + - `process.Ext.memory_region.malware_signature.all_names` + - `Target.process.Ext.memory_region.malware_signature.all_names` + - `process.Ext.memory_region.malware_signature.primary.signature.name` +- Review the memory region strings for any suspicious or unique keywords captured in `process.Ext.memory_region.strings` and `Target.process.Ext.memory_region.strings`. +- For signature matches review the `process.Ext.memory_region.malware_signature.primary.matches` and `process.Ext.memory_region.malware_signature.secondary.matches` to understand which keywords or byte sequences matched on the memory Yara signature. +- For shellcode alerts, check the field `Memory_protection.self_injection` value, if it's false it means it's a remote shellcode injection and you need to review the Target process details like `Target.process.executable` fields. +- Even if the acting process is signed, review any unsigned or suspicious loaded libraries (adversaries may use `DLL Side-Loading`) captured in: + - `process.thread.Ext.call_stack.module_path` + - `process.Ext.dll.path and process.Ext.dll.hash.sha256` + - `Target.process.Ext.dll.hash.sha256` + - `Target.process.Ext.dll.path` +- If you have access to VirusTotal of similar services, you can also perform vGrep searches to look for files with bytes matching on `process.thread.Ext.start_address_bytes` or `Target.process.thread.Ext.start_address_bytes`. +- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes. + + +*False positive analysis* + + +- False positives may include Yara signature matches on generic keywords or some third party software performing code injection (often all involved files are signed and by the same vendor). + + +*Response and Remediation* + + +- Initiate the incident response process based on the outcome of the triage. + - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps. +- Implement Elastic Endpoint Security to detect and prevent further post exploitation activities in the environment. + - Contain the affected system by isolating it from the network to prevent further spread of the attack. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + + +*Elastic Defend Alerts* + +This rule is designed to capture specific alerts generated by Elastic Defend. + +To capture all the Elastic Defend alerts, it is recommended to use all of the Elastic Defend feature-specific protection rules: + +Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce) +Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce) +Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce) +Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce) +Memory Threat - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce) +Memory Threat - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce) +Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce) +Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce) + +To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). + + +*Additional notes* + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind : alert and event.code : (memory_signature or shellcode_thread) and event.type : denied and event.outcome : success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Technique: +** Name: Reflective Code Loading +** ID: T1620 +** Reference URL: https://attack.mitre.org/techniques/T1620/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-multiple-okta-sessions-detected-for-a-single-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-multiple-okta-sessions-detected-for-a-single-user.asciidoc new file mode 100644 index 0000000000..b2194e5e0c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-multiple-okta-sessions-detected-for-a-single-user.asciidoc @@ -0,0 +1,82 @@ +[[prebuilt-rule-8-16-4-multiple-okta-sessions-detected-for-a-single-user]] +=== Multiple Okta Sessions Detected for a Single User + +Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 30m + +*Searches indices from*: now-35m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy +* https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection +* https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security +* https://www.elastic.co/security-labs/starter-guide-to-understanding-okta + +*Tags*: + +* Use Case: Identity and Access Audit +* Data Source: Okta +* Tactic: Lateral Movement + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + + +==== Setup + + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system + and okta.event_type:user.session.start + and okta.authentication_context.external_session_id:* + and not (okta.actor.id: okta* or okta.actor.display_name: okta*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ +* Sub-technique: +** Name: Web Session Cookie +** ID: T1550.004 +** Reference URL: https://attack.mitre.org/techniques/T1550/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-my-first-rule.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-my-first-rule.asciidoc new file mode 100644 index 0000000000..cefee09886 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-my-first-rule.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-16-4-my-first-rule]] +=== My First Rule + +This rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat activity. + +*Rule type*: threshold + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* logs-* +* winlogbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 30m + +*Searches indices from*: now-35m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 1 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-rules.html + +*Tags*: + +* Use Case: Guided Onboarding + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +This is a test alert. + +This alert does not show threat activity. Elastic created this alert to help you understand how alerts work. + +For normal rules, the Investigation Guide will help analysts investigate alerts. + +This alert will show once every 24 hours for each host. It is safe to disable this rule. + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:event + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-pluggable-authentication-module-pam-creation-in-unusual-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-pluggable-authentication-module-pam-creation-in-unusual-directory.asciidoc new file mode 100644 index 0000000000..ce930ffa30 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-pluggable-authentication-module-pam-creation-in-unusual-directory.asciidoc @@ -0,0 +1,86 @@ +[[prebuilt-rule-8-16-4-pluggable-authentication-module-pam-creation-in-unusual-directory]] +=== Pluggable Authentication Module (PAM) Creation in Unusual Directory + +This rule detects the creation of Pluggable Authentication Module (PAM) shared object files in unusual directories. Attackers may compile PAM shared object files in temporary directories, to move them to system directories later, potentially allowing them to maintain persistence on a compromised system, or harvest account credentials. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/zephrax/linux-pam-backdoor +* https://github.com/eurialo/pambd +* http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html +* https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type == "creation" and file.name like "pam_*.so" and not file.path like ( + "/lib/security/*", + "/lib64/security/*", + "/lib/x86_64-linux-gnu/security/*", + "/usr/lib/security/*", + "/usr/lib64/security/*", + "/usr/lib/x86_64-linux-gnu/security/*" +) and not ( + process.name in ("dockerd", "containerd", "steam", "buildkitd", "unsquashfs", "pacman") or + file.path like ( + "/build/rootImage/nix/store/*", "/home/*/.local/share/containers/*", "/nix/store/*", "/var/lib/containerd/*", + "/var/snap/*", "/usr/share/nix/nix/store/*", "/tmp/cura/squashfs-root/*", "/home/*/docker/*", "/tmp/containerd*" + ) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-pluggable-authentication-module-pam-source-download.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-pluggable-authentication-module-pam-source-download.asciidoc new file mode 100644 index 0000000000..190802ee02 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-pluggable-authentication-module-pam-source-download.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-16-4-pluggable-authentication-module-pam-source-download]] +=== Pluggable Authentication Module (PAM) Source Download + +This rule detects the usage of `curl` or `wget` to download the source code of a Pluggable Authentication Module (PAM) shared object file. Attackers may download the source code of a PAM shared object file to create a backdoor in the authentication process. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/zephrax/linux-pam-backdoor +* https://github.com/eurialo/pambd +* http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html +* https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Persistence +* Data Source: Elastic Defend +* Data Source: Elastic Endgame + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and +process.name in ("curl", "wget") and +process.args like~ "https://github.com/linux-pam/linux-pam/releases/download/v*/Linux-PAM-*.tar.xz" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-pluggable-authentication-module-pam-version-discovery.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-pluggable-authentication-module-pam-version-discovery.asciidoc new file mode 100644 index 0000000000..89e151dfef --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-pluggable-authentication-module-pam-version-discovery.asciidoc @@ -0,0 +1,122 @@ +[[prebuilt-rule-8-16-4-pluggable-authentication-module-pam-version-discovery]] +=== Pluggable Authentication Module (PAM) Version Discovery + +This rule detects PAM version discovery activity on Linux systems. PAM version discovery can be an indication of an attacker attempting to backdoor the authentication process through malicious PAM modules. