diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index 94dabf82aec..6001f222e95 100644 Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 1cd8f9294bd..46ba523bd76 100644 Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index b0b412879cb..53bc1c6d9b0 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -380,9 +380,9 @@ }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "rule_name": "Anomalous Windows Process Creation", - "sha256": "a97e8495484e9053dfe57d0b3b3e2cc47984f3e326f8bce2c00bcab788337579", + "sha256": "d0aad9677c998d37e6b01a3e4bf8956839879b80a0b4e4311197d30ab995b06c", "type": "machine_learning", - "version": 105 + "version": 106 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "rule_name": "User account exposed to Kerberoasting", @@ -404,9 +404,9 @@ }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { "rule_name": "Threat Intel IP Address Indicator Match", - "sha256": "cd59f82b14abfb2a445bdd96682846602eb2f8abc1ef27f64dda99f452f99290", + "sha256": "73f1d7ac5e48ae941a948cf4fd8934aa63350e31aa9b81f06de2f8543783dd7d", "type": "threat_match", - "version": 6 + "version": 7 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "rule_name": "Peripheral Device Discovery", 
@@ -651,9 +651,9 @@ }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "rule_name": "Rare User Logon", - "sha256": "84ad771aac0fd0883efd7525692d964e0f85a436752431c84b7dc4e012b05679", + "sha256": "050d66ef0de6ff000a472333b58036221ece112a4449c82d370394e4d55bbb59", "type": "machine_learning", - "version": 104 + "version": 105 }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", 
@@ -785,33 +785,33 @@ }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "rule_name": "Unusual Windows Username", - "sha256": "3f017bebc4cd49b96144c2c37d613353b9c74438bb528240c830a99a32537120", + "sha256": "58b73b91dd06522f8cc8e453e0989fef4d37edf64196b91cdf2fea11b8dcb600", "type": "machine_learning", - "version": 104 + "version": 105 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { "rule_name": "Unusual Windows Service", - "sha256": "89e1fd74a24609ea12f4b8735c03de06e82fa5940400ce7cc3860d473e9f9b9a", + "sha256": "899e5d7b4c44f03a8e5a152123795f54ba6f92214b25b05afb99357172793f55", "type": "machine_learning", - "version": 103 + "version": 104 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { "rule_name": "Suspicious Powershell Script", - "sha256": "c3d4419ad9b4d398652f573451d61439143854032c964a86b28b44f63627d3d3", + "sha256": "914a41f4dc5e8da74932f4f6908d90c631ea34cd726868f28881ac211db41192", "type": "machine_learning", - "version": 104 + "version": 105 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "3e378c975b7684d44d468c1b90b70fd66198d70f52b1af31c2d9877e6e01cda5", + "sha256": "7dfa9272ac79e2ccb11e032297cffca58e295634d51a93a9eece00365696b251", "type": "machine_learning", - "version": 103 + "version": 104 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { "rule_name": "Unusual Windows Remote User", - "sha256": "83958e6d3f7ccbbbba3e4f0796b176f124604f15277f14ce33c142029d6c8ff9", + "sha256": "aace3833cd0a4b65fde946008ccdda35d0cdfbd6c6febb57afc96965594545ad", "type": "machine_learning", - "version": 103 + "version": 104 }, "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "rule_name": "Systemd Service Created", 
@@ -827,9 +827,9 @@ }, "17e68559-b274-4948-ad0b-f8415bb31126": { "rule_name": "Unusual Network Destination Domain Name", - "sha256": "d0d9eef72ecbbb7af63f2aa522abc13a4cba650dd6da7a17c6b37218c39c1fb8", + "sha256": "0bcbe426712010462b5b8c7b7e268f1c7edb9b662ab4b0db3cdb41c9ded8b7fa", "type": "machine_learning", - "version": 103 + "version": 104 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { "rule_name": "GCP Logging Sink Modification", @@ -858,9 +858,9 @@ }, "192657ba-ab0e-4901-89a2-911d611eee98": { "rule_name": "Potential Persistence via File Modification", - "sha256": "13724ccfbad7645a55a6148fd2331a0f15181aca09d104bc269cddfeb702bb7d", + "sha256": "328df92dbc73dc43154f8b6998e6a2201211089ea4fca02386b1d1180d51cf36", "type": "eql", - "version": 1 + "version": 2 }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", @@ -870,9 +870,9 @@ }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "rule_name": "Rare AWS Error Code", - "sha256": "45da42408e9e47f7550b2ff787fd33fe211dc4d0c4ccbfd9342ae768d88384ec", + "sha256": "e0fed1b61b6fc4ceab47ffa167cd84bceba6c2c6bb33dc781102e3d5da543e9c", "type": "machine_learning", - "version": 208 + "version": 209 }, "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { "rule_name": "Spike in Number of Processes in an RDP Session", @@ -1068,9 +1068,9 @@ }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "rule_name": "Unusual Sudo Activity", - "sha256": "aad0990989bfa63d159c45b28e23cec25bcdd6cb4054ad31584f085b1e38568c", + "sha256": "1b4afd134fbb5d5c1cb57e6672f3fbcc22b63ae075701aa614af5619f80cff4e", "type": "machine_learning", - "version": 103 + "version": 104 }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", 
