From 754b85495158aa2c7a9cc5a95af590c64e3f48d6 Mon Sep 17 00:00:00 2001 
From: tradebot-elastic <178941316+tradebot-elastic@users.noreply.github.com> Date: Wed, 18 Jun 2025 16:31:44 +0000 Subject: [PATCH] Update latest docs --- ...-17-14-aws-cloudtrail-log-evasion.asciidoc | 129 +++++++ ...-aws-ec2-deprecated-ami-discovery.asciidoc | 149 ++++++++ ...s-ec2-ebs-snapshot-access-removed.asciidoc | 121 ++++++ ...bs-snapshot-shared-or-made-public.asciidoc | 120 ++++++ ...work-access-control-list-creation.asciidoc | 134 +++++++ ...work-access-control-list-deletion.asciidoc | 125 ++++++ ...credential-fetch-via-assumed-role.asciidoc | 120 ++++++ ...r-data-retrieval-for-ec2-instance.asciidoc | 146 +++++++ ...aws-iam-assume-role-policy-update.asciidoc | 130 +++++++ ...-17-14-aws-vpc-flow-logs-deletion.asciidoc | 131 +++++++ ...dhound-suite-user-agents-detected.asciidoc | 174 +++++++++ ...nt-utility-run-inside-a-container.asciidoc | 149 ++++++++ ...recated-aws-ec2-snapshot-activity.asciidoc | 128 +++++++ ...oft-365-accounts-by-repeat-source.asciidoc | 134 +++++++ ...rule-8-17-14-downloaded-url-files.asciidoc | 126 +++++++ ...ction-risk-detection-sign-in-risk.asciidoc | 155 ++++++++ ...otection-risk-detection-user-risk.asciidoc | 152 ++++++++ ...ocess-and-or-service-terminations.asciidoc | 117 ++++++ ...fig-file-creation-or-modification.asciidoc | 131 +++++++ ...8-17-14-kubeconfig-file-discovery.asciidoc | 122 ++++++ ...7-14-kubectl-permission-discovery.asciidoc | 100 +++++ ...tes-service-account-secret-access.asciidoc | 123 ++++++ ...-14-kubernetes-user-exec-into-pod.asciidoc | 115 ++++++ ...odule-configuration-file-creation.asciidoc | 154 ++++++++ ...cessive-account-lockouts-detected.asciidoc | 202 ++++++++++ ...k-home-page-registry-modification.asciidoc | 133 +++++++ ...ntial-cve-2025-33053-exploitation.asciidoc | 136 +++++++ ...ercion-via-dns-based-spn-spoofing.asciidoc | 149 ++++++++ ...spoofing-via-suspicious-dns-query.asciidoc | 124 ++++++ ...hine-account-relay-attack-via-smb.asciidoc | 129 +++++++ 
...hacktool-script-by-function-names.asciidoc | 356 ++++++++++++++++++ ...high-numeric-character-proportion.asciidoc | 120 ++++++ ...tion-via-invalid-escape-sequences.asciidoc | 116 ++++++ ...ion-via-special-character-overuse.asciidoc | 119 ++++++ ...uscation-via-string-concatenation.asciidoc | 113 ++++++ ...obfuscation-via-string-reordering.asciidoc | 128 +++++++ ...guration-creation-or-modification.asciidoc | 189 ++++++++++ ...oauth-flow-via-auth-broker-to-drs.asciidoc | 217 +++++++++++ ...unusual-parent-child-relationship.asciidoc | 175 +++++++++ .../prebuilt-rules-8-17-14-appendix.asciidoc | 45 +++ .../prebuilt-rules-8-17-14-summary.asciidoc | 90 +++++ ...ebuilt-rules-downloadable-updates.asciidoc | 5 + .../prebuilt-rules-reference.asciidoc | 92 +++-- .../prebuilt-rules/rule-desc-index.asciidoc | 27 +- .../aws-cloudtrail-log-evasion.asciidoc | 129 +++++++ .../aws-ec2-deprecated-ami-discovery.asciidoc | 21 +- ...s-ec2-ebs-snapshot-access-removed.asciidoc | 121 ++++++ ...bs-snapshot-shared-or-made-public.asciidoc | 6 +- ...work-access-control-list-creation.asciidoc | 21 +- ...work-access-control-list-deletion.asciidoc | 13 +- ...credential-fetch-via-assumed-role.asciidoc | 120 ++++++ ...r-data-retrieval-for-ec2-instance.asciidoc | 13 +- ...aws-iam-assume-role-policy-update.asciidoc | 13 +- .../aws-vpc-flow-logs-deletion.asciidoc | 13 +- ...dhound-suite-user-agents-detected.asciidoc | 174 +++++++++ ...nt-utility-run-inside-a-container.asciidoc | 7 +- ...recated-aws-ec2-snapshot-activity.asciidoc | 128 +++++++ ...oft-365-accounts-by-repeat-source.asciidoc | 134 +++++++ .../downloaded-url-files.asciidoc | 4 +- ...ction-risk-detection-sign-in-risk.asciidoc | 155 ++++++++ ...otection-risk-detection-user-risk.asciidoc | 152 ++++++++ ...ocess-and-or-service-terminations.asciidoc | 4 +- ...fig-file-creation-or-modification.asciidoc | 131 +++++++ .../kubeconfig-file-discovery.asciidoc | 122 ++++++ .../kubectl-permission-discovery.asciidoc | 100 +++++ 
...tes-service-account-secret-access.asciidoc | 123 ++++++ .../kubernetes-user-exec-into-pod.asciidoc | 12 +- ...odule-configuration-file-creation.asciidoc | 9 +- ...brute-force-via-entra-id-sign-ins.asciidoc | 252 +++++++++++++ ...cessive-account-lockouts-detected.asciidoc | 202 ++++++++++ ...a-id-sign-in-brute-force-activity.asciidoc | 248 ++++++++++++ ...k-home-page-registry-modification.asciidoc | 11 +- ...ntial-cve-2025-33053-exploitation.asciidoc | 136 +++++++ ...ercion-via-dns-based-spn-spoofing.asciidoc | 149 ++++++++ ...spoofing-via-suspicious-dns-query.asciidoc | 124 ++++++ ...hine-account-relay-attack-via-smb.asciidoc | 129 +++++++ ...hacktool-script-by-function-names.asciidoc | 8 +- ...high-numeric-character-proportion.asciidoc | 10 +- ...tion-via-invalid-escape-sequences.asciidoc | 6 +- ...ion-via-special-character-overuse.asciidoc | 11 +- ...uscation-via-string-concatenation.asciidoc | 6 +- ...obfuscation-via-string-reordering.asciidoc | 16 +- ...guration-creation-or-modification.asciidoc | 10 +- ...oauth-flow-via-auth-broker-to-drs.asciidoc | 217 +++++++++++ ...unusual-parent-child-relationship.asciidoc | 14 +- docs/index.asciidoc | 2 + 86 files changed, 8989 insertions(+), 137 deletions(-) create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-cloudtrail-log-evasion.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-deprecated-ami-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-ebs-snapshot-access-removed.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-ebs-snapshot-shared-or-made-public.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-network-access-control-list-creation.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-network-access-control-list-deletion.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-unauthorized-admin-credential-fetch-via-assumed-role.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-user-data-retrieval-for-ec2-instance.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-iam-assume-role-policy-update.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-vpc-flow-logs-deletion.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-bloodhound-suite-user-agents-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-container-management-utility-run-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-deprecated-aws-ec2-snapshot-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-deprecated-azure-entra-sign-in-brute-force-microsoft-365-accounts-by-repeat-source.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-downloaded-url-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-entra-id-protection-risk-detection-sign-in-risk.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-entra-id-protection-risk-detection-user-risk.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-high-number-of-process-and-or-service-terminations.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubeconfig-file-creation-or-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubeconfig-file-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubectl-permission-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubernetes-service-account-secret-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubernetes-user-exec-into-pod.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-loadable-kernel-module-configuration-file-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-microsoft-entra-id-exccessive-account-lockouts-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-outlook-home-page-registry-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-cve-2025-33053-exploitation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-kerberos-coercion-via-dns-based-spn-spoofing.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-kerberos-spn-spoofing-via-suspicious-dns-query.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-machine-account-relay-attack-via-smb.asciidoc create mode 
100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-hacktool-script-by-function-names.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-high-numeric-character-proportion.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-invalid-escape-sequences.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-special-character-overuse.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-string-concatenation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-string-reordering.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-shell-configuration-creation-or-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-suspicious-microsoft-oauth-flow-via-auth-broker-to-drs.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-unusual-parent-child-relationship.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rules-8-17-14-appendix.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rules-8-17-14-summary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-evasion.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-ec2-ebs-snapshot-access-removed.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/aws-ec2-unauthorized-admin-credential-fetch-via-assumed-role.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/bloodhound-suite-user-agents-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/deprecated-aws-ec2-snapshot-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/deprecated-azure-entra-sign-in-brute-force-microsoft-365-accounts-by-repeat-source.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/entra-id-protection-risk-detection-sign-in-risk.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/entra-id-protection-risk-detection-user-risk.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kubeconfig-file-creation-or-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kubeconfig-file-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kubectl-permission-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kubernetes-service-account-secret-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/microsoft-365-brute-force-via-entra-id-sign-ins.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/microsoft-entra-id-exccessive-account-lockouts-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/microsoft-entra-id-sign-in-brute-force-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-cve-2025-33053-exploitation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-kerberos-coercion-via-dns-based-spn-spoofing.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-kerberos-spn-spoofing-via-suspicious-dns-query.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/potential-machine-account-relay-attack-via-smb.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-microsoft-oauth-flow-via-auth-broker-to-drs.asciidoc diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-cloudtrail-log-evasion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-cloudtrail-log-evasion.asciidoc new file mode 100644 index 0000000000..b7826f92d9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-cloudtrail-log-evasion.asciidoc 
@@ -0,0 +1,129 @@ +[[prebuilt-rule-8-17-14-aws-cloudtrail-log-evasion]] +=== AWS CloudTrail Log Evasion + +Identifies the evasion of cloudtrail logging for IAM actions involving policy creation, modification or attachment. When making certain policy-related API calls, an adversary may pad the associated policy document with whitespaces to trigger CloudTrail’s logging size constraints, resulting in incomplete logging where critical details about the policy are omitted. By exploiting this gap, threat actors can bypass monitoring performed through CloudTrail and can effectively obscure unauthorized changes. This rule looks for IAM API calls with the requestParameters property containing reason:”requestParameters too large” and omitted:true. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://permiso.io/blog/cloudtrail-logging-evasion-where-policy-size-matters + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS IAM +* Use Case: Log Auditing +* Resources: Investigation Guide +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating AWS CloudTrail Log Evasion* + + +Amazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. 
In the `requestParameters` field of CloudTrail logs, a policy that was created/updated is typically displayed, including details such as the policy name and the full policy document content. However, when policies padded with large amounts of insignificant whitespace (such as spaces, tabs, or line breaks), reach a size range of 102,401 to 131,072 characters they begin to be omitted from CloudTrail logs and are instead rendered as "requestParameters too large". Attackers can do this to cover their tracks and impact security monitoring that relies on this source. This rule looks for IAM API calls with the requestParameters property containing reason:”requestParameters too large” and omitted:true. + + +*Possible investigation steps* + + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance? +- Examine the newly created or modified policy highlighted in `target.entity.id`. +- If no policy name is included for event.actions like `PutRolePolicy`, analyze the inline policies attached to the `actor.entity.id` for unexpected permission changes or additions. 
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours. + + +*False positive analysis* + + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and IP address conditions. However, this behavior is rarely seen in legitimate operations and should be thoroughly investigated. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/[outlined] by AWS. 
+- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +==== Setup + + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset: aws.cloudtrail and event.provider: iam.amazonaws.com and aws.cloudtrail.flattened.request_parameters.reason: "requestParameters too large" and aws.cloudtrail.flattened.request_parameters.omitted : true and event.outcome: success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Logs +** ID: T1562.008 +** Reference URL: https://attack.mitre.org/techniques/T1562/008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-deprecated-ami-discovery.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-deprecated-ami-discovery.asciidoc new file mode 100644 index 0000000000..f104d66ee0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-deprecated-ami-discovery.asciidoc 
@@ -0,0 +1,149 @@ +[[prebuilt-rule-8-17-14-aws-ec2-deprecated-ami-discovery]] +=== AWS EC2 Deprecated AMI Discovery + +Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) in AWS. This may indicate an adversary looking for outdated AMIs that may be vulnerable to exploitation. While deprecated AMIs are not inherently malicious or indicative of a breach, they may be more susceptible to vulnerabilities and should be investigated for potential security risks. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/ + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: AWS EC2 +* Resources: Investigation Guide +* Use Case: Threat Detection +* Tactic: Discovery + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating AWS EC2 Deprecated AMI Discovery* + + +This rule detects when a user queries AWS for deprecated Amazon Machine Images (AMIs). While deprecated AMIs are not inherently malicious, their use can introduce vulnerabilities or misconfigurations. Adversaries may exploit deprecated AMIs in search of outdated or unpatched systems. Investigating these queries can help identify potential risks or misconfigurations. + + +*Possible Investigation Steps* + + +1. **Identify the User Performing the Query**: + - Review the `aws.cloudtrail.user_identity.arn` field to determine the AWS user or role making the request. 
+ - Check `aws.cloudtrail.user_identity.type` and `aws.cloudtrail.user_identity.access_key_id` to verify the type of access (e.g., IAM user, role, or federated identity). + +2. **Analyze the Source of the Request**: + - Review the `source.ip` field to determine the IP address of the source making the request. + - Check `source.geo` for the geographic location of the IP address. + - Analyze the `user_agent.original` field to determine the client or tool used (e.g., AWS CLI, SDK). + +3. **Validate the Query Context**: + - Inspect the `aws.cloudtrail.flattened.request_parameters` field + - Determine if the request is part of legitimate activity, such as: + - Security assessments or vulnerability scans. + - Maintenance or testing of legacy systems. + - Check if the query aligns with recent changes in the AWS environment, such as new configurations or services. + +4. **Correlate with Other Events**: + - Investigate additional AWS API calls from the same user or IP address for signs of reconnaissance or exploitation. + - Review logs for related actions, such as launching instances from deprecated AMIs (`RunInstances` API call). + +5. **Assess Security Risks**: + - Evaluate the use of deprecated AMIs within your environment and their associated vulnerabilities. + - Ensure that deprecated AMIs are not being used in production environments or systems exposed to external threats. + + +*False Positive Analysis* + + +- **Legitimate Use**: Users may query for deprecated AMIs for testing or compatibility purposes. +- **Automated Tools**: Security or compliance tools might query deprecated AMIs as part of regular assessments. +- **Misconfigured Services**: Legacy systems may rely on deprecated AMIs for compatibility, leading to legitimate queries. + + +*Response and Remediation* + + +1. **Immediate Actions**: + - Verify the intent of the user querying for deprecated AMIs. + - Restrict IAM permissions to prevent unauthorized access to deprecated AMIs. + +2. 
**Mitigation Steps**: + - Identify and replace deprecated AMIs in use with supported and updated AMIs. + - Update AWS IAM policies to minimize permissions for querying or using deprecated AMIs. + +3. **Enhance Monitoring**: + - Enable alerts for future queries involving deprecated AMIs or other unusual API activity. + - Monitor CloudTrail logs for additional reconnaissance or suspicious behavior. + +4. **Security Audits**: + - Conduct a review of all AMIs in use across your environment to identify outdated or deprecated images. + - Remove any deprecated AMIs from production environments and restrict their usage to isolated testing. + +5. **Add Rule Exceptions**: + - Create exceptions for legitimate use cases or automated tools that query for deprecated AMIs. + - Document and communicate the exceptions to relevant teams to avoid future alerts. + + +*Additional Resources* + + +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html[AWS Documentation: AMI Lifecycle Management] +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-deprecate.html[AWS Documentation: Deprecated AMIs] + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset: "aws.cloudtrail" + and event.provider: "ec2.amazonaws.com" + and event.action: "DescribeImages" + and event.outcome: "success" + and aws.cloudtrail.flattened.request_parameters.includeDeprecated: "true" + and aws.cloudtrail.flattened.request_parameters.ownersSet.items.owner: * + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Cloud Infrastructure Discovery +** ID: T1580 +** Reference URL: https://attack.mitre.org/techniques/T1580/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-ebs-snapshot-access-removed.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-ebs-snapshot-access-removed.asciidoc new file mode 100644 index 0000000000..8e5b03d87e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-ebs-snapshot-access-removed.asciidoc 
@@ -0,0 +1,121 @@ +[[prebuilt-rule-8-17-14-aws-ec2-ebs-snapshot-access-removed]] +=== AWS EC2 EBS Snapshot Access Removed + +Identifies the removal of access permissions from a shared AWS EC2 EBS snapshot. EBS snapshots are essential for data retention and disaster recovery. Adversaries may revoke or modify snapshot permissions to prevent legitimate users from accessing backups, thereby obstructing recovery efforts after data loss or destructive actions. This tactic can also be used to evade detection or maintain exclusive access to critical backups, ultimately increasing the impact of an attack and complicating incident response. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS EC2 +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating AWS EC2 EBS Snapshot Access Removed* + + +This rule detects when access is removed for an AWS EC2 EBS snapshot. EBS virtual disks can be copied into snapshots, which can then be used as backups for recovery and data retention efforts. Adversaries may attempt to remove access to snapshots in order to prevent legitimate users or automated processes from accessing or restoring from snapshots following data loss, ransomware, or destructive actions. This can significantly delay or even prevent recovery, increasing the impact of the attack. 
+Restricting snapshot access may help adversaries cover their tracks by making it harder for defenders to analyze or recover deleted or altered data. Attackers may remove permissions for all users except their own compromised account, allowing them to maintain exclusive access to backups for future use or leverage. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious. + + +*Possible Investigation Steps:* + + +- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they should have the necessary permissions. +- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the snapshot permissions. Look for any unusual parameters that could suggest unauthorized or malicious modifications. +- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access. +- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny. +- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities. In particular, use the `snapshotId` to see if this snapshot was shared with an unauthorized account. +- **Review UserID**: Check the `userId` field to identify which user's permissions were removed. Verify if this account should be authorized to access the data or if the access removal is expected. 
+ + +*False Positive Analysis:* + + +- **Legitimate Administrative Actions**: Confirm if the snapshot sharing aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems. +- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm. + + +*Response and Remediation:* + + +- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the snapshot permissions to restore it to its previous state. +- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions. +- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning snapshot management and sharing permissions. +- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege. +- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences. + + +*Additional Information:* + + +For further guidance on managing EBS snapshots and securing AWS environments, refer to the https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html[AWS EBS documentation] and AWS best practices for security. 
Additionally, consult the following resources for specific details on EBS snapshot security: +- https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html[AWS EBS Snapshot Permissions] +- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html[AWS API ModifySnapshotAttribute] + + +==== Rule query + + +[source, js] +---------------------------------- +from logs-aws.cloudtrail-* metadata _id, _version, _index +| where event.provider == "ec2.amazonaws.com" and event.action == "ModifySnapshotAttribute" and event.outcome == "success" +| dissect aws.cloudtrail.request_parameters "{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}" +| where operationType == "remove" +| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId, source.address + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-ebs-snapshot-shared-or-made-public.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-ebs-snapshot-shared-or-made-public.asciidoc new file mode 100644 index 0000000000..97e875d405 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-ebs-snapshot-shared-or-made-public.asciidoc 
@@ -0,0 +1,120 @@ +[[prebuilt-rule-8-17-14-aws-ec2-ebs-snapshot-shared-or-made-public]] +=== AWS EC2 EBS Snapshot Shared or Made Public + +Identifies AWS EC2 EBS snaphots being shared with another AWS account or made public. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump +* https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/ + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS EC2 +* Use Case: Threat Detection +* Tactic: Exfiltration +* Resources: Investigation Guide + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating AWS EC2 EBS Snapshot Shared or Made Public* + + +This rule detects when an AWS EC2 EBS snapshot is shared with another AWS account or made public. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this to copy the snapshot into an environment they control to access the data. 
Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious. + + +*Possible Investigation Steps:* + + +- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions. +- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the snapshot permissions. Look for any unusual parameters that could suggest unauthorized or malicious modifications. +- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access. +- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny. +- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities. +- **Review UserID**: Check the `userId` field to identify the AWS account with which the snapshot was shared. Verify if this account is authorized to access the data or if it belongs to a known third party. If this value is `all`, the snapshot is made public. + + +*False Positive Analysis:* + + +- **Legitimate Administrative Actions**: Confirm if the snapshot sharing aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems. +- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm. +- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy. + + +*Response and Remediation:* + + +- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state. +- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions. +- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning snapshot management and sharing permissions. +- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege. +- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences. + + +*Additional Information:* + + +For further guidance on managing EBS snapshots and securing AWS environments, refer to the https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html[AWS EBS documentation] and AWS best practices for security. 
Additionally, consult the following resources for specific details on EBS snapshot security:
+- https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html[AWS EBS Snapshot Permissions]
+- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html[AWS API ModifySnapshotAttribute]
+- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump[AWS EBS Snapshot Dump]
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+from logs-aws.cloudtrail-* metadata _id, _version, _index
+| where event.provider == "ec2.amazonaws.com" and event.action == "ModifySnapshotAttribute" and event.outcome == "success"
+| dissect aws.cloudtrail.request_parameters "{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}"
+| where operationType == "add" and cloud.account.id != userId
+| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId, source.address
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Exfiltration
+** ID: TA0010
+** Reference URL: https://attack.mitre.org/tactics/TA0010/
+* Technique:
+** Name: Transfer Data to Cloud Account
+** ID: T1537
+** Reference URL: https://attack.mitre.org/techniques/T1537/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-network-access-control-list-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-network-access-control-list-creation.asciidoc
new file mode 100644
index 0000000000..374c52cc5a
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-network-access-control-list-creation.asciidoc
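Review bot: The `dissect` pattern in the rule query assumes the `createVolumePermission` list holds exactly one item; a single `ModifySnapshotAttribute` request that adds several principals at once would, as far as the pattern shows, either fail to match or leave a concatenated `userId` value, and the guide does not mention this limitation even though batch sharing is the variant most worth catching. I would add a sentence to the triage section such as `Note: the query extracts only the first entry of createVolumePermission; for requests that share with several accounts in one call, review aws.cloudtrail.request_parameters directly`, and consider a follow-up that evaluates each list entry. Two smaller consistency points: the description misspells "snaphots", and the investigation steps cite `source.ip` and `source.geo` while the `keep` clause only retains `source.address`, so those fields are not on the alert document as written.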
@@ -0,0 +1,134 @@ +[[prebuilt-rule-8-17-14-aws-ec2-network-access-control-list-creation]] +=== AWS EC2 Network Access Control List Creation + +Identifies the creation of an AWS EC2 network access control list (ACL) or an entry in a network ACL with a specified rule number. Adversaries may exploit ACLs to establish persistence or exfiltrate data by creating permissive rules. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS EC2 +* Use Case: Network Security Monitoring +* Tactic: Persistence +* Tactic: Defense Evasion +* Resources: Investigation Guide + +*Version*: 210 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + + +*Investigating AWS EC2 Network Access Control List Creation* + + +AWS EC2 Network ACLs are stateless firewalls for controlling inbound and outbound traffic at the subnet level. 
Adversaries may exploit ACLs to establish persistence or exfiltrate data by creating permissive rules. The detection rule monitors successful creation events of ACLs or entries, flagging potential unauthorized modifications that align with persistence tactics, aiding in early threat identification. + + +*Possible investigation steps* + + +- Review the CloudTrail logs for the specific event.dataset:aws.cloudtrail entries to identify the user or role (event.user) that initiated the CreateNetworkAcl or CreateNetworkAclEntry actions. +- Examine the event.provider:ec2.amazonaws.com logs to determine the IP addresses and locations associated with the request to assess if they are expected or suspicious. +- Check the event.action details to understand the specific rules created in the Network ACL, focusing on any overly permissive rules that could indicate a security risk. +- Investigate the event.outcome:success entries to confirm the successful creation of the ACL or ACL entry and correlate with any other suspicious activities in the AWS environment. +- Cross-reference the event with other security alerts or logs to identify any patterns or anomalies that could suggest malicious intent or unauthorized access. +- Assess the impact of the new ACL rules on the network security posture, ensuring they do not inadvertently allow unauthorized access or data exfiltration. + + +*False positive analysis* + + +- Routine infrastructure updates or deployments may trigger the creation of new network ACLs or entries. To manage this, establish a baseline of expected changes during scheduled maintenance windows and exclude these from alerts. +- Automated scripts or infrastructure-as-code tools like Terraform or CloudFormation can create network ACLs as part of normal operations. Identify and whitelist these automated processes to prevent unnecessary alerts. +- Changes made by trusted administrators or security teams for legitimate purposes can be mistaken for suspicious activity. 
Implement a process to log and review approved changes, allowing you to exclude these from detection. +- Temporary ACLs created for troubleshooting or testing purposes can generate alerts. Document and track these activities, and use tags or naming conventions to easily identify and exclude them from monitoring. +- Third-party services or integrations that require specific network configurations might create ACLs. Review and validate these services, and if deemed safe, add them to an exception list to reduce false positives. + + +*Response and remediation* + + +- Immediately review the AWS CloudTrail logs to confirm the creation of the Network ACL or entry and identify the IAM user or role responsible for the action. This helps determine if the action was authorized or potentially malicious. +- Revoke any suspicious or unauthorized IAM credentials associated with the creation of the Network ACL or entry to prevent further unauthorized access. +- Modify or delete the newly created Network ACL or entry if it is determined to be unauthorized or overly permissive, ensuring that it aligns with your organization's security policies. +- Conduct a security review of the affected AWS environment to identify any other unauthorized changes or indicators of compromise, focusing on persistence mechanisms. +- Implement additional monitoring and alerting for changes to Network ACLs and other critical AWS resources to enhance detection of similar threats in the future. +- Escalate the incident to the security operations team or incident response team for further investigation and to determine if additional containment or remediation actions are necessary. +- Review and update IAM policies and permissions to ensure the principle of least privilege is enforced, reducing the risk of unauthorized changes to network configurations. + +==== Setup + + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: External Remote Services
+** ID: T1133
+** Reference URL: https://attack.mitre.org/techniques/T1133/
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
+* Sub-technique:
+** Name: Disable or Modify Cloud Firewall
+** ID: T1562.007
+** Reference URL: https://attack.mitre.org/techniques/T1562/007/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-network-access-control-list-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-network-access-control-list-deletion.asciidoc
new file mode 100644
index 0000000000..99002e8fff
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-network-access-control-list-deletion.asciidoc
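Review bot: The investigation steps point analysts at fields that do not carry the information described — `event.user` for the actor and `event.action` for "the specific rules created" — whereas the actor is in `aws.cloudtrail.user_identity.arn` (and `session_context.session_issuer.arn` for assumed roles, as the other guides on this page use) and the entry contents are only in `aws.cloudtrail.request_parameters`. Since the query keys solely on action and outcome, that request payload is the one place an analyst can judge whether an entry is overly permissive, so the first and third steps should name it, e.g. `Review aws.cloudtrail.user_identity.arn to identify who issued CreateNetworkAcl or CreateNetworkAclEntry` and `Inspect aws.cloudtrail.request_parameters for the rule number, CIDR block, protocol/port range, rule action and egress flag`. A short triage hint that a successful `CreateNetworkAclEntry` with an allow action over a broad CIDR is the case to prioritise would make the "permissive rules" wording in the description actionable.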
@@ -0,0 +1,125 @@ +[[prebuilt-rule-8-17-14-aws-ec2-network-access-control-list-deletion]] +=== AWS EC2 Network Access Control List Deletion + +Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS EC2 +* Use Case: Network Security Monitoring +* Tactic: Defense Evasion +* Resources: Investigation Guide + +*Version*: 210 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + + +*Investigating AWS EC2 Network Access Control List Deletion* + + +AWS EC2 Network ACLs are essential for controlling inbound and outbound traffic to subnets, acting as a firewall layer. Adversaries may delete these ACLs to disable security controls, facilitating unauthorized access or data exfiltration. 
The detection rule monitors AWS CloudTrail logs for successful deletion events of ACLs or their entries, signaling potential defense evasion attempts. + + +*Possible investigation steps* + + +- Review the AWS CloudTrail logs to identify the specific user or role associated with the deletion event by examining the user identity information in the logs. +- Check the time and date of the deletion event to determine if it coincides with any other suspicious activities or known maintenance windows. +- Investigate the source IP address and location from which the deletion request was made to assess if it aligns with expected access patterns or if it appears anomalous. +- Examine the AWS account activity around the time of the event to identify any other unusual actions or changes, such as the creation of new resources or modifications to existing ones. +- Assess the impact of the deleted Network ACL or entries by identifying the affected subnets and evaluating the potential exposure or risk to the network. +- Review any recent changes to IAM policies or roles that might have inadvertently granted excessive permissions to users or services, allowing them to delete Network ACLs. + + +*False positive analysis* + + +- Routine maintenance or updates by authorized personnel may trigger deletion events. Verify if the deletion aligns with scheduled maintenance activities and consider excluding these events from alerts. +- Automated scripts or infrastructure-as-code tools like Terraform or CloudFormation might delete and recreate ACLs as part of normal operations. Identify these tools and exclude their actions from triggering alerts. +- Changes in network architecture or security policy updates can lead to legitimate ACL deletions. Document these changes and adjust the detection rule to ignore such planned modifications. +- Ensure that the AWS accounts involved in the deletion events are recognized and trusted. 
Exclude actions from these accounts if they are part of regular administrative tasks. +- Collaborate with the security team to establish a baseline of normal ACL deletion activities and refine the detection rule to minimize false positives based on this baseline. + + +*Response and remediation* + + +- Immediately isolate the affected subnet to prevent further unauthorized access or data exfiltration. This can be done by applying a restrictive security group or temporarily removing the subnet from the VPC. +- Review AWS CloudTrail logs to identify the source of the deletion event, including the IAM user or role responsible, and assess whether the action was authorized or part of a larger compromise. +- Recreate the deleted Network ACL or its entries using the most recent backup or configuration documentation to restore intended security controls. +- Implement a temporary monitoring solution to track any further unauthorized changes to network ACLs or related security configurations. +- Escalate the incident to the security operations team for a comprehensive investigation to determine the root cause and scope of the breach, including potential lateral movement or data exfiltration. +- Revoke or rotate credentials for any compromised IAM users or roles involved in the deletion event to prevent further unauthorized actions. +- Enhance detection capabilities by configuring alerts for any future unauthorized changes to network ACLs, ensuring rapid response to similar threats. + +==== Setup + + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
+* Sub-technique:
+** Name: Disable or Modify Cloud Firewall
+** ID: T1562.007
+** Reference URL: https://attack.mitre.org/techniques/T1562/007/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-unauthorized-admin-credential-fetch-via-assumed-role.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-unauthorized-admin-credential-fetch-via-assumed-role.asciidoc
new file mode 100644
index 0000000000..e940c656e6
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-unauthorized-admin-credential-fetch-via-assumed-role.asciidoc
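Review bot: The first remediation step is not actionable as written — security groups attach to instances and network interfaces rather than subnets, and a subnet cannot be "temporarily removed" from the VPC it was created in — and the guide overstates what a successful `DeleteNetworkAcl` implies, since AWS refuses to delete the default ACL or any ACL still associated with a subnet, so the deleted ACL was not filtering live traffic at the time. The event that does change a subnet's exposure is `DeleteNetworkAclEntry` against an associated ACL (removing a deny entry opens traffic, removing an allow entry blocks it) or re-pointing the subnet with `ReplaceNetworkAclAssociation`, which this query does not include. I would rewrite the first step as `Associate a restrictive network ACL with the affected subnet, then identify the removed entries (rule number, egress flag) in aws.cloudtrail.request_parameters` and note in the false-positive section that IaC tooling routinely emits `DeleteNetworkAclEntry` when it replaces entries in place, so `DeleteNetworkAcl` on its own is the weaker of the two signals.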
@@ -0,0 +1,120 @@ +[[prebuilt-rule-8-17-14-aws-ec2-unauthorized-admin-credential-fetch-via-assumed-role]] +=== AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role + +Identifies the first occurrence of an unauthorized attempt by an AWS role to use `GetPassword` to access the administrator password of an EC2 instance. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances. + +*Rule type*: new_terms + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS EC2 +* Use Case: Identity and Access Audit +* Resources: Investigation Guide +* Tactic: Credential Access + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role* + + +This rule detects the first occurrence of a role using the `GetPasswordData` API call, which retrieves the administrator password, against an unauthorized EC2 instance in AWS. This can be an indicator of an adversary attempting to escalate privileges or move laterally within EC2 instances. + +This is a New Terms rule, which means it will only trigger once for each unique value of the `aws.cloudtrail.user_identity.session_context.session_issuer.arn` field that has not been seen making this API request within the last 7 days. This field contains the Amazon Resource Name (ARN) of the assumed role that triggered the API call. 
+ + +*Possible Investigation Steps* + + +- **Identify the User Identity and Role**: Examine the AWS CloudTrail logs to determine the user identity that made the `GetPasswordData` request. Pay special attention to the role and permissions associated with the user. +- **Review Request Parameters**: Analyze the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.error_message` fields to understand the context of the API call. +- **Contextualize with User Behavior**: Compare this activity against the role's typical behavior patterns. Look for unusual login times, IP addresses, or other anomalous actions taken by the role prior to and following the incident. +- **Review EC2 Instance Details**: Check the details of the EC2 instance from which the password retrieval was attempted. Assess the criticality and sensitivity of the applications running on this instance. +- **Examine Related CloudTrail Events**: Search for other API calls made by the same role, especially those modifying security groups, network access controls, or instance metadata. +- **Investigate the Origin of the API Call**: Analyze the IP address and geographical location from which the request originated. Determine if it aligns with expected locations for legitimate administrative activity. + + +*False Positive Analysis* + + +- **Legitimate Administrative Actions**: Ensure that the activity was not part of legitimate administrative tasks such as system maintenance or updates. +- **Automation Scripts**: Verify if the activity was generated by automation or deployment scripts that are authorized to use `GetPasswordData` for legitimate purposes. + + +*Response and Remediation* + + +- **User Account Review**: Review the permissions of the implicated user identity. Apply the principle of least privilege by adjusting permissions to prevent misuse. +- **Enhanced Monitoring**: Increase monitoring on the user identity that triggered the rule and similar EC2 instances. 
+- **Incident Response**: If malicious intent is confirmed, initiate the incident response protocol. This includes further investigation, containment of the threat, eradication of any threat actor presence, and recovery of affected systems.
+- **Preventative Measures**: Implement or enhance security measures such as multi-factor authentication and continuous audits of sensitive operations like `GetPasswordData`.
+
+
+*Additional Information*
+
+
+Refer to resources like https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc[AWS privilege escalation methods] and the MITRE ATT&CK technique https://attack.mitre.org/techniques/T1552/005/[T1552.005 - Cloud Instance Metadata API] for more details on potential vulnerabilities and mitigation strategies.
+
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:"aws.cloudtrail"
+ and event.provider:"ec2.amazonaws.com" and event.action:"GetPasswordData"
+ and aws.cloudtrail.user_identity.type:"AssumedRole" and aws.cloudtrail.error_code:"Client.UnauthorizedOperation"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Unsecured Credentials
+** ID: T1552
+** Reference URL: https://attack.mitre.org/techniques/T1552/
+* Sub-technique:
+** Name: Cloud Instance Metadata API
+** ID: T1552.005
+** Reference URL: https://attack.mitre.org/techniques/T1552/005/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-user-data-retrieval-for-ec2-instance.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-user-data-retrieval-for-ec2-instance.asciidoc
new file mode 100644
index 0000000000..485870096e
--- /dev/null
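Review bot: The description names the API as `GetPassword`, while the query filter and the rest of the guide use `GetPasswordData`, which is the real EC2 action; an analyst pivoting on the description's spelling will find nothing in CloudTrail, so it should read `...an unauthorized attempt by an AWS role to use GetPasswordData to access the administrator password of an EC2 instance`. The guide states the new-terms history window is 7 days whereas the IAM rule later on this page states 14; worth confirming the configured value matches the prose here. The MITRE mapping to T1552.005 (Cloud Instance Metadata API) also looks imprecise, since `GetPasswordData` is a control-plane API call rather than an IMDS request, so the parent T1552 already listed is the defensible mapping. Minor: the index pattern `logs-aws.cloudtrail*` differs from the `logs-aws.cloudtrail-*` used by the sibling rules; harmless but inconsistent.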
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-ec2-user-data-retrieval-for-ec2-instance.asciidoc 
@@ -0,0 +1,146 @@ +[[prebuilt-rule-8-17-14-aws-ec2-user-data-retrieval-for-ec2-instance]] +=== AWS EC2 User Data Retrieval for EC2 Instance + +Identifies discovery request DescribeInstanceAttribute with the attribute userData and instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is a New Terms rule that identifies the first time an IAM user or role requests the user data for a specific EC2 instance. + +*Rule type*: new_terms + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceAttribute.html +* https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: Amazon EC2 +* Resources: Investigation Guide +* Use Case: Log Auditing +* Tactic: Discovery + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating AWS EC2 User Data Retrieval for EC2 Instance* + + +This rule detects requests to retrieve the `userData` attribute of an EC2 instance using the `DescribeInstanceAttribute` API action. The `userData` field can contain sensitive information, such as hardcoded credentials or configuration scripts, that adversaries may exploit for further attacks. 
+ + +*Possible Investigation Steps* + + +- **Identify the Target Instance**: + - **Instance ID**: Review the `aws.cloudtrail.flattened.request_parameters.instanceId` field to identify the EC2 instance targeted by the request. Confirm whether this instance should expose its `userData` and whether it is associated with sensitive workloads. + - **Analyze userData**: If possible, retrieve and inspect the `userData` field to identify sensitive information like hardcoded credentials or configuration scripts. + +- **Review User Context**: + - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to identify the user or role that executed the `DescribeInstanceAttribute` action. Investigate whether this user typically performs such actions. + - **Access Patterns**: Validate whether the user or role has the necessary permissions and whether the frequency of this action aligns with expected behavior. + - **Access Key ID**: Check the `aws.cloudtrail.user_identity.access_key_id` field to determine the key used to make the request as it may be compromised. + - **Source IP and Geolocation**: Check the `source.address` and `source.geo` fields to validate whether the request originated from a trusted location or network. Unexpected geolocations can indicate adversarial activity. + - **User Agent**: Inspect the `user_agent.original` field to determine the tool or client used (e.g., Terraform, AWS CLI). Legitimate automation tools may trigger this activity, but custom or unknown user agents may indicate malicious intent. + +- **Check for Related Activity**: + - **IAM Changes**: Correlate this event with any IAM changes or temporary credential creation to identify potential privilege escalation attempts. + - **API Usage**: Look for other unusual API calls (e.g., `RunInstances`, `GetObject`, `AssumeRole`) by the same user or IP to detect lateral movement or data exfiltration attempts. 
+ +- **Validate Intent**: + - **Permissions and Justification**: Ensure that the user has the least privilege required to perform this action. Investigate whether there is a valid reason for accessing the `userData` field. + + +*False Positive Analysis* + + +- **Automation**: This event is often triggered by legitimate automation tools, such as Terraform or custom scripts, that require access to `userData` during instance initialization. +- **Maintenance Activity**: Verify whether this event aligns with expected administrative activities, such as debugging or instance configuration updates. + + +*Response and Remediation* + + +- **Revoke Excessive Permissions**: If unauthorized, immediately remove `DescribeInstanceAttribute` permissions from the user or role. +- **Quarantine the Target Instance**: If malicious behavior is confirmed, isolate the affected EC2 instance to limit further exposure. +- **Secure User Data**: + - Avoid storing sensitive information, such as credentials, in `userData`. Use AWS Secrets Manager or Parameter Store instead. + - Encrypt user data and ensure only authorized users can decrypt it. +- **Audit IAM Policies**: Regularly review IAM policies to ensure they adhere to the principle of least privilege. +- **Monitor and Detect**: Set up additional alerts for unexpected `DescribeInstanceAttribute` calls or other suspicious API activity. + + +*Additional Information* + + +For more details on managing EC2 user data securely, refer to the https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html[AWS EC2 User Data Documentation]. 
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset: "aws.cloudtrail"
+ and event.provider: "ec2.amazonaws.com"
+ and event.action: "DescribeInstanceAttribute"
+ and event.outcome: "success"
+ and aws.cloudtrail.flattened.request_parameters.attribute: "userData"
+ and not aws.cloudtrail.user_identity.invoked_by: (
+ "AWS Internal" or
+ "cloudformation.amazonaws.com"
+ )
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: Cloud Infrastructure Discovery
+** ID: T1580
+** Reference URL: https://attack.mitre.org/techniques/T1580/
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Unsecured Credentials
+** ID: T1552
+** Reference URL: https://attack.mitre.org/techniques/T1552/
+* Sub-technique:
+** Name: Cloud Instance Metadata API
+** ID: T1552.005
+** Reference URL: https://attack.mitre.org/techniques/T1552/005/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-iam-assume-role-policy-update.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-iam-assume-role-policy-update.asciidoc
new file mode 100644
index 0000000000..b4d2b00152
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-iam-assume-role-policy-update.asciidoc
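Review bot: The "Encrypt user data and ensure only authorized users can decrypt it" remediation bullet is misleading: EC2 user data is not an encrypted or separately access-controlled store — it is returned in clear text to any principal allowed `ec2:DescribeInstanceAttribute` on the instance and is readable from inside the instance through the metadata service — so there is no service-side encryption to turn on, and the robust control is the preceding bullet (keep secrets out of `userData`; have the instance fetch them at boot from Secrets Manager or Parameter Store via its instance-profile role). I would replace that bullet with `Treat anything placed in userData as readable by every principal that can describe the instance and by the instance itself; rotate any credential found there.` The query's exclusion of `invoked_by` values for "AWS Internal" and CloudFormation is sensible, but the guide should say why those are safe to drop and that other deployment services calling `DescribeInstanceAttribute` on behalf of a user will still alert and may need the same treatment during tuning.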
@@ -0,0 +1,130 @@ +[[prebuilt-rule-8-17-14-aws-iam-assume-role-policy-update]] +=== AWS IAM Assume Role Policy Update + +Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role. An attacker may attempt to modify this policy to gain the privileges of the role. This is a New Terms rule, which means it will only trigger once for each unique combination of the "cloud.account.id", "user.name" and "aws.cloudtrail.flattened.request_parameters.roleName" fields, that have not been seen making this API request within the last 14 days. + +*Rule type*: new_terms + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS IAM +* Use Case: Identity and Access Audit +* Resources: Investigation Guide +* Tactic: Privilege Escalation + +*Version*: 213 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating AWS IAM Assume Role Policy Update* + + +An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. 
Instead, when you assume a role, it provides you with temporary security credentials for your role session. + +The role trust policy is a JSON document in which you define the principals you trust to assume the role. This policy is a required resource-based policy that is attached to a role in IAM. An attacker may attempt to modify this policy by using the `UpdateAssumeRolePolicy` API action to gain the privileges of that role. + + +*Possible investigation steps* + + +- Review the `aws.cloudtrail.user_identity.arn` to determine the IAM User that performed the action. +- If an AssumedRole identity type performed the action review the `aws.cloudtrail.user_identity.session_context.session_issuer.arn` field to determine which role was used. +- Review the `aws.cloudtrail.flattened.request_parameters.roleName` field to confirm the role that was updated. +- Within the `aws.cloudtrail.request_parameters` field, review the `policyDocument` to understand the changes made to the trust policy. +- If `aws.cloudtrail.user_identity.access_key_id` is present, investigate the access key used to perform the action as it may be compromised. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. +- Check if this operation was approved and performed according to the organization's change management policy. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours. + + +*False positive analysis* + + +- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions — preferably with a combination of the user agent and user ID conditions — to cover administrator activities and infrastructure as code tooling. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Use AWS https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-versioning.html[policy versioning] to restore the trust policy to the desired state. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/[outlined] by AWS. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset: "aws.cloudtrail"
+ and event.provider: "iam.amazonaws.com"
+ and event.action: "UpdateAssumeRolePolicy"
+ and event.outcome: "success"
+ and not source.address: "cloudformation.amazonaws.com"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
+* Sub-technique:
+** Name: Cloud Accounts
+** ID: T1078.004
+** Reference URL: https://attack.mitre.org/techniques/T1078/004/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-vpc-flow-logs-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-vpc-flow-logs-deletion.asciidoc
new file mode 100644
index 0000000000..2644335750
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-aws-vpc-flow-logs-deletion.asciidoc
@@ -0,0 +1,131 @@ +[[prebuilt-rule-8-17-14-aws-vpc-flow-logs-deletion]] +=== AWS VPC Flow Logs Deletion + +Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS EC2 +* Use Case: Log Auditing +* Resources: Investigation Guide +* Tactic: Defense Evasion + +*Version*: 212 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating AWS VPC Flow Logs Deletion* + + +VPC Flow Logs is an AWS feature that enables you to capture information about the IP traffic going to and from network interfaces in your virtual private cloud (VPC). Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. + +This rule identifies the deletion of VPC flow logs using the API `DeleteFlowLogs` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source. + + +*Possible investigation steps* + + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user account during the past 48 hours. +- Contact the account and resource owners and confirm whether they are aware of this activity. 
+- Check if this operation was approved and performed according to the organization's change management policy. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance? +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours. + + +*False positive analysis* + + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and IP address conditions. +- Administrators may rotate these logs after a certain period as part of their retention policy or after importing them to a SIEM. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
+- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.
+- Consider enabling multi-factor authentication for users.
+- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Implement security best practices https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/[outlined] by AWS.
+- Take the actions needed to return affected systems, data, or services to their normal operational levels.
+- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+==== Setup
+
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
+* Sub-technique:
+** Name: Disable or Modify Cloud Logs
+** ID: T1562.008
+** Reference URL: https://attack.mitre.org/techniques/T1562/008/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-bloodhound-suite-user-agents-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-bloodhound-suite-user-agents-detected.asciidoc
new file mode 100644
index 0000000000..63a6ce1464
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-bloodhound-suite-user-agents-detected.asciidoc
@@ -0,0 +1,174 @@ +[[prebuilt-rule-8-17-14-bloodhound-suite-user-agents-detected]] +=== BloodHound Suite User-Agents Detected + +Identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD) and Microsoft 365. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-azure.* +* logs-o365.audit-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://specterops.io/bloodhound-overview/ +* https://github.com/SpecterOps/AzureHound +* https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/ + +*Tags*: + +* Domain: Cloud +* Data Source: Azure +* Data Source: Azure Activity Logs +* Data Source: Graph API +* Data Source: Graph API Activity Logs +* Data Source: Microsoft 365 +* Data Source: Microsoft 365 Audit Logs +* Data Source: Microsoft Entra ID +* Data Source: Microsoft Entra ID Audit Logs +* Data Source: Microsoft Entra ID Sign-in Logs +* Use Case: Identity and Access Audit +* Use Case: Threat Detection +* Tactic: Discovery +* Resources: Investigation Guide + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + +This rule identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD) and Microsoft 365. 
+ +The detection is based on known enumeration patterns, particularly the presence of suspicious user agent strings (e.g., `azurehound/`, `sharphound/`, `bloodhound/`) in various Azure and M365 logs. The rule monitors multiple log sources, including: + +- Azure Graph API Activity Logs +- Microsoft 365 Audit Logs +- Entra ID Sign-in Logs +- Entra ID Audit Logs +- Azure Activity Logs + +This ensures broader detection of credential abuse, token misuse, or unauthorized identity discovery activity from both interactive and non-interactive (API) sessions. + + +*Possible investigation steps* + + +- Confirm the tool used via `user_agent.original`. Look for: + - `azurehound/x.y.z` + - `bloodhound/1.0` + - `sharphound/1.0` +- Examine `url.original` or `url.path` to determine which APIs were accessed if Graph API activity logs. For example: + - `/v1.0/organization`, `/v1.0/users`, `/v1.0/groups` may indicate user/group/tenant discovery. +- Identify the `user.id`, `user.name`, or `azure.auditlogs.properties.initiated_by.user.user_principal_name` fields to determine which identity executed the API request. +- Review `app_id`, `app_display_name`, or `client_id` to identify the application context (e.g., Azure CLI, Graph Explorer, unauthorized app). +- Check `http.request.method`, `http.response.status_code`, and `event.action` for enumeration patterns (many successful GETs in a short period) if Graph API activity logs. +- Investigate correlated sign-ins (`azure.signinlogs`) by the same user, IP, or app immediately preceding the API calls. Was MFA used? Is the location suspicious? +- Review `source.ip`, `client.geo.*`, and `network.*` fields to determine the origin of the requests. Flag unexpected IPs or ISPs. +- If the event originates in M365 Audit Logs, investigate cross-service activity: Exchange Online, Teams, SharePoint, or role escalations via Unified Audit. 
+ + +*False positive analysis* + + +- This activity may be benign if performed by red teams, internal security auditors, or known security tools under authorization. +- Automated monitoring solutions, cloud posture scanners, or legitimate Azure/M365 integrations may generate similar traffic. Review the `app_id` and user context. +- Developer activity in test tenants may include tool usage for learning or validation purposes. + + +*Response and remediation* + + +- If confirmed malicious: + - Revoke active sessions or tokens associated with the identified user/app. + - Disable the account or rotate credentials immediately. + - Review the role assignments (`Directory.Read.All`, `AuditLog.Read.All`, `Directory.AccessAsUser.All`) and remove excessive privileges. + - Conduct historical analysis to determine how long enumeration has been occurring and what objects were queried. + - Enable Conditional Access policies to require MFA for API and CLI-based access. + - Validate audit logging and alerting is enabled across Microsoft Graph, Azure Activity Logs, and M365 workloads. + +- If legitimate: + - Document the source (e.g., red team operation, security tool). + - Add appropriate allowlist conditions for service principal, user, source address or device if policy allows. 
+
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+any where event.dataset : (
+ "azure.activitylogs",
+ "azure.graphactivitylogs",
+ "azure.auditlogs",
+ "azure.signinlogs",
+ "o365.audit"
+) and user_agent.original regex~ "(azure|sharp|blood)(hound)/.*"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: Permission Groups Discovery
+** ID: T1069
+** Reference URL: https://attack.mitre.org/techniques/T1069/
+* Sub-technique:
+** Name: Cloud Groups
+** ID: T1069.003
+** Reference URL: https://attack.mitre.org/techniques/T1069/003/
+* Technique:
+** Name: System Information Discovery
+** ID: T1082
+** Reference URL: https://attack.mitre.org/techniques/T1082/
+* Technique:
+** Name: Account Discovery
+** ID: T1087
+** Reference URL: https://attack.mitre.org/techniques/T1087/
+* Sub-technique:
+** Name: Cloud Account
+** ID: T1087.004
+** Reference URL: https://attack.mitre.org/techniques/T1087/004/
+* Technique:
+** Name: Password Policy Discovery
+** ID: T1201
+** Reference URL: https://attack.mitre.org/techniques/T1201/
+* Technique:
+** Name: Cloud Service Discovery
+** ID: T1526
+** Reference URL: https://attack.mitre.org/techniques/T1526/
+* Technique:
+** Name: Cloud Infrastructure Discovery
+** ID: T1580
+** Reference URL: https://attack.mitre.org/techniques/T1580/
+* Technique:
+** Name: Virtual Machine Discovery
+** ID: T1673
+** Reference URL: https://attack.mitre.org/techniques/T1673/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-container-management-utility-run-inside-a-container.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-container-management-utility-run-inside-a-container.asciidoc
new file mode 100644
index 0000000000..23698e6f03
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-container-management-utility-run-inside-a-container.asciidoc 
@@ -0,0 +1,149 @@ +[[prebuilt-rule-8-17-14-container-management-utility-run-inside-a-container]] +=== Container Management Utility Run Inside A Container + +This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Container +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend +* Resources: Investigation Guide + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + + +*Investigating Container Management Utility Run Inside A Container* + + +Container management utilities like Docker and Kubectl are essential for orchestrating and managing containerized applications. They facilitate tasks such as deployment, scaling, and networking. However, adversaries can exploit these tools to execute unauthorized commands within containers, potentially leading to system compromise. The detection rule identifies suspicious execution of these utilities within containers, signaling possible misuse or misconfiguration, by monitoring specific process activities and event types. 
+ + +*Possible investigation steps* + + +- Examine the process name and command line arguments to understand the context of the execution and identify any anomalies or unauthorized commands. +- Check the user and permissions associated with the process to assess if it aligns with expected roles and access levels for container management tasks. +- Investigate the container's creation and deployment history to identify any recent changes or deployments that could explain the presence of the management utility. +- Analyze network activity associated with the container to detect any unusual connections or data transfers that might indicate malicious activity. +- Correlate the event with other security alerts or logs to identify patterns or related incidents that could provide additional context or evidence of compromise. + + +*False positive analysis* + + +- Routine maintenance tasks within containers can trigger the rule. Exclude known maintenance scripts or processes by adding them to an allowlist if they frequently execute container management utilities. +- Development and testing environments often run container management commands for legitimate purposes. Consider excluding these environments from monitoring or adjust the rule to focus on production environments only. +- Automated deployment tools may execute container management commands as part of their workflow. Identify these tools and create exceptions for their activities to prevent false positives. +- System updates or patches might involve running container management utilities. Monitor update schedules and temporarily adjust the rule to avoid unnecessary alerts during these periods. +- Legitimate administrative actions by authorized personnel can trigger the rule. Implement user-based exceptions for known administrators to reduce false positives while maintaining security oversight. 
+ + +*Response and remediation* + + +- Immediately isolate the affected container to prevent further unauthorized access or execution of commands. This can be done by stopping the container or disconnecting it from the network. +- Review the container's configuration and access controls to identify any misconfigurations or unauthorized access permissions that may have allowed the execution of container management utilities. +- Conduct a thorough analysis of the container's logs and process activities to determine the extent of the compromise and identify any additional malicious activities or lateral movement attempts. +- Remove any unauthorized or suspicious binaries and scripts from the container to prevent further exploitation. +- Patch and update the container image and underlying host system to address any known vulnerabilities that may have been exploited. +- Implement stricter access controls and monitoring on container management utilities to ensure they are only accessible by authorized users and processes. +- Escalate the incident to the security operations team for further investigation and to assess the need for broader security measures across the container environment. + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". 
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. + +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.entry_leader.entry_meta.type == "container" and process.interactive == true and
+process.name in ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "systemd", "crictl") and
+not process.parent.executable in ("/sbin/init", "/usr/bin/dockerd")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Container Administration Command
+** ID: T1609
+** Reference URL: https://attack.mitre.org/techniques/T1609/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-deprecated-aws-ec2-snapshot-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-deprecated-aws-ec2-snapshot-activity.asciidoc
new file mode 100644
index 0000000000..c429f2e828
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-deprecated-aws-ec2-snapshot-activity.asciidoc
@@ -0,0 +1,128 @@
+[[prebuilt-rule-8-17-14-deprecated-aws-ec2-snapshot-activity]]
+=== Deprecated - AWS EC2 Snapshot Activity
+
+An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-aws.cloudtrail-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 10m
+
+*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html
+* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html
+
+*Tags*:
+
+* Domain: Cloud
+* Data Source: AWS
+* Data Source: Amazon Web Services
+* Use Case: Asset Visibility
+* Tactic: Exfiltration
+* Resources: Investigation Guide
+
+*Version*: 212
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Deprecated - AWS EC2 Snapshot Activity*
+
+
+Amazon EC2 snapshots are a mechanism to create point-in-time references to data that reside in storage volumes. System administrators commonly use this for backup operations and data recovery.
+
+This rule looks for the modification of snapshot attributes using the API `ModifySnapshotAttribute` action. This can be used to share snapshots with unauthorized third parties, giving others access to all the data on the snapshot.
+
+
+*Possible investigation steps*
+
+
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Search for dry run attempts against the resource ID of the snapshot from other user accounts within CloudTrail.
+- Investigate other alerts associated with the user account during the past 48 hours.
+- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Considering the source IP address and geolocation of the user who issued the command:
+ - Do they look normal for the calling user?
+ - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?
+ - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
+- Check if this operation was approved and performed according to the organization's change management policy.
+- Check if the shared permissions of the snapshot were modified to `Public` or include unknown account IDs.
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.
+
+
+*False positive analysis*
+
+
+- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and IP address conditions.
+
+
+*Response and remediation*
+
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+ - Identify the account role in the cloud environment.
+ - Assess the criticality of affected services and servers.
+ - Work with your IT team to identify and minimize the impact on users.
+ - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
+ - Identify any regulatory or legal ramifications related to this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
+- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.
+- Consider enabling multi-factor authentication for users.
+- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Implement security best practices https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/[outlined] by AWS.
+- Take the actions needed to return affected systems, data, or services to their normal operational levels.
+- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+==== Setup
+
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Exfiltration
+** ID: TA0010
+** Reference URL: https://attack.mitre.org/tactics/TA0010/
+* Technique:
+** Name: Transfer Data to Cloud Account
+** ID: T1537
+** Reference URL: https://attack.mitre.org/techniques/T1537/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-deprecated-azure-entra-sign-in-brute-force-microsoft-365-accounts-by-repeat-source.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-deprecated-azure-entra-sign-in-brute-force-microsoft-365-accounts-by-repeat-source.asciidoc
new file mode 100644
index 0000000000..864ea18490
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-deprecated-azure-entra-sign-in-brute-force-microsoft-365-accounts-by-repeat-source.asciidoc
@@ -0,0 +1,134 @@
+[[prebuilt-rule-8-17-14-deprecated-azure-entra-sign-in-brute-force-microsoft-365-accounts-by-repeat-source]]
+=== Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
+
+Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams.
+
+*Rule type*: esql
+
+*Rule indices*: None
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 10m
+
+*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying
+* https://github.com/0xZDH/o365spray
+
+*Tags*:
+
+* Domain: Cloud
+* Domain: SaaS
+* Data Source: Azure
+* Data Source: Entra ID
+* Data Source: Entra ID Sign-in
+* Use Case: Identity and Access Audit
+* Use Case: Threat Detection
+* Tactic: Credential Access
+* Resources: Investigation Guide
+
+*Version*: 4
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source*
+
+
+Azure Entra ID, integral to Microsoft 365, manages identity and access, ensuring secure authentication.
Adversaries exploit this by attempting numerous failed logins to breach accounts. The detection rule identifies such brute-force attempts by monitoring failed logins from a single IP within a short timeframe, flagging potential unauthorized access efforts.
+
+
+*Possible investigation steps*
+
+
+- Review the source IP address identified in the alert to determine if it is associated with known malicious activity or if it belongs to a legitimate user or organization.
+- Examine the list of user principal names targeted by the failed login attempts to identify any patterns or specific users that may be at higher risk.
+- Check the azure.signinlogs.properties.resource_display_name to understand which Microsoft 365 services were targeted, such as Exchange, SharePoint, or Teams, and assess the potential impact on those services.
+- Investigate the error codes in azure.signinlogs.properties.status.error_code for additional context on why the login attempts failed, which may provide insights into the attacker's methods.
+- Correlate the failed login attempts with any successful logins from the same source IP or user accounts to identify potential unauthorized access.
+- Assess the risk and exposure of the affected user accounts and consider implementing additional security measures, such as multi-factor authentication, if not already in place.
+
+
+*False positive analysis*
+
+
+- High volume of legitimate login attempts from a single IP, such as a corporate proxy or VPN, can trigger false positives. To mitigate, exclude known IP addresses of trusted network infrastructure from the rule.
+- Automated scripts or applications performing frequent login operations on behalf of users may be misidentified as brute force attempts. Identify and whitelist these applications by their source IPs or user agents.
+- Shared workstations or kiosks where multiple users log in from the same IP address can result in false positives.
Implement user-based exclusions for these environments to prevent unnecessary alerts.
+- Frequent password resets or account recovery processes can generate multiple failed login attempts. Monitor and exclude these activities by correlating with password reset logs or helpdesk tickets.
+- Training or testing environments where multiple failed logins are expected should be excluded by identifying and filtering out the associated IP ranges or user accounts.
+
+
+*Response and remediation*
+
+
+- Immediately block the source IP address identified in the alert to prevent further unauthorized access attempts.
+- Reset passwords for all affected user accounts that experienced failed login attempts from the flagged IP address to ensure account security.
+- Enable multi-factor authentication (MFA) for the affected accounts if not already in place, to add an additional layer of security against unauthorized access.
+- Review and update conditional access policies to restrict access from suspicious or untrusted locations, enhancing security posture.
+- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
+- Monitor the affected accounts and source IP for any additional suspicious activity, ensuring no further attempts are made.
+- Document the incident details, including the source IP, affected accounts, and actions taken, for future reference and compliance purposes.
+
+This rule relies on Azure Entra ID sign-in logs, but filters for Microsoft 365 resources.
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+from logs-azure.signinlogs*
+| WHERE
+ event.dataset == "azure.signinlogs"
+ and event.category == "authentication"
+ and to_lower(azure.signinlogs.properties.resource_display_name) rlike "(.*)365(.*)"
+ and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
+ and event.outcome != "success"
+
+ // For tuning, review azure.signinlogs.properties.status.error_code
+ // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
+
+// keep only relevant fields
+| keep event.dataset, event.category, azure.signinlogs.properties.resource_display_name, azure.signinlogs.category, event.outcome, azure.signinlogs.properties.user_principal_name, source.ip
+
+// Count the number of unique targets per source IP
+| stats
+ target_count = count_distinct(azure.signinlogs.properties.user_principal_name) by source.ip
+
+// Filter for at least 10 distinct failed login attempts from a single source
+| where target_count >= 10
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Brute Force
+** ID: T1110
+** Reference URL: https://attack.mitre.org/techniques/T1110/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-downloaded-url-files.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-downloaded-url-files.asciidoc
new file mode 100644
index 0000000000..a007c16300
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-downloaded-url-files.asciidoc
@@ -0,0 +1,126 @@
+[[prebuilt-rule-8-17-14-downloaded-url-files]]
+=== Downloaded URL Files
+
+Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.file-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Execution
+* Data Source: Elastic Defend
+* Resources: Investigation Guide
+
+*Version*: 7
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating Downloaded URL Files*
+
+
+URL shortcut files, typically used for quick access to web resources, can be exploited by attackers in phishing schemes to execute malicious content. These files, when downloaded from non-local sources, may bypass traditional security measures. The detection rule identifies such files by monitoring their creation events on Windows systems, focusing on those not initiated by standard processes like Explorer, and flags them based on their network origin, aiding in early threat detection.
+
+
+*Possible investigation steps*
+
+
+- Review the file creation event details to confirm the file extension is ".url" and verify the zone identifier is greater than 1, indicating a non-local source.
+- Investigate the process that created the .url file, ensuring it was not initiated by "explorer.exe" and identify the actual process responsible for the creation.
+- Check the network origin of the downloaded .url file to determine if it is from a known malicious domain or IP address.
+- Analyze the contents of the .url file to identify the target URL and assess its reputation and potential risk.
+- Correlate the event with other security alerts or logs from the same host to identify any additional suspicious activities or patterns.
+- Contact the user associated with the alert to verify if they intentionally downloaded the file and gather any additional context regarding their actions.
+
+
+*False positive analysis*
+
+
+- Corporate applications that generate .url files for legitimate purposes may trigger alerts. Identify these applications and create exceptions for their processes to prevent unnecessary alerts.
+- Automated scripts or system management tools that download .url files as part of routine operations can be mistaken for threats. Review these tools and whitelist their activities if they are verified as safe.
+- User-initiated downloads from trusted internal web portals might be flagged. Educate users on safe downloading practices and consider excluding specific trusted domains from monitoring.
+- Security software updates or patches that include .url files could be misidentified. Verify the source of these updates and adjust the rule to exclude known safe update processes.
+- Collaboration platforms that share .url files for internal use may cause false positives. Evaluate the platform's behavior and exclude its processes if they are deemed secure.
+
+
+*Response and remediation*
+
+
+- Isolate the affected system from the network to prevent further spread of any potential malicious activity.
+- Terminate any suspicious processes that are not initiated by standard processes like Explorer, especially those related to the creation of .url files.
+- Delete the identified .url files from the system to remove the immediate threat.
+- Conduct a full antivirus and anti-malware scan on the affected system to identify and remove any additional threats.
+- Review and analyze the network logs to identify any other systems that may have downloaded similar .url files and apply the same containment measures.
+- Escalate the incident to the security operations team for further investigation and to determine if there is a broader campaign targeting the organization.
+- Update security policies and endpoint protection configurations to block the download and execution of .url files from untrusted sources in the future.
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+file where host.os.type == "windows" and event.type == "creation" and file.extension == "url"
+ and file.Ext.windows.zone_identifier == 3
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: User Execution
+** ID: T1204
+** Reference URL: https://attack.mitre.org/techniques/T1204/
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Phishing
+** ID: T1566
+** Reference URL: https://attack.mitre.org/techniques/T1566/
+* Sub-technique:
+** Name: Spearphishing Attachment
+** ID: T1566.001
+** Reference URL: https://attack.mitre.org/techniques/T1566/001/
+* Sub-technique:
+** Name: Spearphishing Link
+** ID: T1566.002
+** Reference URL: https://attack.mitre.org/techniques/T1566/002/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-entra-id-protection-risk-detection-sign-in-risk.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-entra-id-protection-risk-detection-sign-in-risk.asciidoc
new file mode 100644
index 0000000000..fed370d013
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-entra-id-protection-risk-detection-sign-in-risk.asciidoc
@@ -0,0 +1,155 @@
+[[prebuilt-rule-8-17-14-entra-id-protection-risk-detection-sign-in-risk]]
+=== Entra ID Protection - Risk Detection - Sign-in Risk
+
+Identifies sign-in risk detection events via Microsofts Entra ID Protection service. Entra ID Protection detects sign-in activity such as anonymized IP addresses, unlikely travel, password spray, and more.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-azure.identity_protection-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 1000
+
+*References*:
+
+* https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/
+* https://github.com/dirkjanm/ROADtools
+* https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/
+* https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#risk-types-and-detection
+* https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
+
+*Tags*:
+
+* Domain: Cloud
+* Domain: Identity
+* Data Source: Azure
+* Data Source: Entra ID
+* Use Case: Identity and Access Audit
+* Use Case: Threat Detection
+* Use Case: Risk Detection
+* Tactic: Initial Access
+* Resources: Investigation Guide
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+This rule detects sign-in risk detection events via Microsoft Entra ID Protection. It identifies various risk event types such as anonymized IP addresses, unlikely travel, password spray, and more. These events can indicate potential malicious activity or compromised accounts.
+
+
+*Possible investigation steps*
+
+
+- Review the `azure.identityprotection.properties.risk_event_type` field to understand the specific risk event type detected.
+- Check the `azure.identityprotection.properties.risk_level` field to determine the severity of the risk event.
+- Check the `azure.identityprotection.properties.risk_detail` field for additional context on the risk event.
+- Review the `azure.correlation_id` field to correlate this event with other related events in your environment.
+- Review the `azure.identityprotection.properties.additional_info` field for any additional information provided by Entra ID Protection.
+- Review the `azure.identityprotection.properties.detection_timing_type` field to understand when the risk event was detected. Offline detections may indicate a delayed response to a potential threat while real-time detections indicate immediate risk assessment.
+- Check the `azure.identityprotection.properties.user_principal_name` field to identify the user account associated with the risk event. This can help determine if the account is compromised or if the risk event is expected behavior for that user. Triage the user account with other events from Entra ID audit or sign-in logs to identify any suspicious activity or patterns.
+
+
+*False positive analysis*
+
+
+- Users accessing their accounts from anonymized IP addresses, such as VPNs or Tor, may trigger this rule. If this is expected behavior in your environment, consider adjusting the rule or adding exceptions for specific users or IP ranges.
+- Users who frequently travel or access their accounts from different geographic locations may trigger this rule due to the unlikely travel detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.
+- Users who have recently changed their passwords may trigger this rule due to the password spray detection mechanism.
If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.
+
+
+*Response and remediation*
+
+- Investigate the user account associated with the risk event to determine if it has been compromised or if the risk event is expected behavior.
+- If the risk event indicates a compromised account, take appropriate actions such as resetting the password, enabling multi-factor authentication, or disabling the account temporarily.
+- Review authentication material such as primary refresh tokens (PRTs) or OAuth tokens to ensure they have not been compromised. If necessary, revoke these tokens to prevent further access.
+- Implement sign-in risk policies in Entra ID Protection to automatically respond to risk events, such as requiring multi-factor authentication or blocking sign-ins from risky locations.
+- Ensure multi-factor authentication is enabled for all user accounts to provide an additional layer of security against compromised accounts.
+- Consider using high risk detections and conditional access evaluations to enforce stricter security measures for accounts or enable access revocation.
+
+
+==== Setup
+
+
+
+*Required Microsoft Entra ID Protection Logs*
+
+To use this rule, ensure that Microsoft Entra ID Protection logs are being collected and streamed into the Elastic Stack via the Azure integration.
+
+
+*Additional notes*
+
+
+For information on troubleshooting the maximum alerts warning please refer to this https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts[guide].
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset: "azure.identity_protection" and
+ event.action: "User Risk Detection" and
+ azure.identityprotection.properties.activity: "signin"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
+* Sub-technique:
+** Name: Cloud Accounts
+** ID: T1078.004
+** Reference URL: https://attack.mitre.org/techniques/T1078/004/
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Brute Force
+** ID: T1110
+** Reference URL: https://attack.mitre.org/techniques/T1110/
+* Sub-technique:
+** Name: Password Spraying
+** ID: T1110.003
+** Reference URL: https://attack.mitre.org/techniques/T1110/003/
+* Technique:
+** Name: Modify Authentication Process
+** ID: T1556
+** Reference URL: https://attack.mitre.org/techniques/T1556/
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Application Layer Protocol
+** ID: T1071
+** Reference URL: https://attack.mitre.org/techniques/T1071/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-entra-id-protection-risk-detection-user-risk.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-entra-id-protection-risk-detection-user-risk.asciidoc
new file mode 100644
index 0000000000..2a58443c93
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-entra-id-protection-risk-detection-user-risk.asciidoc
@@ -0,0 +1,152 @@
+[[prebuilt-rule-8-17-14-entra-id-protection-risk-detection-user-risk]]
+=== Entra ID Protection - Risk Detection - User Risk
+
+Identifies user risk detection events via Microsofts Entra ID Protection service. Entra ID Protection detects user risk activity such as anonymized IP addresses, unlikely travel, password spray, and more.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-azure.identity_protection-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 1000
+
+*References*:
+
+* https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#risk-types-and-detection
+* https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
+
+*Tags*:
+
+* Domain: Cloud
+* Domain: Identity
+* Data Source: Azure
+* Data Source: Entra ID
+* Use Case: Identity and Access Audit
+* Use Case: Threat Detection
+* Use Case: Risk Detection
+* Tactic: Initial Access
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+This rule detects user risk detection events via Microsoft Entra ID Protection. It identifies various risk event types such as anonymized IP addresses, unlikely travel, password spray, and more. These events can indicate potential malicious activity or compromised accounts.
+
+
+*Possible investigation steps*
+
+
+- Review the `azure.identityprotection.properties.risk_event_type` field to understand the specific risk event type detected.
+- Check the `azure.identityprotection.properties.risk_level` field to determine the severity of the risk event.
+- Check the `azure.identityprotection.properties.risk_detail` field for additional context on the risk event.
+- Review the `azure.correlation_id` field to correlate this event with other related events in your environment.
+- Review the `azure.identityprotection.properties.additional_info` field for any additional information provided by Entra ID Protection.
+- Review the `azure.identityprotection.properties.detection_timing_type` field to understand when the risk event was detected. Offline detections may indicate a delayed response to a potential threat while real-time detections indicate immediate risk assessment.
+- Check the `azure.identityprotection.properties.user_principal_name` field to identify the user account associated with the risk event. This can help determine if the account is compromised or if the risk event is expected behavior for that user. Triage the user account with other events from Entra ID audit or sign-in logs to identify any suspicious activity or patterns.
+
+
+*False positive analysis*
+
+
+- Users accessing their accounts from anonymized IP addresses, such as VPNs or Tor, may trigger this rule. If this is expected behavior in your environment, consider adjusting the rule or adding exceptions for specific users or IP ranges.
+- Users who frequently travel or access their accounts from different geographic locations may trigger this rule due to the unlikely travel detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.
+- Users who have recently changed their passwords may trigger this rule due to the password spray detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.
+
+
+*Response and remediation*
+
+- Investigate the user account associated with the risk event to determine if it has been compromised or if the risk event is expected behavior.
+- If the risk event indicates a compromised account, take appropriate actions such as resetting the password, enabling multi-factor authentication, or disabling the account temporarily.
+- Review authentication material such as primary refresh tokens (PRTs) or OAuth tokens to ensure they have not been compromised. If necessary, revoke these tokens to prevent further access.
+- Implement sign-in risk policies in Entra ID Protection to automatically respond to risk events, such as requiring multi-factor authentication or blocking sign-ins from risky locations.
+- Ensure multi-factor authentication is enabled for all user accounts to provide an additional layer of security against compromised accounts.
+- Consider using high risk detections and conditional access evaluations to enforce stricter security measures for accounts or enable access revocation.
+
+
+==== Setup
+
+
+
+*Required Microsoft Entra ID Protection Logs*
+
+To use this rule, ensure that Microsoft Entra ID Protection logs are being collected and streamed into the Elastic Stack via the Azure integration.
+
+
+*Additional notes*
+
+
+For information on troubleshooting the maximum alerts warning please refer to this https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts[guide].
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset: "azure.identity_protection" and
+ event.action: "User Risk Detection" and
+ azure.identityprotection.properties.activity: "user"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
+* Sub-technique:
+** Name: Cloud Accounts
+** ID: T1078.004
+** Reference URL: https://attack.mitre.org/techniques/T1078/004/
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Brute Force
+** ID: T1110
+** Reference URL: https://attack.mitre.org/techniques/T1110/
+* Sub-technique:
+** Name: Password Spraying
+** ID: T1110.003
+** Reference URL: https://attack.mitre.org/techniques/T1110/003/
+* Technique:
+** Name: Modify Authentication Process
+** ID: T1556
+** Reference URL: https://attack.mitre.org/techniques/T1556/
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Application Layer Protocol
+** ID: T1071
+** Reference URL: https://attack.mitre.org/techniques/T1071/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-high-number-of-process-and-or-service-terminations.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-high-number-of-process-and-or-service-terminations.asciidoc
new file mode 100644
index 0000000000..aa710c7c33
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-high-number-of-process-and-or-service-terminations.asciidoc
@@ -0,0 +1,117 @@
+[[prebuilt-rule-8-17-14-high-number-of-process-and-or-service-terminations]]
+=== High Number of Process and/or Service Terminations
+
+This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.
+
+*Rule type*: threshold
+
+*Rule indices*:
+
+* endgame-*
+* logs-endpoint.events.process-*
+* logs-system.security*
+* logs-windows.forwarded*
+* logs-windows.sysmon_operational-*
+* winlogbeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.elastic.co/security-labs/luna-ransomware-attack-pattern
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Impact
+* Resources: Investigation Guide
+* Data Source: Elastic Endgame
+* Data Source: Elastic Defend
+* Data Source: Sysmon
+* Data Source: Windows Security Event Logs
+
+*Version*: 216
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating High Number of Process and/or Service Terminations*
+
+
+Attackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.
+
+This rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.
+
+
+*Possible investigation steps*
+
+
+- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Check if any files on the host machine have been encrypted.
+
+
+*False positive analysis*
+
+
+- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.
+
+
+*Response and remediation*
+
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Reimage the host operating system or restore it to the operational state.
+- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and
+ process.args:(stop or pause or delete or "/PID" or "/IM" or "/T" or "/F" or "/t" or "/f" or "/im" or "/pid") and
+ not process.parent.name:(osquerybeat.exe or agentbeat.exe)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
+* Technique:
+** Name: Service Stop
+** ID: T1489
+** Reference URL: https://attack.mitre.org/techniques/T1489/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubeconfig-file-creation-or-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubeconfig-file-creation-or-modification.asciidoc
new file mode 100644
index 0000000000..3a78742614
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubeconfig-file-creation-or-modification.asciidoc
@@ -0,0 +1,131 @@
+[[prebuilt-rule-8-17-14-kubeconfig-file-creation-or-modification]]
+=== Kubeconfig File Creation or Modification
+
+The kubeconfig file is a critical component in Kubernetes environments, containing configuration details for accessing and managing Kubernetes clusters. Attackers may attempt to get access to, create or modify kubeconfig files to gain unauthorized initial access to Kubernetes clusters or move laterally within the cluster.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.file*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://kubernetes-threat-matrix.redguard.ch/initial-access/kubeconfig-file/
+* https://kubenomicon.com/Initial_access/Kubeconfig_file.html
+
+*Tags*:
+
+* Domain: Endpoint
+* Domain: Container
+* OS: Linux
+* Use Case: Threat Detection
+* Tactic: Lateral Movement
+* Tactic: Defense Evasion
+* Tactic: Initial Access
+* Data Source: Elastic Defend
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Setup
+
+
+
+*Setup*
+
+
+This rule requires data coming in from Elastic Defend.
+
+
+*Elastic Defend Integration Setup*
+
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+
+*Prerequisite Requirements:*
+
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation].
+
+
+*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:*
+
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide].
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+
+For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide].
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide].
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+file where host.os.type == "linux" and event.type != "deletion" and file.path like (
+ "/root/.kube/config",
+ "/home/*/.kube/config",
+ "/etc/kubernetes/admin.conf",
+ "/etc/kubernetes/super-admin.conf",
+ "/etc/kubernetes/kubelet.conf",
+ "/etc/kubernetes/controller-manager.conf",
+ "/etc/kubernetes/scheduler.conf",
+ "/var/lib/*/kubeconfig"
+) and not (
+ process.name in ("kubeadm", "kubelet", "vcluster", "minikube") or
+ (process.name == "sed" and file.Ext.original.name like "sed*")
+)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Use Alternate Authentication Material
+** ID: T1550
+** Reference URL: https://attack.mitre.org/techniques/T1550/
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Use Alternate Authentication Material
+** ID: T1550
+** Reference URL: https://attack.mitre.org/techniques/T1550/
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubeconfig-file-discovery.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubeconfig-file-discovery.asciidoc
new file mode 100644
index 0000000000..15f95852a5
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubeconfig-file-discovery.asciidoc
@@ -0,0 +1,122 @@
+[[prebuilt-rule-8-17-14-kubeconfig-file-discovery]]
+=== Kubeconfig File Discovery
+
+The kubeconfig file is a critical component in Kubernetes environments, containing configuration details for accessing and managing Kubernetes clusters. Attackers may attempt to get access to, create, or modify kubeconfig files to gain unauthorized initial access to Kubernetes clusters or move laterally within the cluster. This rule detects process discovery executions that involve kubeconfig files, particularly those executed from common shell environments or world-writeable directories.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.process*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://kubernetes-threat-matrix.redguard.ch/initial-access/kubeconfig-file/
+* https://kubenomicon.com/Initial_access/Kubeconfig_file.html
+
+*Tags*:
+
+* Domain: Endpoint
+* Domain: Container
+* OS: Linux
+* Use Case: Threat Detection
+* Tactic: Discovery
+* Data Source: Elastic Defend
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Setup
+
+
+
+*Setup*
+
+
+This rule requires data coming in from Elastic Defend.
+
+
+*Elastic Defend Integration Setup*
+
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+
+*Prerequisite Requirements:*
+
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation].
+
+
+*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:*
+
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide].
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide].
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide].
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
+ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or
+ (
+ process.parent.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/home/*") or
+ process.parent.name like (".*", "*.sh")
+ )
+) and
+(
+ (
+ process.working_directory like ("/etc/kubernetes", "/root/.kube", "/home/*/.kube") and
+ process.args in ("kubeconfig", "admin.conf", "super-admin.conf", "kubelet.conf", "controller-manager.conf", "scheduler.conf")
+ ) or
+ process.args like (
+ "/etc/kubernetes/admin.conf",
+ "/etc/kubernetes/super-admin.conf",
+ "/etc/kubernetes/kubelet.conf",
+ "/etc/kubernetes/controller-manager.conf",
+ "/etc/kubernetes/scheduler.conf",
+ "/home/*/.kube/config",
+ "/root/.kube/config",
+ "/var/lib/*/kubeconfig"
+ )
+) and not process.name in ("stat", "md5sum", "dirname")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: Container and Resource Discovery
+** ID: T1613
+** Reference URL: https://attack.mitre.org/techniques/T1613/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubectl-permission-discovery.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubectl-permission-discovery.asciidoc
new file mode 100644
index 0000000000..1c0894251c
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubectl-permission-discovery.asciidoc
@@ -0,0 +1,100 @@
+[[prebuilt-rule-8-17-14-kubectl-permission-discovery]]
+=== Kubectl Permission Discovery
+
+This rule detects the use of the "kubectl auth --can-i" command, which is used to check permissions in Kubernetes clusters. Attackers may use this command to enumerate permissions and discover potential misconfigurations in the cluster, allowing them to gain unauthorized access or escalate privileges.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.process*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_can-i/
+
+*Tags*:
+
+* Domain: Endpoint
+* Domain: Container
+* OS: Linux
+* Use Case: Threat Detection
+* Tactic: Discovery
+* Data Source: Elastic Defend
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Setup
+
+
+
+*Setup*
+
+
+This rule requires data coming in from Elastic Defend.
+
+
+*Elastic Defend Integration Setup*
+
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+
+*Prerequisite Requirements:*
+
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation].
+
+
+*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:*
+
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide].
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide].
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide].
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.name == "kubectl" and process.args == "auth" and process.args == "can-i"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: Container and Resource Discovery
+** ID: T1613
+** Reference URL: https://attack.mitre.org/techniques/T1613/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubernetes-service-account-secret-access.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubernetes-service-account-secret-access.asciidoc
new file mode 100644
index 0000000000..107f9c00db
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubernetes-service-account-secret-access.asciidoc
@@ -0,0 +1,123 @@
+[[prebuilt-rule-8-17-14-kubernetes-service-account-secret-access]]
+=== Kubernetes Service Account Secret Access
+
+This rule detects when a process accesses Kubernetes service account secrets. Kubernetes service account secrets are files that contain sensitive information used by applications running in Kubernetes clusters to authenticate and authorize access to the cluster. These secrets are typically mounted into pods at runtime, allowing applications to access them securely. Unauthorized access to these secrets can lead to privilege escalation, lateral movement and unauthorized actions within the cluster.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.process*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Domain: Endpoint
+* Domain: Container
+* OS: Linux
+* Use Case: Threat Detection
+* Tactic: Credential Access
+* Tactic: Discovery
+* Data Source: Elastic Defend
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Setup
+
+
+
+*Setup*
+
+
+This rule requires data coming in from Elastic Defend.
+
+
+*Elastic Defend Integration Setup*
+
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+
+*Prerequisite Requirements:*
+
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation].
+
+
+*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:*
+
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide].
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide].
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide].
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
+ process.command_line like (
+ "*/run/secrets/kubernetes.io/serviceaccount*",
+ "*/var/run/secrets/kubernetes.io/serviceaccount*",
+ "*/secrets/kubernetes.io/serviceaccount*"
+ ) or (
+ process.working_directory like (
+ "/run/secrets/kubernetes.io/serviceaccount",
+ "/var/run/secrets/kubernetes.io/serviceaccount",
+ "/secrets/kubernetes.io/serviceaccount"
+ ) and
+ process.args in ("ca.crt", "token", "namespace")
+ )
+)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Unsecured Credentials
+** ID: T1552
+** Reference URL: https://attack.mitre.org/techniques/T1552/
+* Technique:
+** Name: Steal Application Access Token
+** ID: T1528
+** Reference URL: https://attack.mitre.org/techniques/T1528/
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: Container and Resource Discovery
+** ID: T1613
+** Reference URL: https://attack.mitre.org/techniques/T1613/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubernetes-user-exec-into-pod.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubernetes-user-exec-into-pod.asciidoc
new file mode 100644
index 0000000000..d016fd1e2b
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-kubernetes-user-exec-into-pod.asciidoc
@@ -0,0 +1,115 @@
+[[prebuilt-rule-8-17-14-kubernetes-user-exec-into-pod]]
+=== Kubernetes User Exec into Pod
+
+This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-kubernetes.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/
+* https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/
+
+*Tags*:
+
+* Data Source: Kubernetes
+* Tactic: Execution
+* Resources: Investigation Guide
+
+*Version*: 207
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating Kubernetes User Exec into Pod*
+
+
+Kubernetes allows users to execute commands within a pod using the 'exec' command, facilitating temporary shell sessions for legitimate management tasks. However, adversaries can exploit this to gain unauthorized access, potentially exposing sensitive data. The detection rule identifies such misuse by monitoring audit logs for specific patterns, such as allowed 'exec' actions on pods, indicating possible malicious activity.
+
+
+*Possible investigation steps*
+
+
+- Review the Kubernetes audit logs to identify the user who executed the 'exec' command by examining the event.dataset field for "kubernetes.audit_logs".
+- Check the kubernetes.audit.annotations.authorization_k8s_io/decision field to confirm that the action was allowed and determine if the user had legitimate access.
+- Investigate the kubernetes.audit.objectRef.resource and kubernetes.audit.objectRef.subresource fields to verify that the action involved a pod and the 'exec' subresource.
+- Analyze the context of the pod involved, including its purpose and the data it has access to, to assess the potential impact of the unauthorized access.
+- Correlate the event with other logs or alerts to identify any suspicious patterns or repeated unauthorized access attempts by the same user or IP address.
+- Review the user's activity history to determine if there are other instances of unusual or unauthorized access attempts within the Kubernetes environment.
+
+
+*False positive analysis*
+
+
+- Routine administrative tasks by DevOps teams can trigger the rule when they use 'exec' for legitimate management purposes. To handle this, create exceptions for specific user accounts or roles that are known to perform these tasks regularly.
+- Automated scripts or tools that use 'exec' for monitoring or maintenance can also cause false positives. Identify these scripts and whitelist their associated service accounts or IP addresses.
+- Scheduled jobs or cron tasks that require 'exec' to perform updates or checks within pods may be flagged. Exclude these by setting up time-based exceptions for known maintenance windows.
+- Development environments where frequent testing and debugging occur using 'exec' can lead to alerts. Implement environment-specific exclusions to reduce noise from non-production clusters.
+
+
+*Response and remediation*
+
+
+- Immediately isolate the affected pod to prevent further unauthorized access or data exposure.
This can be done by applying network policies or temporarily scaling down the pod.
+- Review the audit logs to identify the user or service account responsible for the 'exec' command and assess whether the access was legitimate or unauthorized.
+- Revoke or adjust permissions for the identified user or service account to prevent further unauthorized 'exec' actions. Ensure that only necessary permissions are granted following the principle of least privilege.
+- Conduct a thorough investigation of the pod's environment to identify any potential data exposure or tampering. Check for unauthorized changes to configurations, secrets, or data within the pod.
+- If unauthorized access is confirmed, rotate any exposed secrets or credentials that the pod had access to, and update any affected systems or services.
+- Escalate the incident to the security operations team for further analysis and to determine if additional systems or pods have been compromised.
+- Enhance monitoring and alerting for similar 'exec' actions in the future by ensuring that audit logs are continuously reviewed and that alerts are configured to notify the security team of any suspicious activity.
+
+==== Setup
+
+
+The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+any where host.os.type == "linux" and event.dataset == "kubernetes.audit_logs" and
+kubernetes.audit.verb in ("get", "create") and kubernetes.audit.objectRef.subresource == "exec" and
+kubernetes.audit.stage == "ResponseComplete" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Container Administration Command
+** ID: T1609
+** Reference URL: https://attack.mitre.org/techniques/T1609/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-loadable-kernel-module-configuration-file-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-loadable-kernel-module-configuration-file-creation.asciidoc
new file mode 100644
index 0000000000..a0bbecd1a5
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-loadable-kernel-module-configuration-file-creation.asciidoc
@@ -0,0 +1,154 @@
+[[prebuilt-rule-8-17-14-loadable-kernel-module-configuration-file-creation]]
+=== Loadable Kernel Module Configuration File Creation
+
+This rule detects the creation of Loadable Kernel Module (LKM) configuration files. Attackers may create or modify these files to allow their LKMs to be loaded upon reboot, ensuring persistence on a compromised system.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.file*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Linux
+* Use Case: Threat Detection
+* Tactic: Persistence
+* Tactic: Defense Evasion
+* Data Source: Elastic Defend
+* Resources: Investigation Guide
+
+*Version*: 5
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating Loadable Kernel Module Configuration File Creation*
+
+
+Loadable Kernel Modules (LKMs) are components that can be dynamically loaded into the Linux kernel to extend its functionality without rebooting. Adversaries exploit this by creating or altering LKM configuration files to ensure their malicious modules load at startup, achieving persistence. The detection rule identifies suspicious file creation or renaming activities in key directories, excluding benign processes, to flag potential threats.
+
+
+*Possible investigation steps*
+
+
+- Review the file path and name to determine if it matches any known or expected LKM configuration files, focusing on paths like /etc/modules, /etc/modprobe.d/*, and others specified in the query.
+- Examine the process executable responsible for the file creation or renaming to identify if it is a known or trusted application, especially if it is not in the list of excluded executables.
+- Check the process name and executable path for any anomalies or signs of masquerading, particularly if they are not in the list of excluded names or paths.
+- Investigate the user account associated with the process to determine if it has legitimate access or if it might be compromised.
+- Correlate the event with other recent system activities to identify any patterns or additional suspicious behavior, such as other file modifications or network connections.
+- Review system logs for any related entries that might provide additional context or evidence of malicious activity.
+- Assess the risk and impact of the detected activity on the system's security posture and determine if further containment or remediation actions are necessary.
+
+
+*False positive analysis*
+
+
+- System package managers like dpkg, rpm, and yum may trigger false positives when they update or install legitimate kernel modules. To handle this, exclude these processes by adding them to the exception list in the detection rule.
+- Automated system management tools such as Puppet, Chef, and Ansible can create or modify LKM configuration files during routine operations. Exclude these processes by specifying their executables in the exception criteria.
+- Temporary files created by text editors or system processes, such as those with extensions like swp or swx, can be mistaken for suspicious activity. Exclude these file extensions to reduce false positives.
+- Processes running from specific directories like /nix/store or /snap may be part of legitimate software installations. Add these paths to the exclusion list to prevent unnecessary alerts.
+- Scheduled tasks or cron jobs that involve file operations in the monitored directories might be flagged. Identify and exclude these processes by their names or paths to minimize false positives.
+
+
+*Response and remediation*
+
+
+- Isolate the affected system from the network to prevent further propagation of the malicious loadable kernel module.
+- Terminate any suspicious processes identified in the alert that are associated with the creation or modification of LKM configuration files.
+- Remove or revert any unauthorized changes to LKM configuration files in the specified directories to prevent the malicious module from loading on reboot.
+- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious components.
+- Review system logs and the history of executed commands to identify the initial vector of compromise and any other affected systems.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
+- Implement additional monitoring and alerting for similar suspicious activities to enhance detection and response capabilities for future incidents.
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+file where host.os.type == "linux" and event.action in ("rename", "creation") and process.executable != null and
+file.path like (
+ "/etc/modules", "/etc/modprobe.d/*", "/run/modprobe.d/*", "/usr/local/lib/modprobe.d/*", "/usr/lib/modprobe.d/*",
+ "/lib/modprobe.d/*", "/etc/modules-load.d/*", "/run/modules-load.d/*", "/usr/local/lib/modules-load.d/*",
+ "/usr/lib/modules-load.d/*"
+) and not (
+ process.executable in (
+ "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
+ "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
+ "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
+ "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
+ "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
+ "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
+ "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon",
+ "/bin/pamac-daemon", "/usr/local/bin/dockerd", "/opt/elasticbeanstalk/bin/platform-engine",
+ "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/opt/imunify360/venv/bin/python3",
+ "/opt/eset/efs/lib/utild", "/usr/sbin/anacron", "/usr/bin/podman", "/kaniko/kaniko-executor", "/usr/bin/prime-select"
+ ) or
+ file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
+ file.Ext.original.extension == "dpkg-new" or
+ process.executable like (
+ "/nix/store/*", "/var/lib/dpkg/info/kmod.postinst", "/tmp/vmis.*", "/snap/*", "/dev/fd/*",
+ "/usr/libexec/platform-python*"
+ ) or
+ process.executable == null or
+ process.name in (
+ "crond", "executor", "puppet", "droplet-agent.postinst", "cf-agent", "schedd",
"imunify-notifier", "perl",
+ "jumpcloud-agent", "crio", "dnf_install", "utild"
+ ) or
+ (process.name == "sed" and file.name : "sed*")
+ (process.name == "perl" and file.name : "e2scrub_all.tmp*")
+)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Boot or Logon Autostart Execution
+** ID: T1547
+** Reference URL: https://attack.mitre.org/techniques/T1547/
+* Sub-technique:
+** Name: Kernel Modules and Extensions
+** ID: T1547.006
+** Reference URL: https://attack.mitre.org/techniques/T1547/006/
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Rootkit
+** ID: T1014
+** Reference URL: https://attack.mitre.org/techniques/T1014/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-microsoft-entra-id-exccessive-account-lockouts-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-microsoft-entra-id-exccessive-account-lockouts-detected.asciidoc
new file mode 100644
index 0000000000..b666cd056b
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-microsoft-entra-id-exccessive-account-lockouts-detected.asciidoc
@@ -0,0 +1,202 @@
+[[prebuilt-rule-8-17-14-microsoft-entra-id-exccessive-account-lockouts-detected]]
+=== Microsoft Entra ID Exccessive Account Lockouts Detected
+
+Identifies a high count of failed Microsoft Entra ID sign-in attempts as the result of the target user account being locked out. Adversaries may attempt to brute-force user accounts by repeatedly trying to authenticate with incorrect credentials, leading to account lockouts by Entra ID Smart Lockout policies.
+
+*Rule type*: esql
+
+*Rule indices*: None
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 15m
+
+*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
+* https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying
+* https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray
+* https://www.sprocketsecurity.com/blog/exploring-modern-password-spraying
+* https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties
+* https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
+* https://github.com/0xZDH/Omnispray
+* https://github.com/0xZDH/o365spray
+
+*Tags*:
+
+* Domain: Cloud
+* Domain: Identity
+* Data Source: Azure
+* Data Source: Entra ID
+* Data Source: Entra ID Sign-in Logs
+* Use Case: Identity and Access Audit
+* Use Case: Threat Detection
+* Tactic: Credential Access
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Microsoft Entra ID Exccessive Account Lockouts Detected*
+
+
+This rule detects a high number of sign-in failures due to account lockouts
(error code `50053`) in Microsoft Entra ID sign-in logs. These lockouts are typically caused by repeated authentication failures, often as a result of brute-force tactics such as password spraying, credential stuffing, or automated guessing. This detection is time-bucketed and aggregates attempts to identify bursts or coordinated campaigns targeting multiple users.
+
+
+*Possible investigation steps*
+
+
+- Review `user_id_list` and `user_principal_name`: Check if targeted users include high-value accounts such as administrators, service principals, or shared inboxes.
+- Check `error_codes` and `result_description`: Validate that `50053` (account locked) is the consistent failure type. Messages indicating "malicious IP" activity suggest Microsoft’s backend flagged the source.
+- Analyze `ip_list` and `source_orgs`: Identify whether the activity originated from known malicious infrastructure (e.g., VPNs, botnets, or public cloud providers). In the example, traffic originates from `MASSCOM`, which should be validated.
+- Inspect `device_detail_browser` and `user_agent`: Clients like `"Python Requests"` indicate scripted automation rather than legitimate login attempts.
+- Evaluate `unique_users` vs. `total_attempts`: A high ratio suggests distributed attacks across multiple accounts, characteristic of password spraying.
+- Correlate `client_app_display_name` and `incoming_token_type`: PowerShell or unattended sign-in clients may be targeted for automation or legacy auth bypass.
+- Review `conditional_access_status` and `risk_state`: If Conditional Access was not applied and risk was not flagged, policy scope or coverage should be reviewed.
+- Validate time range (`first_seen`, `last_seen`): Determine whether the attack is a short burst or part of a longer campaign.
+
+
+*False positive analysis*
+
+
+- Misconfigured clients, scripts, or services with outdated credentials may inadvertently cause lockouts.
+- Repeated lockouts from known internal IPs or during credential rotation windows could be benign.
+- Legacy applications without modern auth support may repeatedly fail and trigger Smart Lockout.
+- Specific known user agents (e.g., corporate service accounts).
+- Internal IPs or cloud-hosted automation with expected failure behavior.
+
+
+*Response and remediation*
+
+
+- Investigate locked accounts immediately. Confirm if the account was successfully accessed prior to lockout.
+- Reset credentials for impacted users and enforce MFA before re-enabling accounts.
+- Block malicious IPs or ASN at the firewall, identity provider, or Conditional Access level.
+- Audit authentication methods in use, and enforce modern auth (OAuth, SAML) over legacy protocols.
+- Strengthen Conditional Access policies to reduce exposure from weak locations, apps, or clients.
+- Conduct credential hygiene audits to assess reuse and rotation for targeted accounts.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+FROM logs-azure.signinlogs*
+
+| EVAL
+ time_window = DATE_TRUNC(30 minutes, @timestamp),
+ user_id = TO_LOWER(azure.signinlogs.properties.user_principal_name),
+ ip = source.ip,
+ login_error = azure.signinlogs.result_description,
+ error_code = azure.signinlogs.properties.status.error_code,
+ request_type = TO_LOWER(azure.signinlogs.properties.incoming_token_type),
+ app_name = TO_LOWER(azure.signinlogs.properties.app_display_name),
+ asn_org = source.`as`.organization.name,
+ country = source.geo.country_name,
+ user_agent = user_agent.original,
+ event_time = @timestamp
+
+| WHERE event.dataset == "azure.signinlogs"
+ AND event.category == "authentication"
+ AND azure.signinlogs.category IN ("NonInteractiveUserSignInLogs", "SignInLogs")
+ AND event.outcome == "failure"
+ AND azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication"
+ AND error_code == 50053
+ AND user_id IS NOT NULL AND user_id != ""
+ AND asn_org !=
"MICROSOFT-CORP-MSN-AS-BLOCK"
+
+| STATS
+ authentication_requirement = VALUES(azure.signinlogs.properties.authentication_requirement),
+ client_app_id = VALUES(azure.signinlogs.properties.app_id),
+ client_app_display_name = VALUES(azure.signinlogs.properties.app_display_name),
+ target_resource_id = VALUES(azure.signinlogs.properties.resource_id),
+ target_resource_display_name = VALUES(azure.signinlogs.properties.resource_display_name),
+ conditional_access_status = VALUES(azure.signinlogs.properties.conditional_access_status),
+ device_detail_browser = VALUES(azure.signinlogs.properties.device_detail.browser),
+ device_detail_device_id = VALUES(azure.signinlogs.properties.device_detail.device_id),
+ device_detail_operating_system = VALUES(azure.signinlogs.properties.device_detail.operating_system),
+ incoming_token_type = VALUES(azure.signinlogs.properties.incoming_token_type),
+ risk_state = VALUES(azure.signinlogs.properties.risk_state),
+ session_id = VALUES(azure.signinlogs.properties.session_id),
+ user_id = VALUES(azure.signinlogs.properties.user_id),
+ user_principal_name = VALUES(azure.signinlogs.properties.user_principal_name),
+ result_description = VALUES(azure.signinlogs.result_description),
+ result_signature = VALUES(azure.signinlogs.result_signature),
+ result_type = VALUES(azure.signinlogs.result_type),
+
+ unique_users = COUNT_DISTINCT(user_id),
+ user_id_list = VALUES(user_id),
+ login_errors = VALUES(login_error),
+ unique_login_errors = COUNT_DISTINCT(login_error),
+ error_codes = VALUES(error_code),
+ unique_error_codes = COUNT_DISTINCT(error_code),
+ request_types = VALUES(request_type),
+ app_names = VALUES(app_name),
+ ip_list = VALUES(ip),
+ unique_ips = COUNT_DISTINCT(ip),
+ source_orgs = VALUES(asn_org),
+ countries = VALUES(country),
+ unique_country_count = COUNT_DISTINCT(country),
+ unique_asn_orgs = COUNT_DISTINCT(asn_org),
+ first_seen = MIN(event_time),
+ last_seen = MAX(event_time),
+ total_attempts = COUNT()
+BY time_window
+|
WHERE unique_users >= 15 AND total_attempts >= 20
+| KEEP
+ time_window, total_attempts, first_seen, last_seen,
+ unique_users, user_id_list, login_errors, unique_login_errors,
+ unique_error_codes, error_codes, request_types, app_names,
+ ip_list, unique_ips, source_orgs, countries,
+ unique_country_count, unique_asn_orgs,
+ authentication_requirement, client_app_id, client_app_display_name,
+ target_resource_id, target_resource_display_name, conditional_access_status,
+ device_detail_browser, device_detail_device_id, device_detail_operating_system,
+ incoming_token_type, risk_state, session_id, user_id,
+ user_principal_name, result_description, result_signature, result_type
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Brute Force
+** ID: T1110
+** Reference URL: https://attack.mitre.org/techniques/T1110/
+* Sub-technique:
+** Name: Password Guessing
+** ID: T1110.001
+** Reference URL: https://attack.mitre.org/techniques/T1110/001/
+* Sub-technique:
+** Name: Password Spraying
+** ID: T1110.003
+** Reference URL: https://attack.mitre.org/techniques/T1110/003/
+* Sub-technique:
+** Name: Credential Stuffing
+** ID: T1110.004
+** Reference URL: https://attack.mitre.org/techniques/T1110/004/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-outlook-home-page-registry-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-outlook-home-page-registry-modification.asciidoc
new file mode 100644
index 0000000000..31d73a8f14
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-outlook-home-page-registry-modification.asciidoc
@@ -0,0 +1,133 @@
+[[prebuilt-rule-8-17-14-outlook-home-page-registry-modification]]
+=== Outlook Home Page Registry Modification
+
+Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or persistence.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.registry-*
+* logs-windows.sysmon_operational-*
+* endgame-*
+* logs-m365_defender.event-*
+* logs-sentinel_one_cloud_funnel.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/
+* https://github.com/trustedsec/specula
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Command and Control
+* Tactic: Persistence
+* Data Source: Elastic Endgame
+* Data Source: Elastic Defend
+* Data Source: Sysmon
+* Data Source: Microsoft Defender for Endpoint
+* Data Source: SentinelOne
+* Resources: Investigation Guide
+
+*Version*: 205
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating Outlook Home Page Registry Modification*
+
+
+The Outlook Home Page feature allows users to set a webpage as the default view for folders, leveraging registry keys to store URL configurations. Adversaries exploit this by modifying these keys to redirect to malicious sites, enabling command and control or persistence.
The detection rule identifies suspicious registry changes, focusing on URL entries within specific paths, flagging potential misuse for further investigation.
+
+
+*Possible investigation steps*
+
+
+- Review the registry path and value to confirm the presence of a suspicious URL entry in the specified registry paths, such as "HKCU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL".
+- Investigate the URL found in the registry data strings to determine if it is known to be malicious or associated with suspicious activity.
+- Check the modification history of the registry key to identify when the change occurred and which user or process made the modification.
+- Correlate the registry modification event with other security events on the host, such as network connections or process executions, to identify potential malicious activity.
+- Assess the affected system for signs of compromise, including unusual network traffic or unauthorized access attempts, to determine the scope of the incident.
+- Consult threat intelligence sources to see if the URL or related indicators are associated with known threat actors or campaigns.
+
+
+*False positive analysis*
+
+
+- Legitimate software updates or installations may modify the registry keys associated with Outlook's Home Page feature. Users can create exceptions for known software update processes to prevent unnecessary alerts.
+- Custom scripts or administrative tools used by IT departments to configure Outlook settings across multiple machines might trigger this rule. Identifying and excluding these trusted scripts or tools can reduce false positives.
+- Some third-party Outlook add-ins or plugins may alter the registry keys for legitimate purposes. Users should verify the legitimacy of these add-ins and whitelist them if they are deemed safe.
+- Automated backup or recovery solutions that restore Outlook settings might cause registry changes.
Users can exclude these processes if they are part of a regular and secure backup routine.
+
+
+*Response and remediation*
+
+
+- Immediately isolate the affected system from the network to prevent further communication with potentially malicious sites.
+- Use endpoint detection and response (EDR) tools to terminate any suspicious processes associated with the modified registry keys.
+- Restore the modified registry keys to their default values to remove the malicious URL configuration.
+- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional threats.
+- Review and analyze network logs to identify any outbound connections to suspicious domains or IP addresses, and block these at the firewall.
+- Escalate the incident to the security operations center (SOC) for further investigation and to determine if other systems are affected.
+- Implement additional monitoring on the affected system and similar endpoints to detect any recurrence of the threat, focusing on registry changes and network activity.
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and
+ registry.path : (
+ "*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\*",
+ "*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Today\\*"
+ ) and registry.data.strings : "*://*"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Office Application Startup
+** ID: T1137
+** Reference URL: https://attack.mitre.org/techniques/T1137/
+* Sub-technique:
+** Name: Outlook Home Page
+** ID: T1137.004
+** Reference URL: https://attack.mitre.org/techniques/T1137/004/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-cve-2025-33053-exploitation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-cve-2025-33053-exploitation.asciidoc
new file mode 100644
index 0000000000..01192b6240
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-cve-2025-33053-exploitation.asciidoc
@@ -0,0 +1,136 @@
+[[prebuilt-rule-8-17-14-potential-cve-2025-33053-exploitation]]
+=== Potential CVE-2025-33053 Exploitation
+
+Identifies a suspicious Diagnostics Utility for Internet Explorer child process. This may indicate the successful exploitation of the vulnerability CVE-2025-33053.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.process-*
+* winlogbeat-*
+* logs-windows.sysmon_operational-*
+* endgame-*
+* logs-m365_defender.event-*
+* logs-sentinel_one_cloud_funnel.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://research.checkpoint.com/2025/stealth-falcon-zero-day/
+* https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Initial Access
+* Tactic: Defense Evasion
+* Data Source: Elastic Endgame
+* Data Source: Elastic Defend
+* Data Source: Sysmon
+* Data Source: Microsoft Defender for Endpoint
+* Data Source: SentinelOne
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Potential CVE-2025-33053 Exploitation*
+
+
+
+*Possible investigation steps*
+
+
+- Review the process details to confirm the suspicious child process was indeed started by iediagcmd.exe.
+- Check any URL file type creation before the alert and review the source of those files.
+- Investigate the process tree and make sure all descendant processes are terminated.
+- Examine the network activity associated with the suspicious process to detect any unauthorized data exfiltration or communication with known malicious IP addresses.
+- Assess the system for any additional indicators of compromise, such as unexpected changes in system files or registry keys, which might suggest a broader attack.
+
+
+*False positive analysis*
+
+
+- This behavior is very rare and should be highly suspicious.
+
+
+*Response and remediation*
+
+
+- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
+- Terminate the suspicious child process identified in the alert.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign.
+- Implement additional monitoring and alerting for similar suspicious activities involving explorer.exe to enhance detection capabilities and prevent recurrence.
+- Review and update endpoint security policies to restrict the execution of potentially malicious URL files.
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where host.os.type == "windows" and event.type == "start" and
+ process.parent.executable : "C:\\Program Files\\Internet Explorer\\iediagcmd.exe" and
+ process.name : ("route.exe", "netsh.exe", "ipconfig.exe", "dxdiag.exe", "conhost.exe", "makecab.exe") and
+ process.executable != null and
+ not process.executable : ("C:\\Windows\\System32\\route.exe",
+ "C:\\Windows\\System32\\netsh.exe",
+ "C:\\Windows\\System32\\ipconfig.exe",
+ "C:\\Windows\\System32\\dxdiag.exe",
+ "C:\\Windows\\System32\\conhost.exe",
+ "C:\\Windows\\System32\\makecab.exe")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Phishing
+** ID: T1566
+** Reference URL: https://attack.mitre.org/techniques/T1566/
+* Sub-technique:
+** Name: Spearphishing Attachment
+** ID: T1566.001
+** Reference URL: https://attack.mitre.org/techniques/T1566/001/
+* Sub-technique:
+** Name: Spearphishing Link
+** ID: T1566.002
+** Reference URL: https://attack.mitre.org/techniques/T1566/002/
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: System Binary Proxy Execution
+** ID: T1218
+** Reference URL: https://attack.mitre.org/techniques/T1218/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-kerberos-coercion-via-dns-based-spn-spoofing.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-kerberos-coercion-via-dns-based-spn-spoofing.asciidoc
new file mode 100644
index 0000000000..a410f7c166
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-kerberos-coercion-via-dns-based-spn-spoofing.asciidoc
@@ -0,0 +1,149 @@
+[[prebuilt-rule-8-17-14-potential-kerberos-coercion-via-dns-based-spn-spoofing]]
+=== Potential Kerberos Coercion via DNS-Based SPN Spoofing
+
+Identifies the creation of a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services (often the victim's own identity). This enables reflective Kerberos relay attacks, potentially resulting in privileged access such as NT AUTHORITY\SYSTEM, without relying on NTLM fallback.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* logs-system.security*
+* logs-windows.forwarded*
+* winlogbeat-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
+* https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/
+* https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
+* https://github.com/CICADA8-Research/RemoteKrbRelay/blob/main/README.md
+* https://github.com/Orange-Cyberdefense/ocd-mindmaps/blob/main/excalimap/mindmap/ad/authenticated.md
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Credential Access
+* Data Source: Active Directory
+* Use Case: Active Directory Monitoring
+* Data Source: Windows Security Event Logs
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating Potential Kerberos Coercion via DNS-Based SPN Spoofing*
+
+
+
+*Possible investigation steps*
+
+
+- Review the event logs on the affected Windows host to confirm the presence of event code 5137, which indicates a directory service object modification.
+- Inspect the ObjectDN field to identify the full distinguished name of the created DNS record. Look for entries containing Base64-encoded segments matching UWhRCA...BAAAA, which are indicative of an embedded CREDENTIAL_TARGET_INFORMATION payload used in SPN spoofing.
+- Validate the associated user or computer account responsible for the DNS record creation. Investigate whether the account has legitimate administrative access to modify DNS zones or whether it may have been compromised.
+- Correlate with DNS query logs and network telemetry to determine if the suspicious DNS hostname was later queried or resolved by other hosts on the network. A match suggests the attacker moved forward with the coercion attempt.
+- Assess the permissions and access controls on the DNS zones to ensure they are appropriately configured and restrict unnecessary modifications by authenticated users.
+
+
+*False positive analysis*
+
+
+- This activity is unlikely to happen legitimately.
+
+
+*Response and remediation*
+
+
+- Review and remove the malicious DNS record containing the embedded CREDENTIAL_TARGET_INFORMATION Base64 payload (UWhRCA...BAAAA). Ensure that no additional coercion records exist in the same DNS zone.
+- Identify the source of the DNS modification by correlating the event with user context and host activity. Investigate whether the account used was compromised or misused.
+- Audit Kerberos ticket activity following the DNS record creation. Look for suspicious service ticket requests (Event ID 4769) or authentication attempts that could indicate a relay or privilege escalation attempt.
+- Temporarily isolate involved systems if signs of compromise or lateral movement are detected, especially if the record was successfully resolved and used for coercion.
+- Monitor network traffic for signs of Man-in-the-Middle activity, focusing on unusual DNS queries or redirections.
+- Escalate the incident to the security operations center (SOC) for further investigation and to assess the potential impact on other systems.
+
+
+==== Setup
+
+
+
+*Setup*
+
+
+The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+Audit Directory Service Changes (Success,Failure)
+```
+
+The above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.
+
+```
+Set-AuditRule -AdObjectPath 'AD:\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success
+```
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+(event.code:4662 and winlog.event_data.AdditionalInfo: *UWhRC*BAAAA*MicrosoftDNS*) or
+(event.code:5137 and winlog.event_data.ObjectDN: *UWhRC*BAAAA*MicrosoftDNS*)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Adversary-in-the-Middle
+** ID: T1557
+** Reference URL: https://attack.mitre.org/techniques/T1557/
+* Sub-technique:
+** Name: LLMNR/NBT-NS Poisoning and SMB Relay
+** ID: T1557.001
+** Reference URL: https://attack.mitre.org/techniques/T1557/001/
+* Technique:
+** Name: Forced Authentication
+** ID: T1187
+** Reference URL: https://attack.mitre.org/techniques/T1187/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-kerberos-spn-spoofing-via-suspicious-dns-query.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-kerberos-spn-spoofing-via-suspicious-dns-query.asciidoc
new file mode 100644
index 0000000000..35754273cd
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-kerberos-spn-spoofing-via-suspicious-dns-query.asciidoc
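Review bot: The triage steps cover only event code 5137 and its ObjectDN field, yet the rule query also fires on event code 4662 via `winlog.event_data.AdditionalInfo`, so an analyst following the guide gets no instructions for that alert path. A step such as `- For event code 4662 alerts, inspect the AdditionalInfo field for the same UWhRC...BAAAA segment and confirm the object path is under MicrosoftDNS.` would close the gap. The Setup section has the same blind spot: the Set-AuditRule command presumably exists to make the 4662 path produce events, but nothing in the text links the two, so a sentence saying which event code each configuration step enables would help readers verify their deployment. Minor: the query prefix `*UWhRC*` is one character shorter than the `UWhRCA` quoted in the description and guide; if the looser prefix is intentional, the guide should say so.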
@@ -0,0 +1,124 @@
+[[prebuilt-rule-8-17-14-potential-kerberos-spn-spoofing-via-suspicious-dns-query]]
+=== Potential Kerberos SPN Spoofing via Suspicious DNS Query
+
+Identifies queries to a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services (often the victim's own identity), enabling attacks such as NTLM reflection.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* endgame-*
+* logs-crowdstrike.fdr*
+* logs-endpoint.events.network-*
+* logs-sentinel_one_cloud_funnel.*
+* logs-windows.sysmon_operational-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
+* https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/
+* https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
+* https://github.com/CICADA8-Research/RemoteKrbRelay/blob/main/README.md
+* https://github.com/Orange-Cyberdefense/ocd-mindmaps/blob/main/excalimap/mindmap/ad/authenticated.md
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Credential Access
+* Data Source: Elastic Defend
+* Data Source: Elastic Endgame
+* Data Source: Crowdstrike
+* Data Source: SentinelOne
+* Data Source: Sysmon
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Potential Kerberos SPN Spoofing via Suspicious DNS Query*
+
+
+> **Note**:
+> This investigation guide uses the https://www.elastic.co/guide/en/security/current/interactive-investigation-guides.html[Investigate Markdown Plugin] introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+
+*Possible investigation steps*
+
+
+- Identify the system that issued the DNS query for the suspicious hostname. Determine whether it is a server or an end user device. This technique is typically only relevant against server systems, but queries originating from workstations may indicate compromise or misuse.
+- Identify attacker-controlled system by getting the IP addresses (`dns.resolved_ip`) that this DNS query resolved to by looking for the related `lookup_result` events.
+ - !{investigate{"label":"Show the related DNS events","providers":[[{"excluded":false,"field":"dns.question.name","queryType":"phrase","value":"{{dns.question.name}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
+- If this alert was triggered on a domain controller, escalate the investigation to involve the incident response team to determine the full scope of the breach as soon as possible.
+
+
+*False positive analysis*
+
+
+- This activity is unlikely to happen legitimately.
+
+
+*Response and remediation*
+
+
+- Review and remove malicious DNS records containing the embedded CREDENTIAL_TARGET_INFORMATION Base64 payload (UWhRCA...BAAAA). Ensure that no additional coercion records exist in the same DNS zone.
+- Isolate involved systems if signs of compromise or lateral movement are detected, especially if the record was successfully resolved and used for coercion.
+- Monitor network traffic for signs of Man-in-the-Middle activity, focusing on unusual DNS queries or redirections.
+- Escalate the incident to the security operations center (SOC) for further investigation and to assess the potential impact on other systems.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+network where host.os.type == "windows" and dns.question.name : "*UWhRC*BAAAA*"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Adversary-in-the-Middle
+** ID: T1557
+** Reference URL: https://attack.mitre.org/techniques/T1557/
+* Sub-technique:
+** Name: LLMNR/NBT-NS Poisoning and SMB Relay
+** ID: T1557.001
+** Reference URL: https://attack.mitre.org/techniques/T1557/001/
+* Technique:
+** Name: Forced Authentication
+** ID: T1187
+** Reference URL: https://attack.mitre.org/techniques/T1187/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-machine-account-relay-attack-via-smb.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-machine-account-relay-attack-via-smb.asciidoc
new file mode 100644
index 0000000000..8a3a3c0bd3
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-machine-account-relay-attack-via-smb.asciidoc
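Review bot: The investigation steps never point the analyst at the companion rule in this same package, "Potential Kerberos Coercion via DNS-Based SPN Spoofing", which alerts on the creation of the very record this rule sees being queried; the two are halves of one attack and the record-creation alert carries the account and time the analyst needs here. A step such as `- Correlate with alerts from "Potential Kerberos Coercion via DNS-Based SPN Spoofing" to identify the account that created the record and when.` would tie them together. Unlike the neighbouring rules, this one has no Setup section although its indices include Sysmon and Elastic Endgame; if DNS query events are not collected by default in those sources, a short note on what must be enabled would save readers a silent gap.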
@@ -0,0 +1,129 @@
+[[prebuilt-rule-8-17-14-potential-machine-account-relay-attack-via-smb]]
+=== Potential Machine Account Relay Attack via SMB
+
+Identifies potential relay attacks against a machine account by identifying network share access events coming from a remote source.ip but using the target server computer account. This may indicate a successful SMB relay attack.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-system.security*
+* logs-windows.forwarded*
+* winlogbeat-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/p0dalirius/windows-coerced-authentication-methods
+* https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications
+* https://attack.mitre.org/techniques/T1187/
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Credential Access
+* Data Source: Elastic Defend
+* Data Source: Active Directory
+* Use Case: Active Directory Monitoring
+* Data Source: Windows Security Event Logs
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Potential Machine Account Relay Attack via SMB*
+
+
+
+*Possible investigation steps*
+
+- Compare the source.ip to the target server host.ip addresses to make sure it's indeed a remote use of the machine account.
+- Examine the source.ip activities as this is the attacker IP address used to relay.
+- Review all relevant activities such as services creation, file and process events on the target server within the same period.
+- Verify the machine account names that end with a dollar sign ($) to ensure they match the expected hostnames, and investigate any discrepancies.
+- Check the network logon types to confirm if they align with typical usage patterns for the identified machine accounts.
+- Investigate the context of the source IP addresses that do not match the host IP, looking for any signs of unauthorized access or unusual network activity.
+- Correlate the findings with other security logs and alerts to identify any patterns or additional indicators of compromise related to the potential relay attack.
+
+
+*False positive analysis*
+
+
+- Machine accounts performing legitimate network logons from different IP addresses can trigger false positives. To manage this, identify and whitelist known IP addresses associated with legitimate administrative tasks or automated processes.
+- Scheduled tasks or automated scripts that use machine accounts for network operations may be flagged. Review and document these tasks, then create exceptions for their associated IP addresses and hostnames.
+- Load balancers or proxy servers that alter the source IP address of legitimate authentication requests can cause false alerts. Ensure these devices are accounted for in the network architecture and exclude their IP addresses from the rule.
+- Temporary network reconfigurations or migrations might result in machine accounts appearing to log in from unexpected hosts. During such events, temporarily adjust the rule parameters or disable the rule to prevent unnecessary alerts.
+- Regularly review and update the list of exceptions to ensure they reflect current network configurations and operational practices, minimizing the risk of overlooking genuine threats.
+
+
+*Response and remediation*
+
+
+- Coordinate isolation of the affected domain controller with infrastructure and identity teams to contain the threat while preserving service availability and forensic evidence. Prioritize this step if active compromise or attacker persistence is confirmed.
+- Reset the domain controller's machine account password, along with any accounts suspected to be compromised or exposed. Ensure strong, unique credentials are used and apply tiered credential hygiene where applicable.
+- Analyze recent authentication logs, event logs, and network traffic, focusing on suspicious activity and the source IPs referenced in the alert. Correlate findings to identify any lateral movement or additional compromised systems.
+- Strengthen network segmentation, especially between domain controllers, administrative workstations, and critical infrastructure. This limits the attack surface and impedes credential relay or reuse across systems.
+- Escalate the incident to the SOC or incident response team to coordinate a full investigation, containment, and recovery plan. Ensure stakeholders are kept informed throughout the response.
+- Enhance detection mechanisms by tuning alerts and deploying additional telemetry focused on credential relay patterns, anomalous authentication, and NTLM-related activity.
+- Conduct a structured post-incident review, documenting findings, identifying control gaps, and updating playbooks, configurations, or security policies to reduce the likelihood of similar incidents in the future.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+file where event.code == "5145" and endswith(user.name, "$") and
+
+ /* compare computername with user.name and make sure they match */
+ startswith~(winlog.computer_name, substring(user.name, 0, -1)) and
+
+ /* exclude local access */
+ not endswith(string(source.ip), string(host.ip)) and
+ source.ip != "::" and source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Forced Authentication
+** ID: T1187
+** Reference URL: https://attack.mitre.org/techniques/T1187/
+* Technique:
+** Name: Adversary-in-the-Middle
+** ID: T1557
+** Reference URL: https://attack.mitre.org/techniques/T1557/
+* Sub-technique:
+** Name: LLMNR/NBT-NS Poisoning and SMB Relay
+** ID: T1557.001
+** Reference URL: https://attack.mitre.org/techniques/T1557/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-hacktool-script-by-function-names.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-hacktool-script-by-function-names.asciidoc
new file mode 100644
index 0000000000..64bc8f23f6
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-hacktool-script-by-function-names.asciidoc
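Review bot: The local-access exclusion `not endswith(string(source.ip), string(host.ip))` in the rule query is a textual suffix test rather than an address comparison, so a remote source whose address string happens to end with the host's own (constructed example: source.ip 11.1.1.1 against host.ip 1.1.1.1) is silently treated as local and the relay is never alerted. If `endswith` was chosen because `host.ip` can be multi-valued, the `/* exclude local access */` comment should say so; otherwise an exact comparison of the two values would be tighter. Separately, the response section tells the reader to isolate "the affected domain controller" and reset "the domain controller's machine account password", while the description and query target any server whose computer account is used from a remote address; `- Coordinate isolation of the affected server (which may be a domain controller) with infrastructure and identity teams ...` would match the rule's actual scope.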
@@ -0,0 +1,356 @@ +[[prebuilt-rule-8-17-14-potential-powershell-hacktool-script-by-function-names]] +=== Potential PowerShell HackTool Script by Function Names + +Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.powershell* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md +* https://github.com/BC-SECURITY/Empire +* https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: PowerShell Logs +* Resources: Investigation Guide + +*Version*: 217 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Potential PowerShell HackTool Script by Function Names* + + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Adversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. 
By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the script using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + + +*False positive analysis* + + +- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools. 
+- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users. + + +*Related Rules* + + +- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88 +- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889 + + +*Response and Remediation* + + +- Initiate the incident response process based on the outcome of the triage. + - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Reimage the host operating system or restore the compromised files to clean versions. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + "Add-DomainGroupMember" or "Add-DomainObjectAcl" or + "Add-RemoteConnection" or "Add-ServiceDacl" or + "Add-Win32Type" or "Convert-ADName" or + "Convert-LDAPProperty" or "ConvertFrom-LDAPLogonHours" or + "ConvertFrom-UACValue" or "Copy-ArrayOfMemAddresses" or + "Create-NamedPipe" or "Create-ProcessWithToken" or + "Create-RemoteThread" or "Create-SuspendedWinLogon" or + "Create-WinLogonProcess" or "Emit-CallThreadStub" or + "Enable-SeAssignPrimaryTokenPrivilege" or "Enable-SeDebugPrivilege" or + "Enum-AllTokens" or "Export-PowerViewCSV" or + "Find-AVSignature" or "Find-AppLockerLog" or + "Find-DomainLocalGroupMember" or "Find-DomainObjectPropertyOutlier" or + "Find-DomainProcess" or "Find-DomainShare" or + "Find-DomainUserEvent" or "Find-DomainUserLocation" or + "Find-InterestingDomainAcl" or "Find-InterestingDomainShareFile" or + "Find-InterestingFile" or "Find-LocalAdminAccess" or + "Find-PSScriptsInPSAppLog" or "Find-PathDLLHijack" or + "Find-ProcessDLLHijack" or "Find-RDPClientConnection" or + "Get-AllAttributesForClass" or 
"Get-CachedGPPPassword" or + "Get-DecryptedCpassword" or "Get-DecryptedSitelistPassword" or + "Get-DelegateType" or "New-RelayEnumObject" or + "Get-DomainDFSShare" or "Get-DomainDFSShareV1" or + "Get-DomainDFSShareV2" or "Get-DomainDNSRecord" or + "Get-DomainDNSZone" or "Get-DomainFileServer" or + "Get-DomainForeignGroupMember" or "Get-DomainForeignUser" or + "Get-DomainGPO" or "Get-DomainGPOComputerLocalGroupMapping" or + "Get-DomainGPOLocalGroup" or "Get-DomainGPOUserLocalGroupMapping" or + "Get-DomainGUIDMap" or "Get-DomainGroup" or + "Get-DomainGroupMember" or "Get-DomainGroupMemberDeleted" or + "Get-DomainManagedSecurityGroup" or "Get-DomainOU" or + "Get-DomainObject" or "Get-DomainObjectAcl" or + "Get-DomainObjectAttributeHistory" or "Get-DomainObjectLinkedAttributeHistory" or + "Get-DomainPolicyData" or "Get-DomainSID" or + "Get-DomainSPNTicket" or "Get-DomainSearcher" or + "Get-DomainSite" or "Get-DomainSubnet" or + "Get-DomainTrust" or "Get-DomainTrustMapping" or + "Get-DomainUser" or "Get-DomainUserEvent" or + "Get-Forest" or "Get-ForestDomain" or + "Get-ForestGlobalCatalog" or "Get-ForestSchemaClass" or + "Get-ForestTrust" or "Get-GPODelegation" or + "Get-GPPAutologon" or "Get-GPPInnerField" or + "Get-GPPInnerFields" or "Get-GPPPassword" or + "Get-GptTmpl" or "Get-GroupsXML" or + "Get-HttpStatus" or "Get-ImageNtHeaders" or + "Get-Keystrokes" or "New-SOASerialNumberArray" or + "Get-MemoryProcAddress" or "Get-MicrophoneAudio" or + "Get-ModifiablePath" or "Get-ModifiableRegistryAutoRun" or + "Get-ModifiableScheduledTaskFile" or "Get-ModifiableService" or + "Get-ModifiableServiceFile" or "Get-Name" or + "Get-NetComputerSiteName" or "Get-NetLocalGroup" or + "Get-NetLocalGroupMember" or "Get-NetLoggedon" or + "Get-NetRDPSession" or "Get-NetSession" or + "Get-NetShare" or "Get-PEArchitecture" or + "Get-PEBasicInfo" or "Get-PEDetailedInfo" or + "Get-PathAcl" or "Get-PrimaryToken" or + "Get-ProcAddress" or "Get-ProcessTokenGroup" or + "Get-ProcessTokenPrivilege" 
or "Get-ProcessTokenType" or + "Get-RegLoggedOn" or "Get-RegistryAlwaysInstallElevated" or + "Get-RegistryAutoLogon" or "Get-RemoteProcAddress" or + "Get-Screenshot" or "Get-ServiceDetail" or + "Get-SiteListPassword" or "Get-SitelistField" or + "Get-System" or "Get-SystemNamedPipe" or + "Get-SystemToken" or "Get-ThreadToken" or + "Get-TimedScreenshot" or "Get-TokenInformation" or + "Get-TopPort" or "Get-UnattendedInstallFile" or + "Get-UniqueTokens" or "Get-UnquotedService" or + "Get-VaultCredential" or "Get-VaultElementValue" or + "Get-VirtualProtectValue" or "Get-VolumeShadowCopy" or + "Get-WMIProcess" or "Get-WMIRegCachedRDPConnection" or + "Get-WMIRegLastLoggedOn" or "Get-WMIRegMountedDrive" or + "Get-WMIRegProxy" or "Get-WebConfig" or + "Get-Win32Constants" or "Get-Win32Functions" or + "Get-Win32Types" or "Import-DllImports" or + "Import-DllInRemoteProcess" or "Inject-LocalShellcode" or + "Inject-RemoteShellcode" or "Install-ServiceBinary" or + "Invoke-CompareAttributesForClass" or "Invoke-CreateRemoteThread" or + "Invoke-CredentialInjection" or "Invoke-DllInjection" or + "Invoke-EventVwrBypass" or "Invoke-ImpersonateUser" or + "Invoke-Kerberoast" or "Invoke-MemoryFreeLibrary" or + "Invoke-MemoryLoadLibrary" or + "Invoke-Mimikatz" or "Invoke-NinjaCopy" or + "Invoke-PatchDll" or "Invoke-Portscan" or + "Invoke-PrivescAudit" or "Invoke-ReflectivePEInjection" or + "Invoke-ReverseDnsLookup" or "Invoke-RevertToSelf" or + "Invoke-ServiceAbuse" or "Invoke-Shellcode" or + "Invoke-TokenManipulation" or "Invoke-UserImpersonation" or + "Invoke-WmiCommand" or "Mount-VolumeShadowCopy" or + "New-ADObjectAccessControlEntry" or "New-DomainGroup" or + "New-DomainUser" or "New-DynamicParameter" or + "New-InMemoryModule" or + "New-ThreadedFunction" or "New-VolumeShadowCopy" or + "Out-CompressedDll" or "Out-EncodedCommand" or + "Out-EncryptedScript" or "Out-Minidump" or + "PortScan-Alive" or "Portscan-Port" or + "Remove-DomainGroupMember" or "Remove-DomainObjectAcl" or + 
"Remove-RemoteConnection" or "Remove-VolumeShadowCopy" or + "Restore-ServiceBinary" or "Set-DesktopACLToAllowEveryone" or + "Set-DesktopACLs" or "Set-DomainObject" or + "Set-DomainObjectOwner" or "Set-DomainUserPassword" or + "Set-ServiceBinaryPath" or "Sub-SignedIntAsUnsigned" or + "Test-AdminAccess" or "Test-MemoryRangeValid" or + "Test-ServiceDaclPermission" or "Update-ExeFunctions" or + "Update-MemoryAddresses" or "Update-MemoryProtectionFlags" or + "Write-BytesToMemory" or "Write-HijackDll" or + "Write-PortscanOut" or "Write-ServiceBinary" or + "Write-UserAddMSI" or "Invoke-Privesc" or + "func_get_proc_address" or "Invoke-BloodHound" or + "Invoke-HostEnum" or "Get-BrowserInformation" or + "Get-DomainAccountPolicy" or "Get-DomainAdmins" or + "Get-AVProcesses" or "Get-AVInfo" or + "Get-RecycleBin" or "Invoke-BruteForce" or + "Get-PassHints" or "Invoke-SessionGopher" or + "Get-LSASecret" or "Get-PassHashes" or + "Invoke-WdigestDowngrade" or "Get-ChromeDump" or + "Invoke-DomainPasswordSpray" or "Get-FoxDump" or + "New-HoneyHash" or "Invoke-DCSync" or + "Invoke-PowerDump" or "Invoke-SSIDExfil" or + "Invoke-PowerShellTCP" or "Add-Exfiltration" or + "Do-Exfiltration" or "Invoke-DropboxUpload" or + "Invoke-ExfilDataToGitHub" or "Invoke-EgressCheck" or + "Invoke-PostExfil" or "Create-MultipleSessions" or + "Invoke-NetworkRelay" or "New-GPOImmediateTask" or + "Invoke-WMIDebugger" or "Invoke-SQLOSCMD" or + "Invoke-SMBExec" or "Invoke-PSRemoting" or + "Invoke-ExecuteMSBuild" or "Invoke-DCOM" or + "Invoke-InveighRelay" or "Invoke-PsExec" or + "Invoke-SSHCommand" or "Find-ActiveUsersWMI" or + "Get-SystemDrivesWMI" or "Get-ActiveNICSWMI" or + "Remove-Persistence" or "DNS_TXT_Pwnage" or + "Execute-OnTime" or "HTTP-Backdoor" or + "Add-ConstrainedDelegationBackdoor" or "Add-RegBackdoor" or + "Add-ScrnSaveBackdoor" or "Gupt-Backdoor" or + "Invoke-ADSBackdoor" or "Add-Persistence" or + "Invoke-ResolverBackdoor" or "Invoke-EventLogBackdoor" or + "Invoke-DeadUserBackdoor" or 
"Invoke-DisableMachineAcctChange" or + "Invoke-AccessBinary" or "Add-NetUser" or + "Invoke-Schtasks" or "Invoke-JSRatRegsvr" or + "Invoke-JSRatRundll" or "Invoke-PoshRatHttps" or + "Invoke-PsGcatAgent" or "Remove-PoshRat" or + "Install-SSP" or "Invoke-BackdoorLNK" or + "PowerBreach" or "InstallEXE-Persistence" or + "RemoveEXE-Persistence" or "Install-ServiceLevel-Persistence" or + "Remove-ServiceLevel-Persistence" or "Invoke-Prompt" or + "Invoke-PacketCapture" or "Start-WebcamRecorder" or + "Get-USBKeyStrokes" or "Invoke-KeeThief" or + "Get-Keystrokes" or "Invoke-NetRipper" or + "Get-EmailItems" or "Invoke-MailSearch" or + "Invoke-SearchGAL" or "Get-WebCredentials" or + "Start-CaptureServer" or "Invoke-PowerShellIcmp" or + "Invoke-PowerShellTcpOneLine" or "Invoke-PowerShellTcpOneLineBind" or + "Invoke-PowerShellUdp" or "Invoke-PowerShellUdpOneLine" or + "Run-EXEonRemote" or "Download-Execute-PS" or + "Out-RundllCommand" or "Set-RemoteWMI" or + "Set-DCShadowPermissions" or "Invoke-PowerShellWMI" or + "Invoke-Vnc" or "Invoke-LockWorkStation" or + "Invoke-EternalBlue" or "Invoke-ShellcodeMSIL" or + "Invoke-MetasploitPayload" or "Invoke-DowngradeAccount" or + "Invoke-RunAs" or "ExetoText" or + "Disable-SecuritySettings" or "Set-MacAttribute" or + "Invoke-MS16032" or "Invoke-BypassUACTokenManipulation" or + "Invoke-SDCLTBypass" or "Invoke-FodHelperBypass" or + "Invoke-EventVwrBypass" or "Invoke-EnvBypass" or + "Get-ServiceUnquoted" or "Get-ServiceFilePermission" or + "Get-ServicePermission" or + "Enable-DuplicateToken" or "Invoke-PsUaCme" or + "Invoke-Tater" or "Invoke-WScriptBypassUAC" or + "Invoke-AllChecks" or "Find-TrustedDocuments" or + "Invoke-Interceptor" or "Invoke-PoshRatHttp" or + "Invoke-ExecCommandWMI" or "Invoke-KillProcessWMI" or + "Invoke-CreateShareandExecute" or "Invoke-RemoteScriptWithOutput" or + "Invoke-SchedJobManipulation" or "Invoke-ServiceManipulation" or + "Invoke-PowerOptionsWMI" or "Invoke-DirectoryListing" or + "Invoke-FileTransferOverWMI" or 
"Invoke-WMImplant" or + "Invoke-WMIObfuscatedPSCommand" or "Invoke-WMIDuplicateClass" or + "Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS" or + "Invoke-AzureHound" or "Invoke-SharpHound" + ) and + not powershell.file.script_block_text : ( + "sentinelbreakpoints" and "Set-PSBreakpoint" + ) and + not user.id : ("S-1-5-18" or "S-1-5-19") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-high-numeric-character-proportion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-high-numeric-character-proportion.asciidoc new file mode 100644 index 0000000000..d7ec4216a7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-high-numeric-character-proportion.asciidoc 
@@ -0,0 +1,120 @@ +[[prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-high-numeric-character-proportion]] +=== Potential PowerShell Obfuscation via High Numeric Character Proportion + +Identifies PowerShell scripts with a disproportionately high number of numeric characters, often indicating the presence of obfuscated or encoded payloads. This behavior is typical of obfuscation methods involving byte arrays, character code manipulation, or embedded encoded strings used to deliver and execute malicious content. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: PowerShell Logs + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The 'PowerShell Script Block Logging' logging policy must be enabled. 
+Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + + +==== Rule query + + +[source, js] +---------------------------------- +FROM logs-windows.powershell_operational* metadata _id, _version, _index +| WHERE event.code == "4104" + +// Look for scripts with more than 1000 chars that contain a related keyword +| EVAL script_len = LENGTH(powershell.file.script_block_text) +| WHERE script_len > 1000 + +// Replace string format expressions with 🔥 to enable counting the occurrence of the patterns we are looking for +// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1 +| EVAL replaced_with_fire = REPLACE(powershell.file.script_block_text, """[0-9]""", "🔥") + +// Count the occurrence of numbers and their proportion to the total chars in the script +| EVAL special_count = script_len - LENGTH(REPLACE(replaced_with_fire, "🔥", "")) +| EVAL proportion = special_count::double / script_len::double + +// Keep the fields relevant to the query, although this is not needed as the alert is populated using _id +| KEEP special_count, script_len, proportion, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id + +// Filter for scripts with a 30%+ proportion of numbers +| WHERE proportion > 0.30 + +// Exclude noisy patterns +| WHERE + NOT powershell.file.script_block_text RLIKE """.*\"[a-fA-F0-9]{64}\"\,.*""" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: 
https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-invalid-escape-sequences.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-invalid-escape-sequences.asciidoc new file mode 100644 index 0000000000..b1632a61fa --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-invalid-escape-sequences.asciidoc 
@@ -0,0 +1,116 @@ +[[prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-invalid-escape-sequences]] +=== Potential PowerShell Obfuscation via Invalid Escape Sequences + +Identifies PowerShell scripts that use invalid escape sequences as a form of obfuscation. This technique introduces backticks (`) between characters in a way that does not correspond to valid PowerShell escape sequences, breaking up strings and bypassing pattern-based detections while preserving execution logic. This is designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI). + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: PowerShell Logs + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The 'PowerShell Script Block Logging' logging policy must be enabled. 
+Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + + +==== Rule query + + +[source, js] +---------------------------------- +FROM logs-windows.powershell_operational* metadata _id, _version, _index +| WHERE event.code == "4104" and powershell.file.script_block_text LIKE "*`*" + +// Replace string format expressions with 🔥 to enable counting the occurrence of the patterns we are looking for +// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1 +| EVAL replaced_with_fire = REPLACE(powershell.file.script_block_text, """[A-Za-z0-9_-]`(?![rntb]|\r|\n|\d)[A-Za-z0-9_-]""", "🔥") + +// Count how many patterns were detected by calculating the number of 🔥 characters inserted +| EVAL count = LENGTH(replaced_with_fire) - LENGTH(REPLACE(replaced_with_fire, "🔥", "")) + +// Keep the fields relevant to the query, although this is not needed as the alert is populated using _id +| KEEP count, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.name, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id +| WHERE count >= 10 + +// Filter FPs, and due to the behavior of the LIKE operator, allow null values +| WHERE (file.name NOT LIKE "TSS_*.psm1" or file.name IS NULL) + +| WHERE + // VSCode Shell integration + NOT powershell.file.script_block_text LIKE "*$([char]0x1b)]633*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or 
Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-special-character-overuse.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-special-character-overuse.asciidoc new file mode 100644 index 0000000000..ec2e23cf07 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-special-character-overuse.asciidoc 
@@ -0,0 +1,119 @@ +[[prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-special-character-overuse]] +=== Potential PowerShell Obfuscation via Special Character Overuse + +Identifies PowerShell scripts with an unusually high proportion of whitespace and special characters, often indicative of obfuscation. This behavior is commonly associated with techniques such as SecureString encoding, formatting obfuscation, or character-level manipulation designed to bypass static analysis and AMSI inspection. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: PowerShell Logs + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The 'PowerShell Script Block Logging' logging policy must be enabled. 
+Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + + +==== Rule query + + +[source, js] +---------------------------------- +FROM logs-windows.powershell_operational* metadata _id, _version, _index +| WHERE event.code == "4104" + +// Replace repeated spaces used for formatting after a new line with a single space to reduce FPs +| EVAL dedup_space_script_block = REPLACE(powershell.file.script_block_text, """\n\s+""", "\n ") + +// Look for scripts with more than 1000 chars that contain a related keyword +| EVAL script_len = LENGTH(dedup_space_script_block) +| WHERE script_len > 1000 + +// Replace string format expressions with 🔥 to enable counting the occurrence of the patterns we are looking for +// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1 +| EVAL replaced_with_fire = REPLACE(dedup_space_script_block, """[\s\$\{\}\+\@\=\(\)\^\\\"~\[\]\?\.]""", "🔥") + +// Count the occurrence of numbers and their proportion to the total chars in the script +| EVAL special_count = script_len - LENGTH(REPLACE(replaced_with_fire, "🔥", "")) +| EVAL proportion = special_count::double / script_len::double + +// Keep the fields relevant to the query, although this is not needed as the alert is populated using _id +| KEEP special_count, script_len, proportion, dedup_space_script_block, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id + +// Filter for scripts with a 75%+ proportion of numbers +| WHERE proportion > 0.75 + 
+---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-string-concatenation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-string-concatenation.asciidoc new file mode 100644 index 0000000000..8f3d765ba3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-string-concatenation.asciidoc 
@@ -0,0 +1,113 @@ +[[prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-string-concatenation]] +=== Potential PowerShell Obfuscation via String Concatenation + +Identifies PowerShell scripts that use string concatenation as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI). + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: PowerShell Logs + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + + +==== Rule query + + +[source, js] +---------------------------------- +FROM logs-windows.powershell_operational* metadata _id, _version, _index +| WHERE event.code == "4104" + +// Look for scripts with more than 500 chars that contain a related keyword +| EVAL script_len = LENGTH(powershell.file.script_block_text) +| WHERE script_len > 500 + +// Replace string format expressions with 🔥 to enable counting the occurrence of the patterns we are looking for +// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1 +| EVAL replaced_with_fire = 
REPLACE(powershell.file.script_block_text, """['"][A-Za-z0-9.]+['"](\s?\+\s?['"][A-Za-z0-9.,\-\s]+['"]){2,}""", "🔥") + +// Count how many patterns were detected by calculating the number of 🔥 characters inserted +| EVAL count = LENGTH(replaced_with_fire) - LENGTH(REPLACE(replaced_with_fire, "🔥", "")) + +// Keep the fields relevant to the query, although this is not needed as the alert is populated using _id +| KEEP count, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id +| WHERE count >= 2 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-string-reordering.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-string-reordering.asciidoc new file mode 100644 index 0000000000..cb752c265e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-string-reordering.asciidoc 
@@ -0,0 +1,128 @@ +[[prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-string-reordering]] +=== Potential PowerShell Obfuscation via String Reordering + +Identifies PowerShell scripts that use string reordering and runtime reconstruction techniques as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI). + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: PowerShell Logs + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The 'PowerShell Script Block Logging' logging policy must be enabled. 
+Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + + +==== Rule query + + +[source, js] +---------------------------------- +FROM logs-windows.powershell_operational* metadata _id, _version, _index +| WHERE event.code == "4104" + +// Look for scripts with more than 500 chars that contain a related keyword +| EVAL script_len = LENGTH(powershell.file.script_block_text) +| WHERE script_len > 500 +| WHERE powershell.file.script_block_text LIKE "*{0}*" + +// Replace string format expressions with 🔥 to enable counting the occurrence of the patterns we are looking for +// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1 +| EVAL replaced_with_fire = REPLACE(powershell.file.script_block_text, """((\{\d+\}){2,}["']\s?-f|::Format[^\{]+(\{\d+\}){2,})""", "🔥") + +// Count how many patterns were detected by calculating the number of 🔥 characters inserted +| EVAL count = LENGTH(replaced_with_fire) - LENGTH(REPLACE(replaced_with_fire, "🔥", "")) + +// Keep the fields relevant to the query, although this is not needed as the alert is populated using _id +| KEEP count, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id +| WHERE count > 3 + +// Exclude Noisy Patterns + +// Icinga Framework +| WHERE (file.name NOT LIKE "framework_cache.psm1" or file.name IS NULL) +| WHERE NOT + // https://wtfbins.wtf/17 + ( + (powershell.file.script_block_text LIKE "*sentinelbreakpoints*" OR + powershell.file.script_block_text LIKE "*:::::\\\\windows\\\\sentinel*") + AND 
+ (powershell.file.script_block_text LIKE "*$local:Bypassed*" OR + powershell.file.script_block_text LIKE "*origPSExecutionPolicyPreference*") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-shell-configuration-creation-or-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-shell-configuration-creation-or-modification.asciidoc new file mode 100644 index 0000000000..6d123cab7c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-shell-configuration-creation-or-modification.asciidoc 
@@ -0,0 +1,189 @@
+[[prebuilt-rule-8-17-14-shell-configuration-creation-or-modification]]
+=== Shell Configuration Creation or Modification
+
+This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.file*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+* https://www.elastic.co/security-labs/primer-on-persistence-mechanisms
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Linux
+* Use Case: Threat Detection
+* Tactic: Persistence
+* Data Source: Elastic Defend
+* Resources: Investigation Guide
+
+*Version*: 9
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating Shell Configuration Creation or Modification*
+
+
+Shell configuration files in Unix-like systems are crucial for setting up user environments by defining variables, aliases, and startup scripts. Adversaries exploit these files to execute malicious code persistently. The detection rule identifies suspicious creation or modification of these files, excluding benign processes, to flag potential threats, aligning with tactics like persistence and event-triggered execution.
+
+
+*Possible investigation steps*
+
+
+- Review the specific file path involved in the alert to determine if it is a system-wide or user-specific shell configuration file, as listed in the query.
+- Identify the process executable that triggered the alert and verify if it is part of the excluded benign processes. If not, investigate the process's origin and purpose.
+- Check the modification or creation timestamp of the file to correlate with any known user activities or scheduled tasks that might explain the change.
+- Examine the contents of the modified or newly created shell configuration file for any suspicious or unauthorized entries, such as unexpected scripts or commands.
+- Investigate the user account associated with the file modification to determine if the activity aligns with their typical behavior or if the account may have been compromised.
+- Cross-reference the alert with other security logs or alerts to identify any related suspicious activities or patterns that could indicate a broader attack campaign.
+
+
+*False positive analysis*
+
+
+- System package managers like dpkg, rpm, and yum often modify shell configuration files during software installations or updates. To handle these, exclude processes with executables such as /bin/dpkg or /usr/bin/rpm from triggering alerts.
+- Automated system management tools like Puppet and Chef may alter shell configuration files as part of their routine operations. Exclude these processes by adding exceptions for executables like /opt/puppetlabs/puppet/bin/puppet or /usr/bin/chef-client.
+- User account management activities, such as adding new users, can lead to shell configuration file modifications. Exclude processes like /usr/sbin/adduser or /sbin/useradd to prevent false positives in these scenarios.
+- Temporary files created by text editors (e.g., .swp files) during editing sessions can trigger alerts. Exclude file extensions such as swp, swpx, and swx to avoid these false positives.
+- Virtualization and containerization tools like Docker and Podman may modify shell configuration files as part of their operations. Exclude executables like /usr/bin/dockerd or /usr/bin/podman to manage these cases.
+
+
+*Response and remediation*
+
+
+- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
+- Review the modified or newly created shell configuration files to identify and remove any unauthorized or malicious code.
+- Restore the affected shell configuration files from a known good backup to ensure the system's environment is clean and secure.
+- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware or persistence mechanisms.
+- Monitor the system and network for any signs of re-infection or related suspicious activity, focusing on the indicators of compromise (IOCs) associated with the Kaiji malware family.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
+- Implement additional monitoring and alerting for changes to shell configuration files to enhance detection of similar threats in the future.
+
+==== Setup
+
+
+
+*Setup*
+
+
+This rule requires data coming in from Elastic Defend.
+
+
+*Elastic Defend Integration Setup*
+
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+
+*Prerequisite Requirements:*
+
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation].
+
+
+*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:*
+
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide].
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide].
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide].
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : (
+ // system-wide configurations
+ "/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc", "/etc/bash.bash_logout", "/etc/zsh/*",
+ "/etc/csh.cshrc", "/etc/csh.login", "/etc/fish/config.fish", "/etc/ksh.kshrc",
+ // root and user configurations
+ "/home/*/.profile", "/home/*/.bashrc", "/home/*/.bash_login", "/home/*/.bash_logout", "/home/*/.bash_profile",
+ "/root/.profile", "/root/.bashrc", "/root/.bash_login", "/root/.bash_logout", "/root/.bash_profile",
+ "/root/.bash_aliases", "/home/*/.bash_aliases", "/home/*/.zprofile", "/home/*/.zshrc", "/root/.zprofile",
+ "/root/.zshrc", "/home/*/.cshrc", "/home/*/.login", "/home/*/.logout", "/root/.cshrc", "/root/.login",
+ "/root/.logout", "/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish", "/home/*/.kshrc",
+ "/root/.kshrc"
+) and not (
+ process.executable in (
+ "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
+ "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
+ "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
+ "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
+ "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
+ "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
+ "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon",
+ "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/sbin/adduser", "/usr/sbin/useradd", "/usr/local/bin/dockerd",
+ "/usr/sbin/gdm", "/usr/bin/unzip", "/usr/bin/gnome-shell", "/sbin/mkhomedir_helper", "/usr/sbin/sshd",
+ "/opt/puppetlabs/puppet/bin/ruby", "/usr/bin/xfce4-session", "/usr/libexec/oddjob/mkhomedir", "/sbin/useradd",
+ "/usr/lib/systemd/systemd", "/usr/sbin/crond", "/usr/bin/pamac-daemon", "/usr/sbin/mkhomedir_helper",
+ "/opt/pbis/sbin/lwsmd", "/usr/sbin/oddjobd"
+ ) or
+ file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
+ file.Ext.original.extension == "dpkg-new" or
+ process.executable : (
+ "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*",
+ "/usr/libexec/platform-python*"
+ ) or
+ process.executable == null or
+ process.name in ("adclient", "mkhomedir_helper", "teleport", "mkhomedir", "adduser", "desktopDaemon", "executor", "crio") or
+ (process.name == "sed" and file.name : "sed*") or
+ (process.name == "perl" and file.name : "e2scrub_all.tmp*")
+)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Event Triggered Execution
+** ID: T1546
+** Reference URL: https://attack.mitre.org/techniques/T1546/
+* Sub-technique:
+** Name: Unix Shell Configuration Modification
+** ID: T1546.004
+** Reference URL: https://attack.mitre.org/techniques/T1546/004/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-suspicious-microsoft-oauth-flow-via-auth-broker-to-drs.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-suspicious-microsoft-oauth-flow-via-auth-broker-to-drs.asciidoc
new file mode 100644
index 0000000000..92b3991d76
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-suspicious-microsoft-oauth-flow-via-auth-broker-to-drs.asciidoc
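Review bot: In the `process.executable in (...)` exclusion list of the rule query, the entry `"/dev/fd/*"` is compared as a literal string (EQL `in` does not expand wildcards), so it never matches and is only effective through the later `process.executable : ("/nix/store/*", ..., "/dev/fd/*", ...)` clause; `"/bin/podman"`, `"/usr/bin/podman"` and `"/usr/bin/pamac-daemon"` are also listed twice. Removing the dead and duplicate entries keeps the exclusion list reviewable without changing what the rule matches. The `process.executable == null or` exclusion deserves a one-line comment such as `// events with no process.executable are excluded; confirm the data source populates this field before relying on the rule` because it drops any file event lacking that field. Since this page is generated documentation, the change belongs in the source rule rather than in this file.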
@@ -0,0 +1,217 @@
+[[prebuilt-rule-8-17-14-suspicious-microsoft-oauth-flow-via-auth-broker-to-drs]]
+=== Suspicious Microsoft OAuth Flow via Auth Broker to DRS
+
+Identifies separate OAuth authorization flows in Microsoft Entra ID where the same user principal and session ID are observed across multiple IP addresses within a 5-minute window. These flows involve the Microsoft Authentication Broker (MAB) as the client application and the Device Registration Service (DRS) as the target resource. This pattern is highly indicative of OAuth phishing activity, where an adversary crafts a legitimate Microsoft login URL to trick a user into completing authentication and sharing the resulting authorization code, which is then exchanged for an access and refresh token by the attacker.
+
+*Rule type*: esql
+
+*Rule indices*: None
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 60m
+
+*Searches indices from*: now-61m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/
+* https://github.com/dirkjanm/ROADtools
+* https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/
+
+*Tags*:
+
+* Domain: Cloud
+* Domain: Identity
+* Data Source: Azure
+* Data Source: Entra ID
+* Data Source: Entra ID Sign-in Logs
+* Use Case: Identity and Access Audit
+* Use Case: Threat Detection
+* Resources: Investigation Guide
+* Tactic: Initial Access
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Suspicious Microsoft OAuth Flow via Auth Broker to DRS*
+
+
+This rule identifies potential OAuth phishing behavior in Microsoft Entra ID where two OAuth authorization flows are observed in quick succession, sharing the same user principal and session ID but originating from different IP addresses. The client application is the Microsoft Authentication Broker, and the target resource is the Device Registration Service (DRS). This pattern is indicative of adversaries attempting to phish targets for OAuth sessions by tricking users into authenticating through a crafted URL, which then allows the attacker to obtain an authorization code and exchange it for access and refresh tokens.
+
+
+*Possible Investigation Steps:*
+
+
+- `target`: The user principal name targeted by the authentication broker. Investigate whether this user has recently registered a device, signed in from new IPs, or had password resets or MFA changes.
+- `session_id`: Used to correlate all events in the OAuth flow. All sign-ins in the alert share the same session, suggesting shared or hijacked state.
+- `unique_token_id`: Lists tokens generated in the flow. If multiple IDs exist in the same session, this indicates token issuance from different locations.
+- `source_ip`, `city_name`, `country_name`, `region_name`: Review the IPs and geolocations involved. A mismatch in geographic origin within minutes can signal adversary involvement.
+- `user_agent`: Conflicting user agents (e.g., `python-requests` and `Chrome`) suggest one leg of the session was scripted or automated.
+- `os`: If multiple operating systems are observed in the same short session (e.g., macOS and Windows), this may suggest activity from different environments.
+- `incoming_token_type`: Look for values like `"none"` or `"refreshToken"` that can indicate abnormal or re-authenticated activity.
+- `token_session_status`: A value of `"unbound"` means the issued token is not tied to a device or CAE session, making it reusable from another IP.
+- `conditional_access_status`: If this is `"notApplied"`, it may indicate that expected access policies were not enforced.
+- `auth_count`: Number of events in the session. More than one indicates the session was reused within the time window.
+- `target_time_window`: Use this to pivot into raw sign-in logs to review the exact sequence and timing of the activity.
+- Search `azure.auditlogs` for any device join or registration activity around the `target_time_window`.
+- Review `azure.identityprotection` logs for anonymized IPs, impossible travel, or token replay alerts.
+- Search for other activity from the same IPs across all users to identify horizontal movement.
+
+
+*False Positive Analysis*
+
+
+- A legitimate device join from a user switching networks (e.g., mobile hotspot to Wi-Fi) could explain multi-IP usage.
+- Some identity management agents or EDR tools may use MAB for background device registration flows.
+- Developers or IT administrators may access DRS across environments when testing.
+
+
+*Response and Remediation*
+
+
+- If confirmed unauthorized, revoke all refresh tokens for the user and disable any suspicious registered devices.
+- Notify the user and verify if the authentication or device join was expected.
+- Review Conditional Access policies for the Microsoft Authentication Broker (`29d9ed98-a469-4536-ade2-f981bc1d605e`) to ensure enforcement of MFA and device trust.
+- Consider restricting token-based reauthentication from anonymized infrastructure or unusual user agents.
+- Continue monitoring for follow-on activity, such as privilege escalation, token misuse, or lateral movement.
+
+
+==== Setup
+
+
+
+*Required Microsoft Entra ID Sign-In Logs*
+
+This rule requires the Microsoft Entra ID Sign-In Logs integration be enabled and configured to collect sign-in logs. In Entra ID, sign-in logs must be enabled and streaming to the Event Hub used for the Azure integration.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+FROM logs-azure.signinlogs* metadata _id, _version, _index
+
+// Filter for Microsoft Entra ID sign-in logs
+| WHERE event.dataset == "azure.signinlogs"
+ AND event.outcome == "success"
+ AND azure.signinlogs.properties.user_type == "Member"
+ AND azure.signinlogs.identity IS NOT NULL
+ AND azure.signinlogs.properties.user_principal_name IS NOT NULL
+ AND source.address IS NOT NULL
+
+ // Filter for MAB as client (app_id) and DRS as resource (resource_id)
+ AND azure.signinlogs.properties.app_id == "29d9ed98-a469-4536-ade2-f981bc1d605e" // MAB
+ AND azure.signinlogs.properties.resource_id == "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9" // DRS
+
+// Normalize timestamps into 30-minute detection windows
+| EVAL target_time_window = DATE_TRUNC(30 minutes, @timestamp)
+
+// Tag browser-based requests and extract session ID
+| EVAL
+ session_id = azure.signinlogs.properties.session_id,
+ is_browser = CASE(
+ TO_LOWER(azure.signinlogs.properties.device_detail.browser) RLIKE "(chrome|firefox|edge|safari).*", 1, 0
+ )
+
+| STATS
+ // user & session identity
+ user_display_name = VALUES(azure.signinlogs.properties.user_display_name),
+ user_principal_name = VALUES(azure.signinlogs.properties.user_principal_name),
+ session_id = VALUES(azure.signinlogs.properties.session_id),
+ unique_token_id = VALUES(azure.signinlogs.properties.unique_token_identifier),
+
+ // geolocation
+ city_name = VALUES(source.geo.city_name),
+ country_name = VALUES(source.geo.country_name),
+ region_name = VALUES(source.geo.region_name),
+ source_ip = VALUES(source.address),
+ ip_count = COUNT_DISTINCT(source.address),
+ autonomous_system = VALUES(source.`as`.organization.name),
+
+ // authentication context
+ auth_protocol = VALUES(azure.signinlogs.properties.authentication_protocol),
+ auth_requirement = VALUES(azure.signinlogs.properties.authentication_requirement),
+ is_interactive = VALUES(azure.signinlogs.properties.is_interactive),
+
+ // token & app context
+ token_type = VALUES(azure.signinlogs.properties.incoming_token_type),
+ token_session_status = VALUES(azure.signinlogs.properties.token_protection_status_details.sign_in_session_status),
+ session_id_count = COUNT_DISTINCT(session_id),
+ client_app_display_name = VALUES(azure.signinlogs.properties.app_display_name),
+ client_app_ids = VALUES(azure.signinlogs.properties.app_id),
+ target_resource_ids = VALUES(azure.signinlogs.properties.resource_id),
+ target_resource_display_name = VALUES(azure.signinlogs.properties.resource_display_name),
+
+ // tenant details
+ app_owner_tenant_id = VALUES(azure.signinlogs.properties.app_owner_tenant_id),
+ resource_owner_tenant_id = VALUES(azure.signinlogs.properties.resource_owner_tenant_id),
+
+ // conditional access & risk signals
+ conditional_access_status = VALUES(azure.signinlogs.properties.conditional_access_status),
+ risk_state = VALUES(azure.signinlogs.properties.risk_state),
+ risk_level_aggregated = VALUES(azure.signinlogs.properties.risk_level_aggregated),
+
+ // user agent & device
+ browser = VALUES(azure.signinlogs.properties.device_detail.browser),
+ os = VALUES(azure.signinlogs.properties.device_detail.operating_system),
+ user_agent = VALUES(user_agent.original),
+ has_browser = MAX(is_browser),
+
+ auth_count = COUNT(*)
+BY
+ target_time_window,
+ azure.signinlogs.properties.user_principal_name,
+ session_id
+
+| KEEP
+ target_time_window, user_display_name, user_principal_name, session_id, unique_token_id,
+ city_name, country_name, region_name, source_ip, ip_count, autonomous_system,
+ auth_protocol, auth_requirement, is_interactive,
+ token_type, token_session_status, session_id_count, client_app_display_name,
+ client_app_ids, target_resource_ids, target_resource_display_name,
+ app_owner_tenant_id, resource_owner_tenant_id,
+ conditional_access_status, risk_state, risk_level_aggregated,
+ browser, os, user_agent, has_browser, auth_count
+
+| WHERE
+ ip_count >= 2 AND
+ session_id_count == 1 AND
+ has_browser >= 1 AND
+ auth_count >= 2
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Phishing
+** ID: T1566
+** Reference URL: https://attack.mitre.org/techniques/T1566/
+* Sub-technique:
+** Name: Spearphishing Link
+** ID: T1566.002
+** Reference URL: https://attack.mitre.org/techniques/T1566/002/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-unusual-parent-child-relationship.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-unusual-parent-child-relationship.asciidoc
new file mode 100644
index 0000000000..380d9f1b6c
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rule-8-17-14-unusual-parent-child-relationship.asciidoc
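Review bot: The rule description states the flows are correlated "within a 5-minute window", but the query groups on `| EVAL target_time_window = DATE_TRUNC(30 minutes, @timestamp)`, so the effective window is a fixed 30-minute bucket, and two sign-ins seconds apart on either side of a bucket boundary land in different groups and are never correlated. The description and the `// Normalize timestamps into 30-minute detection windows` comment should agree; either change the prose to "within the same 30-minute window" or size the bucket to the documented window, and in both cases note the boundary-split limitation in the investigation guide so analysts know a miss is possible. Separately, `session_id_count == 1 AND` in the final `WHERE` is always true because `session_id` is a `BY` key of the `STATS`, so that condition and the `session_id_count = COUNT_DISTINCT(session_id),` aggregate can be dropped. This page is generated documentation, so the fix belongs in the source rule.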
@@ -0,0 +1,175 @@
+[[prebuilt-rule-8-17-14-unusual-parent-child-relationship]]
+=== Unusual Parent-Child Relationship
+
+Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* endgame-*
+* logs-crowdstrike.fdr*
+* logs-endpoint.events.process-*
+* logs-m365_defender.event-*
+* logs-sentinel_one_cloud_funnel.*
+* logs-system.security*
+* logs-windows.forwarded*
+* logs-windows.sysmon_operational-*
+* winlogbeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png
+* https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/
+* https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Privilege Escalation
+* Resources: Investigation Guide
+* Data Source: Elastic Endgame
+* Data Source: Elastic Defend
+* Data Source: Windows Security Event Logs
+* Data Source: Microsoft Defender for Endpoint
+* Data Source: Sysmon
+* Data Source: SentinelOne
+* Data Source: Crowdstrike
+
+*Version*: 319
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Unusual Parent-Child Relationship*
+
+
+Windows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.
+
+This rule uses this information to spot suspicious parent and child processes.
+
+> **Note**:
+> This investigation guide uses the https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+
+*Possible investigation steps*
+
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.
+- Examine the host for derived artifacts that indicate suspicious activities:
+ - Analyze the process executable using a private sandboxed analysis system.
+ - Observe and collect information about the following activities in both the sandbox and the alert subject host:
+ - Attempts to contact external domains and addresses.
+ - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.
+ - Examine the DNS cache for suspicious or anomalous entries.
+ - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}}
+ - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.
+ - Examine the host services for suspicious or anomalous entries.
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}}
+ - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}}
+ - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}}
+ - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.
+
+
+
+*False positive analysis*
+
+
+- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.
+
+
+*Response and remediation*
+
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+ - Implement temporary network rules, procedures, and segmentation to contain the malware.
+ - Stop suspicious processes.
+ - Immediately block the identified indicators of compromise (IoCs).
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where host.os.type == "windows" and event.type == "start" and
+process.parent.name != null and
+ (
+ /* suspicious parent processes */
+ (process.name:"autochk.exe" and not process.parent.name:"smss.exe") or
+ (process.name:("fontdrvhost.exe", "dwm.exe") and not process.parent.name:("wininit.exe", "winlogon.exe", "dwm.exe")) or
+ (process.name:("consent.exe", "RuntimeBroker.exe", "TiWorker.exe") and not process.parent.name:("svchost.exe", "Workplace Container Helper.exe")) or
+ (process.name:"SearchIndexer.exe" and not process.parent.name:"services.exe") or
+ (process.name:"SearchProtocolHost.exe" and not process.parent.name:("SearchIndexer.exe", "dllhost.exe")) or
+ (process.name:"dllhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or
+ (process.name:"smss.exe" and not process.parent.name:("System", "smss.exe")) or
+ (process.name:"csrss.exe" and not process.parent.name:("smss.exe", "svchost.exe")) or
+ (process.name:"wininit.exe" and not process.parent.name:"smss.exe") or
+ (process.name:"winlogon.exe" and not process.parent.name:"smss.exe") or
+ (process.name:("lsass.exe", "LsaIso.exe") and not process.parent.name:"wininit.exe") or
+ (process.name:"LogonUI.exe" and not process.parent.name:("wininit.exe", "winlogon.exe")) or
+ (process.name:"services.exe" and not process.parent.name:"wininit.exe") or
+ (process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe", "svchost.exe")) or
+ (process.name:"spoolsv.exe" and not process.parent.name:("services.exe", "Workplace Starter.exe")) or
+ (process.name:"taskhost.exe" and not process.parent.name:("services.exe", "svchost.exe", "ngentask.exe")) or
+ (process.name:"taskhostw.exe" and not process.parent.name:("services.exe", "svchost.exe")) or
+ (process.name:"userinit.exe" and not process.parent.name:("dwm.exe", "winlogon.exe", "KUsrInit.exe")) or
+ (process.name:("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") and not process.parent.name:"svchost.exe") or
+ /* suspicious child processes */
+ (process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe", "conhost.exe", "ngentask.exe")) or
+ (process.parent.name:"autochk.exe" and not process.name:("chkdsk.exe", "doskey.exe", "WerFault.exe")) or
+ (process.parent.name:"smss.exe" and not process.name:("autochk.exe", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "setupcl.exe", "WerFault.exe", "wpbbin.exe", "PvsVmBoot.exe", "SophosNA.exe", "omnissa-ic-nga.exe", "icarus_rvrt.exe", "poqexec.exe")) or
+ (process.parent.name:"wermgr.exe" and not process.name:("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe")) or
+ (process.parent.name:"conhost.exe" and not process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe", "WerFaultSecure.exe"))
+ )
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Process Injection
+** ID: T1055
+** Reference URL: https://attack.mitre.org/techniques/T1055/
+* Sub-technique:
+** Name: Process Hollowing
+** ID: T1055.012
+** Reference URL: https://attack.mitre.org/techniques/T1055/012/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rules-8-17-14-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rules-8-17-14-appendix.asciidoc
new file mode 100644
index 0000000000..938e133014
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rules-8-17-14-appendix.asciidoc
@@ -0,0 +1,45 @@
+["appendix",role="exclude",id="prebuilt-rule-8-17-14-prebuilt-rules-8-17-14-appendix"]
+= Downloadable rule update v8.17.14
+
+This section lists all updates associated with version 8.17.14 of the Fleet integration *Prebuilt Security Detection Rules*.
+
+
+include::prebuilt-rule-8-17-14-aws-cloudtrail-log-evasion.asciidoc[]
+include::prebuilt-rule-8-17-14-aws-ec2-ebs-snapshot-access-removed.asciidoc[]
+include::prebuilt-rule-8-17-14-microsoft-entra-id-exccessive-account-lockouts-detected.asciidoc[]
+include::prebuilt-rule-8-17-14-bloodhound-suite-user-agents-detected.asciidoc[]
+include::prebuilt-rule-8-17-14-entra-id-protection-risk-detection-user-risk.asciidoc[]
+include::prebuilt-rule-8-17-14-kubernetes-service-account-secret-access.asciidoc[]
+include::prebuilt-rule-8-17-14-kubeconfig-file-discovery.asciidoc[]
+include::prebuilt-rule-8-17-14-kubectl-permission-discovery.asciidoc[]
+include::prebuilt-rule-8-17-14-kubeconfig-file-creation-or-modification.asciidoc[]
+include::prebuilt-rule-8-17-14-potential-kerberos-coercion-via-dns-based-spn-spoofing.asciidoc[]
+include::prebuilt-rule-8-17-14-potential-kerberos-spn-spoofing-via-suspicious-dns-query.asciidoc[]
+include::prebuilt-rule-8-17-14-potential-machine-account-relay-attack-via-smb.asciidoc[]
+include::prebuilt-rule-8-17-14-potential-cve-2025-33053-exploitation.asciidoc[]
+include::prebuilt-rule-8-17-14-aws-ec2-unauthorized-admin-credential-fetch-via-assumed-role.asciidoc[]
+include::prebuilt-rule-8-17-14-aws-vpc-flow-logs-deletion.asciidoc[]
+include::prebuilt-rule-8-17-14-aws-ec2-network-access-control-list-deletion.asciidoc[]
+include::prebuilt-rule-8-17-14-aws-ec2-deprecated-ami-discovery.asciidoc[]
+include::prebuilt-rule-8-17-14-aws-ec2-user-data-retrieval-for-ec2-instance.asciidoc[]
+include::prebuilt-rule-8-17-14-aws-ec2-ebs-snapshot-shared-or-made-public.asciidoc[]
+include::prebuilt-rule-8-17-14-deprecated-aws-ec2-snapshot-activity.asciidoc[]
+include::prebuilt-rule-8-17-14-aws-ec2-network-access-control-list-creation.asciidoc[]
+include::prebuilt-rule-8-17-14-aws-iam-assume-role-policy-update.asciidoc[]
+include::prebuilt-rule-8-17-14-deprecated-azure-entra-sign-in-brute-force-microsoft-365-accounts-by-repeat-source.asciidoc[]
+include::prebuilt-rule-8-17-14-entra-id-protection-risk-detection-sign-in-risk.asciidoc[]
+include::prebuilt-rule-8-17-14-suspicious-microsoft-oauth-flow-via-auth-broker-to-drs.asciidoc[]
+include::prebuilt-rule-8-17-14-kubernetes-user-exec-into-pod.asciidoc[]
+include::prebuilt-rule-8-17-14-container-management-utility-run-inside-a-container.asciidoc[]
+include::prebuilt-rule-8-17-14-loadable-kernel-module-configuration-file-creation.asciidoc[]
+include::prebuilt-rule-8-17-14-shell-configuration-creation-or-modification.asciidoc[]
+include::prebuilt-rule-8-17-14-outlook-home-page-registry-modification.asciidoc[]
+include::prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-invalid-escape-sequences.asciidoc[]
+include::prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-high-numeric-character-proportion.asciidoc[]
+include::prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-string-concatenation.asciidoc[]
+include::prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-string-reordering.asciidoc[]
+include::prebuilt-rule-8-17-14-potential-powershell-obfuscation-via-special-character-overuse.asciidoc[]
+include::prebuilt-rule-8-17-14-downloaded-url-files.asciidoc[]
+include::prebuilt-rule-8-17-14-potential-powershell-hacktool-script-by-function-names.asciidoc[]
+include::prebuilt-rule-8-17-14-high-number-of-process-and-or-service-terminations.asciidoc[]
+include::prebuilt-rule-8-17-14-unusual-parent-child-relationship.asciidoc[]
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rules-8-17-14-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rules-8-17-14-summary.asciidoc
new file mode 100644
index 0000000000..b9dddbc947
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rules-8-17-14-summary.asciidoc
@@ -0,0 +1,90 @@
+[[prebuilt-rule-8-17-14-prebuilt-rules-8-17-14-summary]]
+[role="xpack"]
+== Update v8.17.14
+
+This section lists all updates associated with version 8.17.14 of the Fleet integration *Prebuilt Security Detection Rules*.
+
+
+[width="100%",options="header"]
+|==============================================
+|Rule |Description |Status |Version
+
+|<> | Identifies the evasion of cloudtrail logging for IAM actions involving policy creation, modification or attachment. When making certain policy-related API calls, an adversary may pad the associated policy document with whitespaces to trigger CloudTrail’s logging size constraints, resulting in incomplete logging where critical details about the policy are omitted. By exploiting this gap, threat actors can bypass monitoring performed through CloudTrail and can effectively obscure unauthorized changes. This rule looks for IAM API calls with the requestParameters property containing reason:”requestParameters too large” and omitted:true. | new | 1
+
+|<> | Identifies the removal of access permissions from a shared AWS EC2 EBS snapshot. EBS snapshots are essential for data retention and disaster recovery. Adversaries may revoke or modify snapshot permissions to prevent legitimate users from accessing backups, thereby obstructing recovery efforts after data loss or destructive actions. This tactic can also be used to evade detection or maintain exclusive access to critical backups, ultimately increasing the impact of an attack and complicating incident response. | new | 1
+
+|<> | Identifies a high count of failed Microsoft Entra ID sign-in attempts as the result of the target user account being locked out. Adversaries may attempt to brute-force user accounts by repeatedly trying to authenticate with incorrect credentials, leading to account lockouts by Entra ID Smart Lockout policies. 
| new | 1
+
+|<> | Identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD) and Microsoft 365. | new | 1
+
+|<> | Identifies user risk detection events via Microsofts Entra ID Protection service. Entra ID Protection detects user risk activity such as anonymized IP addresses, unlikely travel, password spray, and more. | new | 1
+
+|<> | This rule detects when a process accesses Kubernetes service account secrets. Kubernetes service account secrets are files that contain sensitive information used by applications running in Kubernetes clusters to authenticate and authorize access to the cluster. These secrets are typically mounted into pods at runtime, allowing applications to access them securely. Unauthorized access to these secrets can lead to privilege escalation, lateral movement and unauthorized actions within the cluster. | new | 1
+
+|<> | The kubeconfig file is a critical component in Kubernetes environments, containing configuration details for accessing and managing Kubernetes clusters. Attackers may attempt to get access to, create, or modify kubeconfig files to gain unauthorized initial access to Kubernetes clusters or move laterally within the cluster. This rule detects process discovery executions that involve kubeconfig files, particularly those executed from common shell environments or world-writeable directories. | new | 1
+
+|<> | This rule detects the use of the "kubectl auth --can-i" command, which is used to check permissions in Kubernetes clusters. Attackers may use this command to enumerate permissions and discover potential misconfigurations in the cluster, allowing them to gain unauthorized access or escalate privileges. 
| new | 1
+
+|<> | The kubeconfig file is a critical component in Kubernetes environments, containing configuration details for accessing and managing Kubernetes clusters. Attackers may attempt to get access to, create or modify kubeconfig files to gain unauthorized initial access to Kubernetes clusters or move laterally within the cluster. | new | 1
+
+|<> | Identifies the creation of a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services (often the victim's own identity). This enables reflective Kerberos relay attacks, potentially resulting in privileged access such as NT AUTHORITY\SYSTEM, without relying on NTLM fallback. | new | 1
+
+|<> | Identifies queries to a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services (often the victim's own identity), enabling attacks such as NTLM reflection. | new | 1
+
+|<> | Identifies potential relay attacks against a machine account by identifying network share access events coming from a remote source.ip but using the target server computer account. This may indicate a successful SMB relay attack. | new | 1
+
+|<> | Identifies a suspicious Diagnostics Utility for Internet Explorer child process. 
This may indicate the successful exploitation of the vulnerability CVE-2025-33053. | new | 1
+
+|<> | Identifies the first occurrence of an unauthorized attempt by an AWS role to use `GetPassword` to access the administrator password of an EC2 instance. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances. | update | 7
+
+|<> | Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. | update | 212
+
+|<> | Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. | update | 210
+
+|<> | Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) in AWS. This may indicate an adversary looking for outdated AMIs that may be vulnerable to exploitation. While deprecated AMIs are not inherently malicious or indicative of a breach, they may be more susceptible to vulnerabilities and should be investigated for potential security risks. | update | 5
+
+|<> | Identifies discovery request DescribeInstanceAttribute with the attribute userData and instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is a New Terms rule that identifies the first time an IAM user or role requests the user data for a specific EC2 instance. | update | 6
+
+|<> | Identifies AWS EC2 EBS snaphots being shared with another AWS account or made public. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data. | update | 6
+
+|<> | An attempt was made to modify AWS EC2 snapshot attributes. 
Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. | update | 212
+
+|<> | Identifies the creation of an AWS EC2 network access control list (ACL) or an entry in a network ACL with a specified rule number. Adversaries may exploit ACLs to establish persistence or exfiltrate data by creating permissive rules. | update | 210
+
+|<> | Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role. An attacker may attempt to modify this policy to gain the privileges of the role. This is a New Terms rule, which means it will only trigger once for each unique combination of the "cloud.account.id", "user.name" and "aws.cloudtrail.flattened.request_parameters.roleName" fields, that have not been seen making this API request within the last 14 days. | update | 213
+
+|<> | Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams. | update | 4
+
+|<> | Identifies sign-in risk detection events via Microsofts Entra ID Protection service. Entra ID Protection detects sign-in activity such as anonymized IP addresses, unlikely travel, password spray, and more. | update | 2
+
+|<> | Identifies separate OAuth authorization flows in Microsoft Entra ID where the same user principal and session ID are observed across multiple IP addresses within a 5-minute window. 
These flows involve the Microsoft Authentication Broker (MAB) as the client application and the Device Registration Service (DRS) as the target resource. This pattern is highly indicative of OAuth phishing activity, where an adversary crafts a legitimate Microsoft login URL to trick a user into completing authentication and sharing the resulting authorization code, which is then exchanged for an access and refresh token by the attacker. | update | 2
+
+|<> | This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets. | update | 207
+
+|<> | This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration. | update | 3
+
+|<> | This rule detects the creation of Loadable Kernel Module (LKM) configuration files. Attackers may create or modify these files to allow their LKMs to be loaded upon reboot, ensuring persistence on a compromised system. | update | 5
+
+|<> | This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family. | update | 9
+
+|<> | Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or persistence. 
| update | 205
+
+|<> | Identifies PowerShell scripts that use invalid escape sequences as a form of obfuscation. This technique introduces backticks (`) between characters in a way that does not correspond to valid PowerShell escape sequences, breaking up strings and bypassing pattern-based detections while preserving execution logic. This is designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI). | update | 2
+
+|<> | Identifies PowerShell scripts with a disproportionately high number of numeric characters, often indicating the presence of obfuscated or encoded payloads. This behavior is typical of obfuscation methods involving byte arrays, character code manipulation, or embedded encoded strings used to deliver and execute malicious content. | update | 2
+
+|<> | Identifies PowerShell scripts that use string concatenation as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI). | update | 2
+
+|<> | Identifies PowerShell scripts that use string reordering and runtime reconstruction techniques as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI). | update | 3
+
+|<> | Identifies PowerShell scripts with an unusually high proportion of whitespace and special characters, often indicative of obfuscation. This behavior is commonly associated with techniques such as SecureString encoding, formatting obfuscation, or character-level manipulation designed to bypass static analysis and AMSI inspection. | update | 2
+
+|<> | Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns. | update | 7
+
+|<> | Detects known PowerShell offensive tooling functions names in PowerShell scripts. 
Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that. | update | 217
+
+|<> | This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period. | update | 216
+
+|<> | Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system. | update | 319
+
+|==============================================
diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc
index 3e3f1a4473..1bd89e72a9 100644
--- a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc
+++ b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc
@@ -13,6 +13,10 @@ For previous rule updates, please navigate to the https://www.elastic.co/guide/e
 |Update version |Date | New rules | Updated rules | Notes
+|<> | 18 Jun 2025 | 13 | 26 |
+This release includes new rules for Windows, Linux, Azure and AWS. New rules for Windows include detection for initial access and credential access. New rules for Linux include detection for discovery, lateral movement and credential access. New rules for Azure include detection for initial access, credential access and discovery. New rules for AWS include detection for impact and defense evasion. Additionally, significant rule tuning for Windows, Linux, AWS, Azure and Kubernetes rules has been added for better rule efficacy and performance.
+
+
 |<> | 03 Jun 2025 | 6 | 11 | This release includes new rules for Windows, Azure and Microsoft 365. New rules for Windows include detection for privilege escalation and defense evasion. New rules for Azure include detection for initial access and privilege escalation. New rules for Microsoft 365 include detection for defense evasion. Additionally, significant rule tuning for Windows, AWS, Azure and Microsoft 365 rules has been added for better rule efficacy and performance.
@@ -80,3 +84,4 @@ include::downloadable-packages/8-17-10/prebuilt-rules-8-17-10-summary.asciidoc[l
 include::downloadable-packages/8-17-11/prebuilt-rules-8-17-11-summary.asciidoc[leveloffset=+1]
 include::downloadable-packages/8-17-12/prebuilt-rules-8-17-12-summary.asciidoc[leveloffset=+1]
 include::downloadable-packages/8-17-13/prebuilt-rules-8-17-13-summary.asciidoc[leveloffset=+1]
+include::downloadable-packages/8-17-14/prebuilt-rules-8-17-14-summary.asciidoc[leveloffset=+1]
diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc
index 8573785888..73e59e0bce 100644
--- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc
+++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc
@@ -38,6 +38,8 @@ and their rule type is `machine_learning`.
 |<> |Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |None |212
+|<> |Identifies the evasion of cloudtrail logging for IAM actions involving policy creation, modification or attachment. When making certain policy-related API calls, an adversary may pad the associated policy document with whitespaces to trigger CloudTrail’s logging size constraints, resulting in incomplete logging where critical details about the policy are omitted. By exploiting this gap, threat actors can bypass monitoring performed through CloudTrail and can effectively obscure unauthorized changes. This rule looks for IAM API calls with the requestParameters property containing reason:”requestParameters too large” and omitted:true. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS IAM], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |None |1
+
 |<> |Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |None |211
 |<> |Identifies an update to an AWS log trail setting that specifies the delivery of log files. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Cloudtrail], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Impact] |None |211
@@ -62,11 +64,11 @@ and their rule type is `machine_learning`.
 |<> |Identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the ExportTableToPointInTime action in CloudTrail logs. This is a New Terms rule that only flags when this behavior is observed by the `aws.cloudtrail.user_identity.arn` for the first time in the last 14 days. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS DynamoDB], [Resources: Investigation Guide], [Use Case: Threat Detection], [Tactic: Exfiltration] |None |3
-|<> |Identifies the first occurrence of a user identity in AWS using `GetPassword` for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: Amazon EC2], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Credential Access] |None |6
+|<> |Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) in AWS. This may indicate an adversary looking for outdated AMIs that may be vulnerable to exploitation. While deprecated AMIs are not inherently malicious or indicative of a breach, they may be more susceptible to vulnerabilities and should be investigated for potential security risks. |[Domain: Cloud], [Data Source: AWS], [Data Source: AWS EC2], [Resources: Investigation Guide], [Use Case: Threat Detection], [Tactic: Discovery] |None |5
-|<> |Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) in AWS. This may indicate an adversary whom is looking for outdated AMIs that may be vulnerable to exploitation. 
While deprecated AMIs are not inherently malicious or indicate breach, they may be more susceptible to vulnerabilities and should be investigated for potential security risks. |[Domain: Cloud], [Data Source: AWS], [Data Source: AWS EC2], [Resources: Investigation Guide], [Use Case: Threat Detection], [Tactic: Discovery] |None |4
+|<> |Identifies the removal of access permissions from a shared AWS EC2 EBS snapshot. EBS snapshots are essential for data retention and disaster recovery. Adversaries may revoke or modify snapshot permissions to prevent legitimate users from accessing backups, thereby obstructing recovery efforts after data loss or destructive actions. This tactic can also be used to evade detection or maintain exclusive access to critical backups, ultimately increasing the impact of an attack and complicating incident response. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide] |None |1
-|<> |Identifies AWS EC2 EBS snaphots being shared with another AWS account or made public. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Use Case: Threat Detection], [Tactic: Exfiltration], [Resources: Investigation Guide] |None |5
+|<> |Identifies AWS EC2 EBS snaphots being shared with another AWS account or made public. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Use Case: Threat Detection], [Tactic: Exfiltration], [Resources: Investigation Guide] |None |6
 |<> |Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Tactic: Impact], [Resources: Investigation Guide] |None |209
@@ -80,17 +82,17 @@ and their rule type is `machine_learning`.
 |<> |Identifies when a single AWS resource is making `DescribeInstances` API calls in more than 10 regions within a 30-second window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target's infrastructure. |[Domain: Cloud], [Data Source: AWS], [Data Source: AWS EC2], [Resources: Investigation Guide], [Use Case: Threat Detection], [Tactic: Discovery] |None |4
-|<> |Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Use Case: Network Security Monitoring], [Tactic: Persistence], [Resources: Investigation Guide] |None |209
+|<> |Identifies the creation of an AWS EC2 network access control list (ACL) or an entry in a network ACL with a specified rule number. Adversaries may exploit ACLs to establish persistence or exfiltrate data by creating permissive rules. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Use Case: Network Security Monitoring], [Tactic: Persistence], [Tactic: Defense Evasion], [Resources: Investigation Guide] |None |210
-|<> |Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion], [Resources: Investigation Guide] |None |209
+|<> |Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion], [Resources: Investigation Guide] |None |210
 |<> |Identifies AWS CloudTrail events where an EC2 route table or association has been modified or deleted. Route table or association modifications can be used by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that detects the first instance of this behavior by the `aws.cloudtrail.user_identity.arn` field in the last 10 days. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Use Case: Network Security Monitoring], [Resources: Investigation Guide], [Tactic: Persistence] |None |210
 |<> |Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Use Case: Network Security Monitoring], [Resources: Investigation Guide], [Tactic: Persistence], [Tactic: Defense Evasion] |None |210
-|<> |An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration], [Resources: Investigation Guide] |None |211
+|<> |Identifies the first occurrence of an unauthorized attempt by an AWS role to use `GetPassword` to access the administrator password of an EC2 instance. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Credential Access] |None |7
-|<> |Identifies discovery request `DescribeInstanceAttribute` with the attribute userData and instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when `aws.cloudtrail.user_identity.arn` requests the user data for a specific `aws.cloudtrail.flattened.request_parameters.instanceId` from an EC2 instance in the last 14 days. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: Amazon EC2], [Resources: Investigation Guide], [Use Case: Log Auditing], [Tactic: Discovery] |None |5
+|<> |Identifies discovery request DescribeInstanceAttribute with the attribute userData and instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is a New Terms rule that identifies the first time an IAM user or role requests the user data for a specific EC2 instance. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: Amazon EC2], [Resources: Investigation Guide], [Use Case: Log Auditing], [Tactic: Discovery] |None |6
 |<> |Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration], [Tactic: Collection], [Resources: Investigation Guide] |None |209
@@ -112,7 +114,7 @@ and their rule type is `machine_learning`.
 |<> |An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. This rule looks for use of the IAM `AttachUserPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS IAM], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation], [Tactic: Persistence], [Resources: Investigation Guide] |None |5
-|<> |Identifies AWS CloudTrail events where an IAM role's trust policy has been updated. The trust policy is a JSON document that defines which principals are allowed to assume the role. An attacker may attempt to modify this policy to gain the privileges of the role. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule, which means it will only trigger once for each unique value of the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.flattened.request_parameters.roleName` fields that has not been seen making this API request within the last 14 days. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS IAM], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Privilege Escalation] |None |212
+|<> |Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role. An attacker may attempt to modify this policy to gain the privileges of the role.
This is a New Terms rule, which means it will only trigger once for each unique combination of the "cloud.account.id", "user.name" and "aws.cloudtrail.flattened.request_parameters.roleName" fields, that have not been seen making this API request within the last 14 days. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS IAM], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Privilege Escalation] |None |213
 |<> |Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Credential Access] |None |212
@@ -248,7 +250,7 @@ and their rule type is `machine_learning`.
 |<> |Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the `withDecryption` parameter set to true. This is a [NewTerms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that detects the first occurrence of a specific AWS ARN accessing SecureString parameters with decryption within the last 10 days. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Systems Manager], [Tactic: Credential Access], [Resources: Investigation Guide] |None |5
-|<> |Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |None |211
+|<> |Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |None |212
 |<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion], [Resources: Investigation Guide] |None |209
@@ -410,14 +412,10 @@ and their rule type is `machine_learning`.
 |<> |Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses. |[Domain: Cloud], [Data Source: Azure], [Tactic: Defense Evasion], [Resources: Investigation Guide] |None |105
-|<> |Identifies potential brute-force (password spraying) attempts against Azure Entra ID user accounts by detecting a high number of failed non-interactive single-factor authentication (SFA) login attempts within a 10-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Azure Entra ID services. Non-interactive SFA login attempts bypass conditional-access policies (CAP) and multi-factor authentication (MFA) requirements, making them a high-risk vector for unauthorized access. Adversaries may attempt this to identify which accounts are still valid from acquired credentials via phishing, infostealers, or other means. |[Domain: Cloud], [Data Source: Azure], [Data Source: Entra ID], [Data Source: Entra ID Sign-in], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide] |None |1
-
 |<> |Identifies rare Azure Entra ID apps IDs requesting authentication on-behalf-of a principal user. An adversary with stolen credentials may specify an Azure-managed app ID to authenticate on-behalf-of a user. This is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The app ID specified may not be commonly used by the user based on their historical sign-in activity.
|[Domain: Cloud], [Data Source: Azure], [Data Source: Entra ID], [Data Source: Entra ID Sign-in], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Initial Access], [Resources: Investigation Guide] |None |3
 |<> |Identifies brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password (TOTP) verification codes. This rule detects high frequency failed TOTP code attempts for a single user in a short time-span. Adversaries with valid credentials, when attempting to login to Azure portal or other Azure services, may be prompted to provide a TOTP code as part of the MFA process. If successful, adversaries can bypass MFA and gain unauthorized access to Azure resources. |[Domain: Cloud], [Domain: SaaS], [Data Source: Azure], [Data Source: Entra ID], [Data Source: Entra ID Sign-in], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide] |None |2
-|<> |Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams. |[Domain: Cloud], [Domain: SaaS], [Data Source: Azure], [Data Source: Entra ID], [Data Source: Entra ID Sign-in], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide] |None |3
-
 |<> |Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace.
This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application. |[Domain: Cloud], [Data Source: Azure], [Use Case: Log Auditing], [Tactic: Collection], [Resources: Investigation Guide] |None |106
 |<> |Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection. |[Domain: Cloud], [Data Source: Azure], [Use Case: Log Auditing], [Tactic: Defense Evasion], [Resources: Investigation Guide] |None |105
@@ -470,6 +468,8 @@ and their rule type is `machine_learning`.
 |<> |Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Sysmon], [Data Source: Elastic Endgame], [Data Source: Windows Security Event Logs] |None |108
+|<> |Identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD) and Microsoft 365. |[Domain: Cloud], [Data Source: Azure], [Data Source: Azure Activity Logs], [Data Source: Graph API], [Data Source: Graph API Activity Logs], [Data Source: Microsoft 365], [Data Source: Microsoft 365 Audit Logs], [Data Source: Microsoft Entra ID], [Data Source: Microsoft Entra ID Audit Logs], [Data Source: Microsoft Entra ID Sign-in Logs], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide] |None |1
+
 |<> |This rule detects the process of copying or moving files from or to the `/boot` directory on Linux systems. The `/boot` directory contains files that are essential for the system to boot, such as the kernel and initramfs images. Attackers may copy or move files to the `/boot` directory to modify the boot process, which can be leveraged to maintain access to the system.
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Auditd Manager], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |4
 |<> |Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: SentinelOne], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Resources: Investigation Guide] |None |206
@@ -514,7 +514,7 @@ and their rule type is `machine_learning`.
 |<> |Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |211
-|<> |This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration. |[Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |2
+|<> |This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration. |[Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |3
 |<> |Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Windows Security Event Logs], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |317
@@ -584,6 +584,10 @@ and their rule type is `machine_learning`.
 |<> |Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Windows Security Event Logs], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Crowdstrike] |None |314
+|<> |An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration], [Resources: Investigation Guide] |None |212
+
+|<> |Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams. |[Domain: Cloud], [Domain: SaaS], [Data Source: Azure], [Data Source: Entra ID], [Data Source: Entra ID Sign-in], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide] |None |4
+
 |<> |Identifies when a virtual network device is modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router.
**Deprecated Notice** - This rule has been deprecated in favor of other rules that provide more contextual threat behavior for Azure Virtual Network. |[Domain: Cloud], [Data Source: Azure], [Use Case: Network Security Monitoring], [Tactic: Impact], [Resources: Investigation Guide] |None |105
 |<> |Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |111
@@ -616,7 +620,7 @@ and their rule type is `machine_learning`.
 |<> |Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |6
-|<> |Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |6
+|<> |Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |7
 |<> |This rule detects the creation of Dracut module files on Linux systems. Dracut is a tool used to generate an initramfs image that is used to boot the system. Dracut modules are scripts that are executed during the initramfs image generation process. Attackers may create malicious Dracut modules to execute arbitrary code at boot time, which can be leveraged to maintain persistence on a Linux system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Execution], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Data Source: SentinelOne], [Data Source: Elastic Endgame], [Resources: Investigation Guide] |None |4
@@ -658,6 +662,10 @@ and their rule type is `machine_learning`.
 |<> |Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e). |[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft Entra ID], [Use Case: Identity and Access Audit], [Tactic: Credential Access], [Resources: Investigation Guide] |None |4
+|<> |Identifies sign-in risk detection events via Microsofts Entra ID Protection service. Entra ID Protection detects sign-in activity such as anonymized IP addresses, unlikely travel, password spray, and more. |[Domain: Cloud], [Domain: Identity], [Data Source: Azure], [Data Source: Entra ID], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Use Case: Risk Detection], [Tactic: Initial Access], [Resources: Investigation Guide] |None |2
+
+|<> |Identifies user risk detection events via Microsofts Entra ID Protection service. Entra ID Protection detects user risk activity such as anonymized IP addresses, unlikely travel, password spray, and more. |[Domain: Cloud], [Domain: Identity], [Data Source: Azure], [Data Source: Entra ID], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Use Case: Risk Detection], [Tactic: Initial Access], [Resources: Investigation Guide] |None |1
+
 |<> |Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Windows Security Event Logs], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Crowdstrike] |None |213
 |<> |Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Windows Security Event Logs], [Data Source: Microsoft Defender for Endpoint], [Data Source: Crowdstrike], [Data Source: Sysmon] |None |217
@@ -944,7 +952,7 @@ and their rule type is `machine_learning`.
 |<> |This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Auditd Manager] |None |114
-|<> |This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Windows Security Event Logs] |None |215
+|<> |This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Windows Security Event Logs] |None |216
 |<> |A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine. |[Use Case: Lateral Movement Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Lateral Movement], [Resources: Investigation Guide] |None |7
@@ -1036,6 +1044,12 @@ and their rule type is `machine_learning`.
 |<> |Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint], [Data Source: Elastic Endgame], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |314
+|<> |The kubeconfig file is a critical component in Kubernetes environments, containing configuration details for accessing and managing Kubernetes clusters. Attackers may attempt to get access to, create or modify kubeconfig files to gain unauthorized initial access to Kubernetes clusters or move laterally within the cluster. |[Domain: Endpoint], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Defense Evasion], [Tactic: Initial Access], [Data Source: Elastic Defend] |None |1
+
+|<> |The kubeconfig file is a critical component in Kubernetes environments, containing configuration details for accessing and managing Kubernetes clusters. Attackers may attempt to get access to, create, or modify kubeconfig files to gain unauthorized initial access to Kubernetes clusters or move laterally within the cluster. This rule detects process discovery executions that involve kubeconfig files, particularly those executed from common shell environments or world-writeable directories.
|[Domain: Endpoint], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |None |1
+
+|<> |This rule detects the use of the "kubectl auth --can-i" command, which is used to check permissions in Kubernetes clusters. Attackers may use this command to enumerate permissions and discover potential misconfigurations in the cluster, allowing them to gain unauthorized access or escalate privileges. |[Domain: Endpoint], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |None |1
+
 |<> |This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster. This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously. |[Data Source: Kubernetes], [Tactic: Execution], [Tactic: Initial Access], [Tactic: Defense Evasion], [Resources: Investigation Guide] |None |9
 |<> |This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the host machine. |[Data Source: Kubernetes], [Tactic: Execution], [Tactic: Privilege Escalation], [Resources: Investigation Guide] |None |8
@@ -1054,11 +1068,13 @@ and their rule type is `machine_learning`.
 |<> |This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host. |[Data Source: Kubernetes], [Tactic: Execution], [Tactic: Privilege Escalation], [Resources: Investigation Guide] |None |207
+|<> |This rule detects when a process accesses Kubernetes service account secrets. Kubernetes service account secrets are files that contain sensitive information used by applications running in Kubernetes clusters to authenticate and authorize access to the cluster. These secrets are typically mounted into pods at runtime, allowing applications to access them securely. Unauthorized access to these secrets can lead to privilege escalation, lateral movement and unauthorized actions within the cluster. |[Domain: Endpoint], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Discovery], [Data Source: Elastic Defend] |None |1
+
 |<> |This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster.
An attacker that can create or modify pods or pod controllers in the kube-system namespace, can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control. |[Data Source: Kubernetes], [Tactic: Execution], [Tactic: Privilege Escalation], [Resources: Investigation Guide] |None |9
 |<> |This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster. |[Data Source: Kubernetes], [Tactic: Discovery], [Resources: Investigation Guide] |None |206
-|<> |This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets. |[Data Source: Kubernetes], [Tactic: Execution], [Resources: Investigation Guide] |None |206
+|<> |This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets. |[Data Source: Kubernetes], [Tactic: Execution], [Resources: Investigation Guide] |None |207
 |<> |Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump.
This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne] |None |314 
@@ -1094,7 +1110,7 @@ and their rule type is `machine_learning`.
 |<> |This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |110
-|<> |This rule detects the creation of Loadable Kernel Module (LKM) configuration files. Attackers may create or modify these files to allow their LKMs to be loaded upon reboot, ensuring persistence on a compromised system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |4
+|<> |This rule detects the creation of Loadable Kernel Module (LKM) configuration files. Attackers may create or modify these files to allow their LKMs to be loaded upon reboot, ensuring persistence on a compromised system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |5
 |<> |Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint], [Resources: Investigation Guide] |None |315 
@@ -1148,6 +1164,8 @@ and their rule type is `machine_learning`.
 |<> |This rule detects the creation of potentially malicious files within the default MOTD file directories. Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |15
+|<> |Identifies potential brute-force attacks targeting Microsoft 365 user accounts by analyzing failed sign-in patterns in Microsoft Entra ID Sign-In Logs. This detection focuses on a high volume of failed interactive or non-interactive authentication attempts within a short time window, often indicative of password spraying, credential stuffing, or password guessing. Adversaries may use these techniques to gain unauthorized access to Microsoft 365 services such as Exchange Online, SharePoint, or Teams. |[Domain: Cloud], [Domain: SaaS], [Domain: Identity], [Data Source: Azure], [Data Source: Entra ID], [Data Source: Entra ID Sign-in Logs], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide] |8.17.0 |105
+
 |<> |Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.
|[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Initial Access], [Resources: Investigation Guide] |None |209
 |<> |Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Initial Access], [Resources: Investigation Guide] |None |209
@@ -1216,6 +1234,8 @@ and their rule type is `machine_learning`.
 |<> |Identifies when a user has elevated their access to User Access Administrator for their Azure Resources. The User Access Administrator role allows users to manage user access to Azure resources, including the ability to assign roles and permissions. Adversaries may target an Entra ID Global Administrator or other privileged role to elevate their access to User Access Administrator, which can lead to further privilege escalation and unauthorized access to sensitive resources. This is a New Terms rule that only signals if the user principal name has not been seen doing this activity in the last 14 days. |[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft Entra ID], [Data Source: Microsoft Entra ID Audit Logs], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation], [Resources: Investigation Guide] |None |1
+|<> |Identifies a high count of failed Microsoft Entra ID sign-in attempts as the result of the target user account being locked out. Adversaries may attempt to brute-force user accounts by repeatedly trying to authenticate with incorrect credentials, leading to account lockouts by Entra ID Smart Lockout policies. |[Domain: Cloud], [Domain: Identity], [Data Source: Azure], [Data Source: Entra ID], [Data Source: Entra ID Sign-in Logs], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide] |8.17.0 |1
+
 |<> |Identifies high risk Microsoft Entra ID sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.
|[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft Entra ID], [Data Source: Microsoft Entra ID Sign-in Logs], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Initial Access] |None |108
 |<> |Identifies an illicit consent grant request on-behalf-of a registered Entra ID application. Adversaries may create and register an application in Microsoft Entra ID for the purpose of requesting user consent to access resources. This is accomplished by tricking a user into granting consent to the application, typically via a pre-made phishing URL. This establishes an OAuth grant that allows the malicious client applocation to access resources on-behalf-of the user. |[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft Entra ID], [Data Source: Microsoft Entra ID Audit Logs], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Initial Access], [Tactic: Credential Access] |None |216
@@ -1224,8 +1244,6 @@ and their rule type is `machine_learning`.
 |<> |Identifies Microsoft Entra ID Protection sign-in risk detections triggered by a range of risk events such as anonymized IP addresses, password spray attacks, impossible travel, token anomalies, and more. These detections are often early indicators of potential account compromise or malicious sign-in behavior. This is a promotion rule intended to surface all Entra ID sign-in risk events for further investigation and correlation with other identity-related activity. This is a building block rule that is used to collect all Microsoft Entra ID Protection sign-in or user risk detections. It is not intended to be used as a standalone detection. |[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft Entra ID], [Data Source: Microsoft Entra ID Protection], [Data Source: Microsoft Entra ID Protection Logs], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Rule Type: BBR] |None |1
-|<> |Identifies Microsoft Entra ID Protection risk detections triggered due to sign-in activity from anonymized IP addresses, which is often associated with Tor exit nodes, proxies, or anonymizing VPNs. This behavior may indicate evasion tactics or account compromise activity. |[Domain: Cloud], [Data Source: Azure], [Data Source: Entra ID], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide] |None |1
-
 |<> |Identifies rare instances of authentication requirements for Azure Entra ID principal users. An adversary with stolen credentials may attempt to authenticate with unusual authentication requirements, which is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The authentication requirements specified may not be commonly used by the user based on their historical sign-in activity.
|[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft Entra ID], [Data Source: Microsoft Entra ID Sign-in Logs], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Initial Access], [Resources: Investigation Guide] |None |4
 |<> |Identifies when a new service principal is added in Microsoft Entra ID. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity. |[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft Entra ID], [Data Source: Microsoft Entra ID Audit Logs], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Persistence] |None |108
@@ -1236,6 +1254,8 @@ and their rule type is `machine_learning`.
 |<> |This rule detects non-interactive authentication activity against SharePoint Online (`Office 365 SharePoint Online`) by a user principal via the `Microsoft Authentication Broker` application. The session leverages a refresh token or Primary Refresh Token (PRT) without interactive sign-in, often used in OAuth phishing or token replay scenarios. |[Domain: Cloud], [Use Case: Identity and Access Audit], [Tactic: Collection], [Data Source: Azure], [Data Source: Microsoft Entra ID], [Data Source: Microsoft Entra ID Sign-in Logs], [Resources: Investigation Guide] |None |2
+|<> |Identifies potential brute-force attacks targeting user accounts by analyzing failed sign-in patterns in Microsoft Entra ID Sign-In Logs. This detection focuses on a high volume of failed interactive or non-interactive authentication attempts within a short time window, often indicative of password spraying, credential stuffing, or password guessing. Adversaries may use these techniques to gain unauthorized access to applications integrated with Entra ID or to compromise valid user accounts. |[Domain: Cloud], [Domain: Identity], [Data Source: Azure], [Data Source: Entra ID], [Data Source: Entra ID Sign-in Logs], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide] |8.17.0 |2
+
 |<> |Identifies suspicious activity reported by users in Microsoft Entra ID where users have reported suspicious activity related to their accounts, which may indicate potential compromise or unauthorized access attempts. Reported suspicious activity typically occurs during the authentication process and may involve various authentication methods, such as password resets, account recovery, or multi-factor authentication challenges.
Adversaries may attempt to exploit user accounts by leveraging social engineering techniques or other methods to gain unauthorized access to sensitive information or resources. |[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft Entra ID], [Data Source: Microsoft Entra ID Audit Logs], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Initial Access] |None |1
 |<> |Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Data Source: Elastic Defend], [Data Source: Windows Security Event Logs], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |315
@@ -1410,7 +1430,7 @@ and their rule type is `machine_learning`.
 |<> |Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Data Source: Sysmon], [Resources: Investigation Guide] |None |212
-|<> |Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |204
+|<> |Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |205
 |<> |A machine learning job combination has identified a parent process with one or more suspicious Windows processes that exhibit unusually high malicious probability scores. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model.
Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. |[Domain: Endpoint], [OS: Windows], [Use Case: Living off the Land Attack Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Defense Evasion], [Resources: Investigation Guide] |None |110 
@@ -1492,6 +1512,8 @@ and their rule type is `machine_learning`.
 |<> |Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index, through a threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short time interval could indicate application exploitation attempts. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Initial Access], [Use Case: Vulnerability], [Rule Type: Higher-Order Rule], [Resources: Investigation Guide] |None |4
+|<> |Identifies a suspicious Diagnostics Utility for Internet Explorer child process. This may indicate the successful exploitation of the vulnerability CVE-2025-33053. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |1
+
 |<> |Monitors for the execution of a file system mount followed by a chroot execution. Given enough permissions, a user within a container is capable of mounting the root file system of the host, and leveraging chroot to escape its containarized environment. This behavior pattern is very uncommon and should be investigated. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Domain: Container], [Data Source: Elastic Defend], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |106
 |<> |This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment.
Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |11 
@@ -1588,6 +1610,10 @@ and their rule type is `machine_learning`.
 |<> |Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Lateral Movement], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |110
+|<> |Identifies the creation of a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services (often the victim's own identity). This enables reflective Kerberos relay attacks, potentially resulting in privileged access such as NT AUTHORITY\SYSTEM, without relying on NTLM fallback. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Active Directory], [Use Case: Active Directory Monitoring], [Data Source: Windows Security Event Logs], [Resources: Investigation Guide] |None |1
+
+|<> |Identifies queries to a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services (often the victim's own identity), enabling attacks such as NTLM reflection.
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Data Source: Sysmon], [Resources: Investigation Guide] |None |1
+
 |<> |Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Microsoft Defender for Endpoint], [Resources: Investigation Guide] |None |109
 |<> |Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Sysmon], [Data Source: Windows Security Event Logs], [Resources: Investigation Guide] |None |212
@@ -1614,6 +1640,8 @@ and their rule type is `machine_learning`.
 |<> |Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Windows Security Event Logs], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |315
+|<> |Identifies potential relay attacks against a machine account by identifying network share access events coming from a remote source.ip but using the target server computer account. This may indicate a successful SMB relay attack. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Data Source: Active Directory], [Use Case: Active Directory Monitoring], [Data Source: Windows Security Event Logs], [Resources: Investigation Guide] |None |1
+
 |<> |Identifies PowerShell script blocks associated with multiple distinct detections, indicating likely malicious behavior. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Rule Type: Higher-Order Rule], [Resources: Investigation Guide] |None |1
 |<> |This detection identifies a Linux host that has potentially been infected with malware and is being used to conduct brute-force attacks against external systems over SSH (port 22 and common alternative SSH ports). The detection looks for a high volume of outbound connection attempts to non-private IP addresses from a single process. A compromised host may be part of a botnet or controlled by an attacker, attempting to gain unauthorized access to remote systems.
This behavior is commonly observed in SSH brute-force campaigns where malware hijacks vulnerable machines to expand its attack surface. ES|QL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Impact], [Tactic: Execution], [Tactic: Command and Control], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |3 
@@ -1634,8 +1662,6 @@ and their rule type is `machine_learning`.
 |<> |This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection. |[Data Source: Auditd Manager], [Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide] |None |10
-|<> |Identifies potential brute-force attacks targeting Microsoft 365 user accounts by analyzing failed sign-in patterns in Microsoft Entra ID Sign-In Logs. This detection focuses on a high volume of failed interactive or non-interactive authentication attempts within a short time window, often indicative of password spraying, credential stuffing, or password guessing. Adversaries may use these techniques to gain unauthorized access to Microsoft 365 services such as Exchange Online, SharePoint, or Teams. |[Domain: Cloud], [Domain: SaaS], [Data Source: Azure], [Data Source: Entra ID], [Data Source: Entra ID Sign-in], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide] |8.17.0 |104
-
 |<> |Identifies brute-force authentication activity targeting Microsoft 365 user accounts using failed sign-in patterns that match password spraying, credential stuffing, or password guessing behavior. Adversaries may attempt brute-force authentication with credentials obtained from previous breaches, leaks, marketplaces or guessable passwords. |[Domain: Cloud], [Domain: SaaS], [Data Source: Microsoft 365], [Data Source: Microsoft 365 Audit Logs], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide] |8.17.0 |413
 |<> |Identifies the creation of a suspicious zip file prepended with special characters.
Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |110 
@@ -1680,7 +1706,7 @@ and their rule type is `machine_learning`.
 |<> |Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: PowerShell Logs], [Resources: Investigation Guide] |None |107
-|<> |Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: PowerShell Logs], [Resources: Investigation Guide] |None |216
+|<> |Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: PowerShell Logs], [Resources: Investigation Guide] |None |217
 |<> |Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI). |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs], [Resources: Investigation Guide] |None |107
@@ -1690,19 +1716,19 @@ and their rule type is `machine_learning`.
 |<> |Identifies PowerShell scripts that use concatenated strings within dynamic command invocation (&() or .()) as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI). |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs] |None |1
-|<> |Identifies PowerShell scripts with a disproportionately high number of numeric characters, often indicating the presence of obfuscated or encoded payloads. This behavior is typical of obfuscation methods involving byte arrays, character code manipulation, or embedded encoded strings used to deliver and execute malicious content. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs] |None |1
+|<> |Identifies PowerShell scripts with a disproportionately high number of numeric characters, often indicating the presence of obfuscated or encoded payloads. This behavior is typical of obfuscation methods involving byte arrays, character code manipulation, or embedded encoded strings used to deliver and execute malicious content. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs] |None |2
 |<> |Identifies PowerShell scripts with an abnormally high proportion of non-alphanumeric characters, often resulting from encoding, string mangling, or dynamic code generation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs], [Rule Type: BBR] |None |1
-|<> |Identifies PowerShell scripts that use invalid escape sequences as a form of obfuscation.
This technique introduces backticks (`) between characters in a way that does not correspond to valid PowerShell escape sequences, breaking up strings and bypassing pattern-based detections while preserving execution logic. This is designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI). |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs] |None |1
+|<> |Identifies PowerShell scripts that use invalid escape sequences as a form of obfuscation. This technique introduces backticks (`) between characters in a way that does not correspond to valid PowerShell escape sequences, breaking up strings and bypassing pattern-based detections while preserving execution logic. This is designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI). |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs] |None |2
 |<> |Identifies PowerShell scripts that use reversed strings as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI). |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs] |8.17.0 |1
-|<> |Identifies PowerShell scripts with an unusually high proportion of whitespace and special characters, often indicative of obfuscation. This behavior is commonly associated with techniques such as SecureString encoding, formatting obfuscation, or character-level manipulation designed to bypass static analysis and AMSI inspection.
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs] |None |1
+|<> |Identifies PowerShell scripts with an unusually high proportion of whitespace and special characters, often indicative of obfuscation. This behavior is commonly associated with techniques such as SecureString encoding, formatting obfuscation, or character-level manipulation designed to bypass static analysis and AMSI inspection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs] |None |2
-|<> |Identifies PowerShell scripts that use string concatenation as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI). |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs] |None |1
+|<> |Identifies PowerShell scripts that use string concatenation as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI). |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs] |None |2
-|<> |Identifies PowerShell scripts that use string reordering and runtime reconstruction techniques as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI). |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs] |None |2
+|<> |Identifies PowerShell scripts that use string reordering and runtime reconstruction techniques as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs] |None |3
 |<> |Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |None |107
@@ -2144,7 +2170,7 @@ and their rule type is `machine_learning`.
 |<> |This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |13
-|<> |This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |8
+|<> |This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |9
 |<> |Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |112
@@ -2232,8 +2258,6 @@ and their rule type is `machine_learning`.
 |<> |Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Initial Access], [Resources: Investigation Guide] |8.15.0 |412
-|<> |Identifies suspicious activity from the Microsoft Authentication Broker in Microsoft Entra ID sign-in logs. This behavior may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to register a device and access Microsoft services as a user. The pattern includes sign-ins from multiple IPs across services (Microsoft Graph, DRS, AAD) using the Authentication Broker client on behalf of a principal user. |[Domain: Cloud], [Data Source: Azure], [Data Source: Entra ID], [Data Source: Entra ID Sign-in Logs], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Resources: Investigation Guide], [Tactic: Defense Evasion], [Tactic: Persistence] |8.17.0 |1
-
 |<> |Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint] |None |318
 |<> |Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript. 
|[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |111
@@ -2326,6 +2350,8 @@ and their rule type is `machine_learning`.
 |<> |Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Resources: Investigation Guide] |None |213
+|<> |Identifies separate OAuth authorization flows in Microsoft Entra ID where the same user principal and session ID are observed across multiple IP addresses within a 5-minute window. These flows involve the Microsoft Authentication Broker (MAB) as the client application and the Device Registration Service (DRS) as the target resource. This pattern is highly indicative of OAuth phishing activity, where an adversary crafts a legitimate Microsoft login URL to trick a user into completing authentication and sharing the resulting authorization code, which is then exchanged for an access and refresh token by the attacker. |[Domain: Cloud], [Domain: Identity], [Data Source: Azure], [Data Source: Entra ID], [Data Source: Entra ID Sign-in Logs], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Resources: Investigation Guide], [Tactic: Initial Access] |8.17.0 |2
+
 |<> |Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |110
 |<> |Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. 
Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system. |[Data Source: Auditd Manager], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR] |None |110
@@ -2640,7 +2666,7 @@ and their rule type is `machine_learning`.
 |<> |Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint], [Resources: Investigation Guide] |None |416
-|<> |Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Windows Security Event Logs], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Crowdstrike] |None |318
+|<> |Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Windows Security Event Logs], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Crowdstrike] |None |319
 |<> |Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |313
diff --git a/docs/detections/prebuilt-rules/rule-desc-index.asciidoc b/docs/detections/prebuilt-rules/rule-desc-index.asciidoc
index 33f3a803bc..52b91a9288 100644
--- a/docs/detections/prebuilt-rules/rule-desc-index.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-desc-index.asciidoc
@@ -10,6 +10,7 @@ include::rule-details/aws-cli-command-with-custom-endpoint-url.asciidoc[]
 include::rule-details/aws-cli-with-kali-linux-fingerprint-identified.asciidoc[]
 include::rule-details/aws-cloudtrail-log-created.asciidoc[]
 include::rule-details/aws-cloudtrail-log-deleted.asciidoc[]
+include::rule-details/aws-cloudtrail-log-evasion.asciidoc[]
 include::rule-details/aws-cloudtrail-log-suspended.asciidoc[]
 include::rule-details/aws-cloudtrail-log-updated.asciidoc[]
 include::rule-details/aws-cloudwatch-alarm-deletion.asciidoc[]
@@ -22,8 +23,8 @@ include::rule-details/aws-deletion-of-rds-instance-or-cluster.asciidoc[]
 include::rule-details/aws-discovery-api-calls-via-cli-from-a-single-resource.asciidoc[]
 include::rule-details/aws-dynamodb-scan-by-unusual-user.asciidoc[]
 include::rule-details/aws-dynamodb-table-exported-to-s3.asciidoc[]
-include::rule-details/aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc[]
 include::rule-details/aws-ec2-deprecated-ami-discovery.asciidoc[]
+include::rule-details/aws-ec2-ebs-snapshot-access-removed.asciidoc[]
 include::rule-details/aws-ec2-ebs-snapshot-shared-or-made-public.asciidoc[]
 include::rule-details/aws-ec2-encryption-disabled.asciidoc[]
 include::rule-details/aws-ec2-full-network-packet-capture-detected.asciidoc[]
@@ -35,7 +36,7 @@ include::rule-details/aws-ec2-network-access-control-list-creation.asciidoc[]
 include::rule-details/aws-ec2-network-access-control-list-deletion.asciidoc[]
 include::rule-details/aws-ec2-route-table-modified-or-deleted.asciidoc[]
 include::rule-details/aws-ec2-security-group-configuration-change.asciidoc[]
-include::rule-details/aws-ec2-snapshot-activity.asciidoc[]
+include::rule-details/aws-ec2-unauthorized-admin-credential-fetch-via-assumed-role.asciidoc[]
 include::rule-details/aws-ec2-user-data-retrieval-for-ec2-instance.asciidoc[]
 include::rule-details/aws-ec2-vm-export-failure.asciidoc[]
 include::rule-details/aws-efs-file-system-or-mount-deleted.asciidoc[]
@@ -196,10 +197,8 @@ include::rule-details/azure-blob-container-access-level-modification.asciidoc[]
 include::rule-details/azure-blob-permissions-modification.asciidoc[]
 include::rule-details/azure-command-execution-on-virtual-machine.asciidoc[]
 include::rule-details/azure-diagnostic-settings-deletion.asciidoc[]
-include::rule-details/azure-entra-id-password-spraying-non-interactive-sfa.asciidoc[]
 include::rule-details/azure-entra-id-rare-app-id-for-principal-authentication.asciidoc[]
 include::rule-details/azure-entra-mfa-totp-brute-force-attempts.asciidoc[]
-include::rule-details/azure-entra-sign-in-brute-force-microsoft-365-accounts-by-repeat-source.asciidoc[]
 include::rule-details/azure-event-hub-authorization-rule-created-or-updated.asciidoc[]
 include::rule-details/azure-event-hub-deletion.asciidoc[]
 include::rule-details/azure-external-guest-user-invitation.asciidoc[]
@@ -226,6 +225,7 @@ include::rule-details/behavior-prevented-elastic-defend.asciidoc[]
 include::rule-details/binary-content-copy-via-cmd-exe.asciidoc[]
 include::rule-details/binary-executed-from-shared-memory-directory.asciidoc[]
 include::rule-details/bitsadmin-activity.asciidoc[]
+include::rule-details/bloodhound-suite-user-agents-detected.asciidoc[]
 include::rule-details/boot-file-copy.asciidoc[]
 include::rule-details/browser-extension-install.asciidoc[]
 include::rule-details/bypass-uac-via-event-viewer.asciidoc[]
@@ -283,6 +283,8 @@ include::rule-details/default-cobalt-strike-team-server-certificate.asciidoc[]
 include::rule-details/delayed-execution-via-ping.asciidoc[]
 include::rule-details/delegated-managed-service-account-modification-by-an-unusual-user.asciidoc[]
 include::rule-details/delete-volume-usn-journal-with-fsutil.asciidoc[]
+include::rule-details/deprecated-aws-ec2-snapshot-activity.asciidoc[]
+include::rule-details/deprecated-azure-entra-sign-in-brute-force-microsoft-365-accounts-by-repeat-source.asciidoc[]
 include::rule-details/deprecated-azure-virtual-network-device-modified-or-deleted.asciidoc[]
 include::rule-details/deprecated-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc[]
 include::rule-details/deprecated-suspicious-file-creation-in-etc-for-persistence.asciidoc[]
@@ -320,6 +322,8 @@ include::rule-details/encoded-executable-stored-in-the-registry.asciidoc[]
 include::rule-details/encrypting-files-with-winrar-or-7z.asciidoc[]
 include::rule-details/endpoint-security-elastic-defend.asciidoc[]
 include::rule-details/entra-id-device-code-auth-with-broker-client.asciidoc[]
+include::rule-details/entra-id-protection-risk-detection-sign-in-risk.asciidoc[]
+include::rule-details/entra-id-protection-risk-detection-user-risk.asciidoc[]
 include::rule-details/enumerating-domain-trusts-via-dsquery-exe.asciidoc[]
 include::rule-details/enumerating-domain-trusts-via-nltest-exe.asciidoc[]
 include::rule-details/enumeration-command-spawned-via-wmiprvse.asciidoc[]
@@ -509,6 +513,9 @@ include::rule-details/keychain-commandline-interaction-via-unsigned-or-untrusted
 include::rule-details/keychain-password-retrieval-via-command-line.asciidoc[]
 include::rule-details/kill-command-execution.asciidoc[]
 include::rule-details/kirbi-file-creation.asciidoc[]
+include::rule-details/kubeconfig-file-creation-or-modification.asciidoc[]
+include::rule-details/kubeconfig-file-discovery.asciidoc[]
+include::rule-details/kubectl-permission-discovery.asciidoc[]
 include::rule-details/kubernetes-anonymous-request-authorized.asciidoc[]
 include::rule-details/kubernetes-container-created-with-excessive-linux-capabilities.asciidoc[]
 include::rule-details/kubernetes-denied-service-account-request.asciidoc[]
@@ -518,6 +525,7 @@ include::rule-details/kubernetes-pod-created-with-hostnetwork.asciidoc[]
 include::rule-details/kubernetes-pod-created-with-hostpid.asciidoc[]
 include::rule-details/kubernetes-pod-created-with-a-sensitive-hostpath-volume.asciidoc[]
 include::rule-details/kubernetes-privileged-pod-created.asciidoc[]
+include::rule-details/kubernetes-service-account-secret-access.asciidoc[]
 include::rule-details/kubernetes-suspicious-assignment-of-controller-service-account.asciidoc[]
 include::rule-details/kubernetes-suspicious-self-subject-review.asciidoc[]
 include::rule-details/kubernetes-user-exec-into-pod.asciidoc[]
@@ -565,6 +573,7 @@ include::rule-details/memory-swap-modification.asciidoc[]
 include::rule-details/memory-threat-detected-elastic-defend.asciidoc[]
 include::rule-details/memory-threat-prevented-elastic-defend.asciidoc[]
 include::rule-details/message-of-the-day-motd-file-creation.asciidoc[]
+include::rule-details/microsoft-365-brute-force-via-entra-id-sign-ins.asciidoc[]
 include::rule-details/microsoft-365-exchange-anti-phish-policy-deletion.asciidoc[]
 include::rule-details/microsoft-365-exchange-anti-phish-rule-modification.asciidoc[]
 include::rule-details/microsoft-365-exchange-dkim-signing-configuration-disabled.asciidoc[]
@@ -599,16 +608,17 @@ include::rule-details/microsoft-build-engine-using-an-alternate-name.asciidoc[]
 include::rule-details/microsoft-entra-id-concurrent-sign-ins-with-suspicious-properties.asciidoc[]
 include::rule-details/microsoft-entra-id-conditional-access-policy-cap-modified.asciidoc[]
 include::rule-details/microsoft-entra-id-elevated-access-to-user-access-administrator.asciidoc[]
+include::rule-details/microsoft-entra-id-exccessive-account-lockouts-detected.asciidoc[]
 include::rule-details/microsoft-entra-id-high-risk-sign-in.asciidoc[]
 include::rule-details/microsoft-entra-id-illicit-consent-grant-via-registered-application.asciidoc[]
 include::rule-details/microsoft-entra-id-oauth-phishing-via-visual-studio-code-client.asciidoc[]
 include::rule-details/microsoft-entra-id-protection-risk-detections.asciidoc[]
-include::rule-details/microsoft-entra-id-protection-anonymized-ip-risk-detection.asciidoc[]
 include::rule-details/microsoft-entra-id-rare-authentication-requirement-for-principal-user.asciidoc[]
 include::rule-details/microsoft-entra-id-service-principal-created.asciidoc[]
 include::rule-details/microsoft-entra-id-service-principal-credentials-added-by-rare-user.asciidoc[]
 include::rule-details/microsoft-entra-id-session-reuse-with-suspicious-graph-access.asciidoc[]
 include::rule-details/microsoft-entra-id-sharepoint-access-for-user-principal-via-auth-broker.asciidoc[]
+include::rule-details/microsoft-entra-id-sign-in-brute-force-activity.asciidoc[]
 include::rule-details/microsoft-entra-id-user-reported-suspicious-activity.asciidoc[]
 include::rule-details/microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc[]
 include::rule-details/microsoft-exchange-server-um-writing-suspicious-files.asciidoc[]
@@ -737,6 +747,7 @@ include::rule-details/potential-application-shimming-via-sdbinst.asciidoc[]
 include::rule-details/potential-azure-openai-model-theft.asciidoc[]
 include::rule-details/potential-backdoor-execution-through-pam-exec.asciidoc[]
 include::rule-details/potential-buffer-overflow-attack-detected.asciidoc[]
+include::rule-details/potential-cve-2025-33053-exploitation.asciidoc[]
 include::rule-details/potential-chroot-container-escape-via-mount.asciidoc[]
 include::rule-details/potential-code-execution-via-postgresql.asciidoc[]
 include::rule-details/potential-command-and-control-via-internet-explorer.asciidoc[]
@@ -785,6 +796,8 @@ include::rule-details/potential-internal-linux-ssh-brute-force-detected.asciidoc
 include::rule-details/potential-invoke-mimikatz-powershell-script.asciidoc[]
 include::rule-details/potential-java-jndi-exploitation-attempt.asciidoc[]
 include::rule-details/potential-kerberos-attack-via-bifrost.asciidoc[]
+include::rule-details/potential-kerberos-coercion-via-dns-based-spn-spoofing.asciidoc[]
+include::rule-details/potential-kerberos-spn-spoofing-via-suspicious-dns-query.asciidoc[]
 include::rule-details/potential-lsa-authentication-package-abuse.asciidoc[]
 include::rule-details/potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc[]
 include::rule-details/potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc[]
@@ -798,6 +811,7 @@ include::rule-details/potential-linux-ransomware-note-creation-detected.asciidoc
 include::rule-details/potential-linux-tunneling-and-or-port-forwarding.asciidoc[]
 include::rule-details/potential-linux-tunneling-and-or-port-forwarding-via-ssh-option.asciidoc[]
 include::rule-details/potential-local-ntlm-relay-via-http.asciidoc[]
+include::rule-details/potential-machine-account-relay-attack-via-smb.asciidoc[]
 include::rule-details/potential-malicious-powershell-based-on-alert-correlation.asciidoc[]
 include::rule-details/potential-malware-driven-ssh-brute-force-attempt.asciidoc[]
 include::rule-details/potential-masquerading-as-browser-process.asciidoc[]
@@ -808,7 +822,6 @@ include::rule-details/potential-masquerading-as-system32-executable.asciidoc[]
 include::rule-details/potential-masquerading-as-vlc-dll.asciidoc[]
 include::rule-details/potential-memory-seeking-activity.asciidoc[]
 include::rule-details/potential-meterpreter-reverse-shell.asciidoc[]
-include::rule-details/potential-microsoft-365-brute-force-via-entra-id-sign-ins.asciidoc[]
 include::rule-details/potential-microsoft-365-user-account-brute-force.asciidoc[]
 include::rule-details/potential-microsoft-office-sandbox-evasion.asciidoc[]
 include::rule-details/potential-modification-of-accessibility-binaries.asciidoc[]
@@ -1107,7 +1120,6 @@ include::rule-details/suspicious-apt-package-manager-execution.asciidoc[]
 include::rule-details/suspicious-apt-package-manager-network-connection.asciidoc[]
 include::rule-details/suspicious-access-to-ldap-attributes.asciidoc[]
 include::rule-details/suspicious-activity-reported-by-okta-user.asciidoc[]
-include::rule-details/suspicious-activity-via-auth-broker-on-behalf-of-principal-user.asciidoc[]
 include::rule-details/suspicious-antimalware-scan-interface-dll.asciidoc[]
 include::rule-details/suspicious-automator-workflows-execution.asciidoc[]
 include::rule-details/suspicious-browser-child-process.asciidoc[]
@@ -1154,6 +1166,7 @@ include::rule-details/suspicious-memory-grep-activity.asciidoc[]
 include::rule-details/suspicious-microsoft-365-mail-access-by-clientappid.asciidoc[]
 include::rule-details/suspicious-microsoft-365-userloggedin-via-oauth-code.asciidoc[]
 include::rule-details/suspicious-microsoft-diagnostics-wizard-execution.asciidoc[]
+include::rule-details/suspicious-microsoft-oauth-flow-via-auth-broker-to-drs.asciidoc[]
 include::rule-details/suspicious-mining-process-creation-event.asciidoc[]
 include::rule-details/suspicious-modprobe-file-event.asciidoc[]
 include::rule-details/suspicious-module-loaded-by-lsass.asciidoc[]
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-evasion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-evasion.asciidoc
new file mode 100644
index 0000000000..f5710f30ce
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-evasion.asciidoc
@@ -0,0 +1,129 @@
+[[aws-cloudtrail-log-evasion]]
+=== AWS CloudTrail Log Evasion
+
+Identifies the evasion of cloudtrail logging for IAM actions involving policy creation, modification or attachment. When making certain policy-related API calls, an adversary may pad the associated policy document with whitespaces to trigger CloudTrail’s logging size constraints, resulting in incomplete logging where critical details about the policy are omitted. By exploiting this gap, threat actors can bypass monitoring performed through CloudTrail and can effectively obscure unauthorized changes. This rule looks for IAM API calls with the requestParameters property containing reason:”requestParameters too large” and omitted:true.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-aws.cloudtrail-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://permiso.io/blog/cloudtrail-logging-evasion-where-policy-size-matters
+
+*Tags*:
+
+* Domain: Cloud
+* Data Source: AWS
+* Data Source: Amazon Web Services
+* Data Source: AWS IAM
+* Use Case: Log Auditing
+* Resources: Investigation Guide
+* Tactic: Defense Evasion
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating AWS CloudTrail Log Evasion*
+
+
+Amazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. In the `requestParameters` field of CloudTrail logs, a policy that was created/updated is typically displayed, including details such as the policy name and the full policy document content. 
However, when policies padded with large amounts of insignificant whitespace (such as spaces, tabs, or line breaks), reach a size range of 102,401 to 131,072 characters they begin to be omitted from CloudTrail logs and are instead rendered as "requestParameters too large". Attackers can do this to cover their tracks and impact security monitoring that relies on this source. This rule looks for IAM API calls with the requestParameters property containing reason:”requestParameters too large” and omitted:true.
+
+
+*Possible investigation steps*
+
+
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Investigate other alerts associated with the user account during the past 48 hours.
+- Contact the account and resource owners and confirm whether they are aware of this activity.
+- Check if this operation was approved and performed according to the organization's change management policy.
+- Considering the source IP address and geolocation of the user who issued the command:
+ - Do they look normal for the user?
+ - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?
+ - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
+- Examine the newly created or modified policy highlighted in `target.entity.id`.
+- If no policy name is included for event.actions like `PutRolePolicy`, analyze the inline policies attached to the `actor.entity.id` for unexpected permission changes or additions.
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours. 
+
+
+*False positive analysis*
+
+
+- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and IP address conditions. However, this behavior is rarely seen in legitimate operations and should be thoroughly investigated.
+
+
+*Response and remediation*
+
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+ - Identify the account role in the cloud environment.
+ - Assess the criticality of affected services and servers.
+ - Work with your IT team to identify and minimize the impact on users.
+ - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
+ - Identify any regulatory or legal ramifications related to this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
+- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.
+- Consider enabling multi-factor authentication for users.
+- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Implement security best practices https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/[outlined] by AWS.
+- Take the actions needed to return affected systems, data, or services to their normal operational levels.
+- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+==== Setup
+
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset: aws.cloudtrail and event.provider: iam.amazonaws.com and aws.cloudtrail.flattened.request_parameters.reason: "requestParameters too large" and aws.cloudtrail.flattened.request_parameters.omitted : true and event.outcome: success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
+* Sub-technique:
+** Name: Disable or Modify Cloud Logs
+** ID: T1562.008
+** Reference URL: https://attack.mitre.org/techniques/T1562/008/
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-deprecated-ami-discovery.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-deprecated-ami-discovery.asciidoc
index 33b7aeecc1..cea71179d5 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-deprecated-ami-discovery.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-deprecated-ami-discovery.asciidoc
@@ -1,7 +1,7 @@
 [[aws-ec2-deprecated-ami-discovery]]
 === AWS EC2 Deprecated AMI Discovery
-Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) in AWS. This may indicate an adversary whom is looking for outdated AMIs that may be vulnerable to exploitation. While deprecated AMIs are not inherently malicious or indicate breach, they may be more susceptible to vulnerabilities and should be investigated for potential security risks.
+Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) in AWS. This may indicate an adversary looking for outdated AMIs that may be vulnerable to exploitation. While deprecated AMIs are not inherently malicious or indicative of a breach, they may be more susceptible to vulnerabilities and should be investigated for potential security risks.
 *Rule type*: query
@@ -16,7 +16,7 @@ Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) i
 *Runs every*: 5m
-*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>)
 *Maximum alerts per execution*: 100
@@ -33,7 +33,7 @@ Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) i
 * Use Case: Threat Detection
 * Tactic: Discovery
-*Version*: 4
+*Version*: 5
 *Rule authors*:
@@ -62,29 +62,24 @@ This rule detects when a user queries AWS for deprecated Amazon Machine Images ( 1. **Identify the User Performing the Query**: - Review the `aws.cloudtrail.user_identity.arn` field to determine the AWS user or role making the request. - Check `aws.cloudtrail.user_identity.type` and `aws.cloudtrail.user_identity.access_key_id` to verify the type of access (e.g., IAM user, role, or federated identity). - - Investigate the `related.user` field for additional user context. 2. **Analyze the Source of the Request**: - Review the `source.ip` field to determine the IP address of the source making the request. - Check `source.geo` for the geographic location of the IP address. - Analyze the `user_agent.original` field to determine the client or tool used (e.g., AWS CLI, SDK). -3. **Review the Request Details**: - - Inspect the `aws.cloudtrail.flattened.request_parameters` field for query parameters, such as `includeDeprecated=true`. - - Confirm that the request explicitly includes deprecated AMIs (`includeDeprecated=true`) and is tied to specific owners via the `ownersSet` field. - - Verify the `event.action` is `DescribeImages` and the `event.outcome` is `success`. - -4. **Validate the Query Context**: +3. **Validate the Query Context**: + - Inspect the `aws.cloudtrail.flattened.request_parameters` field - Determine if the request is part of legitimate activity, such as: - Security assessments or vulnerability scans. - Maintenance or testing of legacy systems. - Check if the query aligns with recent changes in the AWS environment, such as new configurations or services. -5. **Correlate with Other Events**: +4. **Correlate with Other Events**: - Investigate additional AWS API calls from the same user or IP address for signs of reconnaissance or exploitation. - Review logs for related actions, such as launching instances from deprecated AMIs (`RunInstances` API call). -6. **Assess Security Risks**: +5. 
**Assess Security Risks**: - Evaluate the use of deprecated AMIs within your environment and their associated vulnerabilities. - Ensure that deprecated AMIs are not being used in production environments or systems exposed to external threats. @@ -138,7 +133,7 @@ event.dataset: "aws.cloudtrail" and event.action: "DescribeImages" and event.outcome: "success" and aws.cloudtrail.flattened.request_parameters.includeDeprecated: "true" - and aws.cloudtrail.request_parameters: *owner=* + and aws.cloudtrail.flattened.request_parameters.ownersSet.items.owner: * ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-ebs-snapshot-access-removed.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-ebs-snapshot-access-removed.asciidoc new file mode 100644 index 0000000000..f531c4695a --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-ebs-snapshot-access-removed.asciidoc 
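Review bot: The rewritten step 3 of the investigation guide now ends on the bare bullet "Inspect the `aws.cloudtrail.flattened.request_parameters` field", with no period and no indication of what to look for, because the removed step that named `includeDeprecated` and `ownersSet` was folded into it; suggest completing the bullet to say that `includeDeprecated` should be set and that the owners listed under `ownersSet` should be noted, so the guide still lines up with the query's new `ownersSet.items.owner: *` clause. Separately, the lookback change from `now-9m` to `now-6m` on a 5m schedule leaves only a one-minute overlap; the same change appears in the snapshot-shared, network ACL creation and deletion, user-data retrieval, assume-role policy and VPC flow log sections below. Given typical CloudTrail delivery latency it is worth confirming this is intended rather than a template default.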
@@ -0,0 +1,121 @@ +[[aws-ec2-ebs-snapshot-access-removed]] +=== AWS EC2 EBS Snapshot Access Removed + +Identifies the removal of access permissions from a shared AWS EC2 EBS snapshot. EBS snapshots are essential for data retention and disaster recovery. Adversaries may revoke or modify snapshot permissions to prevent legitimate users from accessing backups, thereby obstructing recovery efforts after data loss or destructive actions. This tactic can also be used to evade detection or maintain exclusive access to critical backups, ultimately increasing the impact of an attack and complicating incident response. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS EC2 +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating AWS EC2 EBS Snapshot Access Removed* + + +This rule detects when access is removed for an AWS EC2 EBS snapshot. EBS virtual disks can be copied into snapshots, which can then be used as backups for recovery and data retention efforts. Adversaries may attempt to remove access to snapshots in order to prevent legitimate users or automated processes from accessing or restoring from snapshots following data loss, ransomware, or destructive actions. This can significantly delay or even prevent recovery, increasing the impact of the attack. 
+Restricting snapshot access may help adversaries cover their tracks by making it harder for defenders to analyze or recover deleted or altered data. Attackers may remove permissions for all users except their own compromised account, allowing them to maintain exclusive access to backups for future use or leverage. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious. + + +*Possible Investigation Steps:* + + +- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they should have the necessary permissions. +- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the snapshot permissions. Look for any unusual parameters that could suggest unauthorized or malicious modifications. +- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access. +- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny. +- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities. In particular, use the `snapshotId` to see if this snapshot was shared with an unauthorized account. +- **Review UserID**: Check the `userId` field to identify which user's permissions were removed. Verify if this account should be authorized to access the data or if the access removal is expected. 
+ + +*False Positive Analysis:* + + +- **Legitimate Administrative Actions**: Confirm if the snapshot sharing aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems. +- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm. + + +*Response and Remediation:* + + +- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the snapshot permissions to restore it to its previous state. +- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions. +- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning snapshot management and sharing permissions. +- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege. +- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences. + + +*Additional Information:* + + +For further guidance on managing EBS snapshots and securing AWS environments, refer to the https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html[AWS EBS documentation] and AWS best practices for security. 
Additionally, consult the following resources for specific details on EBS snapshot security: +- https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html[AWS EBS Snapshot Permissions] +- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html[AWS API ModifySnapshotAttribute] + + +==== Rule query + + +[source, js] +---------------------------------- +from logs-aws.cloudtrail-* metadata _id, _version, _index +| where event.provider == "ec2.amazonaws.com" and event.action == "ModifySnapshotAttribute" and event.outcome == "success" +| dissect aws.cloudtrail.request_parameters "{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}" +| where operationType == "remove" +| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId, source.address + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-ebs-snapshot-shared-or-made-public.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-ebs-snapshot-shared-or-made-public.asciidoc index bd755e1c1e..e8fd50462c 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-ebs-snapshot-shared-or-made-public.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-ebs-snapshot-shared-or-made-public.asciidoc 
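Review bot: The false-positive guidance in this new rule asks the analyst to confirm whether "the snapshot sharing aligns with scheduled updates", but the rule fires on access removal (`| where operationType == "remove"`), so that sentence reads as carried over from the snapshot-shared rule; suggest `Confirm if the removal of snapshot access aligns with scheduled updates, decommissioning, or documented administrative tasks.` The `dissect` pattern also only matches a request whose `createVolumePermission` block carries exactly one `userId` item; a removal listing several account IDs, or one revoking public access via the group form of the attribute, would presumably fail the dissect and be dropped silently, which is worth either documenting in the guide or widening in the query. Finally, `userId` in this request is an AWS account ID rather than an IAM user, so the "Review UserID" step could say so explicitly to keep analysts from searching the wrong identity store.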
@@ -13,7 +13,7 @@ Identifies AWS EC2 EBS snaphots being shared with another AWS account or made pu *Runs every*: 5m -*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) *Maximum alerts per execution*: 100 @@ -34,7 +34,7 @@ Identifies AWS EC2 EBS snaphots being shared with another AWS account or made pu * Tactic: Exfiltration * Resources: Investigation Guide -*Version*: 5 +*Version*: 6 *Rule authors*: @@ -104,7 +104,7 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index | where event.provider == "ec2.amazonaws.com" and event.action == "ModifySnapshotAttribute" and event.outcome == "success" | dissect aws.cloudtrail.request_parameters "{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}" | where operationType == "add" and cloud.account.id != userId -| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId +| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId, source.address ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-creation.asciidoc index 064ccbe29c..68e3c7423c 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-creation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-creation.asciidoc 
@@ -1,7 +1,7 @@ [[aws-ec2-network-access-control-list-creation]] === AWS EC2 Network Access Control List Creation -Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. +Identifies the creation of an AWS EC2 network access control list (ACL) or an entry in a network ACL with a specified rule number. Adversaries may exploit ACLs to establish persistence or exfiltrate data by creating permissive rules. *Rule type*: query @@ -14,9 +14,9 @@ Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access con *Risk score*: 21 -*Runs every*: 10m +*Runs every*: 5m -*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) *Maximum alerts per execution*: 100 @@ -35,9 +35,10 @@ Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access con * Data Source: AWS EC2 * Use Case: Network Security Monitoring * Tactic: Persistence +* Tactic: Defense Evasion * Resources: Investigation Guide -*Version*: 209 +*Version*: 210 *Rule authors*: @@ -119,3 +120,15 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti ** Name: External Remote Services ** ID: T1133 ** Reference URL: https://attack.mitre.org/techniques/T1133/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-deletion.asciidoc index 4bcbd9b6c6..857f514e29 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-deletion.asciidoc @@ -14,9 +14,9 @@ Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access *Risk score*: 47 -*Runs every*: 10m +*Runs every*: 5m -*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) *Maximum alerts per execution*: 100 @@ -32,11 +32,12 @@ Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access * Domain: Cloud * Data Source: AWS * Data Source: Amazon Web Services +* Data Source: AWS EC2 * Use Case: Network Security Monitoring * Tactic: Defense Evasion * Resources: Investigation Guide -*Version*: 209 +*Version*: 210 *Rule authors*: @@ -119,6 +120,6 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti ** ID: T1562 ** Reference URL: https://attack.mitre.org/techniques/T1562/ * Sub-technique: -** Name: Disable or Modify Tools -** ID: T1562.001 -** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-unauthorized-admin-credential-fetch-via-assumed-role.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-unauthorized-admin-credential-fetch-via-assumed-role.asciidoc new file mode 100644 index 0000000000..1fed3d6db1 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-unauthorized-admin-credential-fetch-via-assumed-role.asciidoc 
@@ -0,0 +1,120 @@ +[[aws-ec2-unauthorized-admin-credential-fetch-via-assumed-role]] +=== AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role + +Identifies the first occurrence of an unauthorized attempt by an AWS role to use `GetPassword` to access the administrator password of an EC2 instance. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances. + +*Rule type*: new_terms + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS EC2 +* Use Case: Identity and Access Audit +* Resources: Investigation Guide +* Tactic: Credential Access + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role* + + +This rule detects the first occurrence of a role using the `GetPasswordData` API call, which retrieves the administrator password, against an unauthorized EC2 instance in AWS. This can be an indicator of an adversary attempting to escalate privileges or move laterally within EC2 instances. + +This is a New Terms rule, which means it will only trigger once for each unique value of the `aws.cloudtrail.user_identity.session_context.session_issuer.arn` field that has not been seen making this API request within the last 7 days. This field contains the Amazon Resource Name (ARN) of the assumed role that triggered the API call. 
+ + +*Possible Investigation Steps* + + +- **Identify the User Identity and Role**: Examine the AWS CloudTrail logs to determine the user identity that made the `GetPasswordData` request. Pay special attention to the role and permissions associated with the user. +- **Review Request Parameters**: Analyze the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.error_message` fields to understand the context of the API call. +- **Contextualize with User Behavior**: Compare this activity against the role's typical behavior patterns. Look for unusual login times, IP addresses, or other anomalous actions taken by the role prior to and following the incident. +- **Review EC2 Instance Details**: Check the details of the EC2 instance from which the password retrieval was attempted. Assess the criticality and sensitivity of the applications running on this instance. +- **Examine Related CloudTrail Events**: Search for other API calls made by the same role, especially those modifying security groups, network access controls, or instance metadata. +- **Investigate the Origin of the API Call**: Analyze the IP address and geographical location from which the request originated. Determine if it aligns with expected locations for legitimate administrative activity. + + +*False Positive Analysis* + + +- **Legitimate Administrative Actions**: Ensure that the activity was not part of legitimate administrative tasks such as system maintenance or updates. +- **Automation Scripts**: Verify if the activity was generated by automation or deployment scripts that are authorized to use `GetPasswordData` for legitimate purposes. + + +*Response and Remediation* + + +- **User Account Review**: Review the permissions of the implicated user identity. Apply the principle of least privilege by adjusting permissions to prevent misuse. +- **Enhanced Monitoring**: Increase monitoring on the user identity that triggered the rule and similar EC2 instances. 
+- **Incident Response**: If malicious intent is confirmed, initiate the incident response protocol. This includes further investigation, containment of the threat, eradication of any threat actor presence, and recovery of affected systems. +- **Preventative Measures**: Implement or enhance security measures such as multi-factor authentication and continuous audits of sensitive operations like `GetPasswordData`. + + +*Additional Information* + + +Refer to resources like https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc[AWS privilege escalation methods] and the MITRE ATT&CK technique https://attack.mitre.org/techniques/T1552/005/[T1552.005 - Cloud Instance Metadata API] for more details on potential vulnerabilities and mitigation strategies. + + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:"aws.cloudtrail" + and event.provider:"ec2.amazonaws.com" and event.action:"GetPasswordData" + and aws.cloudtrail.user_identity.type:"AssumedRole" and aws.cloudtrail.error_code:"Client.UnauthorizedOperation" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Sub-technique: +** Name: Cloud Instance Metadata API +** ID: T1552.005 +** Reference URL: https://attack.mitre.org/techniques/T1552/005/ diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-user-data-retrieval-for-ec2-instance.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-user-data-retrieval-for-ec2-instance.asciidoc index 5522b7a251..1b53d2b2f2 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-user-data-retrieval-for-ec2-instance.asciidoc 
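Review bot: The description says the role attempted to use `GetPassword`, while the query and the investigation guide consistently use `GetPasswordData`; the description should name `GetPasswordData`, since an analyst searching CloudTrail on the name given in the description would find nothing. The ATT&CK mapping to T1552.005 (Cloud Instance Metadata API) may also deserve a second look, because `GetPasswordData` retrieves the encrypted administrator password through the EC2 control-plane API rather than through the instance metadata service; if that mapping is intentional, a sentence in the guide explaining the choice would help. The "Additional Information" paragraph points only to a third-party write-up; adding the AWS API reference for `GetPasswordData` alongside it would give defenders an authoritative description of the call and its required permission.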
+++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-user-data-retrieval-for-ec2-instance.asciidoc @@ -1,7 +1,7 @@ [[aws-ec2-user-data-retrieval-for-ec2-instance]] === AWS EC2 User Data Retrieval for EC2 Instance -Identifies discovery request `DescribeInstanceAttribute` with the attribute userData and instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when `aws.cloudtrail.user_identity.arn` requests the user data for a specific `aws.cloudtrail.flattened.request_parameters.instanceId` from an EC2 instance in the last 14 days. +Identifies discovery request DescribeInstanceAttribute with the attribute userData and instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is a New Terms rule that identifies the first time an IAM user or role requests the user data for a specific EC2 instance. *Rule type*: new_terms @@ -16,7 +16,7 @@ Identifies discovery request `DescribeInstanceAttribute` with the attribute user *Runs every*: 5m -*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) *Maximum alerts per execution*: 100 @@ -35,7 +35,7 @@ Identifies discovery request `DescribeInstanceAttribute` with the attribute user * Use Case: Log Auditing * Tactic: Discovery -*Version*: 5 +*Version*: 6 *Rule authors*: 
@@ -69,12 +69,7 @@ This rule detects requests to retrieve the `userData` attribute of an EC2 instan - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to identify the user or role that executed the `DescribeInstanceAttribute` action. Investigate whether this user typically performs such actions. - **Access Patterns**: Validate whether the user or role has the necessary permissions and whether the frequency of this action aligns with expected behavior. - **Access Key ID**: Check the `aws.cloudtrail.user_identity.access_key_id` field to determine the key used to make the request as it may be compromised. - -- **Analyze Request Details**: - - **Parameters**: Verify that the `attribute=userData` parameter was explicitly requested. This indicates intentional access to user data. - **Source IP and Geolocation**: Check the `source.address` and `source.geo` fields to validate whether the request originated from a trusted location or network. Unexpected geolocations can indicate adversarial activity. - -- **Review Source Tool**: - **User Agent**: Inspect the `user_agent.original` field to determine the tool or client used (e.g., Terraform, AWS CLI). Legitimate automation tools may trigger this activity, but custom or unknown user agents may indicate malicious intent. - **Check for Related Activity**: @@ -119,7 +114,7 @@ event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com" and event.action: "DescribeInstanceAttribute" and event.outcome: "success" - and aws.cloudtrail.request_parameters: (*attribute=userData* and *instanceId*) + and aws.cloudtrail.flattened.request_parameters.attribute: "userData" and not aws.cloudtrail.user_identity.invoked_by: ( "AWS Internal" or "cloudformation.amazonaws.com" diff --git a/docs/detections/prebuilt-rules/rule-details/aws-iam-assume-role-policy-update.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-iam-assume-role-policy-update.asciidoc index 6a03239cc8..c2826ffa68 100644 
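Review bot: Dropping the `- **Analyze Request Details**:` and `- **Review Source Tool**:` headings leaves the `**Source IP and Geolocation**` and `**User Agent**` sub-bullets attached to the preceding identity group, which changes the guide's structure rather than only removing the obsolete `attribute=userData` item; if the intent was to flatten the list, those two bullets should be promoted to the same level as `**User Identity**`, otherwise one of the headings should stay. The query change from a wildcard on `aws.cloudtrail.request_parameters` to the exact `aws.cloudtrail.flattened.request_parameters.attribute: "userData"` is tighter, but it no longer asserts that `instanceId` is present; since the description still promises per-instance New Terms tracking, it is worth confirming the flattened `instanceId` field is always populated for this action. The investigation-guide hunk and the query hunk are both complete within this section.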
--- a/docs/detections/prebuilt-rules/rule-details/aws-iam-assume-role-policy-update.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-iam-assume-role-policy-update.asciidoc @@ -1,7 +1,7 @@ [[aws-iam-assume-role-policy-update]] === AWS IAM Assume Role Policy Update -Identifies AWS CloudTrail events where an IAM role's trust policy has been updated. The trust policy is a JSON document that defines which principals are allowed to assume the role. An attacker may attempt to modify this policy to gain the privileges of the role. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule, which means it will only trigger once for each unique value of the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.flattened.request_parameters.roleName` fields that has not been seen making this API request within the last 14 days. +Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role. An attacker may attempt to modify this policy to gain the privileges of the role. This is a New Terms rule, which means it will only trigger once for each unique combination of the "cloud.account.id", "user.name" and "aws.cloudtrail.flattened.request_parameters.roleName" fields, that have not been seen making this API request within the last 14 days. *Rule type*: new_terms @@ -16,7 +16,7 @@ Identifies AWS CloudTrail events where an IAM role's trust policy has been updat *Runs every*: 5m -*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) *Maximum alerts per execution*: 100 
@@ -34,7 +34,7 @@ Identifies AWS CloudTrail events where an IAM role's trust policy has been updat * Resources: Investigation Guide * Tactic: Privilege Escalation -*Version*: 212 +*Version*: 213 *Rule authors*: @@ -62,7 +62,8 @@ The role trust policy is a JSON document in which you define the principals you *Possible investigation steps* -- Review the `aws.cloudtrail.user_identity.arn` field to determine the user identity that performed the action. +- Review the `aws.cloudtrail.user_identity.arn` to determine the IAM User that performed the action. +- If an AssumedRole identity type performed the action review the `aws.cloudtrail.user_identity.session_context.session_issuer.arn` field to determine which role was used. - Review the `aws.cloudtrail.flattened.request_parameters.roleName` field to confirm the role that was updated. - Within the `aws.cloudtrail.request_parameters` field, review the `policyDocument` to understand the changes made to the trust policy. - If `aws.cloudtrail.user_identity.access_key_id` is present, investigate the access key used to perform the action as it may be compromised. @@ -123,3 +124,7 @@ event.dataset: "aws.cloudtrail" ** Name: Valid Accounts ** ID: T1078 ** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Cloud Accounts +** ID: T1078.004 +** Reference URL: https://attack.mitre.org/techniques/T1078/004/ diff --git a/docs/detections/prebuilt-rules/rule-details/aws-vpc-flow-logs-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-vpc-flow-logs-deletion.asciidoc index 8f67128e6e..8f959d1901 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-vpc-flow-logs-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-vpc-flow-logs-deletion.asciidoc 
@@ -14,9 +14,9 @@ Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (E *Risk score*: 73 -*Runs every*: 10m +*Runs every*: 5m -*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) *Maximum alerts per execution*: 100 @@ -30,11 +30,12 @@ Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (E * Domain: Cloud * Data Source: AWS * Data Source: Amazon Web Services +* Data Source: AWS EC2 * Use Case: Log Auditing * Resources: Investigation Guide * Tactic: Defense Evasion -*Version*: 211 +*Version*: 212 *Rule authors*: @@ -125,6 +126,6 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti ** ID: T1562 ** Reference URL: https://attack.mitre.org/techniques/T1562/ * Sub-technique: -** Name: Disable or Modify Tools -** ID: T1562.001 -** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +** Name: Disable or Modify Cloud Logs +** ID: T1562.008 +** Reference URL: https://attack.mitre.org/techniques/T1562/008/ diff --git a/docs/detections/prebuilt-rules/rule-details/bloodhound-suite-user-agents-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/bloodhound-suite-user-agents-detected.asciidoc new file mode 100644 index 0000000000..c302750bbf --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/bloodhound-suite-user-agents-detected.asciidoc 
@@ -0,0 +1,174 @@
+[[bloodhound-suite-user-agents-detected]]
+=== BloodHound Suite User-Agents Detected
+
+Identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD) and Microsoft 365.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* filebeat-*
+* logs-azure.*
+* logs-o365.audit-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://specterops.io/bloodhound-overview/
+* https://github.com/SpecterOps/AzureHound
+* https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
+
+*Tags*:
+
+* Domain: Cloud
+* Data Source: Azure
+* Data Source: Azure Activity Logs
+* Data Source: Graph API
+* Data Source: Graph API Activity Logs
+* Data Source: Microsoft 365
+* Data Source: Microsoft 365 Audit Logs
+* Data Source: Microsoft Entra ID
+* Data Source: Microsoft Entra ID Audit Logs
+* Data Source: Microsoft Entra ID Sign-in Logs
+* Use Case: Identity and Access Audit
+* Use Case: Threat Detection
+* Tactic: Discovery
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+This rule identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD) and Microsoft 365.
+
+The detection is based on known enumeration patterns, particularly the presence of suspicious user agent strings (e.g., `azurehound/`, `sharphound/`, `bloodhound/`) in various Azure and M365 logs. The rule monitors multiple log sources, including:
+
+- Azure Graph API Activity Logs
+- Microsoft 365 Audit Logs
+- Entra ID Sign-in Logs
+- Entra ID Audit Logs
+- Azure Activity Logs
+
+This ensures broader detection of credential abuse, token misuse, or unauthorized identity discovery activity from both interactive and non-interactive (API) sessions.
+
+
+*Possible investigation steps*
+
+
+- Confirm the tool used via `user_agent.original`. Look for:
+ - `azurehound/x.y.z`
+ - `bloodhound/1.0`
+ - `sharphound/1.0`
+- Examine `url.original` or `url.path` to determine which APIs were accessed if Graph API activity logs. For example:
+ - `/v1.0/organization`, `/v1.0/users`, `/v1.0/groups` may indicate user/group/tenant discovery.
+- Identify the `user.id`, `user.name`, or `azure.auditlogs.properties.initiated_by.user.user_principal_name` fields to determine which identity executed the API request.
+- Review `app_id`, `app_display_name`, or `client_id` to identify the application context (e.g., Azure CLI, Graph Explorer, unauthorized app).
+- Check `http.request.method`, `http.response.status_code`, and `event.action` for enumeration patterns (many successful GETs in a short period) if Graph API activity logs.
+- Investigate correlated sign-ins (`azure.signinlogs`) by the same user, IP, or app immediately preceding the API calls. Was MFA used? Is the location suspicious?
+- Review `source.ip`, `client.geo.*`, and `network.*` fields to determine the origin of the requests. Flag unexpected IPs or ISPs.
+- If the event originates in M365 Audit Logs, investigate cross-service activity: Exchange Online, Teams, SharePoint, or role escalations via Unified Audit.
+
+
+*False positive analysis*
+
+
+- This activity may be benign if performed by red teams, internal security auditors, or known security tools under authorization.
+- Automated monitoring solutions, cloud posture scanners, or legitimate Azure/M365 integrations may generate similar traffic. Review the `app_id` and user context.
+- Developer activity in test tenants may include tool usage for learning or validation purposes.
+
+
+*Response and remediation*
+
+
+- If confirmed malicious:
+ - Revoke active sessions or tokens associated with the identified user/app.
+ - Disable the account or rotate credentials immediately.
+ - Review the role assignments (`Directory.Read.All`, `AuditLog.Read.All`, `Directory.AccessAsUser.All`) and remove excessive privileges.
+ - Conduct historical analysis to determine how long enumeration has been occurring and what objects were queried.
+ - Enable Conditional Access policies to require MFA for API and CLI-based access.
+ - Validate audit logging and alerting is enabled across Microsoft Graph, Azure Activity Logs, and M365 workloads.
+
+- If legitimate:
+ - Document the source (e.g., red team operation, security tool).
+ - Add appropriate allowlist conditions for service principal, user, source address or device if policy allows.
+
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+any where event.dataset : (
+ "azure.activitylogs",
+ "azure.graphactivitylogs",
+ "azure.auditlogs",
+ "azure.signinlogs",
+ "o365.audit"
+) and user_agent.original regex~ "(azure|sharp|blood)(hound)/.*"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: Permission Groups Discovery
+** ID: T1069
+** Reference URL: https://attack.mitre.org/techniques/T1069/
+* Sub-technique:
+** Name: Cloud Groups
+** ID: T1069.003
+** Reference URL: https://attack.mitre.org/techniques/T1069/003/
+* Technique:
+** Name: System Information Discovery
+** ID: T1082
+** Reference URL: https://attack.mitre.org/techniques/T1082/
+* Technique:
+** Name: Account Discovery
+** ID: T1087
+** Reference URL: https://attack.mitre.org/techniques/T1087/
+* Sub-technique:
+** Name: Cloud Account
+** ID: T1087.004
+** Reference URL: https://attack.mitre.org/techniques/T1087/004/
+* Technique:
+** Name: Password Policy Discovery
+** ID: T1201
+** Reference URL: https://attack.mitre.org/techniques/T1201/
+* Technique:
+** Name: Cloud Service Discovery
+** ID: T1526
+** Reference URL: https://attack.mitre.org/techniques/T1526/
+* Technique:
+** Name: Cloud Infrastructure Discovery
+** ID: T1580
+** Reference URL: https://attack.mitre.org/techniques/T1580/
+* Technique:
+** Name: Virtual Machine Discovery
+** ID: T1673
+** Reference URL: https://attack.mitre.org/techniques/T1673/
diff --git a/docs/detections/prebuilt-rules/rule-details/container-management-utility-run-inside-a-container.asciidoc b/docs/detections/prebuilt-rules/rule-details/container-management-utility-run-inside-a-container.asciidoc
index 9d373d14ce..4578228fee 100644
--- a/docs/detections/prebuilt-rules/rule-details/container-management-utility-run-inside-a-container.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/container-management-utility-run-inside-a-container.asciidoc
@@ -30,7 +30,7 @@ This rule detects when a container management binary is run from inside a contai
 * Data Source: Elastic Defend
 * Resources: Investigation Guide
-*Version*: 2
+*Version*: 3
 *Rule authors*:
@@ -131,8 +131,9 @@ For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/
 [source, js]
 ----------------------------------
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
-process.entry_leader.entry_meta.type == "container" and
-process.name in ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl")
+process.entry_leader.entry_meta.type == "container" and process.interactive == true and
+process.name in ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "systemd", "crictl") and
+not process.parent.executable in ("/sbin/init", "/usr/bin/dockerd")
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/deprecated-aws-ec2-snapshot-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/deprecated-aws-ec2-snapshot-activity.asciidoc
new file mode 100644
index 0000000000..2a47c68317
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/deprecated-aws-ec2-snapshot-activity.asciidoc
@@ -0,0 +1,128 @@
+[[deprecated-aws-ec2-snapshot-activity]]
+=== Deprecated - AWS EC2 Snapshot Activity
+
+An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-aws.cloudtrail-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 10m
+
+*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html
+* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html
+
+*Tags*:
+
+* Domain: Cloud
+* Data Source: AWS
+* Data Source: Amazon Web Services
+* Use Case: Asset Visibility
+* Tactic: Exfiltration
+* Resources: Investigation Guide
+
+*Version*: 212
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Deprecated - AWS EC2 Snapshot Activity*
+
+
+Amazon EC2 snapshots are a mechanism to create point-in-time references to data that reside in storage volumes. System administrators commonly use this for backup operations and data recovery.
+
+This rule looks for the modification of snapshot attributes using the API `ModifySnapshotAttribute` action. This can be used to share snapshots with unauthorized third parties, giving others access to all the data on the snapshot.
+
+
+*Possible investigation steps*
+
+
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Search for dry run attempts against the resource ID of the snapshot from other user accounts within CloudTrail.
+- Investigate other alerts associated with the user account during the past 48 hours.
+- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Considering the source IP address and geolocation of the user who issued the command:
+ - Do they look normal for the calling user?
+ - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?
+ - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
+- Check if this operation was approved and performed according to the organization's change management policy.
+- Check if the shared permissions of the snapshot were modified to `Public` or include unknown account IDs.
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.
+
+
+*False positive analysis*
+
+
+- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and IP address conditions.
+
+
+*Response and remediation*
+
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+ - Identify the account role in the cloud environment.
+ - Assess the criticality of affected services and servers.
+ - Work with your IT team to identify and minimize the impact on users.
+ - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
+ - Identify any regulatory or legal ramifications related to this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
+- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.
+- Consider enabling multi-factor authentication for users.
+- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Implement security best practices https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/[outlined] by AWS.
+- Take the actions needed to return affected systems, data, or services to their normal operational levels.
+- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+==== Setup
+
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Exfiltration
+** ID: TA0010
+** Reference URL: https://attack.mitre.org/tactics/TA0010/
+* Technique:
+** Name: Transfer Data to Cloud Account
+** ID: T1537
+** Reference URL: https://attack.mitre.org/techniques/T1537/
diff --git a/docs/detections/prebuilt-rules/rule-details/deprecated-azure-entra-sign-in-brute-force-microsoft-365-accounts-by-repeat-source.asciidoc b/docs/detections/prebuilt-rules/rule-details/deprecated-azure-entra-sign-in-brute-force-microsoft-365-accounts-by-repeat-source.asciidoc
new file mode 100644
index 0000000000..4c3b72bb2c
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/deprecated-azure-entra-sign-in-brute-force-microsoft-365-accounts-by-repeat-source.asciidoc
@@ -0,0 +1,134 @@
+[[deprecated-azure-entra-sign-in-brute-force-microsoft-365-accounts-by-repeat-source]]
+=== Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
+
+Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams.
+
+*Rule type*: esql
+
+*Rule indices*: None
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 10m
+
+*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying
+* https://github.com/0xZDH/o365spray
+
+*Tags*:
+
+* Domain: Cloud
+* Domain: SaaS
+* Data Source: Azure
+* Data Source: Entra ID
+* Data Source: Entra ID Sign-in
+* Use Case: Identity and Access Audit
+* Use Case: Threat Detection
+* Tactic: Credential Access
+* Resources: Investigation Guide
+
+*Version*: 4
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source*
+
+
+Azure Entra ID, integral to Microsoft 365, manages identity and access, ensuring secure authentication.
Adversaries exploit this by attempting numerous failed logins to breach accounts. The detection rule identifies such brute-force attempts by monitoring failed logins from a single IP within a short timeframe, flagging potential unauthorized access efforts.
+
+
+*Possible investigation steps*
+
+
+- Review the source IP address identified in the alert to determine if it is associated with known malicious activity or if it belongs to a legitimate user or organization.
+- Examine the list of user principal names targeted by the failed login attempts to identify any patterns or specific users that may be at higher risk.
+- Check the azure.signinlogs.properties.resource_display_name to understand which Microsoft 365 services were targeted, such as Exchange, SharePoint, or Teams, and assess the potential impact on those services.
+- Investigate the error codes in azure.signinlogs.properties.status.error_code for additional context on why the login attempts failed, which may provide insights into the attacker's methods.
+- Correlate the failed login attempts with any successful logins from the same source IP or user accounts to identify potential unauthorized access.
+- Assess the risk and exposure of the affected user accounts and consider implementing additional security measures, such as multi-factor authentication, if not already in place.
+
+
+*False positive analysis*
+
+
+- High volume of legitimate login attempts from a single IP, such as a corporate proxy or VPN, can trigger false positives. To mitigate, exclude known IP addresses of trusted network infrastructure from the rule.
+- Automated scripts or applications performing frequent login operations on behalf of users may be misidentified as brute force attempts. Identify and whitelist these applications by their source IPs or user agents.
+- Shared workstations or kiosks where multiple users log in from the same IP address can result in false positives.
Implement user-based exclusions for these environments to prevent unnecessary alerts.
+- Frequent password resets or account recovery processes can generate multiple failed login attempts. Monitor and exclude these activities by correlating with password reset logs or helpdesk tickets.
+- Training or testing environments where multiple failed logins are expected should be excluded by identifying and filtering out the associated IP ranges or user accounts.
+
+
+*Response and remediation*
+
+
+- Immediately block the source IP address identified in the alert to prevent further unauthorized access attempts.
+- Reset passwords for all affected user accounts that experienced failed login attempts from the flagged IP address to ensure account security.
+- Enable multi-factor authentication (MFA) for the affected accounts if not already in place, to add an additional layer of security against unauthorized access.
+- Review and update conditional access policies to restrict access from suspicious or untrusted locations, enhancing security posture.
+- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
+- Monitor the affected accounts and source IP for any additional suspicious activity, ensuring no further attempts are made.
+- Document the incident details, including the source IP, affected accounts, and actions taken, for future reference and compliance purposes.
+
+This rule relies on Azure Entra ID sign-in logs, but filters for Microsoft 365 resources.
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+from logs-azure.signinlogs*
+| WHERE
+ event.dataset == "azure.signinlogs"
+ and event.category == "authentication"
+ and to_lower(azure.signinlogs.properties.resource_display_name) rlike "(.*)365(.*)"
+ and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
+ and event.outcome != "success"
+
+ // For tuning, review azure.signinlogs.properties.status.error_code
+ // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
+
+// keep only relevant fields
+| keep event.dataset, event.category, azure.signinlogs.properties.resource_display_name, azure.signinlogs.category, event.outcome, azure.signinlogs.properties.user_principal_name, source.ip
+
+// Count the number of unique targets per source IP
+| stats
+ target_count = count_distinct(azure.signinlogs.properties.user_principal_name) by source.ip
+
+// Filter for at least 10 distinct failed login attempts from a single source
+| where target_count >= 10
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Brute Force
+** ID: T1110
+** Reference URL: https://attack.mitre.org/techniques/T1110/
diff --git a/docs/detections/prebuilt-rules/rule-details/downloaded-url-files.asciidoc b/docs/detections/prebuilt-rules/rule-details/downloaded-url-files.asciidoc
index 980409ce4c..308f0110e4 100644
--- a/docs/detections/prebuilt-rules/rule-details/downloaded-url-files.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/downloaded-url-files.asciidoc
@@ -30,7 +30,7 @@ Identifies .url shortcut files downloaded from outside the local network. These
 * Data Source: Elastic Defend
 * Resources: Investigation Guide
-*Version*: 6
+*Version*: 7
 *Rule authors*:
@@ -94,7 +94,7 @@ URL shortcut files, typically used for quick access to web resources, can be exp
 [source, js]
 ----------------------------------
 file where host.os.type == "windows" and event.type == "creation" and file.extension == "url"
- and file.Ext.windows.zone_identifier > 1 and not process.name : "explorer.exe"
+ and file.Ext.windows.zone_identifier == 3
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/entra-id-protection-risk-detection-sign-in-risk.asciidoc b/docs/detections/prebuilt-rules/rule-details/entra-id-protection-risk-detection-sign-in-risk.asciidoc
new file mode 100644
index 0000000000..f2d9d1698f
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/entra-id-protection-risk-detection-sign-in-risk.asciidoc
@@ -0,0 +1,155 @@
+[[entra-id-protection-risk-detection-sign-in-risk]]
+=== Entra ID Protection - Risk Detection - Sign-in Risk
+
+Identifies sign-in risk detection events via Microsofts Entra ID Protection service. Entra ID Protection detects sign-in activity such as anonymized IP addresses, unlikely travel, password spray, and more.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-azure.identity_protection-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 1000
+
+*References*:
+
+* https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/
+* https://github.com/dirkjanm/ROADtools
+* https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/
+* https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#risk-types-and-detection
+* https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
+
+*Tags*:
+
+* Domain: Cloud
+* Domain: Identity
+* Data Source: Azure
+* Data Source: Entra ID
+* Use Case: Identity and Access Audit
+* Use Case: Threat Detection
+* Use Case: Risk Detection
+* Tactic: Initial Access
+* Resources: Investigation Guide
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+This rule detects sign-in risk detection events via Microsoft Entra ID Protection. It identifies various risk event types such as anonymized IP addresses, unlikely travel, password spray, and more. These events can indicate potential malicious activity or compromised accounts.
+
+
+*Possible investigation steps*
+
+
+- Review the `azure.identityprotection.properties.risk_event_type` field to understand the specific risk event type detected.
+- Check the `azure.identityprotection.properties.risk_level` field to determine the severity of the risk event.
+- Check the `azure.identityprotection.properties.risk_detail` field for additional context on the risk event.
+- Review the `azure.correlation_id` field to correlate this event with other related events in your environment.
+- Review the `azure.identityprotection.properties.additional_info` field for any additional information provided by Entra ID Protection.
+- Review the `azure.identityprotection.properties.detection_timing_type` field to understand when the risk event was detected. Offline detections may indicate a delayed response to a potential threat while real-time detections indicate immediate risk assessment.
+- Check the `azure.identityprotection.properties.user_principal_name` field to identify the user account associated with the risk event. This can help determine if the account is compromised or if the risk event is expected behavior for that user. Triage the user account with other events from Entra ID audit or sign-in logs to identify any suspicious activity or patterns.
+
+
+*False positive analysis*
+
+
+- Users accessing their accounts from anonymized IP addresses, such as VPNs or Tor, may trigger this rule. If this is expected behavior in your environment, consider adjusting the rule or adding exceptions for specific users or IP ranges.
+- Users who frequently travel or access their accounts from different geographic locations may trigger this rule due to the unlikely travel detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.
+- Users who have recently changed their passwords may trigger this rule due to the password spray detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.
+
+
+*Response and remediation*
+
+- Investigate the user account associated with the risk event to determine if it has been compromised or if the risk event is expected behavior.
+- If the risk event indicates a compromised account, take appropriate actions such as resetting the password, enabling multi-factor authentication, or disabling the account temporarily.
+- Review authentication material such as primary refresh tokens (PRTs) or OAuth tokens to ensure they have not been compromised. If necessary, revoke these tokens to prevent further access.
+- Implement sign-in risk policies in Entra ID Protection to automatically respond to risk events, such as requiring multi-factor authentication or blocking sign-ins from risky locations.
+- Ensure multi-factor authentication is enabled for all user accounts to provide an additional layer of security against compromised accounts.
+- Consider using high risk detections and conditional access evaluations to enforce stricter security measures for accounts or enable access revocation.
+
+
+==== Setup
+
+
+
+*Required Microsoft Entra ID Protection Logs*
+
+To use this rule, ensure that Microsoft Entra ID Protection logs are being collected and streamed into the Elastic Stack via the Azure integration.
+
+
+*Additional notes*
+
+
+For information on troubleshooting the maximum alerts warning please refer to this https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts[guide].
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset: "azure.identity_protection" and
+ event.action: "User Risk Detection" and
+ azure.identityprotection.properties.activity: "signin"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
+* Sub-technique:
+** Name: Cloud Accounts
+** ID: T1078.004
+** Reference URL: https://attack.mitre.org/techniques/T1078/004/
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Brute Force
+** ID: T1110
+** Reference URL: https://attack.mitre.org/techniques/T1110/
+* Sub-technique:
+** Name: Password Spraying
+** ID: T1110.003
+** Reference URL: https://attack.mitre.org/techniques/T1110/003/
+* Technique:
+** Name: Modify Authentication Process
+** ID: T1556
+** Reference URL: https://attack.mitre.org/techniques/T1556/
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Application Layer Protocol
+** ID: T1071
+** Reference URL: https://attack.mitre.org/techniques/T1071/
diff --git a/docs/detections/prebuilt-rules/rule-details/entra-id-protection-risk-detection-user-risk.asciidoc b/docs/detections/prebuilt-rules/rule-details/entra-id-protection-risk-detection-user-risk.asciidoc
new file mode 100644
index 0000000000..024cb24955
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/entra-id-protection-risk-detection-user-risk.asciidoc
@@ -0,0 +1,152 @@ +[[entra-id-protection-risk-detection-user-risk]] +=== Entra ID Protection - Risk Detection - User Risk + +Identifies user risk detection events via Microsofts Entra ID Protection service. Entra ID Protection detects user risk activity such as anonymized IP addresses, unlikely travel, password spray, and more. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure.identity_protection-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 1000 + +*References*: + +* https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#risk-types-and-detection +* https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/ + +*Tags*: + +* Domain: Cloud +* Domain: Identity +* Data Source: Azure +* Data Source: Entra ID +* Use Case: Identity and Access Audit +* Use Case: Threat Detection +* Use Case: Risk Detection +* Tactic: Initial Access +* Resources: Investigation Guide + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + +This rule detects user risk detection events via Microsoft Entra ID Protection. It identifies various risk event types such as anonymized IP addresses, unlikely travel, password spray, and more. These events can indicate potential malicious activity or compromised accounts. + + +*Possible investigation steps* + + +- Review the `azure.identityprotection.properties.risk_event_type` field to understand the specific risk event type detected. +- Check the `azure.identityprotection.properties.risk_level` field to determine the severity of the risk event. +- Check the `azure.identityprotection.properties.risk_detail` field for additional context on the risk event. 
+- Review the `azure.correlation_id` field to correlate this event with other related events in your environment. +- Review the `azure.identityprotection.properties.additional_info` field for any additional information provided by Entra ID Protection. +- Review the `azure.identityprotection.properties.detection_timing_type` field to understand when the risk event was detected. Offline detections may indicate a delayed response to a potential threat while real-time detections indicate immediate risk assessment. +- Check the `azure.identityprotection.properties.user_principal_name` field to identify the user account associated with the risk event. This can help determine if the account is compromised or if the risk event is expected behavior for that user. Triage the user account with other events from Entra ID audit or sign-in logs to identify any suspicious activity or patterns. + + +*False positive analysis* + + +- Users accessing their accounts from anonymized IP addresses, such as VPNs or Tor, may trigger this rule. If this is expected behavior in your environment, consider adjusting the rule or adding exceptions for specific users or IP ranges. +- Users who frequently travel or access their accounts from different geographic locations may trigger this rule due to the unlikely travel detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users. +- Users who have recently changed their passwords may trigger this rule due to the password spray detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users. + + +*Response and remediation* + +- Investigate the user account associated with the risk event to determine if it has been compromised or if the risk event is expected behavior. 
+- If the risk event indicates a compromised account, take appropriate actions such as resetting the password, enabling multi-factor authentication, or disabling the account temporarily. +- Review authentication material such as primary refresh tokens (PRTs) or OAuth tokens to ensure they have not been compromised. If necessary, revoke these tokens to prevent further access. +- Implement sign-in risk policies in Entra ID Protection to automatically respond to risk events, such as requiring multi-factor authentication or blocking sign-ins from risky locations. +- Ensure multi-factor authentication is enabled for all user accounts to provide an additional layer of security against compromised accounts. +- Consider using high risk detections and conditional access evaluations to enforce stricter security measures for accounts or enable access revocation. + + +==== Setup + + + +*Required Microsoft Entra ID Protection Logs* + +To use this rule, ensure that Microsoft Entra ID Protection logs are being collected and streamed into the Elastic Stack via the Azure integration. + + +*Additional notes* + + +For information on troubleshooting the maximum alerts warning please refer to this https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts[guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset: "azure.identity_protection" and + event.action: "User Risk Detection" and + azure.identityprotection.properties.activity: "user" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Cloud Accounts +** ID: T1078.004 +** Reference URL: https://attack.mitre.org/techniques/T1078/004/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/rule-details/high-number-of-process-and-or-service-terminations.asciidoc b/docs/detections/prebuilt-rules/rule-details/high-number-of-process-and-or-service-terminations.asciidoc index f48cb0b590..ea6031b91d 100644 --- a/docs/detections/prebuilt-rules/rule-details/high-number-of-process-and-or-service-terminations.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/high-number-of-process-and-or-service-terminations.asciidoc 
@@ -40,7 +40,7 @@ This rule identifies a high number (10) of process terminations (stop, delete, o * Data Source: Sysmon * Data Source: Windows Security Event Logs -*Version*: 215 +*Version*: 216 *Rule authors*: @@ -101,7 +101,7 @@ This rule identifies a high number (10) of service and/or process terminations ( ---------------------------------- event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and process.args:(stop or pause or delete or "/PID" or "/IM" or "/T" or "/F" or "/t" or "/f" or "/im" or "/pid") and - not process.parent.name:osquerybeat.exe + not process.parent.name:(osquerybeat.exe or agentbeat.exe) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/kubeconfig-file-creation-or-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/kubeconfig-file-creation-or-modification.asciidoc new file mode 100644 index 0000000000..413eefd73a --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/kubeconfig-file-creation-or-modification.asciidoc 
@@ -0,0 +1,131 @@ +[[kubeconfig-file-creation-or-modification]] +=== Kubeconfig File Creation or Modification + +The kubeconfig file is a critical component in Kubernetes environments, containing configuration details for accessing and managing Kubernetes clusters. Attackers may attempt to get access to, create or modify kubeconfig files to gain unauthorized initial access to Kubernetes clusters or move laterally within the cluster. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://kubernetes-threat-matrix.redguard.ch/initial-access/kubeconfig-file/ +* https://kubenomicon.com/Initial_access/Kubeconfig_file.html + +*Tags*: + +* Domain: Endpoint +* Domain: Container +* OS: Linux +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Tactic: Defense Evasion +* Tactic: Initial Access +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. 
+- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. + +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type != "deletion" and file.path like ( + "/root/.kube/config", + "/home/*/.kube/config", + "/etc/kubernetes/admin.conf", + "/etc/kubernetes/super-admin.conf", + "/etc/kubernetes/kubelet.conf", + "/etc/kubernetes/controller-manager.conf", + "/etc/kubernetes/scheduler.conf", + "/var/lib/*/kubeconfig" +) and not ( + process.name in ("kubeadm", "kubelet", "vcluster", "minikube") or + (process.name == "sed" and file.Ext.original.name like "sed*") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/rule-details/kubeconfig-file-discovery.asciidoc b/docs/detections/prebuilt-rules/rule-details/kubeconfig-file-discovery.asciidoc new file mode 100644 index 0000000000..05303ed624 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/kubeconfig-file-discovery.asciidoc 
@@ -0,0 +1,122 @@ +[[kubeconfig-file-discovery]] +=== Kubeconfig File Discovery + +The kubeconfig file is a critical component in Kubernetes environments, containing configuration details for accessing and managing Kubernetes clusters. Attackers may attempt to get access to, create, or modify kubeconfig files to gain unauthorized initial access to Kubernetes clusters or move laterally within the cluster. This rule detects process discovery executions that involve kubeconfig files, particularly those executed from common shell environments or world-writeable directories. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://kubernetes-threat-matrix.redguard.ch/initial-access/kubeconfig-file/ +* https://kubenomicon.com/Initial_access/Kubeconfig_file.html + +*Tags*: + +* Domain: Endpoint +* Domain: Container +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". 
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or + ( + process.parent.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/home/*") or + process.parent.name like (".*", "*.sh") + ) +) and +( + ( + process.working_directory like ("/etc/kubernetes", "/root/.kube", "/home/*/.kube") and + process.args in ("kubeconfig", "admin.conf", "super-admin.conf", "kubelet.conf", "controller-manager.conf", "scheduler.conf") + ) or + process.args like ( + "/etc/kubernetes/admin.conf", + "/etc/kubernetes/super-admin.conf", + "/etc/kubernetes/kubelet.conf", + "/etc/kubernetes/controller-manager.conf", + "/etc/kubernetes/scheduler.conf", + "/home/*/.kube/config", + "/root/.kube/config", + "/var/lib/*/kubeconfig" + ) +) and not process.name in ("stat", "md5sum", "dirname") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Container and Resource Discovery +** ID: T1613 +** Reference URL: https://attack.mitre.org/techniques/T1613/ diff --git a/docs/detections/prebuilt-rules/rule-details/kubectl-permission-discovery.asciidoc b/docs/detections/prebuilt-rules/rule-details/kubectl-permission-discovery.asciidoc new file mode 100644 index 0000000000..b278680815 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/kubectl-permission-discovery.asciidoc 
@@ -0,0 +1,100 @@ +[[kubectl-permission-discovery]] +=== Kubectl Permission Discovery + +This rule detects the use of the "kubectl auth --can-i" command, which is used to check permissions in Kubernetes clusters. Attackers may use this command to enumerate permissions and discover potential misconfigurations in the cluster, allowing them to gain unauthorized access or escalate privileges. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_can-i/ + +*Tags*: + +* Domain: Endpoint +* Domain: Container +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. 
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.name == "kubectl" and process.args == "auth" and process.args == "can-i" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Container and Resource Discovery +** ID: T1613 +** Reference URL: https://attack.mitre.org/techniques/T1613/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/kubernetes-service-account-secret-access.asciidoc b/docs/detections/prebuilt-rules/rule-details/kubernetes-service-account-secret-access.asciidoc new file mode 100644 index 0000000000..fabbaae472 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/kubernetes-service-account-secret-access.asciidoc 
@@ -0,0 +1,123 @@ +[[kubernetes-service-account-secret-access]] +=== Kubernetes Service Account Secret Access + +This rule detects when a process accesses Kubernetes service account secrets. Kubernetes service account secrets are files that contain sensitive information used by applications running in Kubernetes clusters to authenticate and authorize access to the cluster. These secrets are typically mounted into pods at runtime, allowing applications to access them securely. Unauthorized access to these secrets can lead to privilege escalation, lateral movement and unauthorized actions within the cluster. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* Domain: Container +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. 
+- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + process.command_line like ( + "*/run/secrets/kubernetes.io/serviceaccount*", + "*/var/run/secrets/kubernetes.io/serviceaccount*", + "*/secrets/kubernetes.io/serviceaccount*" + ) or ( + process.working_directory like ( + "/run/secrets/kubernetes.io/serviceaccount", + "/var/run/secrets/kubernetes.io/serviceaccount", + "/secrets/kubernetes.io/serviceaccount" + ) and + process.args in ("ca.crt", "token", "namespace") + ) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Technique: +** Name: Steal Application Access Token +** ID: T1528 +** Reference URL: https://attack.mitre.org/techniques/T1528/ +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Container and Resource Discovery +** ID: T1613 +** Reference URL: https://attack.mitre.org/techniques/T1613/ diff --git a/docs/detections/prebuilt-rules/rule-details/kubernetes-user-exec-into-pod.asciidoc b/docs/detections/prebuilt-rules/rule-details/kubernetes-user-exec-into-pod.asciidoc index fc73e14632..2b79d56f0a 100644 --- a/docs/detections/prebuilt-rules/rule-details/kubernetes-user-exec-into-pod.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/kubernetes-user-exec-into-pod.asciidoc 
@@ -3,7 +3,7 @@ This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets. -*Rule type*: query +*Rule type*: eql *Rule indices*: @@ -30,7 +30,7 @@ This rule detects a user attempt to establish a shell session into a pod using t * Tactic: Execution * Resources: Investigation Guide -*Version*: 206 +*Version*: 207 *Rule authors*: @@ -97,11 +97,9 @@ The Kubernetes Fleet integration with Audit Logs enabled or similarly structured [source, js] ---------------------------------- -event.dataset : "kubernetes.audit_logs" - and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" - and kubernetes.audit.verb:"create" - and kubernetes.audit.objectRef.resource:"pods" - and kubernetes.audit.objectRef.subresource:"exec" +any where host.os.type == "linux" and event.dataset == "kubernetes.audit_logs" and +kubernetes.audit.verb in ("get", "create") and kubernetes.audit.objectRef.subresource == "exec" and +kubernetes.audit.stage == "ResponseComplete" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow" ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/loadable-kernel-module-configuration-file-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/loadable-kernel-module-configuration-file-creation.asciidoc index b892606c5a..46269b7193 100644 --- a/docs/detections/prebuilt-rules/rule-details/loadable-kernel-module-configuration-file-creation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/loadable-kernel-module-configuration-file-creation.asciidoc 
@@ -31,7 +31,7 @@ This rule detects the creation of Loadable Kernel Module (LKM) configuration fil * Data Source: Elastic Defend * Resources: Investigation Guide -*Version*: 4 +*Version*: 5 *Rule authors*: @@ -96,9 +96,10 @@ Loadable Kernel Modules (LKMs) are components that can be dynamically loaded int [source, js] ---------------------------------- file where host.os.type == "linux" and event.action in ("rename", "creation") and process.executable != null and -file.path like~ ( - "/etc/modules", "/etc/modprobe.d/*", "/usr/lib/modprobe.d/*", "/etc/modules-load.d/*", - "/run/modules-load.d/*", "/usr/local/lib/modules-load.d/*", "/usr/lib/modules-load.d/*" +file.path like ( + "/etc/modules", "/etc/modprobe.d/*", "/run/modprobe.d/*", "/usr/local/lib/modprobe.d/*", "/usr/lib/modprobe.d/*", + "/lib/modprobe.d/*", "/etc/modules-load.d/*", "/run/modules-load.d/*", "/usr/local/lib/modules-load.d/*", + "/usr/lib/modules-load.d/*" ) and not ( process.executable in ( "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-365-brute-force-via-entra-id-sign-ins.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-365-brute-force-via-entra-id-sign-ins.asciidoc new file mode 100644 index 0000000000..143aa5a200 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/microsoft-365-brute-force-via-entra-id-sign-ins.asciidoc 
@@ -0,0 +1,252 @@ +[[microsoft-365-brute-force-via-entra-id-sign-ins]] +=== Microsoft 365 Brute Force via Entra ID Sign-Ins + +Identifies potential brute-force attacks targeting Microsoft 365 user accounts by analyzing failed sign-in patterns in Microsoft Entra ID Sign-In Logs. This detection focuses on a high volume of failed interactive or non-interactive authentication attempts within a short time window, often indicative of password spraying, credential stuffing, or password guessing. Adversaries may use these techniques to gain unauthorized access to Microsoft 365 services such as Exchange Online, SharePoint, or Teams. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 15m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying +* https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray +* https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties +* https://securityscorecard.com/research/massive-botnet-targets-m365-with-stealthy-password-spraying-attacks/ +* https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes +* https://github.com/0xZDH/Omnispray +* https://github.com/0xZDH/o365spray + +*Tags*: + +* Domain: Cloud +* Domain: SaaS +* Domain: Identity +* Data Source: Azure +* Data Source: Entra ID +* Data Source: Entra ID Sign-in Logs +* Use Case: Identity and Access Audit +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Microsoft 365 Brute Force via Entra ID Sign-Ins* + + +Identifies 
brute-force authentication activity against Microsoft 365 services using Entra ID sign-in logs. This detection groups and classifies failed sign-in attempts based on behavior indicative of password spraying, credential stuffing, or password guessing. The classification (`bf_type`) is included for immediate triage. + + +*Possible investigation steps* + + +- Review `bf_type`: Classifies the brute-force behavior (`password_spraying`, `credential_stuffing`, `password_guessing`). +- Examine `user_id_list`: Review the identities targeted. Are they admins, service accounts, or external identities? +- Review `login_errors`: Multiple identical errors (e.g., `"Invalid grant..."`) suggest automated abuse or tooling. +- Check `ip_list` and `source_orgs`: Determine if requests came from known VPNs, hosting providers, or anonymized infrastructure. +- Validate `unique_ips` and `countries`: Multiple countries or IPs in a short window may indicate credential stuffing or distributed spray attempts. +- Compare `total_attempts` vs `duration_seconds`: High volume over a short duration supports non-human interaction. +- Inspect `user_agent.original` via `device_detail_browser`: Clients like `Python Requests` or `curl` are highly suspicious. +- Investigate `client_app_display_name` and `incoming_token_type`: Identify non-browser-based logins, token abuse or commonly mimicked clients like VSCode. +- Review `target_resource_display_name`: Confirm the service being targeted (e.g., SharePoint, Exchange). This may be what authorization is being attempted against. +- Pivot using `session_id` and `device_detail_device_id`: Determine if a single device is spraying multiple accounts. +- Check `conditional_access_status`: If "notApplied", determine whether conditional access is properly scoped. +- Correlate `user_principal_name` with successful sign-ins: Investigate surrounding logs for lateral movement or privilege abuse. 
+ + +*False positive analysis* + + +- Developer automation (e.g., CI/CD logins) or mobile sync errors may create noisy but benign login failures. +- Red team exercises or pentesting can resemble brute-force patterns. +- Legacy protocols or misconfigured service principals may trigger repeated login failures from the same IP or session. + + +*Response and remediation* + + +- Notify identity or security operations teams to investigate further. +- Lock or reset affected user accounts if compromise is suspected. +- Block the source IP(s) or ASN temporarily using conditional access or firewall rules. +- Review tenant-wide MFA and conditional access enforcement. +- Audit targeted accounts for password reuse across systems or tenants. +- Enable lockout or throttling policies for repeated failed login attempts. + + +==== Rule query + + +[source, js] +---------------------------------- +FROM logs-azure.signinlogs* + +| EVAL + time_window = DATE_TRUNC(15 minutes, @timestamp), + user_id = TO_LOWER(azure.signinlogs.properties.user_principal_name), + ip = source.ip, + login_error = azure.signinlogs.result_description, + error_code = azure.signinlogs.properties.status.error_code, + request_type = TO_LOWER(azure.signinlogs.properties.incoming_token_type), + app_name = TO_LOWER(azure.signinlogs.properties.app_display_name), + asn_org = source.`as`.organization.name, + country = source.geo.country_name, + user_agent = user_agent.original, + event_time = @timestamp + +| WHERE event.dataset == "azure.signinlogs" + AND event.category == "authentication" + AND azure.signinlogs.category IN ("NonInteractiveUserSignInLogs", "SignInLogs") + AND azure.signinlogs.properties.resource_display_name RLIKE "(.*)365|SharePoint|Exchange|Teams|Office(.*)" + AND event.outcome == "failure" + AND error_code != 50053 + AND azure.signinlogs.properties.status.error_code IN ( + 50034, // UserAccountNotFound + 50126, // InvalidUsernameOrPassword + 50055, // PasswordExpired + 50056, // InvalidPassword + 
50057, // UserDisabled + 50064, // CredentialValidationFailure + 50076, // MFARequiredButNotPassed + 50079, // MFARegistrationRequired + 50105, // EntitlementGrantsNotFound + 70000, // InvalidGrant + 70008, // ExpiredOrRevokedRefreshToken + 70043, // BadTokenDueToSignInFrequency + 80002, // OnPremisePasswordValidatorRequestTimedOut + 80005, // OnPremisePasswordValidatorUnpredictableWebException + 50144, // InvalidPasswordExpiredOnPremPassword + 50135, // PasswordChangeCompromisedPassword + 50142, // PasswordChangeRequiredConditionalAccess + 120000, // PasswordChangeIncorrectCurrentPassword + 120002, // PasswordChangeInvalidNewPasswordWeak + 120020 // PasswordChangeFailure + ) + AND user_id IS NOT NULL AND user_id != "" + AND user_agent != "Mozilla/5.0 (compatible; MSAL 1.0) PKeyAuth/1.0" + +| STATS + authentication_requirement = VALUES(azure.signinlogs.properties.authentication_requirement), + client_app_id = VALUES(azure.signinlogs.properties.app_id), + client_app_display_name = VALUES(azure.signinlogs.properties.app_display_name), + target_resource_id = VALUES(azure.signinlogs.properties.resource_id), + target_resource_display_name = VALUES(azure.signinlogs.properties.resource_display_name), + conditional_access_status = VALUES(azure.signinlogs.properties.conditional_access_status), + device_detail_browser = VALUES(azure.signinlogs.properties.device_detail.browser), + device_detail_device_id = VALUES(azure.signinlogs.properties.device_detail.device_id), + device_detail_operating_system = VALUES(azure.signinlogs.properties.device_detail.operating_system), + incoming_token_type = VALUES(azure.signinlogs.properties.incoming_token_type), + risk_state = VALUES(azure.signinlogs.properties.risk_state), + session_id = VALUES(azure.signinlogs.properties.session_id), + user_id = VALUES(azure.signinlogs.properties.user_id), + user_principal_name = VALUES(azure.signinlogs.properties.user_principal_name), + result_description = VALUES(azure.signinlogs.result_description), + 
result_signature = VALUES(azure.signinlogs.result_signature), + result_type = VALUES(azure.signinlogs.result_type), + + unique_users = COUNT_DISTINCT(user_id), + user_id_list = VALUES(user_id), + login_errors = VALUES(login_error), + unique_login_errors = COUNT_DISTINCT(login_error), + error_codes = VALUES(error_code), + unique_error_codes = COUNT_DISTINCT(error_code), + request_types = VALUES(request_type), + app_names = VALUES(app_name), + ip_list = VALUES(ip), + unique_ips = COUNT_DISTINCT(ip), + source_orgs = VALUES(asn_org), + countries = VALUES(country), + unique_country_count = COUNT_DISTINCT(country), + unique_asn_orgs = COUNT_DISTINCT(asn_org), + first_seen = MIN(event_time), + last_seen = MAX(event_time), + total_attempts = COUNT() +BY time_window + +| EVAL + duration_seconds = DATE_DIFF("seconds", first_seen, last_seen), + bf_type = CASE( + // Many users, relatively few distinct login errors, distributed over multiple IPs (but not too many), + // and happens quickly. Often bots using leaked credentials. + unique_users >= 10 AND total_attempts >= 30 AND unique_login_errors <= 3 + AND unique_ips >= 5 + AND duration_seconds <= 600 + AND unique_users > unique_ips, + "credential_stuffing", + + // One password against many users. Single error (e.g., "InvalidPassword"), not necessarily fast. + unique_users >= 15 AND unique_login_errors == 1 AND total_attempts >= 15 AND duration_seconds <= 1800, + "password_spraying", + + // One user targeted repeatedly (same error), OR extremely noisy pattern from many IPs. 
+ (unique_users == 1 AND unique_login_errors == 1 AND total_attempts >= 30 AND duration_seconds <= 300) + OR (unique_users <= 3 AND unique_ips > 30 AND total_attempts >= 100), + "password_guessing", + + // everything else + "other" + ) + +| KEEP + time_window, bf_type, duration_seconds, total_attempts, first_seen, last_seen, + unique_users, user_id_list, login_errors, unique_login_errors, + unique_error_codes, error_codes, request_types, app_names, + ip_list, unique_ips, source_orgs, countries, + unique_country_count, unique_asn_orgs, + authentication_requirement, client_app_id, client_app_display_name, + target_resource_id, target_resource_display_name, conditional_access_status, + device_detail_browser, device_detail_device_id, device_detail_operating_system, + incoming_token_type, risk_state, session_id, user_id, + user_principal_name, result_description, result_signature, result_type + +| WHERE bf_type != "other" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ +* Sub-technique: +** Name: Credential Stuffing +** ID: T1110.004 +** Reference URL: https://attack.mitre.org/techniques/T1110/004/ diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-entra-id-exccessive-account-lockouts-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-entra-id-exccessive-account-lockouts-detected.asciidoc new file mode 100644 index 0000000000..a6f5f4d37a --- /dev/null 
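Review bot: The resource filter `azure.signinlogs.properties.resource_display_name RLIKE "(.*)365|SharePoint|Exchange|Teams|Office(.*)"` looks wrong: as far as I know ES|QL `RLIKE` matches the whole string, so this alternation only accepts names that end in `365`, start with `Office`, or equal `SharePoint`, `Exchange` or `Teams` exactly, and a value such as `Microsoft Teams` or `Exchange Online` would be excluded. The intended pattern is presumably `RLIKE ".*(365|SharePoint|Exchange|Teams|Office).*"`. Separately, `AND error_code != 50053` is redundant because 50053 is not in the `IN (...)` list that immediately follows; drop it or replace it with a comment noting that lockouts are covered by the sibling lockout rule.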
+++ b/docs/detections/prebuilt-rules/rule-details/microsoft-entra-id-exccessive-account-lockouts-detected.asciidoc 
@@ -0,0 +1,202 @@ +[[microsoft-entra-id-exccessive-account-lockouts-detected]] +=== Microsoft Entra ID Exccessive Account Lockouts Detected + +Identifies a high count of failed Microsoft Entra ID sign-in attempts as the result of the target user account being locked out. Adversaries may attempt to brute-force user accounts by repeatedly trying to authenticate with incorrect credentials, leading to account lockouts by Entra ID Smart Lockout policies. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 15m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/ +* https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying +* https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray +* https://www.sprocketsecurity.com/blog/exploring-modern-password-spraying +* https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties +* https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes +* https://github.com/0xZDH/Omnispray +* https://github.com/0xZDH/o365spray + +*Tags*: + +* Domain: Cloud +* Domain: Identity +* Data Source: Azure +* Data Source: Entra ID +* Data Source: Entra ID Sign-in Logs +* Use Case: Identity and Access Audit +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Microsoft Entra ID Exccessive Account Lockouts Detected* + + +This rule detects a high number of sign-in failures due to account lockouts (error code `50053`) in 
Microsoft Entra ID sign-in logs. These lockouts are typically caused by repeated authentication failures, often as a result of brute-force tactics such as password spraying, credential stuffing, or automated guessing. This detection is time-bucketed and aggregates attempts to identify bursts or coordinated campaigns targeting multiple users. + + +*Possible investigation steps* + + +- Review `user_id_list` and `user_principal_name`: Check if targeted users include high-value accounts such as administrators, service principals, or shared inboxes. +- Check `error_codes` and `result_description`: Validate that `50053` (account locked) is the consistent failure type. Messages indicating "malicious IP" activity suggest Microsoft’s backend flagged the source. +- Analyze `ip_list` and `source_orgs`: Identify whether the activity originated from known malicious infrastructure (e.g., VPNs, botnets, or public cloud providers). In the example, traffic originates from `MASSCOM`, which should be validated. +- Inspect `device_detail_browser` and `user_agent`: Clients like `"Python Requests"` indicate scripted automation rather than legitimate login attempts. +- Evaluate `unique_users` vs. `total_attempts`: A high ratio suggests distributed attacks across multiple accounts, characteristic of password spraying. +- Correlate `client_app_display_name` and `incoming_token_type`: PowerShell or unattended sign-in clients may be targeted for automation or legacy auth bypass. +- Review `conditional_access_status` and `risk_state`: If Conditional Access was not applied and risk was not flagged, policy scope or coverage should be reviewed. +- Validate time range (`first_seen`, `last_seen`): Determine whether the attack is a short burst or part of a longer campaign. + + +*False positive analysis* + + +- Misconfigured clients, scripts, or services with outdated credentials may inadvertently cause lockouts. 
+- Repeated lockouts from known internal IPs or during credential rotation windows could be benign. +- Legacy applications without modern auth support may repeatedly fail and trigger Smart Lockout. +- Specific known user agents (e.g., corporate service accounts). +- Internal IPs or cloud-hosted automation with expected failure behavior. + + +*Response and remediation* + + +- Investigate locked accounts immediately. Confirm if the account was successfully accessed prior to lockout. +- Reset credentials for impacted users and enforce MFA before re-enabling accounts. +- Block malicious IPs or ASN at the firewall, identity provider, or Conditional Access level. +- Audit authentication methods in use, and enforce modern auth (OAuth, SAML) over legacy protocols. +- Strengthen Conditional Access policies to reduce exposure from weak locations, apps, or clients. +- Conduct credential hygiene audits to assess reuse and rotation for targeted accounts. + + +==== Rule query + + +[source, js] +---------------------------------- +FROM logs-azure.signinlogs* + +| EVAL + time_window = DATE_TRUNC(30 minutes, @timestamp), + user_id = TO_LOWER(azure.signinlogs.properties.user_principal_name), + ip = source.ip, + login_error = azure.signinlogs.result_description, + error_code = azure.signinlogs.properties.status.error_code, + request_type = TO_LOWER(azure.signinlogs.properties.incoming_token_type), + app_name = TO_LOWER(azure.signinlogs.properties.app_display_name), + asn_org = source.`as`.organization.name, + country = source.geo.country_name, + user_agent = user_agent.original, + event_time = @timestamp + +| WHERE event.dataset == "azure.signinlogs" + AND event.category == "authentication" + AND azure.signinlogs.category IN ("NonInteractiveUserSignInLogs", "SignInLogs") + AND event.outcome == "failure" + AND azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication" + AND error_code == 50053 + AND user_id IS NOT NULL AND user_id != "" + AND asn_org != 
"MICROSOFT-CORP-MSN-AS-BLOCK" + +| STATS + authentication_requirement = VALUES(azure.signinlogs.properties.authentication_requirement), + client_app_id = VALUES(azure.signinlogs.properties.app_id), + client_app_display_name = VALUES(azure.signinlogs.properties.app_display_name), + target_resource_id = VALUES(azure.signinlogs.properties.resource_id), + target_resource_display_name = VALUES(azure.signinlogs.properties.resource_display_name), + conditional_access_status = VALUES(azure.signinlogs.properties.conditional_access_status), + device_detail_browser = VALUES(azure.signinlogs.properties.device_detail.browser), + device_detail_device_id = VALUES(azure.signinlogs.properties.device_detail.device_id), + device_detail_operating_system = VALUES(azure.signinlogs.properties.device_detail.operating_system), + incoming_token_type = VALUES(azure.signinlogs.properties.incoming_token_type), + risk_state = VALUES(azure.signinlogs.properties.risk_state), + session_id = VALUES(azure.signinlogs.properties.session_id), + user_id = VALUES(azure.signinlogs.properties.user_id), + user_principal_name = VALUES(azure.signinlogs.properties.user_principal_name), + result_description = VALUES(azure.signinlogs.result_description), + result_signature = VALUES(azure.signinlogs.result_signature), + result_type = VALUES(azure.signinlogs.result_type), + + unique_users = COUNT_DISTINCT(user_id), + user_id_list = VALUES(user_id), + login_errors = VALUES(login_error), + unique_login_errors = COUNT_DISTINCT(login_error), + error_codes = VALUES(error_code), + unique_error_codes = COUNT_DISTINCT(error_code), + request_types = VALUES(request_type), + app_names = VALUES(app_name), + ip_list = VALUES(ip), + unique_ips = COUNT_DISTINCT(ip), + source_orgs = VALUES(asn_org), + countries = VALUES(country), + unique_country_count = COUNT_DISTINCT(country), + unique_asn_orgs = COUNT_DISTINCT(asn_org), + first_seen = MIN(event_time), + last_seen = MAX(event_time), + total_attempts = COUNT() +BY time_window +| 
WHERE unique_users >= 15 AND total_attempts >= 20 +| KEEP + time_window, total_attempts, first_seen, last_seen, + unique_users, user_id_list, login_errors, unique_login_errors, + unique_error_codes, error_codes, request_types, app_names, + ip_list, unique_ips, source_orgs, countries, + unique_country_count, unique_asn_orgs, + authentication_requirement, client_app_id, client_app_display_name, + target_resource_id, target_resource_display_name, conditional_access_status, + device_detail_browser, device_detail_device_id, device_detail_operating_system, + incoming_token_type, risk_state, session_id, user_id, + user_principal_name, result_description, result_signature, result_type + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ +* Sub-technique: +** Name: Credential Stuffing +** ID: T1110.004 +** Reference URL: https://attack.mitre.org/techniques/T1110/004/ diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-entra-id-sign-in-brute-force-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-entra-id-sign-in-brute-force-activity.asciidoc new file mode 100644 index 0000000000..42b814a5f0 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/microsoft-entra-id-sign-in-brute-force-activity.asciidoc 
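Review bot: The investigation guide's `ip_list`/`source_orgs` step refers to an example that does not exist in this document ("In the example, traffic originates from `MASSCOM`, which should be validated"), so the sentence should be dropped or made generic, e.g. `- Analyze ip_list and source_orgs: Identify whether the activity originated from hosting providers, VPN exits or other infrastructure not associated with your users.`. The title, anchor and file name spell "Exccessive" with a double c; if the name is generated from the rule metadata the fix belongs upstream, otherwise correct it here. The query itself (`error_code == 50053` with `singleFactorAuthentication`) is consistent with the description.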
@@ -0,0 +1,248 @@ +[[microsoft-entra-id-sign-in-brute-force-activity]] +=== Microsoft Entra ID Sign-In Brute Force Activity + +Identifies potential brute-force attacks targeting user accounts by analyzing failed sign-in patterns in Microsoft Entra ID Sign-In Logs. This detection focuses on a high volume of failed interactive or non-interactive authentication attempts within a short time window, often indicative of password spraying, credential stuffing, or password guessing. Adversaries may use these techniques to gain unauthorized access to applications integrated with Entra ID or to compromise valid user accounts. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 15m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/ +* https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying +* https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray +* https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties +* https://securityscorecard.com/research/massive-botnet-targets-m365-with-stealthy-password-spraying-attacks/ +* https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes +* https://github.com/0xZDH/Omnispray +* https://github.com/0xZDH/o365spray + +*Tags*: + +* Domain: Cloud +* Domain: Identity +* Data Source: Azure +* Data Source: Entra ID +* Data Source: Entra ID Sign-in Logs +* Use Case: Identity and Access Audit +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + 
+*Triage and analysis* + + + +*Investigating Microsoft Entra ID Sign-In Brute Force Activity* + + +This rule detects brute-force authentication activity in Entra ID sign-in logs. It classifies failed sign-in attempts into behavior types such as password spraying, credential stuffing, or password guessing. The classification (`bf_type`) helps prioritize triage and incident response. + + +*Possible investigation steps* + + +- Review `bf_type`: Determines the brute-force technique being used (`password_spraying`, `credential_stuffing`, or `password_guessing`). +- Examine `user_id_list`: Identify if high-value accounts (e.g., administrators, service principals, federated identities) are being targeted. +- Review `login_errors`: Repetitive error types like `"Invalid Grant"` or `"User Not Found"` suggest automated attacks. +- Check `ip_list` and `source_orgs`: Investigate if the activity originates from suspicious infrastructure (VPNs, hosting providers, etc.). +- Validate `unique_ips` and `countries`: Geographic diversity and IP volume may indicate distributed or botnet-based attacks. +- Compare `total_attempts` vs `duration_seconds`: High rate of failures in a short time period implies automation. +- Analyze `user_agent.original` and `device_detail_browser`: User agents like `curl`, `Python`, or generic libraries may indicate scripting tools. +- Investigate `client_app_display_name` and `incoming_token_type`: Detect potential abuse of legacy or unattended login mechanisms. +- Inspect `target_resource_display_name`: Understand what application or resource the attacker is trying to access. +- Pivot using `session_id` and `device_detail_device_id`: Determine if a device is targeting multiple accounts. +- Review `conditional_access_status`: If not enforced, ensure Conditional Access policies are scoped correctly. + + +*False positive analysis* + + +- Legitimate automation (e.g., misconfigured scripts, sync processes) can trigger repeated failures. 
+- Internal red team activity or penetration tests may mimic brute-force behaviors. +- Certain service accounts or mobile clients may generate repetitive sign-in noise if not properly configured. + + +*Response and remediation* + + +- Notify your identity security team for further analysis. +- Investigate and lock or reset impacted accounts if compromise is suspected. +- Block offending IPs or ASNs at the firewall, proxy, or using Conditional Access. +- Confirm MFA and Conditional Access are enforced for all user types. +- Audit targeted accounts for credential reuse across services. +- Implement account lockout or throttling for failed sign-in attempts where possible. + + +==== Rule query + + +[source, js] +---------------------------------- +FROM logs-azure.signinlogs* + +// Define a time window for grouping and maintain the original event timestamp +| EVAL + time_window = DATE_TRUNC(15 minutes, @timestamp), + event_time = @timestamp + +// Filter relevant failed authentication events with specific error codes +| WHERE event.dataset == "azure.signinlogs" + AND event.category == "authentication" + AND azure.signinlogs.category IN ("NonInteractiveUserSignInLogs", "SignInLogs") + AND event.outcome == "failure" + AND azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication" + AND azure.signinlogs.properties.status.error_code IN ( + 50034, // UserAccountNotFound + 50126, // InvalidUsernameOrPassword + 50055, // PasswordExpired + 50056, // InvalidPassword + 50057, // UserDisabled + 50064, // CredentialValidationFailure + 50076, // MFARequiredButNotPassed + 50079, // MFARegistrationRequired + 50105, // EntitlementGrantsNotFound + 70000, // InvalidGrant + 70008, // ExpiredOrRevokedRefreshToken + 70043, // BadTokenDueToSignInFrequency + 80002, // OnPremisePasswordValidatorRequestTimedOut + 80005, // OnPremisePasswordValidatorUnpredictableWebException + 50144, // InvalidPasswordExpiredOnPremPassword + 50135, // PasswordChangeCompromisedPassword 
+ 50142, // PasswordChangeRequiredConditionalAccess + 120000, // PasswordChangeIncorrectCurrentPassword + 120002, // PasswordChangeInvalidNewPasswordWeak + 120020 // PasswordChangeFailure + ) + AND azure.signinlogs.properties.user_principal_name IS NOT NULL AND azure.signinlogs.properties.user_principal_name != "" + AND user_agent.original != "Mozilla/5.0 (compatible; MSAL 1.0) PKeyAuth/1.0" + AND source.`as`.organization.name != "MICROSOFT-CORP-MSN-AS-BLOCK" + +// Aggregate statistics for behavioral pattern analysis +| STATS + authentication_requirement = VALUES(azure.signinlogs.properties.authentication_requirement), + client_app_id = VALUES(azure.signinlogs.properties.app_id), + client_app_display_name = VALUES(azure.signinlogs.properties.app_display_name), + target_resource_id = VALUES(azure.signinlogs.properties.resource_id), + target_resource_display_name = VALUES(azure.signinlogs.properties.resource_display_name), + conditional_access_status = VALUES(azure.signinlogs.properties.conditional_access_status), + device_detail_browser = VALUES(azure.signinlogs.properties.device_detail.browser), + device_detail_device_id = VALUES(azure.signinlogs.properties.device_detail.device_id), + device_detail_operating_system = VALUES(azure.signinlogs.properties.device_detail.operating_system), + incoming_token_type = VALUES(azure.signinlogs.properties.incoming_token_type), + risk_state = VALUES(azure.signinlogs.properties.risk_state), + session_id = VALUES(azure.signinlogs.properties.session_id), + user_id = VALUES(azure.signinlogs.properties.user_id), + user_principal_name = VALUES(azure.signinlogs.properties.user_principal_name), + result_description = VALUES(azure.signinlogs.result_description), + result_signature = VALUES(azure.signinlogs.result_signature), + result_type = VALUES(azure.signinlogs.result_type), + + unique_users = COUNT_DISTINCT(azure.signinlogs.properties.user_id), + user_id_list = VALUES(azure.signinlogs.properties.user_id), + login_errors = 
VALUES(azure.signinlogs.result_description), + unique_login_errors = COUNT_DISTINCT(azure.signinlogs.result_description), + error_codes = VALUES(azure.signinlogs.properties.status.error_code), + unique_error_codes = COUNT_DISTINCT(azure.signinlogs.properties.status.error_code), + request_types = VALUES(azure.signinlogs.properties.incoming_token_type), + app_names = VALUES(azure.signinlogs.properties.app_display_name), + ip_list = VALUES(source.ip), + unique_ips = COUNT_DISTINCT(source.ip), + source_orgs = VALUES(source.`as`.organization.name), + countries = VALUES(source.geo.country_name), + unique_country_count = COUNT_DISTINCT(source.geo.country_name), + unique_asn_orgs = COUNT_DISTINCT(source.`as`.organization.name), + first_seen = MIN(@timestamp), + last_seen = MAX(@timestamp), + total_attempts = COUNT() +BY time_window + +// Determine brute force behavior type based on statistical thresholds +| EVAL + duration_seconds = DATE_DIFF("seconds", first_seen, last_seen), + bf_type = CASE( + // Many users, relatively few distinct login errors, distributed over multiple IPs (but not too many), + // and happens quickly. Often bots using leaked credentials. + unique_users >= 10 AND total_attempts >= 30 AND unique_login_errors <= 3 + AND unique_ips >= 5 + AND duration_seconds <= 600 + AND unique_users > unique_ips, + "credential_stuffing", + + // One password against many users. Single error (e.g., "InvalidPassword"), not necessarily fast. + unique_users >= 15 AND unique_login_errors == 1 AND total_attempts >= 15 AND duration_seconds <= 1800, + "password_spraying", + + // One user targeted repeatedly (same error), OR extremely noisy pattern from many IPs. 
+ (unique_users == 1 AND unique_login_errors == 1 AND total_attempts >= 30 AND duration_seconds <= 300) + OR (unique_users <= 3 AND unique_ips > 30 AND total_attempts >= 100), + "password_guessing", + + // everything else + "other" + ) + +// Only keep columns necessary for detection output/reporting +| KEEP + time_window, bf_type, duration_seconds, total_attempts, first_seen, last_seen, + unique_users, user_id_list, login_errors, unique_login_errors, + unique_error_codes, error_codes, request_types, app_names, + ip_list, unique_ips, source_orgs, countries, + unique_country_count, unique_asn_orgs, + authentication_requirement, client_app_id, client_app_display_name, + target_resource_id, target_resource_display_name, conditional_access_status, + device_detail_browser, device_detail_device_id, device_detail_operating_system, + incoming_token_type, risk_state, session_id, user_id, + user_principal_name, result_description, result_signature, result_type + +// Remove anything not classified as credential attack activity +| WHERE bf_type != "other" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ +* Sub-technique: +** Name: Credential Stuffing +** ID: T1110.004 +** Reference URL: https://attack.mitre.org/techniques/T1110/004/ diff --git a/docs/detections/prebuilt-rules/rule-details/outlook-home-page-registry-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/outlook-home-page-registry-modification.asciidoc index c65cbe573b..1b13b65ba1 100644 
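Review bot: `unique_users = COUNT_DISTINCT(azure.signinlogs.properties.user_id)` in the STATS block counts on the object id, while the preceding filter only requires `user_principal_name` to be non-empty; for `50034` (UserAccountNotFound), which is in the allowed error list, `properties.user_id` is presumably empty because the account does not exist, so those attempts would be dropped from `unique_users` and `user_id_list` even though guessed names are exactly what a spray produces. The sibling Microsoft 365 rule in this commit normalises the UPN in its leading EVAL (`user_id = TO_LOWER(azure.signinlogs.properties.user_principal_name)`) and counts that instead; doing the same here keeps the two rules consistent and keeps non-existent targets in the tally. The later `user_id = VALUES(azure.signinlogs.properties.user_id)` reuses the same name for a different field, so a one-line comment distinguishing the two would help the next reader.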
--- a/docs/detections/prebuilt-rules/rule-details/outlook-home-page-registry-modification.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/outlook-home-page-registry-modification.asciidoc @@ -43,7 +43,7 @@ Identifies modifications in registry keys associated with abuse of the Outlook H * Data Source: SentinelOne * Resources: Investigation Guide -*Version*: 204 +*Version*: 205 *Rule authors*: @@ -107,12 +107,9 @@ The Outlook Home Page feature allows users to set a webpage as the default view ---------------------------------- registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and registry.path : ( - "HKCU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL", - "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL", - "HKU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL", - "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL", - "USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL" - ) and registry.data.strings : "*http*" + "*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\*", + "*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Today\\*" + ) and registry.data.strings : "*://*" ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/potential-cve-2025-33053-exploitation.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-cve-2025-33053-exploitation.asciidoc new file mode 100644 index 0000000000..f9a7d5ab02 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-cve-2025-33053-exploitation.asciidoc 
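Review bot: The rewritten `registry.path` patterns in the second hunk begin with a bare `*`, and `registry.data.strings` now matches `"*://*"`, so the rule fires on any hive and any URI scheme under `Outlook\\Webview\\*` and `Outlook\\Today\\*`, where the old version was limited to user hives, the `Inbox\\URL` value and `http` data. That widening may well be intended, but the description and investigation guide (outside this hunk) still describe only the Home Page/Inbox case and should state why the `Today` key and non-HTTP schemes are in scope, with the false-positive analysis covering products that legitimately set these values. The first hunk is a version bump.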
@@ -0,0 +1,136 @@
+[[potential-cve-2025-33053-exploitation]]
+=== Potential CVE-2025-33053 Exploitation
+
+Identifies a suspicious Diagnostics Utility for Internet Explorer child process. This may indicate the successful exploitation of the vulnerability CVE-2025-33053.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.process-*
+* winlogbeat-*
+* logs-windows.sysmon_operational-*
+* endgame-*
+* logs-m365_defender.event-*
+* logs-sentinel_one_cloud_funnel.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://research.checkpoint.com/2025/stealth-falcon-zero-day/
+* https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Initial Access
+* Tactic: Defense Evasion
+* Data Source: Elastic Endgame
+* Data Source: Elastic Defend
+* Data Source: Sysmon
+* Data Source: Microsoft Defender for Endpoint
+* Data Source: SentinelOne
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Potential CVE-2025-33053 Exploitation*
+
+
+
+*Possible investigation steps*
+
+
+- Review the process details to confirm the suspicious child process was indeed started by iediagcmd.exe.
+- Check any URL file type creation before the alert and review the source of those files.
+- Investigate the process tree and make sure all descendant processes are terminated.
+- Examine the network activity associated with the suspicious process to detect any unauthorized data exfiltration or communication with known malicious IP addresses.
+- Assess the system for any additional indicators of compromise, such as unexpected changes in system files or registry keys, which might suggest a broader attack.
+
+
+*False positive analysis*
+
+
+- This behavior is very rare and should be highly suspicious.
+
+
+*Response and remediation*
+
+
+- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
+- Terminate the suspicious child process identified in the alert.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign.
+- Implement additional monitoring and alerting for similar suspicious activities involving explorer.exe to enhance detection capabilities and prevent recurrence.
+- Review and update endpoint security policies to restrict the execution of potentially malicious URL files.
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where host.os.type == "windows" and event.type == "start" and
+ process.parent.executable : "C:\\Program Files\\Internet Explorer\\iediagcmd.exe" and
+ process.name : ("route.exe", "netsh.exe", "ipconfig.exe", "dxdiag.exe", "conhost.exe", "makecab.exe") and
+ process.executable != null and
+ not process.executable : ("C:\\Windows\\System32\\route.exe",
+ "C:\\Windows\\System32\\netsh.exe",
+ "C:\\Windows\\System32\\ipconfig.exe",
+ "C:\\Windows\\System32\\dxdiag.exe",
+ "C:\\Windows\\System32\\conhost.exe",
+ "C:\\Windows\\System32\\makecab.exe")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Phishing
+** ID: T1566
+** Reference URL: https://attack.mitre.org/techniques/T1566/
+* Sub-technique:
+** Name: Spearphishing Attachment
+** ID: T1566.001
+** Reference URL: https://attack.mitre.org/techniques/T1566/001/
+* Sub-technique:
+** Name: Spearphishing Link
+** ID: T1566.002
+** Reference URL: https://attack.mitre.org/techniques/T1566/002/
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: System Binary Proxy Execution
+** ID: T1218
+** Reference URL: https://attack.mitre.org/techniques/T1218/
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-kerberos-coercion-via-dns-based-spn-spoofing.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-kerberos-coercion-via-dns-based-spn-spoofing.asciidoc
new file mode 100644
index 0000000000..dcb4c4ac4a
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/potential-kerberos-coercion-via-dns-based-spn-spoofing.asciidoc
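Review bot: The last-but-one "Response and remediation" step tells the reader to monitor "similar suspicious activities involving explorer.exe", but the rule keys on `C:\Program Files\Internet Explorer\iediagcmd.exe` as the parent and explorer.exe appears nowhere else in the rule; the step should read "involving iediagcmd.exe" so responders tune the right parent. The query itself has no comment explaining why the six child names are allowed only from `C:\Windows\System32`; a one-liner such as `/* the legitimate helpers resolve from System32; any other path means the child was resolved from elsewhere and is the behaviour CVE-2025-33053 abuses */` would make the `process.executable != null` guard and the exclusion list self-explanatory. Worth confirming that `conhost.exe` spawned from System32 by iediagcmd.exe is the only expected console host, since it is the child most likely to be seen in benign runs.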
@@ -0,0 +1,149 @@
+[[potential-kerberos-coercion-via-dns-based-spn-spoofing]]
+=== Potential Kerberos Coercion via DNS-Based SPN Spoofing
+
+Identifies the creation of a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services (often the victim's own identity). This enables reflective Kerberos relay attacks, potentially resulting in privileged access such as NT AUTHORITY\SYSTEM, without relying on NTLM fallback.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* logs-system.security*
+* logs-windows.forwarded*
+* winlogbeat-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
+* https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/
+* https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
+* https://github.com/CICADA8-Research/RemoteKrbRelay/blob/main/README.md
+* https://github.com/Orange-Cyberdefense/ocd-mindmaps/blob/main/excalimap/mindmap/ad/authenticated.md
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Credential Access
+* Data Source: Active Directory
+* Use Case: Active Directory Monitoring
+* Data Source: Windows Security Event Logs
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating Potential Kerberos Coercion via DNS-Based SPN Spoofing*
+
+
+
+*Possible investigation steps*
+
+
+- Review the event logs on the affected Windows host to confirm the presence of event code 5137, which indicates a directory service object modification.
+- Inspect the ObjectDN field to identify the full distinguished name of the created DNS record. Look for entries containing Base64-encoded segments matching UWhRCA...BAAAA, which are indicative of an embedded CREDENTIAL_TARGET_INFORMATION payload used in SPN spoofing.
+- Validate the associated user or computer account responsible for the DNS record creation. Investigate whether the account has legitimate administrative access to modify DNS zones or whether it may have been compromised.
+- Correlate with DNS query logs and network telemetry to determine if the suspicious DNS hostname was later queried or resolved by other hosts on the network. A match suggests the attacker moved forward with the coercion attempt.
+- Assess the permissions and access controls on the DNS zones to ensure they are appropriately configured and restrict unnecessary modifications by authenticated users.
+
+
+*False positive analysis*
+
+
+- This activity is unlikely to happen legitimately.
+
+
+*Response and remediation*
+
+
+- Review and remove the malicious DNS record containing the embedded CREDENTIAL_TARGET_INFORMATION Base64 payload (UWhRCA...BAAAA). Ensure that no additional coercion records exist in the same DNS zone.
+- Identify the source of the DNS modification by correlating the event with user context and host activity.
Investigate whether the account used was compromised or misused.
+- Audit Kerberos ticket activity following the DNS record creation. Look for suspicious service ticket requests (Event ID 4769) or authentication attempts that could indicate a relay or privilege escalation attempt.
+- Temporarily isolate involved systems if signs of compromise or lateral movement are detected, especially if the record was successfully resolved and used for coercion.
+- Monitor network traffic for signs of Man-in-the-Middle activity, focusing on unusual DNS queries or redirections.
+- Escalate the incident to the security operations center (SOC) for further investigation and to assess the potential impact on other systems.
+
+
+==== Setup
+
+
+
+*Setup*
+
+
+The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+Audit Directory Service Changes (Success,Failure)
+```
+
+The above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.
+
+```
+Set-AuditRule -AdObjectPath 'AD:\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success
+```
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+(event.code:4662 and winlog.event_data.AdditionalInfo: *UWhRC*BAAAA*MicrosoftDNS*) or
+(event.code:5137 and winlog.event_data.ObjectDN: *UWhRC*BAAAA*MicrosoftDNS*)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Adversary-in-the-Middle
+** ID: T1557
+** Reference URL: https://attack.mitre.org/techniques/T1557/
+* Sub-technique:
+** Name: LLMNR/NBT-NS Poisoning and SMB Relay
+** ID: T1557.001
+** Reference URL: https://attack.mitre.org/techniques/T1557/001/
+* Technique:
+** Name: Forced Authentication
+** ID: T1187
+** Reference URL: https://attack.mitre.org/techniques/T1187/
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-kerberos-spn-spoofing-via-suspicious-dns-query.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-kerberos-spn-spoofing-via-suspicious-dns-query.asciidoc
new file mode 100644
index 0000000000..3102a2af35
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/potential-kerberos-spn-spoofing-via-suspicious-dns-query.asciidoc
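Review bot: The first investigation step tells the analyst to confirm event code 5137 only, but the query also fires on `event.code:4662` with the marker in `winlog.event_data.AdditionalInfo`, which is presumably what the `Set-AuditRule ... -Rights CreateChild ... -AuditFlags Success` step in Setup produces; an analyst following the guide literally would dismiss a 4662-based alert as unconfirmed. Suggest rewording the step to "confirm the presence of event code 5137 (directory service object modified, check `ObjectDN`) or 4662 (operation performed on an object, check `AdditionalInfo`)". The Setup text also says the audit policy must be `(Success, Failure)` while the `Set-AuditRule` example sets `-AuditFlags Success` only; if failures are intentionally not audited at the object level, say so next to the command so the two do not read as contradictory.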
@@ -0,0 +1,124 @@
+[[potential-kerberos-spn-spoofing-via-suspicious-dns-query]]
+=== Potential Kerberos SPN Spoofing via Suspicious DNS Query
+
+Identifies queries to a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services (often the victim's own identity), enabling attacks such as NTLM reflection.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* endgame-*
+* logs-crowdstrike.fdr*
+* logs-endpoint.events.network-*
+* logs-sentinel_one_cloud_funnel.*
+* logs-windows.sysmon_operational-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
+* https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/
+* https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
+* https://github.com/CICADA8-Research/RemoteKrbRelay/blob/main/README.md
+* https://github.com/Orange-Cyberdefense/ocd-mindmaps/blob/main/excalimap/mindmap/ad/authenticated.md
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Credential Access
+* Data Source: Elastic Defend
+* Data Source: Elastic Endgame
+* Data Source: Crowdstrike
+* Data Source: SentinelOne
+* Data Source: Sysmon
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and
analysis*
+
+
+
+*Investigating Potential Kerberos SPN Spoofing via Suspicious DNS Query*
+
+
+> **Note**:
+> This investigation guide uses the https://www.elastic.co/guide/en/security/current/interactive-investigation-guides.html[Investigate Markdown Plugin] introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+
+*Possible investigation steps*
+
+
+- Identify the system that issued the DNS query for the suspicious hostname. Determine whether it is a server or an end user device. This technique is typically only relevant against server systems, but queries originating from workstations may indicate compromise or misuse.
+- Identify attacker-controlled system by getting the IP addresses (`dns.resolved_ip`) that this DNS query resolved to by looking for the related `lookup_result` events.
+ - !{investigate{"label":"Show the related DNS events","providers":[[{"excluded":false,"field":"dns.question.name","queryType":"phrase","value":"{{dns.question.name}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
+- If this alert was triggered on a domain controller, escalate the investigation to involve the incident response team to determine the full scope of the breach as soon as possible.
+
+
+*False positive analysis*
+
+
+- This activity is unlikely to happen legitimately.
+
+
+*Response and remediation*
+
+
+- Review and remove malicious DNS records containing the embedded CREDENTIAL_TARGET_INFORMATION Base64 payload (UWhRCA...BAAAA). Ensure that no additional coercion records exist in the same DNS zone.
+- Isolate involved systems if signs of compromise or lateral movement are detected, especially if the record was successfully resolved and used for coercion.
+- Monitor network traffic for signs of Man-in-the-Middle activity, focusing on unusual DNS queries or redirections.
+- Escalate the incident to the security operations center (SOC) for further investigation and to assess the potential impact on other systems.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+network where host.os.type == "windows" and dns.question.name : "*UWhRC*BAAAA*"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Adversary-in-the-Middle
+** ID: T1557
+** Reference URL: https://attack.mitre.org/techniques/T1557/
+* Sub-technique:
+** Name: LLMNR/NBT-NS Poisoning and SMB Relay
+** ID: T1557.001
+** Reference URL: https://attack.mitre.org/techniques/T1557/001/
+* Technique:
+** Name: Forced Authentication
+** ID: T1187
+** Reference URL: https://attack.mitre.org/techniques/T1187/
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-machine-account-relay-attack-via-smb.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-machine-account-relay-attack-via-smb.asciidoc
new file mode 100644
index 0000000000..e7902d4714
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/potential-machine-account-relay-attack-via-smb.asciidoc
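Review bot: The description closes with "enabling attacks such as NTLM reflection", while the sibling rule added in the same commit (Potential Kerberos Coercion via DNS-Based SPN Spoofing) describes the same marker as enabling "reflective Kerberos relay attacks ... without relying on NTLM fallback"; two rules keyed on the same `UWhRC*BAAAA` blob should describe the outcome the same way, so suggest "enabling reflective Kerberos relay attacks" here. The query `dns.question.name : "*UWhRC*BAAAA*"` uses the case-insensitive `:` operator, which is appropriate since DNS labels are case-insensitive even though the base64 payload is not; a short comment stating that would pre-empt a reviewer trying to "fix" it to `==`. The second investigation step wording "Identify attacker-controlled system" reads better as "Identify the attacker-controlled system".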
@@ -0,0 +1,129 @@
+[[potential-machine-account-relay-attack-via-smb]]
+=== Potential Machine Account Relay Attack via SMB
+
+Identifies potential relay attacks against a machine account by identifying network share access events coming from a remote source.ip but using the target server computer account. This may indicate a successful SMB relay attack.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-system.security*
+* logs-windows.forwarded*
+* winlogbeat-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/p0dalirius/windows-coerced-authentication-methods
+* https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications
+* https://attack.mitre.org/techniques/T1187/
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Credential Access
+* Data Source: Elastic Defend
+* Data Source: Active Directory
+* Use Case: Active Directory Monitoring
+* Data Source: Windows Security Event Logs
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Potential Machine Account Relay Attack via SMB*
+
+
+
+*Possible investigation steps*
+
+- Compare the source.ip to the target server host.ip addresses to make sure it's indeed a remote use of the machine account.
+- Examine the source.ip activities as this is the attacker IP address used to relay.
+- Review all relevant activities such as services creation, file and process events on the target server within the same period.
+- Verify the machine account names that end with a dollar sign ($) to ensure they match the expected hostnames, and investigate any discrepancies.
+- Check the network logon types to confirm if they align with typical usage patterns for the identified machine accounts.
+- Investigate the context of the source IP addresses that do not match the host IP, looking for any signs of unauthorized access or unusual network activity.
+- Correlate the findings with other security logs and alerts to identify any patterns or additional indicators of compromise related to the potential relay attack.
+
+
+*False positive analysis*
+
+
+- Machine accounts performing legitimate network logons from different IP addresses can trigger false positives. To manage this, identify and whitelist known IP addresses associated with legitimate administrative tasks or automated processes.
+- Scheduled tasks or automated scripts that use machine accounts for network operations may be flagged. Review and document these tasks, then create exceptions for their associated IP addresses and hostnames.
+- Load balancers or proxy servers that alter the source IP address of legitimate authentication requests can cause false alerts. Ensure these devices are accounted for in the network architecture and exclude their IP addresses from the rule.
+- Temporary network reconfigurations or migrations might result in machine accounts appearing to log in from unexpected hosts. During such events, temporarily adjust the rule parameters or disable the rule to prevent unnecessary alerts.
+- Regularly review and update the list of exceptions to ensure they reflect current network configurations and operational practices, minimizing the risk of overlooking genuine threats.
+
+
+*Response and remediation*
+
+
+- Coordinate isolation of the affected domain controller with infrastructure and identity teams to contain the threat while preserving service availability and forensic evidence. Prioritize this step if active compromise or attacker persistence is confirmed.
+- Reset the domain controller's machine account password, along with any accounts suspected to be compromised or exposed. Ensure strong, unique credentials are used and apply tiered credential hygiene where applicable.
+- Analyze recent authentication logs, event logs, and network traffic, focusing on suspicious activity and the source IPs referenced in the alert. Correlate findings to identify any lateral movement or additional compromised systems.
+- Strengthen network segmentation, especially between domain controllers, administrative workstations, and critical infrastructure. This limits the attack surface and impedes credential relay or reuse across systems.
+- Escalate the incident to the SOC or incident response team to coordinate a full investigation, containment, and recovery plan. Ensure stakeholders are kept informed throughout the response.
+- Enhance detection mechanisms by tuning alerts and deploying additional telemetry focused on credential relay patterns, anomalous authentication, and NTLM-related activity.
+- Conduct a structured post-incident review, documenting findings, identifying control gaps, and updating playbooks, configurations, or security policies to reduce the likelihood of similar incidents in the future.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+file where event.code == "5145" and endswith(user.name, "$") and
+
+ /* compare computername with user.name and make sure they match */
+ startswith~(winlog.computer_name, substring(user.name, 0, -1)) and
+
+ /* exclude local access */
+ not endswith(string(source.ip), string(host.ip)) and
+ source.ip != "::" and source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Forced Authentication
+** ID: T1187
+** Reference URL: https://attack.mitre.org/techniques/T1187/
+* Technique:
+** Name: Adversary-in-the-Middle
+** ID: T1557
+** Reference URL: https://attack.mitre.org/techniques/T1557/
+* Sub-technique:
+** Name: LLMNR/NBT-NS Poisoning and SMB Relay
+** ID: T1557.001
+** Reference URL: https://attack.mitre.org/techniques/T1557/001/
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-powershell-hacktool-script-by-function-names.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-powershell-hacktool-script-by-function-names.asciidoc
index 232ab49496..d1d304c850 100644
--- a/docs/detections/prebuilt-rules/rule-details/potential-powershell-hacktool-script-by-function-names.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/potential-powershell-hacktool-script-by-function-names.asciidoc
@@ -24,6 +24,7 @@ Detects known PowerShell offensive tooling functions names in PowerShell scripts
 * https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md
 * https://github.com/BC-SECURITY/Empire
+* https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
 *Tags*:
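Review bot: The tags list `Data Source: Elastic Defend`, but the rule indices are only `logs-system.security*`, `logs-windows.forwarded*` and `winlogbeat-*` and the query keys on `event.code == "5145"`, a Windows Security audit event, so either the tag is stale or an endpoint index is missing from the list. The local-access exclusion `not endswith(string(source.ip), string(host.ip))` depends on how a multi-valued `host.ip` is rendered by `string()`; that assumption deserves a comment next to it, e.g. `/* host.ip is usually multi-valued; endswith on its string form is a best-effort check that source.ip is not one of the host's own addresses */`, and note that it only excludes `127.0.0.1` and `::1`, not other loopback forms such as IPv4-mapped `::ffff:127.0.0.1`. The response section is written for "the affected domain controller", whereas the description and query apply to any server whose share is accessed with its own machine account; consider "the affected server (domain controller or otherwise)".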
@@ -34,7 +35,7 @@ Detects known PowerShell offensive tooling functions names in PowerShell scripts
 * Data Source: PowerShell Logs
 * Resources: Investigation Guide
-*Version*: 216
+*Version*: 217
 *Rule authors*:
@@ -199,7 +200,7 @@ event.category:process and host.os.type:windows and
 "Get-GPPInnerFields" or "Get-GPPPassword" or "Get-GptTmpl" or "Get-GroupsXML" or "Get-HttpStatus" or "Get-ImageNtHeaders" or
- "Get-Keystrokes" or "New-SOASerialNumberArray" or
+ "Get-Keystrokes" or "New-SOASerialNumberArray" or
 "Get-MemoryProcAddress" or "Get-MicrophoneAudio" or "Get-ModifiablePath" or "Get-ModifiableRegistryAutoRun" or "Get-ModifiableScheduledTaskFile" or "Get-ModifiableService" or
@@ -329,7 +330,8 @@ event.category:process and host.os.type:windows and
 "Invoke-PowerOptionsWMI" or "Invoke-DirectoryListing" or "Invoke-FileTransferOverWMI" or "Invoke-WMImplant" or "Invoke-WMIObfuscatedPSCommand" or "Invoke-WMIDuplicateClass" or
- "Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS"
+ "Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS" or
+ "Invoke-AzureHound" or "Invoke-SharpHound"
 ) and not powershell.file.script_block_text : ( "sentinelbreakpoints" and "Set-PSBreakpoint"
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-high-numeric-character-proportion.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-high-numeric-character-proportion.asciidoc
index 6b86eb7540..52a15f79bb 100644
--- a/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-high-numeric-character-proportion.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-high-numeric-character-proportion.asciidoc
@@ -27,7 +27,7 @@ Identifies PowerShell scripts with a disproportionately high number of numeric c
 * Tactic: Defense Evasion
 * Data Source: PowerShell Logs
-*Version*: 1
+*Version*: 2
 *Rule authors*:
@@ -83,8 +83,12 @@ FROM logs-windows.powershell_operational* metadata _id, _version, _index
 // Keep the fields relevant to the query, although this is not needed as the alert is populated using _id
 | KEEP special_count, script_len, proportion, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id
-// Filter for scripts with a 25%+ proportion of numbers
-| WHERE proportion > 0.25
+// Filter for scripts with a 30%+ proportion of numbers
+| WHERE proportion > 0.30
+
+// Exclude noisy patterns
+| WHERE
+ NOT powershell.file.script_block_text RLIKE """.*\"[a-fA-F0-9]{64}\"\,.*"""
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-invalid-escape-sequences.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-invalid-escape-sequences.asciidoc
index fe38f1c2d1..47732819ce 100644
--- a/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-invalid-escape-sequences.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-invalid-escape-sequences.asciidoc
@@ -27,7 +27,7 @@ Identifies PowerShell scripts that use invalid escape sequences as a form of obf
 * Tactic: Defense Evasion
 * Data Source: PowerShell Logs
-*Version*: 1
+*Version*: 2
 *Rule authors*:
@@ -82,6 +82,10 @@ FROM logs-windows.powershell_operational* metadata _id, _version, _index
 // Filter FPs, and due to the behavior of the LIKE operator, allow null values
 | WHERE (file.name NOT LIKE "TSS_*.psm1" or file.name IS NULL)
+| WHERE
+ // VSCode Shell integration
+ NOT powershell.file.script_block_text LIKE "*$([char]0x1b)]633*"
+
 ----------------------------------
 *Framework*: MITRE ATT&CK^TM^
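Review bot: The new exclusion's comment `// Exclude noisy patterns` does not say what the regex targets: `\"[a-fA-F0-9]{64}\",` is a quoted 64-character hex string followed by a comma, i.e. a comma-separated list of SHA-256-length hashes, which inflates the numeric proportion regardless of obfuscation. Suggest `// Exclude scripts embedding comma-separated lists of quoted 64-char hex strings (SHA-256-style hash lists), which skew the numeric proportion` so the next tuner knows what the pattern was written for. The `\,` escape appears unnecessary since the comma is not a metacharacter outside an interval, and the leading and trailing `.*` are what make the anchored RLIKE behave as a substring search; both are worth a word in the comment. The threshold change from 0.25 to 0.30 is self-documenting, but the commit gives no rationale, so a note on the observed false-positive rate would help future re-tuning.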
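Review bot: The new `| WHERE NOT powershell.file.script_block_text LIKE "*$([char]0x1b)]633*"` carries no null guard, while the line immediately above it explicitly keeps rows where `file.name IS NULL` for exactly the reason its comment gives: a `LIKE` on a null yields null and `WHERE NOT null` drops the row. If `powershell.file.script_block_text` is guaranteed non-null for every row reaching this point (the commands before this hunk are outside my view), a comment saying so would suffice; otherwise mirror the preceding filter with `OR powershell.file.script_block_text IS NULL`. The `// VSCode Shell integration` comment would also be clearer as `// VS Code shell integration emits ESC ] 633 OSC sequences in its prompt script` so the `0x1b)]633` literal is recognisable.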
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-special-character-overuse.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-special-character-overuse.asciidoc
index 178d4c4d39..468654eed6 100644
--- a/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-special-character-overuse.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-special-character-overuse.asciidoc
@@ -27,7 +27,7 @@ Identifies PowerShell scripts with an unusually high proportion of whitespace an
 * Tactic: Defense Evasion
 * Data Source: PowerShell Logs
-*Version*: 1
+*Version*: 2
 *Rule authors*:
@@ -68,20 +68,23 @@ reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
 FROM logs-windows.powershell_operational* metadata _id, _version, _index
 | WHERE event.code == "4104"
+// Replace repeated spaces used for formatting after a new line with a single space to reduce FPs
+| EVAL dedup_space_script_block = REPLACE(powershell.file.script_block_text, """\n\s+""", "\n ")
+
 // Look for scripts with more than 1000 chars that contain a related keyword
-| EVAL script_len = LENGTH(powershell.file.script_block_text)
+| EVAL script_len = LENGTH(dedup_space_script_block)
 | WHERE script_len > 1000
 // Replace string format expressions with 🔥 to enable counting the occurrence of the patterns we are looking for
 // The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1
-| EVAL replaced_with_fire = REPLACE(powershell.file.script_block_text, """[\s\$\{\}\+\@\=\(\)\^\\\"~\[\]\?\.]""", "🔥")
+| EVAL replaced_with_fire = REPLACE(dedup_space_script_block, """[\s\$\{\}\+\@\=\(\)\^\\\"~\[\]\?\.]""", "🔥")
 // Count the occurrence of numbers and their proportion to the total chars in the script
 | EVAL special_count = script_len - LENGTH(REPLACE(replaced_with_fire, "🔥", ""))
 | EVAL proportion = special_count::double / script_len::double
 // Keep the fields relevant to the query, although this is not needed as the alert is populated using _id
-| KEEP special_count, script_len, proportion, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id
+| KEEP special_count, script_len, proportion, dedup_space_script_block, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id
 // Filter for scripts with a 75%+ proportion of numbers
 | WHERE proportion > 0.75
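Review bot: The comment on the new `EVAL` says it replaces "repeated spaces", but `\n\s+` also consumes tabs and any run of consecutive newlines, so blank lines and tab-indented blocks are folded into a single `"\n "` as well; that is a larger reduction of both `script_len` and `special_count` than the comment admits and should be stated, e.g. `// Collapse the whitespace run (spaces, tabs, blank lines) that follows each newline into a single space so indentation does not count towards the special-character proportion`. Because `script_len` is now measured on the collapsed text, the `> 1000` size gate also shifts for heavily indented scripts, which is worth a word in the same comment. The unchanged context comments "Count the occurrence of numbers" and "Filter for scripts with a 75%+ proportion of numbers" still say "numbers" in a rule that counts whitespace and special characters; not part of this change, but cheap to fix while the query is being touched.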
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-string-concatenation.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-string-concatenation.asciidoc
index 782999edbc..ca3af6b015 100644
--- a/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-string-concatenation.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-string-concatenation.asciidoc
@@ -7,9 +7,9 @@ Identifies PowerShell scripts that use string concatenation as a form of obfusca
 *Rule indices*: None
-*Severity*: low
+*Severity*: medium
-*Risk score*: 21
+*Risk score*: 47
 *Runs every*: 5m
@@ -27,7 +27,7 @@ Identifies PowerShell scripts that use string concatenation as a form of obfusca
 * Tactic: Defense Evasion
 * Data Source: PowerShell Logs
-*Version*: 1
+*Version*: 2
 *Rule authors*:
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-string-reordering.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-string-reordering.asciidoc
index 66dbf224ab..5c9cfb2930 100644
--- a/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-string-reordering.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscation-via-string-reordering.asciidoc
@@ -27,7 +27,7 @@ Identifies PowerShell scripts that use string reordering and runtime reconstruct
 * Tactic: Defense Evasion
 * Data Source: PowerShell Logs
-*Version*: 2
+*Version*: 3
 *Rule authors*:
@@ -84,6 +84,20 @@ FROM logs-windows.powershell_operational* metadata _id, _version, _index
 | KEEP count, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id
 | WHERE count > 3
+// Exclude Noisy Patterns
+
+// Icinga Framework
+| WHERE (file.name NOT LIKE "framework_cache.psm1" or file.name IS NULL)
+| WHERE NOT
+ // https://wtfbins.wtf/17
+ (
+ (powershell.file.script_block_text LIKE "*sentinelbreakpoints*" OR
+ powershell.file.script_block_text LIKE "*:::::\\\\windows\\\\sentinel*")
+ AND
+ (powershell.file.script_block_text LIKE "*$local:Bypassed*" OR
+ powershell.file.script_block_text LIKE "*origPSExecutionPolicyPreference*")
+ )
+
 ----------------------------------
 *Framework*: MITRE ATT&CK^TM^
diff --git a/docs/detections/prebuilt-rules/rule-details/shell-configuration-creation-or-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/shell-configuration-creation-or-modification.asciidoc
index 935379fb2d..f8f0e41e22 100644
--- a/docs/detections/prebuilt-rules/rule-details/shell-configuration-creation-or-modification.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/shell-configuration-creation-or-modification.asciidoc
@@ -33,7 +33,7 @@ This rule monitors the creation/alteration of a shell configuration file. Unix s
 * Data Source: Elastic Defend
 * Resources: Investigation Guide
-*Version*: 8
+*Version*: 9
 *Rule authors*:
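Review bot: Both new exclusions are decided by script content rather than by where the script came from: `file.name NOT LIKE "framework_cache.psm1"` matches on the bare file name, and the wtfbins clause suppresses any script block that carries the `sentinelbreakpoints` and `$local:Bypassed` markers, so the allowlist applies to whatever contains those strings. Anchoring the Icinga exception on `file.path` (the module's install location) and pairing the second clause with a process or path condition would keep the suppression tied to the known-benign source. The first clause handles a missing `file.name` with `IS NULL`, but the second has no equivalent and `NOT (NULL)` drops the row in ES|QL, which is only fine if `powershell.file.script_block_text` is guaranteed non-null earlier in the query; a one-line comment stating that assumption would help. The enclosing query starts outside the hunk.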
@@ -140,10 +140,10 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an
 // root and user configurations
 "/home/*/.profile", "/home/*/.bashrc", "/home/*/.bash_login", "/home/*/.bash_logout", "/home/*/.bash_profile",
 "/root/.profile", "/root/.bashrc", "/root/.bash_login", "/root/.bash_logout", "/root/.bash_profile",
- "/home/*/.zprofile", "/home/*/.zshrc", "/root/.zprofile", "/root/.zshrc",
- "/home/*/.cshrc", "/home/*/.login", "/home/*/.logout", "/root/.cshrc", "/root/.login", "/root/.logout",
- "/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish",
- "/home/*/.kshrc", "/root/.kshrc"
+ "/root/.bash_aliases", "/home/*/.bash_aliases", "/home/*/.zprofile", "/home/*/.zshrc", "/root/.zprofile",
+ "/root/.zshrc", "/home/*/.cshrc", "/home/*/.login", "/home/*/.logout", "/root/.cshrc", "/root/.login",
+ "/root/.logout", "/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish", "/home/*/.kshrc",
+ "/root/.kshrc"
 ) and not (
 process.executable in (
 "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-microsoft-oauth-flow-via-auth-broker-to-drs.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-microsoft-oauth-flow-via-auth-broker-to-drs.asciidoc
new file mode 100644
index 0000000000..5030bea37d
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-microsoft-oauth-flow-via-auth-broker-to-drs.asciidoc
@@ -0,0 +1,217 @@
+[[suspicious-microsoft-oauth-flow-via-auth-broker-to-drs]]
+=== Suspicious Microsoft OAuth Flow via Auth Broker to DRS
+
+Identifies separate OAuth authorization flows in Microsoft Entra ID where the same user principal and session ID are observed across multiple IP addresses within a 5-minute window. These flows involve the Microsoft Authentication Broker (MAB) as the client application and the Device Registration Service (DRS) as the target resource. This pattern is highly indicative of OAuth phishing activity, where an adversary crafts a legitimate Microsoft login URL to trick a user into completing authentication and sharing the resulting authorization code, which is then exchanged for an access and refresh token by the attacker.
+
+*Rule type*: esql
+
+*Rule indices*: None
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 60m
+
+*Searches indices from*: now-61m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/
+* https://github.com/dirkjanm/ROADtools
+* https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/
+
+*Tags*:
+
+* Domain: Cloud
+* Domain: Identity
+* Data Source: Azure
+* Data Source: Entra ID
+* Data Source: Entra ID Sign-in Logs
+* Use Case: Identity and Access Audit
+* Use Case: Threat Detection
+* Resources: Investigation Guide
+* Tactic: Initial Access
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Suspicious Microsoft OAuth Flow via Auth Broker to DRS*
+
+
+This rule identifies potential OAuth phishing behavior in Microsoft Entra ID where two OAuth authorization flows are observed in quick succession, sharing the same user principal and session ID but originating from different IP addresses. The client application is the Microsoft Authentication Broker, and the target resource is the Device Registration Service (DRS). This pattern is indicative of adversaries attempting to phish targets for OAuth sessions by tricking users into authenticating through a crafted URL, which then allows the attacker to obtain an authorization code and exchange it for access and refresh tokens.
+
+
+*Possible Investigation Steps:*
+
+
+- `target`: The user principal name targeted by the authentication broker. Investigate whether this user has recently registered a device, signed in from new IPs, or had password resets or MFA changes.
+- `session_id`: Used to correlate all events in the OAuth flow. All sign-ins in the alert share the same session, suggesting shared or hijacked state.
+- `unique_token_id`: Lists tokens generated in the flow. If multiple IDs exist in the same session, this indicates token issuance from different locations.
+- `source_ip`, `city_name`, `country_name`, `region_name`: Review the IPs and geolocations involved. A mismatch in geographic origin within minutes can signal adversary involvement.
+- `user_agent`: Conflicting user agents (e.g., `python-requests` and `Chrome`) suggest one leg of the session was scripted or automated.
+- `os`: If multiple operating systems are observed in the same short session (e.g., macOS and Windows), this may suggest activity from different environments.
+- `incoming_token_type`: Look for values like `"none"` or `"refreshToken"` that can indicate abnormal or re-authenticated activity.
+- `token_session_status`: A value of `"unbound"` means the issued token is not tied to a device or CAE session, making it reusable from another IP.
+- `conditional_access_status`: If this is `"notApplied"`, it may indicate that expected access policies were not enforced.
+- `auth_count`: Number of events in the session. More than one indicates the session was reused within the time window.
+- `target_time_window`: Use this to pivot into raw sign-in logs to review the exact sequence and timing of the activity.
+- Search `azure.auditlogs` for any device join or registration activity around the `target_time_window`.
+- Review `azure.identityprotection` logs for anonymized IPs, impossible travel, or token replay alerts.
+- Search for other activity from the same IPs across all users to identify horizontal movement.
+
+
+*False Positive Analysis*
+
+
+- A legitimate device join from a user switching networks (e.g., mobile hotspot to Wi-Fi) could explain multi-IP usage.
+- Some identity management agents or EDR tools may use MAB for background device registration flows.
+- Developers or IT administrators may access DRS across environments when testing.
+
+
+*Response and Remediation*
+
+
+- If confirmed unauthorized, revoke all refresh tokens for the user and disable any suspicious registered devices.
+- Notify the user and verify if the authentication or device join was expected.
+- Review Conditional Access policies for the Microsoft Authentication Broker (`29d9ed98-a469-4536-ade2-f981bc1d605e`) to ensure enforcement of MFA and device trust.
+- Consider restricting token-based reauthentication from anonymized infrastructure or unusual user agents.
+- Continue monitoring for follow-on activity, such as privilege escalation, token misuse, or lateral movement.
+
+
+==== Setup
+
+
+
+*Required Microsoft Entra ID Sign-In Logs*
+
+This rule requires the Microsoft Entra ID Sign-In Logs integration be enabled and configured to collect sign-in logs. In Entra ID, sign-in logs must be enabled and streaming to the Event Hub used for the Azure integration.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+FROM logs-azure.signinlogs* metadata _id, _version, _index
+
+// Filter for Microsoft Entra ID sign-in logs
+| WHERE event.dataset == "azure.signinlogs"
+ AND event.outcome == "success"
+ AND azure.signinlogs.properties.user_type == "Member"
+ AND azure.signinlogs.identity IS NOT NULL
+ AND azure.signinlogs.properties.user_principal_name IS NOT NULL
+ AND source.address IS NOT NULL
+
+ // Filter for MAB as client (app_id) and DRS as resource (resource_id)
+ AND azure.signinlogs.properties.app_id == "29d9ed98-a469-4536-ade2-f981bc1d605e" // MAB
+ AND azure.signinlogs.properties.resource_id == "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9" // DRS
+
+// Normalize timestamps into 30-minute detection windows
+| EVAL target_time_window = DATE_TRUNC(30 minutes, @timestamp)
+
+// Tag browser-based requests and extract session ID
+| EVAL
+ session_id = azure.signinlogs.properties.session_id,
+ is_browser = CASE(
+ TO_LOWER(azure.signinlogs.properties.device_detail.browser) RLIKE "(chrome|firefox|edge|safari).*", 1, 0
+ )
+
+| STATS
+ // user & session identity
+ user_display_name = VALUES(azure.signinlogs.properties.user_display_name),
+ user_principal_name = VALUES(azure.signinlogs.properties.user_principal_name),
+ session_id = VALUES(azure.signinlogs.properties.session_id),
+ unique_token_id = VALUES(azure.signinlogs.properties.unique_token_identifier),
+
+ // geolocation
+ city_name = VALUES(source.geo.city_name),
+ country_name = VALUES(source.geo.country_name),
+ region_name = VALUES(source.geo.region_name),
+ source_ip = VALUES(source.address),
+ ip_count = COUNT_DISTINCT(source.address),
+ autonomous_system = VALUES(source.`as`.organization.name),
+
+ // authentication context
+ auth_protocol = VALUES(azure.signinlogs.properties.authentication_protocol),
+ auth_requirement = VALUES(azure.signinlogs.properties.authentication_requirement),
+ is_interactive = VALUES(azure.signinlogs.properties.is_interactive),
+
+ // token & app context
+ token_type = VALUES(azure.signinlogs.properties.incoming_token_type),
+ token_session_status = VALUES(azure.signinlogs.properties.token_protection_status_details.sign_in_session_status),
+ session_id_count = COUNT_DISTINCT(session_id),
+ client_app_display_name = VALUES(azure.signinlogs.properties.app_display_name),
+ client_app_ids = VALUES(azure.signinlogs.properties.app_id),
+ target_resource_ids = VALUES(azure.signinlogs.properties.resource_id),
+ target_resource_display_name = VALUES(azure.signinlogs.properties.resource_display_name),
+
+ // tenant details
+ app_owner_tenant_id = VALUES(azure.signinlogs.properties.app_owner_tenant_id),
+ resource_owner_tenant_id = VALUES(azure.signinlogs.properties.resource_owner_tenant_id),
+
+ // conditional access & risk signals
+ conditional_access_status = VALUES(azure.signinlogs.properties.conditional_access_status),
+ risk_state = VALUES(azure.signinlogs.properties.risk_state),
+ risk_level_aggregated = VALUES(azure.signinlogs.properties.risk_level_aggregated),
+
+ // user agent & device
+ browser = VALUES(azure.signinlogs.properties.device_detail.browser),
+ os = VALUES(azure.signinlogs.properties.device_detail.operating_system),
+ user_agent = VALUES(user_agent.original),
+ has_browser = MAX(is_browser),
+
+ auth_count = COUNT(*)
+BY
+ target_time_window,
+ azure.signinlogs.properties.user_principal_name,
+ session_id
+
+| KEEP
+ target_time_window, user_display_name, user_principal_name, session_id, unique_token_id,
+ city_name, country_name, region_name, source_ip, ip_count, autonomous_system,
+ auth_protocol, auth_requirement, is_interactive,
+ token_type, token_session_status, session_id_count, client_app_display_name,
+ client_app_ids, target_resource_ids, target_resource_display_name,
+ app_owner_tenant_id, resource_owner_tenant_id,
+ conditional_access_status, risk_state, risk_level_aggregated,
+ browser, os, user_agent, has_browser, auth_count
+
+| WHERE
+ ip_count >= 2 AND
+ session_id_count == 1 AND
+ has_browser >= 1 AND
+ auth_count >= 2
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Phishing
+** ID: T1566
+** Reference URL: https://attack.mitre.org/techniques/T1566/
+* Sub-technique:
+** Name: Spearphishing Link
+** ID: T1566.002
+** Reference URL: https://attack.mitre.org/techniques/T1566/002/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-parent-child-relationship.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-parent-child-relationship.asciidoc
index 245bafa253..871ed62a29 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-parent-child-relationship.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-parent-child-relationship.asciidoc
@@ -48,7 +48,7 @@ Identifies Windows programs run from unexpected parent processes. This could ind
 * Data Source: SentinelOne
 * Data Source: Crowdstrike
-*Version*: 318
+*Version*: 319
 *Rule authors*:
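Review bot: The rule description at the top of the new file says the flows are correlated `within a 5-minute window`, but the query buckets on `DATE_TRUNC(30 minutes, @timestamp)` and its own comment says 30-minute windows, so one of the two needs correcting. Because the grouping key is a calendar half-hour bucket rather than a sliding window, two sign-ins a few minutes apart that straddle a bucket boundary land in different groups and never reach `ip_count >= 2`; the Investigation Guide's `target_time_window` entry should say that correlation is per truncated bucket so analysts know to widen the pivot. Within a group keyed `BY ... session_id`, `session_id_count = COUNT_DISTINCT(session_id)` appears to be 1 for every non-null session and 0 only when the id is null, so `session_id_count == 1` acts as a null check; `AND azure.signinlogs.properties.session_id IS NOT NULL` in the opening WHERE would make that intent explicit and let the count be dropped.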
@@ -131,8 +131,8 @@ process.parent.name != null and ( /* suspicious parent processes */ (process.name:"autochk.exe" and not process.parent.name:"smss.exe") or - (process.name:("fontdrvhost.exe", "dwm.exe") and not process.parent.name:("wininit.exe", "winlogon.exe")) or - (process.name:("consent.exe", "RuntimeBroker.exe", "TiWorker.exe") and not process.parent.name:"svchost.exe") or + (process.name:("fontdrvhost.exe", "dwm.exe") and not process.parent.name:("wininit.exe", "winlogon.exe", "dwm.exe")) or + (process.name:("consent.exe", "RuntimeBroker.exe", "TiWorker.exe") and not process.parent.name:("svchost.exe", "Workplace Container Helper.exe")) or (process.name:"SearchIndexer.exe" and not process.parent.name:"services.exe") or (process.name:"SearchProtocolHost.exe" and not process.parent.name:("SearchIndexer.exe", "dllhost.exe")) or (process.name:"dllhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or 
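Review bot: The new parent exceptions `"Workplace Container Helper.exe"` and `"dwm.exe"` here, and in the `@@ -144` hunk `"Workplace Starter.exe"`, `"KUsrInit.exe"` and the six new `smss.exe` children, are matched on `process.name` alone, so each exception holds for any binary carrying that file name regardless of its path or signer. For the third-party agent entries in particular, a path or signature condition (`process.parent.executable` or `process.parent.code_signature.trusted` where the data source provides it) would keep the exclusion tied to the product rather than to a name. A short comment beside each group naming the product it belongs to would also help future triage, since the file names are otherwise opaque. The enclosing `where` clause starts before this hunk and ends after the next.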
@@ -144,15 +144,15 @@ process.parent.name != null and
 (process.name:"LogonUI.exe" and not process.parent.name:("wininit.exe", "winlogon.exe")) or
 (process.name:"services.exe" and not process.parent.name:"wininit.exe") or
 (process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe", "svchost.exe")) or
- (process.name:"spoolsv.exe" and not process.parent.name:"services.exe") or
+ (process.name:"spoolsv.exe" and not process.parent.name:("services.exe", "Workplace Starter.exe")) or
 (process.name:"taskhost.exe" and not process.parent.name:("services.exe", "svchost.exe", "ngentask.exe")) or
 (process.name:"taskhostw.exe" and not process.parent.name:("services.exe", "svchost.exe")) or
- (process.name:"userinit.exe" and not process.parent.name:("dwm.exe", "winlogon.exe")) or
+ (process.name:"userinit.exe" and not process.parent.name:("dwm.exe", "winlogon.exe", "KUsrInit.exe")) or
 (process.name:("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") and not process.parent.name:"svchost.exe") or
 /* suspicious child processes */
- (process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe", "conhost.exe")) or
+ (process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe", "conhost.exe", "ngentask.exe")) or
 (process.parent.name:"autochk.exe" and not process.name:("chkdsk.exe", "doskey.exe", "WerFault.exe")) or
- (process.parent.name:"smss.exe" and not process.name:("autochk.exe", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "setupcl.exe", "WerFault.exe")) or
+ (process.parent.name:"smss.exe" and not process.name:("autochk.exe", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "setupcl.exe", "WerFault.exe", "wpbbin.exe", "PvsVmBoot.exe", "SophosNA.exe", "omnissa-ic-nga.exe", "icarus_rvrt.exe", "poqexec.exe")) or
 (process.parent.name:"wermgr.exe" and not process.name:("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe")) or
 (process.parent.name:"conhost.exe" and not process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe", "WerFaultSecure.exe"))
 )
diff --git a/docs/index.asciidoc b/docs/index.asciidoc
index ec8e9bd6b7..895c711255 100644
--- a/docs/index.asciidoc
+++ b/docs/index.asciidoc
@@ -109,3 +109,5 @@ include::detections/prebuilt-rules/downloadable-packages/8-17-11/prebuilt-rules-
 include::detections/prebuilt-rules/downloadable-packages/8-17-12/prebuilt-rules-8-17-12-appendix.asciidoc[]
 include::detections/prebuilt-rules/downloadable-packages/8-17-13/prebuilt-rules-8-17-13-appendix.asciidoc[]
+
+include::detections/prebuilt-rules/downloadable-packages/8-17-14/prebuilt-rules-8-17-14-appendix.asciidoc[]