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.group-ib.com/blog/pluggable-authentication-module/ +* https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Tactic: Persistence +* Tactic: Credential Access +* Data Source: Elastic Defend +* Data Source: Elastic Endgame + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( + (process.name in ("dpkg", "dpkg-query") and process.args == "libpam-modules") or + (process.name == "rpm" and process.args == "pam") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-potential-persistence-via-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-potential-persistence-via-file-modification.asciidoc new file mode 100644 index 0000000000..31084cdcf1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-potential-persistence-via-file-modification.asciidoc @@ -0,0 +1,242 @@ +[[prebuilt-rule-8-16-4-potential-persistence-via-file-modification]] +=== Potential Persistence via File Modification + +This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app. + +*Rule type*: eql + +*Rule indices*: + +* logs-fim.event-* +* auditbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/security-labs/primer-on-persistence-mechanisms +* https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Credential Access +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Data Source: File Integrity Monitoring + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration. + + +*Elastic FIM Integration Setup* + +To configure the Elastic FIM integration, follow these steps: + +1. Install and configure the Elastic Agent on your Linux system. You can refer to the https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html[Elastic Agent documentation] for detailed instructions. +2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana. +3. In the Kibana home page, click on "Integrations" in the left sidebar. +4. Search for "File Integrity Monitoring" in the search bar and select the integration. +5. Provide a name and optional description for the integration. +6. Select the appropriate agent policy for your Linux system or create a new one. +7. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor. +8. Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications. + +For more details on configuring the Elastic FIM integration, you can refer to the https://docs.elastic.co/integrations/fim[Elastic FIM documentation]. + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and +file.path : ( + // cron, anacron & at + "/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.monthly/*", + "/etc/cron.weekly/*", "/etc/crontab", "/var/spool/cron/crontabs/*", "/etc/cron.allow", + "/etc/cron.deny", "/var/spool/anacron/*", "/var/spool/cron/atjobs/*", + + // systemd services & timers + "/etc/systemd/system/*", "/usr/local/lib/systemd/system/*", "/lib/systemd/system/*", + "/usr/lib/systemd/system/*", "/home/*/.config/systemd/user/*", "/home/*/.local/share/systemd/user/*", + "/root/.config/systemd/user/*", "/root/.local/share/systemd/user/*", + + // LD_PRELOAD + "/etc/ld.so.preload", "/etc/ld.so.conf.d/*", "/etc/ld.so.conf", + + // Dynamic linker + "/lib/ld-linux*.so*", "/lib64/ld-linux*.so*", "/usr/lib/ld-linux*.so*", "/usr/lib64/ld-linux*.so*", + + // message-of-the-day (MOTD) + "/etc/update-motd.d/*", + + // SSH + "/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*", + + // system-wide shell configurations + "/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc", "/etc/zsh/*", "/etc/csh.cshrc", + "/etc/csh.login", "/etc/fish/config.fish", "/etc/ksh.kshrc", + + // root and user shell configurations + "/home/*/.profile", "/home/*/.bashrc", "/home/*/.bash_login", "/home/*/.bash_logout", + "/root/.profile", "/root/.bashrc", "/root/.bash_login", "/root/.bash_logout", + "/home/*/.zprofile", "/home/*/.zshrc", "/root/.zprofile", "/root/.zshrc", + "/home/*/.cshrc", "/home/*/.login", "/home/*/.logout", "/root/.cshrc", "/root/.login", "/root/.logout", + "/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish", + "/home/*/.kshrc", "/root/.kshrc", + + // runtime control + "/etc/rc.common", "/etc/rc.local", + + // System V init/Upstart + "/etc/init.d/*", "/etc/init/*", + + // passwd/sudoers/shadow + "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/sudoers.d/*", + + // Systemd udevd + "/lib/udev/*", "/etc/udev/rules.d/*", "/usr/lib/udev/rules.d/*", "/run/udev/rules.d/*", "/usr/local/lib/udev/rules.d/*", + + // XDG/KDE autostart entries + "/home/*/.config/autostart/*", "/root/.config/autostart/*", "/etc/xdg/autostart/*", "/usr/share/autostart/*", + "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*", + "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*", + "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*", + "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*", + "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*", + "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*", + + // LKM configuration files + "/etc/modules", "/etc/modprobe.d/*", "/usr/lib/modprobe.d/*", "/etc/modules-load.d/*", + "/run/modules-load.d/*", "/usr/local/lib/modules-load.d/*", "/usr/lib/modules-load.d/*", + + // PAM modules & configuration files + "/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*", + "/lib/x86_64-linux-gnu/security/*", "/usr/lib/x86_64-linux-gnu/security/*", + "/etc/pam.d/*", "/etc/security/pam_*", "/etc/pam.conf", + + // Misc. + "/etc/shells" + +) and not ( + file.path : ( + "/var/spool/cron/crontabs/tmp.*", "/run/udev/rules.d/*rules.*", "/home/*/.ssh/known_hosts.*", "/root/.ssh/known_hosts.*" + ) or + file.extension in ("dpkg-new", "dpkg-remove", "SEQ") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Local Account +** ID: T1136.001 +** Reference URL: https://attack.mitre.org/techniques/T1136/001/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Rootkit +** ID: T1014 +** Reference URL: https://attack.mitre.org/techniques/T1014/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-ransomware-detected-elastic-defend.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-ransomware-detected-elastic-defend.asciidoc new file mode 100644 index 0000000000..3987edd34f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-ransomware-detected-elastic-defend.asciidoc @@ -0,0 +1,146 @@ +[[prebuilt-rule-8-16-4-ransomware-detected-elastic-defend]] +=== Ransomware - Detected - Elastic Defend + +Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you to immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware detections only, and does not include prevention alerts. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.alerts-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: + +* https://github.com/elastic/protections-artifacts/tree/main/ransomware +* https://docs.elastic.co/en/integrations/endpoint + +*Tags*: + +* Data Source: Elastic Defend +* Tactic: Impact + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Ransomware Alerts* + + +Ransomware protection adds a dedicated layer of detection and prevention against ransomware attacks. Our Ransomware protection consists of 3 subtypes: `behavioral`, `canary files`, and `MBR`. Our behavioral ransomware protection monitors the low level file system activity of all processes on the system to identify generic file encryption techniques. We include signals such as file header information, entropy calculations, known and suspicious extensions, and more to make verdicts. Canary files serve as a high confidence short-cut to other behavior techniques. Our endpoint places hidden files in select directories on the system and will trigger on any process attempting to tamper with the files. Finally, we protect the Master Boot Record (MBR) with our kernel minifilter driver to prevent this type of ransomware attack. + +Generally, our ransomware protection is tuned to have extremely low false positives rates. We understand how alarming and disruptive ransomware false positives can be which has factored into its design goals. More likely than not, if this protection fires, it is a true positive. However, certain categories of software do behave similarly to ransomware from the perspective of this protection. That includes installers and backup software, which can make a large number of modifications to documents (especially during a restore operation). Further, encryption or system utilities which modify the system’s MBR may also trigger our MBR protection. + + +*Possible investigation steps* + + +- The `Ransomware.files` field provides details about files modifications (paths, entropy, extension and file headers). +- Investigate the metadata and the activity of the process or processes that triggered the alert. +- Assess whether this activity prevalent in the environment by looking for similar occurrences across hosts. +- Some Ransomware attacks tend to execute the operation on multiple hosts at the same time for maximum impact. +- Verify the activity of the `user.name` associated with the alert (local or remote actity, privileged or standard user). +- Quickly identifying the compromised credentials is critical to remediate Ransomware attacks. +- Verify if there are any other alert types (Behavior or Memory Threat) associated with the same host or user or process within the same time. + + +*False positive analysis* + + +- Installers and backup software, which can make a large number of modifications to documents (especially during a restore operation). +- Encryption or system utilities which modify the system’s MBR may also trigger our MBR protection. + +*Response and Remediation* + + +- Immediate Isolation and Containment: Quickly disconnect affected systems from the network, including both wired and wireless connections, to prevent the ransomware from spreading. This includes disabling network cards and removing network cables if necessary, while keeping the systems powered on for forensic purposes. +- Activate Incident Response Team and Plan: Assemble your incident response team and implement your incident response plan. Contact necessary stakeholders including IT security, legal counsel, and executive management. Document all actions taken from the moment of detection. +Initial Assessment and Evidence Preservation: Identify the scope of the infection and the type of ransomware. +- Take screenshots of ransom messages and create disk images of affected systems. Record all observable indicators of compromise (IOCs) before any remediation begins. +- Business Impact Analysis: Evaluate which critical business operations are affected and establish priority systems for recovery. Determine regulatory reporting requirements based on the type of data potentially compromised. +- Secure Backup Verification: Identify and verify the integrity of your latest clean backups. Check backup systems for potential compromise and ensure they were disconnected during the attack to prevent encryption of backup data. +- System Recovery Preparation: Build a clean environment for recovery operations, including secured networks and validated clean systems. Prepare tools and resources needed for system restoration. +- Malware Eradication: Remove the ransomware from infected systems using appropriate security tools. This may involve complete system rebuilds from known clean sources rather than attempting to clean infected systems. +- Data Restoration: Begin restoring systems from verified clean backups, starting with the most critical business operations. Implement additional security controls and monitoring during the restoration process. +- Security Posture Strengthening: Update all security systems including firewalls, antivirus, and endpoint protection. Reset all credentials across the organization and implement additional access controls like multi-factor authentication where needed. +- Post-Incident Activities: Conduct a detailed post-incident analysis to identify how the ransomware entered the environment. Update security policies and incident response plans based on lessons learned, and provide additional security awareness training to staff. + + +==== Setup + + + +*Setup* + + + +*Elastic Defend Alerts* + +This rule is designed to capture specific alerts generated by Elastic Defend. + +To capture all the Elastic Defend alerts, it is recommended to use all of the Elastic Defend feature-specific protection rules: + +Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce) +Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce) +Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce) +Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce) +Memory Threat - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce) +Memory Threat - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce) +Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce) +Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce) + +To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). + + +*Additional notes* + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind : alert and event.code : ransomware and (event.type : allowed or (event.type: denied and event.outcome: failure)) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Encrypted for Impact +** ID: T1486 +** Reference URL: https://attack.mitre.org/techniques/T1486/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-ransomware-prevented-elastic-defend.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-ransomware-prevented-elastic-defend.asciidoc new file mode 100644 index 0000000000..e4fb36002f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-ransomware-prevented-elastic-defend.asciidoc @@ -0,0 +1,147 @@ +[[prebuilt-rule-8-16-4-ransomware-prevented-elastic-defend]] +=== Ransomware - Prevented - Elastic Defend + +Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you to immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware preventions only, and does not include detection only alerts. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.alerts-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: + +* https://github.com/elastic/protections-artifacts/tree/main/ransomware +* https://docs.elastic.co/en/integrations/endpoint + +*Tags*: + +* Data Source: Elastic Defend +* Tactic: Impact + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Ransomware Alerts* + + +Ransomware protection adds a dedicated layer of detection and prevention against ransomware attacks. Our Ransomware protection consists of 3 subtypes: `behavioral`, `canary files`, and `MBR`. Our behavioral ransomware protection monitors the low level file system activity of all processes on the system to identify generic file encryption techniques. We include signals such as file header information, entropy calculations, known and suspicious extensions, and more to make verdicts. Canary files serve as a high confidence short-cut to other behavior techniques. Our endpoint places hidden files in select directories on the system and will trigger on any process attempting to tamper with the files. Finally, we protect the Master Boot Record (MBR) with our kernel minifilter driver to prevent this type of ransomware attack. + +Generally, our ransomware protection is tuned to have extremely low false positives rates. We understand how alarming and disruptive ransomware false positives can be which has factored into its design goals. More likely than not, if this protection fires, it is a true positive. However, certain categories of software do behave similarly to ransomware from the perspective of this protection. That includes installers and backup software, which can make a large number of modifications to documents (especially during a restore operation). Further, encryption or system utilities which modify the system’s MBR may also trigger our MBR protection. + + +*Possible investigation steps* + + +- The `Ransomware.files` field provides details about files modification (paths, entropy, extension and file headers). +- Investigate the metadata and the activity of the process or processes that triggered the alert. +- Assess whether this activity is prevalent in your environment by looking for similar occurrences across hosts. +- Some Ransomware attacks tend to execute the operation on multiple hosts at the same time for maximum impact. +- Verify the activity of the `user.name` associated with the alert (local or remote actity, privileged or standard user). +- Quickly identifying the compromised credentials is critical to remediate Ransomware attacks. +- Verify if there are any other alert types (Behavior or Memory Threat) associated with the same host or user or process within the same time. + + +*False positive analysis* + + +- Installers and backup software, which can make a large number of modifications to documents (especially during a restore operation). +- Encryption or system utilities which modify the system’s MBR may also trigger our MBR protection. + + +*Response and Remediation* + + +- Immediate Isolation and Containment: Quickly disconnect affected systems from the network, including both wired and wireless connections, to prevent the ransomware from spreading. This includes disabling network cards and removing network cables if necessary, while keeping the systems powered on for forensic purposes. +- Activate Incident Response Team and Plan: Assemble your incident response team and implement your incident response plan. Contact necessary stakeholders including IT security, legal counsel, and executive management. Document all actions taken from the moment of detection. +Initial Assessment and Evidence Preservation: Identify the scope of the infection and the type of ransomware. +- Take screenshots of ransom messages and create disk images of affected systems. Record all observable indicators of compromise (IOCs) before any remediation begins. +- Business Impact Analysis: Evaluate which critical business operations are affected and establish priority systems for recovery. Determine regulatory reporting requirements based on the type of data potentially compromised. +- Secure Backup Verification: Identify and verify the integrity of your latest clean backups. Check backup systems for potential compromise and ensure they were disconnected during the attack to prevent encryption of backup data. +- System Recovery Preparation: Build a clean environment for recovery operations, including secured networks and validated clean systems. Prepare tools and resources needed for system restoration. +- Malware Eradication: Remove the ransomware from infected systems using appropriate security tools. This may involve complete system rebuilds from known clean sources rather than attempting to clean infected systems. +- Data Restoration: Begin restoring systems from verified clean backups, starting with the most critical business operations. Implement additional security controls and monitoring during the restoration process. +- Security Posture Strengthening: Update all security systems including firewalls, antivirus, and endpoint protection. Reset all credentials across the organization and implement additional access controls like multi-factor authentication where needed. +- Post-Incident Activities: Conduct a detailed post-incident analysis to identify how the ransomware entered the environment. Update security policies and incident response plans based on lessons learned, and provide additional security awareness training to staff. + + +==== Setup + + + +*Setup* + + + +*Elastic Defend Alerts* + +This rule is designed to capture specific alerts generated by Elastic Defend. + +To capture all the Elastic Defend alerts, it is recommended to use all of the Elastic Defend feature-specific protection rules: + +Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce) +Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce) +Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce) +Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce) +Memory Threat - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce) +Memory Threat - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce) +Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce) +Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce) + +To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). + + +*Additional notes* + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + + +==== Rule query + + +[source, js] +---------------------------------- +event.kind : alert and event.code : ransomware and event.type : denied and event.outcome : success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Encrypted for Impact +** ID: T1486 +** Reference URL: https://attack.mitre.org/techniques/T1486/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-rapid-secret-retrieval-attempts-from-aws-secretsmanager.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-rapid-secret-retrieval-attempts-from-aws-secretsmanager.asciidoc new file mode 100644 index 0000000000..2e1a4a647a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-rapid-secret-retrieval-attempts-from-aws-secretsmanager.asciidoc @@ -0,0 +1,133 @@ +[[prebuilt-rule-8-16-4-rapid-secret-retrieval-attempts-from-aws-secretsmanager]] +=== Rapid Secret Retrieval Attempts from AWS SecretsManager + +This rule attempts to identify rapid secret retrieval attempts from AWS SecretsManager. Adversaries may attempt to retrieve secrets from the Secrets Manager programmatically using the `GetSecretValue` or `BatchGetSecretValue` API actions. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html +* https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/ +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum +* https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS Secrets Manager +* Tactic: Credential Access +* Resources: Investigation Guide + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Rapid Secret Retrieval Attempts from AWS SecretsManager* + + +AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. + +This rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-threshold-rule[Threshold] rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan. + + +*Possible investigation steps* + + +- Identify the account and its role in the environment, and inspect the related policy. +- Identify the applications that should use this account. +- Investigate other alerts associated with the user account during the past 48 hours. +- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users. +- Contact the account owner and confirm whether they are aware of this activity. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the calling user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance? +- Review IAM permission policies for the user identity and specific secrets accessed. +- Examine the request parameters. These might indicate the source of the program or the nature of its tasks. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours. + + +*False positive analysis* + + +- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions — preferably with a combination of user agent and IP address conditions. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/[outlined] by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and + event.action: (GetSecretValue or BatchGetSecretValue) and event.outcome:success and + not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Cloud Secrets Management Stores +** ID: T1555.006 +** Reference URL: https://attack.mitre.org/techniques/T1555/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-remote-execution-via-file-shares.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-remote-execution-via-file-shares.asciidoc new file mode 100644 index 0000000000..07f25c1a83 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-remote-execution-via-file-shares.asciidoc @@ -0,0 +1,182 @@ +[[prebuilt-rule-8-16-4-remote-execution-via-file-shares]] +=== Remote Execution via File Shares + +Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process-* +* logs-endpoint.events.file-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html +* https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 115 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Remote Execution via File Shares* + + +Adversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +*False positive analysis* + + +- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Review the privileges needed to write to the network share and restrict write access as needed. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1m + [file where host.os.type == "windows" and event.type in ("creation", "change") and + process.pid == 4 and (file.extension : "exe" or file.Ext.header_bytes : "4d5a*")] by host.id, file.path + [process where host.os.type == "windows" and event.type == "start" and + not ( + /* Veeam related processes */ + ( + process.name : ( + "VeeamGuestHelper.exe", "VeeamGuestIndexer.exe", "VeeamAgent.exe", "VeeamLogShipper.exe", "Veeam.VSS.Sharepoint20??.exe" + ) and process.code_signature.trusted == true and process.code_signature.subject_name : "Veeam Software Group GmbH" + ) or + /* PDQ related processes */ + ( + process.name : ( + "PDQInventoryScanner.exe", "PDQInventoryMonitor.exe", "PDQInventory-Scanner-?.exe", + "PDQInventoryWakeCommand-?.exe", "PDQDeployRunner-?.exe" + ) and process.code_signature.trusted == true and process.code_signature.subject_name : "PDQ.com Corporation" + ) or + /* CrowdStrike related processes */ + ( + (process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*-WindowsSensor.*.exe" and + process.code_signature.trusted == true and process.code_signature.subject_name : "CrowdStrike, Inc.") or + (process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*-CsInstallerService.exe" and + process.code_signature.trusted == true and process.code_signature.subject_name : "Microsoft Windows Hardware Compatibility Publisher") + ) or + /* MS related processes */ + ( + process.executable == "System" or + (process.executable : "?:\\Windows\\ccmsetup\\ccmsetup.exe" and + process.code_signature.trusted == true and process.code_signature.subject_name : "Microsoft Corporation") + ) or + /* CyberArk processes */ + ( + process.executable : "?:\\Windows\\CAInvokerService.exe" and + process.code_signature.trusted == true and process.code_signature.subject_name : "CyberArk Software Ltd." + ) or + /* Sophos processes */ + ( + process.executable : "?:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\sophos_autoupdate1.dir\\SophosUpdate.exe" and + process.code_signature.trusted == true and process.code_signature.subject_name : "Sophos Ltd" + ) or + /* Elastic processes */ + ( + process.executable : ( + "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\previous\\elastic-endpoint.exe", + "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\elastic-agent.exe", + "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\agentbeat.exe" + ) and + process.code_signature.trusted == true and process.code_signature.subject_name : "Elasticsearch, Inc." + ) + ) + ] by host.id, process.executable + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-simple-http-web-server-connection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-simple-http-web-server-connection.asciidoc new file mode 100644 index 0000000000..1e2b3cebc9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-simple-http-web-server-connection.asciidoc @@ -0,0 +1,125 @@ +[[prebuilt-rule-8-16-4-simple-http-web-server-connection]] +=== Simple HTTP Web Server Connection + +This rule detects connections accepted by a simple HTTP web server in Python and PHP built-in modules. Adversaries may create simple HTTP web servers to establish persistence on a compromised system by uploading a reverse or command shell payload to the server web root, allowing them to regain remote access to the system if lost. This event may occur when an attacker requests the server to execute a command or script via a potential backdoor. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.network* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +network where host.os.type == "linux" and event.type == "start" and event.action == "connection_accepted" and ( + (process.name regex~ """php?[0-9]?\.?[0-9]{0,2}""" and process.command_line like "*-S*") or + (process.name like "python*" and process.command_line like ("*--cgi*", "*CGIHTTPServer*")) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: Web Shell +** ID: T1505.003 +** Reference URL: https://attack.mitre.org/techniques/T1505/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-simple-http-web-server-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-simple-http-web-server-creation.asciidoc new file mode 100644 index 0000000000..6e547b672c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-simple-http-web-server-creation.asciidoc @@ -0,0 +1,125 @@ +[[prebuilt-rule-8-16-4-simple-http-web-server-creation]] +=== Simple HTTP Web Server Creation + +This rule detects the creation of a simple HTTP web server using PHP or Python built-in modules. Adversaries may create simple HTTP web servers to establish persistence on a compromised system by uploading a reverse or command shell payload to the server web root, allowing them to regain remote access to the system if lost. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + (process.name regex~ """php?[0-9]?\.?[0-9]{0,2}""" and process.args == "-S") or + (process.name like "python*" and process.args in ("--cgi", "CGIHTTPServer")) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: Web Shell +** ID: T1505.003 +** Reference URL: https://attack.mitre.org/techniques/T1505/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-suspicious-antimalware-scan-interface-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-suspicious-antimalware-scan-interface-dll.asciidoc new file mode 100644 index 0000000000..14154d0e94 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-suspicious-antimalware-scan-interface-dll.asciidoc @@ -0,0 +1,171 @@ +[[prebuilt-rule-8-16-4-suspicious-antimalware-scan-interface-dll]] +=== Suspicious Antimalware Scan Interface DLL + +Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.file-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-sentinel_one_cloud_funnel.* +* logs-m365_defender.event-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne +* Data Source: Microsoft Defender for Endpoint + +*Version*: 314 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Suspicious Antimalware Scan Interface DLL* + + +The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell. + +Attackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Identify the process that created the DLL and which account was used. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the execution of scripts and macros after the registry modification. +- Investigate other processes launched from the directory that the DLL was created. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe: + - Observe and collect information about the following activities in the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + + +*False positive analysis* + + +- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and file.path != null and + file.name : ("amsi.dll", "amsi") and + not file.path : ( + "?:\\$SysReset\\CloudImage\\Package_for_RollupFix*", + "?:\\Windows\\system32\\amsi.dll", + "?:\\Windows\\Syswow64\\amsi.dll", + "?:\\$WINDOWS.~BT\\DUImageSandbox\\*", + "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSXS\\*", + "?:\\$WINDOWS.~BT\\NewOS\\Windows\\servicing\\LCU\\*", + "?:\\$WINDOWS.~BT\\Work\\*\\*", + "?:\\$WINDOWS.~BT\\Store\\Offline\\File\\C$\\Windows\\SoftwareDistribution\\Download.bak\\*", + "?:\\Windows\\CbsTemp\\*\\f\\amsi.dll", + "?:\\Windows\\SoftwareDistribution\\Download\\*", + "?:\\Windows\\WinSxS\\amd64_microsoft-antimalware-scan-interface_*\\amsi.dll" + ) and + not + ( + process.executable : "C:\\Windows\\System32\\wbengine.exe" and + file.path : ( + "\\Device\\HarddiskVolume??\\Windows\\system32\\amsi.dll", + "\\Device\\HarddiskVolume??\\Windows\\syswow64\\amsi.dll", + "\\Device\\HarddiskVolume??\\Windows\\WinSxS\\*\\amsi.dll", + "\\\\?\\Volume{*}\\Windows\\WinSxS\\*\\amsi.dll", + "\\\\?\\Volume{*}\\Windows\\system32\\amsi.dll", + "\\\\?\\Volume{*}\\Windows\\syswow64\\amsi.dll" + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Search Order Hijacking +** ID: T1574.001 +** Reference URL: https://attack.mitre.org/techniques/T1574/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-suspicious-wmi-event-subscription-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-suspicious-wmi-event-subscription-created.asciidoc new file mode 100644 index 0000000000..9b9b36945f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-suspicious-wmi-event-subscription-created.asciidoc @@ -0,0 +1,76 @@ +[[prebuilt-rule-8-16-4-suspicious-wmi-event-subscription-created]] +=== Suspicious WMI Event Subscription Created + +Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.sysmon_operational-* +* logs-endpoint.events.api-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf +* https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Sysmon +* Data Source: Elastic Defend + +*Version*: 306 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +any where + ( + (event.dataset == "windows.sysmon_operational" and event.code == "21" and + winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")) or + + (event.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and process.Ext.api.name == "IWbemServices::PutInstance" and + process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Windows Management Instrumentation Event Subscription +** ID: T1546.003 +** Reference URL: https://attack.mitre.org/techniques/T1546/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-uncommon-registry-persistence-change.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-uncommon-registry-persistence-change.asciidoc new file mode 100644 index 0000000000..d68c452d3e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-uncommon-registry-persistence-change.asciidoc @@ -0,0 +1,160 @@ +[[prebuilt-rule-8-16-4-uncommon-registry-persistence-change]] +=== Uncommon Registry Persistence Change + +Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.registry-* +* logs-windows.sysmon_operational-* +* winlogbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2 +* https://github.com/rad9800/BootExecuteEDR + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 212 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type == "change" and + length(registry.data.strings) > 0 and + registry.path : ( + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IconServiceLib", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AppSetup", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Taskman", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\VmApplet", + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*", + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell", + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script", + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script", + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script", + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell", + "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script", + "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script", + "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script", + "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script", + "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\*\\ShellComponent", + "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect\\MicrosoftActiveSync", + "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect\\MicrosoftActiveSync", + "HKLM\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath", + "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec", + "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script", + "HKLM\\SOFTWARE\\Microsoft\\Command Processor\\Autorun", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun", + "HKEY_USERS\\*\\Control Panel\\Desktop\\scrnsave.exe", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\VerifierDlls", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GpExtensions\\*\\DllName", + "HKLM\\SYSTEM\\ControlSet*\\Control\\SafeBoot\\AlternateShell", + "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\Wds\\rdpwd\\StartupPrograms", + "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram", + "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecute", + "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecuteNoPnpSync", + "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecute", + "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecuteNoPnpSync", + "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\PlatformExecute", + "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\Execute", + "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\S0InitialCommand", + "HKLM\\SYSTEM\\ControlSet*\\Control\\ServiceControlManagerExtension", + "HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePath", + "HKLM\\SYSTEM\\Setup\\CmdLine", + "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and + + not registry.data.strings : ("C:\\Windows\\system32\\userinit.exe", "cmd.exe", "C:\\Program Files (x86)\\*.exe", + "C:\\Program Files\\*.exe") and + not (process.name : "rundll32.exe" and registry.path : "*\\Software\\Microsoft\\Internet Explorer\\Extensions\\*\\Script") and + not process.executable : ("C:\\Windows\\System32\\msiexec.exe", + "C:\\Windows\\SysWOW64\\msiexec.exe", + "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + "C:\\Program Files\\*.exe", + "C:\\Program Files (x86)\\*.exe") and + not (process.name : ("TiWorker.exe", "poqexec.exe") and registry.value : "SetupExecute" and + registry.data.strings : ( + "C:\\windows\\System32\\poqexec.exe /display_progress \\SystemRoot\\WinSxS\\pending.xml", + "C:\\Windows\\System32\\poqexec.exe /skip_critical_poq /display_progress \\SystemRoot\\WinSxS\\pending.xml" + ) + ) and + not (process.name : "svchost.exe" and registry.value : "SCRNSAVE.EXE" and + registry.data.strings : ( + "%windir%\\system32\\rundll32.exe user32.dll,LockWorkStation", + "scrnsave.scr", + "%windir%\\system32\\Ribbons.scr" + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Screensaver +** ID: T1546.002 +** Reference URL: https://attack.mitre.org/techniques/T1546/002/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-unusual-preload-environment-variable-process-execution.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-unusual-preload-environment-variable-process-execution.asciidoc new file mode 100644 index 0000000000..987596c34d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-unusual-preload-environment-variable-process-execution.asciidoc @@ -0,0 +1,126 @@ +[[prebuilt-rule-8-16-4-unusual-preload-environment-variable-process-execution]] +=== Unusual Preload Environment Variable Process Execution + +This rule detects processes that are executed with environment variables that are not commonly used. This could indicate an attacker is attempting to hijack the execution flow of a process by loading malicious libraries or binaries into the process memory space. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.process* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + +Elastic Defend integration does not collect environment variable logging by default. +In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration. + #### To set up environment variable capture for an Elastic Agent policy: +- Go to “Security → Manage → Policies”. +- Select an “Elastic Agent policy”. +- Click “Show advanced settings”. +- Scroll down or search for “linux.advanced.capture_env_vars”. +- Enter the names of environment variables you want to capture, separated by commas. +- For this rule the linux.advanced.capture_env_vars variable should be set to "LD_PRELOAD,LD_LIBRARY_PATH". +- Click “Save”. +After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly. +For more information on capturing environment variables refer to the https://www.elastic.co/guide/en/security/current/environment-variable-capture.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:start and event.action:exec and process.env_vars:* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-unusual-sshd-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-unusual-sshd-child-process.asciidoc new file mode 100644 index 0000000000..cd1e829a41 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rule-8-16-4-unusual-sshd-child-process.asciidoc @@ -0,0 +1,91 @@ +[[prebuilt-rule-8-16-4-unusual-sshd-child-process]] +=== Unusual SSHD Child Process + +This rule detects the creation of an unusual SSHD child process through the usage of the `new_terms` rule type. Attackers may abuse SSH to maintain persistence on a compromised system, or to establish a backdoor for remote access, potentially resulting in an unusual SSHD child process being created. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.process* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://hadess.io/the-art-of-linux-persistence/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:start and event.action:exec and +process.parent.name:(ssh or sshd) and process.args_count:2 and +not process.command_line:(-bash or -zsh or -sh) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Unix Shell Configuration Modification +** ID: T1546.004 +** Reference URL: https://attack.mitre.org/techniques/T1546/004/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ +* Technique: +** Name: Remote Service Session Hijacking +** ID: T1563 +** Reference URL: https://attack.mitre.org/techniques/T1563/ +* Sub-technique: +** Name: SSH Hijacking +** ID: T1563.001 +** Reference URL: https://attack.mitre.org/techniques/T1563/001/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rules-8-16-4-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rules-8-16-4-appendix.asciidoc new file mode 100644 index 0000000000..39c1d750fd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rules-8-16-4-appendix.asciidoc @@ -0,0 +1,36 @@ +["appendix",role="exclude",id="prebuilt-rule-8-16-4-prebuilt-rules-8-16-4-appendix"] += Downloadable rule update v8.16.4 + +This section lists all updates associated with version 8.16.4 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-8-16-4-azure-entra-mfa-totp-brute-force-attempts.asciidoc[] +include::prebuilt-rule-8-16-4-memory-threat-detected-elastic-defend.asciidoc[] +include::prebuilt-rule-8-16-4-memory-threat-prevented-elastic-defend.asciidoc[] +include::prebuilt-rule-8-16-4-behavior-detected-elastic-defend.asciidoc[] +include::prebuilt-rule-8-16-4-behavior-prevented-elastic-defend.asciidoc[] +include::prebuilt-rule-8-16-4-malicious-file-detected-elastic-defend.asciidoc[] +include::prebuilt-rule-8-16-4-malicious-file-prevented-elastic-defend.asciidoc[] +include::prebuilt-rule-8-16-4-ransomware-detected-elastic-defend.asciidoc[] +include::prebuilt-rule-8-16-4-ransomware-prevented-elastic-defend.asciidoc[] +include::prebuilt-rule-8-16-4-dynamic-linker-ld-so-creation.asciidoc[] +include::prebuilt-rule-8-16-4-unusual-preload-environment-variable-process-execution.asciidoc[] +include::prebuilt-rule-8-16-4-pluggable-authentication-module-pam-version-discovery.asciidoc[] +include::prebuilt-rule-8-16-4-kernel-object-file-creation.asciidoc[] +include::prebuilt-rule-8-16-4-loadable-kernel-module-configuration-file-creation.asciidoc[] +include::prebuilt-rule-8-16-4-pluggable-authentication-module-pam-creation-in-unusual-directory.asciidoc[] +include::prebuilt-rule-8-16-4-pluggable-authentication-module-pam-source-download.asciidoc[] +include::prebuilt-rule-8-16-4-simple-http-web-server-connection.asciidoc[] +include::prebuilt-rule-8-16-4-simple-http-web-server-creation.asciidoc[] +include::prebuilt-rule-8-16-4-login-via-unusual-system-user.asciidoc[] +include::prebuilt-rule-8-16-4-unusual-sshd-child-process.asciidoc[] +include::prebuilt-rule-8-16-4-my-first-rule.asciidoc[] +include::prebuilt-rule-8-16-4-rapid-secret-retrieval-attempts-from-aws-secretsmanager.asciidoc[] +include::prebuilt-rule-8-16-4-endpoint-security-elastic-defend.asciidoc[] +include::prebuilt-rule-8-16-4-potential-persistence-via-file-modification.asciidoc[] +include::prebuilt-rule-8-16-4-multiple-okta-sessions-detected-for-a-single-user.asciidoc[] +include::prebuilt-rule-8-16-4-creation-or-modification-of-pluggable-authentication-module-or-configuration.asciidoc[] +include::prebuilt-rule-8-16-4-suspicious-antimalware-scan-interface-dll.asciidoc[] +include::prebuilt-rule-8-16-4-remote-execution-via-file-shares.asciidoc[] +include::prebuilt-rule-8-16-4-uncommon-registry-persistence-change.asciidoc[] +include::prebuilt-rule-8-16-4-suspicious-wmi-event-subscription-created.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rules-8-16-4-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rules-8-16-4-summary.asciidoc new file mode 100644 index 0000000000..847d12600b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-16-4/prebuilt-rules-8-16-4-summary.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-16-4-prebuilt-rules-8-16-4-summary]] +[role="xpack"] +== Update v8.16.4 + +This section lists all updates associated with version 8.16.4 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | Identifies brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password (TOTP) verification codes. This rule detects high frequency failed TOTP code attempts for a single user in a short time-span. Adversaries with valid credentials, when attempting to login to Azure portal or other Azure services, may be prompted to provide a TOTP code as part of the MFA process. If successful, adversaries can bypass MFA and gain unauthorized access to Azure resources. | new | 1 + +|<> | Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule allows you to immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature detections only, and does not include prevention alerts. | new | 1 + +|<> | Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule allows you to immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature preventions only, and does not include detection only alerts. | new | 1 + +|<> | Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to immediately begin investigating your Endpoint behavior alerts. This rule identifies Elastic Defend behavior detections only, and does not include prevention alerts. | new | 1 + +|<> | Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to immediately begin investigating your Endpoint behavior alerts. This rule identifies Elastic Defend behavior preventions only, and does not include detection only alerts. | new | 1 + +|<> | Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file detections only, and does not include prevention alerts. | new | 1 + +|<> | Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file preventions only, and does not include detection only alerts. | new | 1 + +|<> | Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you to immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware detections only, and does not include prevention alerts. | new | 1 + +|<> | Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you to immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware preventions only, and does not include detection only alerts. | new | 1 + +|<> | This rule detects the creation of the dynamic linker (ld.so) file. The dynamic linker is used to load shared libraries needed by an executable. Attackers may attempt to replace the dynamic linker with a malicious version to execute arbitrary code. | new | 1 + +|<> | This rule detects processes that are executed with environment variables that are not commonly used. This could indicate an attacker is attempting to hijack the execution flow of a process by loading malicious libraries or binaries into the process memory space. | new | 1 + +|<> | This rule detects PAM version discovery activity on Linux systems. PAM version discovery can be an indication of an attacker attempting to backdoor the authentication process through malicious PAM modules. | new | 1 + +|<> | This rule detects the creation of a Linux kernel object file (.ko) on a system. Threat actors may leverage Linux kernel object files to load a rootkit or other type of malware on a system providing them with complete control and the ability to hide from security products. | new | 1 + +|<> | This rule detects the creation of Loadable Kernel Module (LKM) configuration files. Attackers may create or modify these files to allow their LKMs to be loaded upon reboot, ensuring persistence on a compromised system. | new | 1 + +|<> | This rule detects the creation of Pluggable Authentication Module (PAM) shared object files in unusual directories. Attackers may compile PAM shared object files in temporary directories, to move them to system directories later, potentially allowing them to maintain persistence on a compromised system, or harvest account credentials. | new | 1 + +|<> | This rule detects the usage of `curl` or `wget` to download the source code of a Pluggable Authentication Module (PAM) shared object file. Attackers may download the source code of a PAM shared object file to create a backdoor in the authentication process. | new | 1 + +|<> | This rule detects connections accepted by a simple HTTP web server in Python and PHP built-in modules. Adversaries may create simple HTTP web servers to establish persistence on a compromised system by uploading a reverse or command shell payload to the server web root, allowing them to regain remote access to the system if lost. This event may occur when an attacker requests the server to execute a command or script via a potential backdoor. | new | 1 + +|<> | This rule detects the creation of a simple HTTP web server using PHP or Python built-in modules. Adversaries may create simple HTTP web servers to establish persistence on a compromised system by uploading a reverse or command shell payload to the server web root, allowing them to regain remote access to the system if lost. | new | 1 + +|<> | This rule identifies successful logins by system users that are uncommon to authenticate. These users have `nologin` set by default, and must be modified to allow SSH access. Adversaries may backdoor these users to gain unauthorized access to the system. | new | 1 + +|<> | This rule detects the creation of an unusual SSHD child process through the usage of the `new_terms` rule type. Attackers may abuse SSH to maintain persistence on a compromised system, or to establish a backdoor for remote access, potentially resulting in an unusual SSHD child process being created. | new | 1 + +|<> | This rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat activity. | update | 4 + +|<> | This rule attempts to identify rapid secret retrieval attempts from AWS SecretsManager. Adversaries may attempt to retrieve secrets from the Secrets Manager programmatically using the `GetSecretValue` or `BatchGetSecretValue` API actions. | update | 2 + +|<> | Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts. | update | 104 + +|<> | This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app. | update | 5 + +|<> | Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location. | update | 207 + +|<> | This rule monitors for the creation or modification of Pluggable Authentication Module (PAM) shared object files or configuration files. Attackers may create or modify these files to maintain persistence on a compromised system, or harvest account credentials. | update | 3 + +|<> | Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one. | update | 314 + +|<> | Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares. | update | 115 + +|<> | Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner. | update | 212 + +|<> | Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges. | update | 306 + +|============================================== diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc index 1c1c8f2b7e..1278bab322 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc @@ -13,6 +13,10 @@ For previous rule updates, please navigate to the https://www.elastic.co/guide/e |Update version |Date | New rules | Updated rules | Notes +|<> | 08 Jan 2025 | 20 | 10 | +This release includes new rules for Linux, Azure and Elastic Defend integration. Deprecated rules include `Suspicious File Changes Activity Detected` New rules for Linux include detection for persistence and defense evasion. New rules for Azure include detection for credential access. New Rules for Elastic Defend include detection for defense evasion, execution and impact. Additionally, significant rule tuning for Linux, Windows and Okta rules has been added for better rule efficacy and performance. + + |<> | 10 Dec 2024 | 5 | 6 | This release includes new rules for AWS, and AWS Bedrock integration. New rules for AWS include detection for persistence. New rules for AWS Bedrock include detection for LLM prompt injection and LLM jailbreak. Additionally, significant rule tuning for AWS, Github, AWS Bedrock and Azure rules has been added for better rule efficacy and performance. @@ -28,3 +32,4 @@ This release includes new rules for Windows, Linux, AWS, and Azure integration. include::downloadable-packages/8-16-1/prebuilt-rules-8-16-1-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-16-2/prebuilt-rules-8-16-2-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-16-3/prebuilt-rules-8-16-3-summary.asciidoc[leveloffset=+1] +include::downloadable-packages/8-16-4/prebuilt-rules-8-16-4-summary.asciidoc[leveloffset=+1] diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc index 8ec7d18c82..786cb6a132 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc @@ -398,6 +398,8 @@ and their rule type is `machine_learning`. |<> |Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses. |[Domain: Cloud], [Data Source: Azure], [Tactic: Defense Evasion] |None |102 +|<> |Identifies brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password (TOTP) verification codes. This rule detects high frequency failed TOTP code attempts for a single user in a short time-span. Adversaries with valid credentials, when attempting to login to Azure portal or other Azure services, may be prompted to provide a TOTP code as part of the MFA process. If successful, adversaries can bypass MFA and gain unauthorized access to Azure resources. |[Domain: Cloud], [Domain: SaaS], [Data Source: Azure], [Data Source: Entra ID], [Data Source: Entra ID Sign-in], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Credential Access] |8.13.0 |1 + |<> |Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams. |[Domain: Cloud], [Domain: SaaS], [Data Source: Azure], [Data Source: Entra ID], [Data Source: Entra ID Sign-in], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Credential Access] |8.13.0 |2 |<> |Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams. |[Domain: Cloud], [Domain: SaaS], [Data Source: Azure], [Data Source: Entra ID], [Data Source: Entra ID Sign-in], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Credential Access] |8.13.0 |2 @@ -444,6 +446,10 @@ and their rule type is `machine_learning`. |<> |Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user’s shell. |[Domain: Endpoint], [OS: macOS], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |None |104 +|<> |Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to immediately begin investigating your Endpoint behavior alerts. This rule identifies Elastic Defend behavior detections only, and does not include prevention alerts. |[Data Source: Elastic Defend] |8.16.0 |1 + +|<> |Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to immediately begin investigating your Endpoint behavior alerts. This rule identifies Elastic Defend behavior preventions only, and does not include detection only alerts. |[Data Source: Elastic Defend] |8.16.0 |1 + |<> |Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Sysmon], [Data Source: Elastic Endgame], [Data Source: System] |8.14.0 |106 |<> |Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Threat: BPFDoor], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |None |110 @@ -512,7 +518,7 @@ and their rule type is `machine_learning`. |<> |Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint], [Data Source: Crowdstrike] |8.14.0 |412 -|<> |This rule monitors for the creation or modification of Pluggable Authentication Module (PAM) shared object files or configuration files. Attackers may create or modify these files to maintain persistence on a compromised system, or harvest account credentials. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Persistence], [Data Source: Elastic Defend] |None |2 +|<> |This rule monitors for the creation or modification of Pluggable Authentication Module (PAM) shared object files or configuration files. Attackers may create or modify these files to maintain persistence on a compromised system, or harvest account credentials. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Persistence], [Data Source: Elastic Defend] |None |3 |<> |Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne] |8.14.0 |311 @@ -586,6 +592,8 @@ and their rule type is `machine_learning`. |<> |Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |None |107 +|<> |This rule detects the creation of the dynamic linker (ld.so) file. The dynamic linker is used to load shared libraries needed by an executable. Attackers may attempt to replace the dynamic linker with a malicious version to execute arbitrary code. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Tactic: Persistence], [Data Source: Elastic Defend] |None |1 + |<> |Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Threat: Orbit], [Data Source: Elastic Defend] |None |109 |<> |Detects the creation or modification of files related to the dynamic linker on Linux systems. The dynamic linker is a shared library that is used by the Linux kernel to load and execute programs. Attackers may attempt to hijack the execution flow of a program by modifying the dynamic linker configuration files. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Persistence], [Data Source: Elastic Defend] |None |2 @@ -612,7 +620,7 @@ and their rule type is `machine_learning`. |<> |Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne] |8.14.0 |214 -|<> |Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts. |[Data Source: Elastic Defend] |None |103 +|<> |Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts. |[Data Source: Elastic Defend] |8.3.0 |104 |<> |Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e). |[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft Entra ID], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |None |1 @@ -960,6 +968,8 @@ and their rule type is `machine_learning`. |<> |Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |None |110 +|<> |This rule detects the creation of a Linux kernel object file (.ko) on a system. Threat actors may leverage Linux kernel object files to load a rootkit or other type of malware on a system providing them with complete control and the ability to hide from security products. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |None |1 + |<> |Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |None |108 |<> |Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint], [Data Source: Elastic Endgame], [Data Source: Crowdstrike] |8.14.0 |311 @@ -1018,10 +1028,14 @@ and their rule type is `machine_learning`. |<> |This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Data Source: Elastic Endgame] |None |6 +|<> |This rule detects the creation of Loadable Kernel Module (LKM) configuration files. Attackers may create or modify these files to allow their LKMs to be loaded upon reboot, ensuring persistence on a compromised system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |None |1 + |<> |Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint] |8.14.0 |312 |<> |Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend], [Data Source: Sysmon] |8.14.0 |208 +|<> |This rule identifies successful logins by system users that are uncommon to authenticate. These users have `nologin` set by default, and must be modified to allow SSH access. Adversaries may backdoor these users to gain unauthorized access to the system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: System] |None |1 + |<> |Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account. |[Tactic: Persistence], [Use Case: Identity and Access Audit], [Data Source: Okta], [Domain: Cloud] |8.15.0 |412 |<> |Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. |[Domain: Cloud], [Data Source: Google Workspace], [Use Case: Identity and Access Audit], [Tactic: Persistence], [Resources: Investigation Guide] |None |206 @@ -1040,6 +1054,10 @@ and their rule type is `machine_learning`. |<> |A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with low probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. |[OS: Windows], [Data Source: Elastic Endgame], [Use Case: Living off the Land Attack Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |None |8 +|<> |Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file detections only, and does not include prevention alerts. |[Data Source: Elastic Defend], [Tactic: Execution] |8.16.0 |1 + +|<> |Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file preventions only, and does not include detection only alerts. |[Data Source: Elastic Defend], [Tactic: Execution] |8.16.0 |1 + |<> |Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame] |None |103 |<> |Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame] |None |103 @@ -1052,6 +1070,10 @@ and their rule type is `machine_learning`. |<> |This rule detects memory swap modification events on Linux systems. Memory swap modification can be used to manipulate the system's memory and potentially impact the system's performance. This behavior is commonly observed in malware that deploys miner software such as XMRig. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Impact], [Tactic: Execution], [Data Source: Elastic Defend] |None |1 +|<> |Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule allows you to immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature detections only, and does not include prevention alerts. |[Data Source: Elastic Defend], [Tactic: Defense Evasion] |8.16.0 |1 + +|<> |Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule allows you to immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature preventions only, and does not include detection only alerts. |[Data Source: Elastic Defend], [Tactic: Defense Evasion] |8.16.0 |1 + |<> |This rule detects the creation of potentially malicious files within the default MOTD file directories. Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |12 |<> |Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Initial Access] |None |206 @@ -1170,7 +1192,7 @@ and their rule type is `machine_learning`. |<> |Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: System] |8.14.0 |110 -|<> |Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Lateral Movement] |8.15.0 |206 +|<> |Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Lateral Movement] |8.15.0 |207 |<> |Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Credential Access] |8.15.0 |206 @@ -1180,7 +1202,7 @@ and their rule type is `machine_learning`. |<> |Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: System] |8.14.0 |111 -|<> |This rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat activity. |[Use Case: Guided Onboarding] |None |3 +|<> |This rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat activity. |[Use Case: Guided Onboarding] |None |4 |<> |Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from groups like Backup Operators can abuse the utility to perform credential access and compromise the domain. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: System], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Crowdstrike] |8.14.0 |203 @@ -1318,6 +1340,12 @@ and their rule type is `machine_learning`. |<> |Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne] |8.14.0 |312 +|<> |This rule detects the creation of Pluggable Authentication Module (PAM) shared object files in unusual directories. Attackers may compile PAM shared object files in temporary directories, to move them to system directories later, potentially allowing them to maintain persistence on a compromised system, or harvest account credentials. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Persistence], [Data Source: Elastic Defend] |None |1 + +|<> |This rule detects the usage of `curl` or `wget` to download the source code of a Pluggable Authentication Module (PAM) shared object file. Attackers may download the source code of a PAM shared object file to create a backdoor in the authentication process. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Persistence], [Data Source: Elastic Defend], [Data Source: Elastic Endgame] |None |1 + +|<> |This rule detects PAM version discovery activity on Linux systems. PAM version discovery can be an indication of an attacker attempting to backdoor the authentication process through malicious PAM modules. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Persistence], [Tactic: Credential Access], [Data Source: Elastic Defend], [Data Source: Elastic Endgame] |None |1 + |<> |Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint] |8.14.0 |413 |<> |Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents. |[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft 365], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Initial Access] |None |213 @@ -1500,7 +1528,7 @@ and their rule type is `machine_learning`. |<> |Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |None |106 -|<> |This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Data Source: File Integrity Monitoring] |None |4 +|<> |This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Credential Access], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Data Source: File Integrity Monitoring] |None |5 |<> |Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |None |108 @@ -1766,7 +1794,7 @@ and their rule type is `machine_learning`. |<> |Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |None |109 -|<> |This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend] |None |105 +|<> |This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend] |None |106 |<> |This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. |[Tactic: Command and Control], [Domain: Endpoint], [Use Case: Threat Detection], [Data Source: PAN-OS] |None |104 @@ -1780,11 +1808,15 @@ and their rule type is `machine_learning`. |<> |This rule leverages the new_terms rule type to identify the installation of RPM packages by an unusual parent process. RPM is a package management system used in Linux systems such as Red Hat, CentOS and Fedora. Attacks may backdoor RPM packages to gain initial access or install malicious RPM packages to maintain persistence. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |None |2 +|<> |Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you to immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware detections only, and does not include prevention alerts. |[Data Source: Elastic Defend], [Tactic: Impact] |8.16.0 |1 + |<> |Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame] |None |103 +|<> |Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you to immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware preventions only, and does not include detection only alerts. |[Data Source: Elastic Defend], [Tactic: Impact] |8.16.0 |1 + |<> |Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame] |None |103 -|<> |This rule attempts to identify rapid secret retrieval attempts from AWS SecretsManager. Adversaries may attempt to retrieve secrets from the Secrets Manager programmatically using the `GetSecretValue` or `BatchGetSecretValue` API actions. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Secrets Manager], [Tactic: Credential Access], [Resources: Investigation Guide] |None |1 +|<> |This rule attempts to identify rapid secret retrieval attempts from AWS SecretsManager. Adversaries may attempt to retrieve secrets from the Secrets Manager programmatically using the `GetSecretValue` or `BatchGetSecretValue` API actions. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Secrets Manager], [Tactic: Credential Access], [Resources: Investigation Guide] |None |2 |<> |This rule is triggered when CVEs collected from the Rapid7 Threat Command Integration have a match against vulnerabilities that were found in the customer environment. |[OS: Windows], [Data Source: Elastic Endgame], [Data Source: Windows], [Data Source: Network], [Data Source: Rapid7 Threat Command], [Rule Type: Threat Match], [Resources: Investigation Guide], [Use Case: Vulnerability], [Use Case: Asset Visibility], [Use Case: Continuous Monitoring] |8.13.0 |103 @@ -1804,7 +1836,7 @@ and their rule type is `machine_learning`. |<> |Identifies attempts to open a remote desktop file from suspicious paths. Adversaries may abuse RDP files for initial access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Command and Control], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: System], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne] |8.14.0 |1 -|<> |Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |None |114 +|<> |Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |None |115 |<