@@ -1086,9 +1086,9 @@ }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "rule_name": "Unusual Linux User Calling the Metadata Service", - "sha256": "8eb47dead708d739318e797d2fac9c942978cd80eca1354c0063c15ff502adb9", + "sha256": "1020c70dcaf191d3b48430a916809caba50985d924ebc5a379d1de8c0dc3fca9", "type": "machine_learning", - "version": 103 + "version": 104 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "rule_name": "Unusual Network Activity from a Windows System Binary", @@ -1232,6 +1232,13 @@ "type": "new_terms", "version": 1 }, + "23f18264-2d6d-11ef-9413-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", + "sha256": "68aeb823e4de7c8e670285a009dd7c9fc39ae2a9abf83f65c35df1d9818dd586", + "type": "esql", + "version": 1 + }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { "rule_name": "New GitHub Owner Added", "sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764", @@ -1586,11 +1593,20 @@ "version": 2 }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { - "min_stack_version": "8.10", + "min_stack_version": "8.13", + "previous": { + "8.10": { + "max_allowable_version": 100, + "rule_name": "Okta User Sessions Started from Different Geolocations", + "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc", + "type": "threshold", + "version": 1 + } + }, "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc", - "type": "threshold", - "version": 1 + "sha256": "46d05336c091b15f5411222d6025f5b05a2712ed0cdad1ae60eda64282563004", + "type": "esql", + "version": 101 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", 
@@ -1820,9 +1836,9 @@ }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "rule_name": "Network Traffic to Rare Destination Country", - "sha256": "599670166b519587f8e2c8712aaec4839a9edfbd71f94eef4d3ca35a4bff8e82", + "sha256": "4717b0d0eb76707afa4f290f2239c9c078684d413574d6615ec4c298bd38495c", "type": "machine_learning", - "version": 103 + "version": 104 }, "3605a013-6f0c-4f7d-88a5-326f5be262ec": { "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", @@ -1964,6 +1980,12 @@ "type": "eql", "version": 8 }, + "3a657da0-1df2-11ef-a327-f661ea17fbcc": { + "rule_name": "Rapid7 Threat Command CVEs Correlation", + "sha256": "23e49f0f8d57d3b70852d1ff51fde7a12744141f9986f4fa048aba19f7db89a1", + "type": "threat_match", + "version": 1 + }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", "sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941", @@ -2025,9 +2047,9 @@ }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { "rule_name": "Unusual Linux Network Port Activity", - "sha256": "a2800c6cc225debfe9958195da944e5b1ead6405ccad4dac405b7e7d337dade9", + "sha256": "c9f2e221dc5c9b631010dd7a284367f67e996150f41da955b0bcb0608b3c0358", "type": "machine_learning", - "version": 103 + "version": 104 }, "3d00feab-e203-4acc-a463-c3e15b7e9a73": { "rule_name": "ScreenConnect Server Spawning Suspicious Processes", @@ -2233,9 +2255,9 @@ }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { "rule_name": "Unusual Login Activity", - "sha256": "178b730df2f0523fca5d50f1c7bfb91a3b574b4d6bfa9a475d11d6208ef93b2c", + "sha256": "fdcb136029096fba35b1435354f3b4a22f6dcab41a79c2096a9f6a69530cf553", "type": "machine_learning", - "version": 103 + "version": 104 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { "rule_name": "Web Application Suspicious Activity: No User Agent", 
@@ -2257,9 +2279,9 @@ }, "445a342e-03fb-42d0-8656-0367eb2dead5": { "rule_name": "Unusual Windows Path Activity", - "sha256": "0c0dc0204bae57db331547a95b8be8a1a7a915fd32f0e9ed199b109a8418db7e", + "sha256": "55a14d59ed931d8a978a293e06c04c86113da5bba42e828f4d6f59908cfb7c94", "type": "machine_learning", - "version": 104 + "version": 105 }, "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { "rule_name": "Potential Masquerading as VLC DLL", @@ -2311,9 +2333,9 @@ }, "46f804f5-b289-43d6-a881-9387cf594f75": { "rule_name": "Unusual Process For a Linux Host", - "sha256": "5fbea0760b51ff40b45435e9978a27fd21ee1b2a9792c2892ca01cc45f6dc782", + "sha256": "816980152a0f36cc1d798d0b07b1c2c7814d4362233efb481d1f0525d8705fb1", "type": "machine_learning", - "version": 104 + "version": 105 }, "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { "rule_name": "Potential Persistence Through init.d Detected", @@ -2389,9 +2411,9 @@ }, "493834ca-f861-414c-8602-150d5505b777": { "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", - "sha256": "6928326257c9c13a06c0f1b72217966aa1141319570100427a2bc9edc41964c0", + "sha256": "c43d7caff55a0e669d84e34d8cb65261d090952151144bb98ddc066fb35fb251", "type": "threshold", - "version": 101 + "version": 102 }, "494ebba4-ecb7-4be4-8c6f-654c686549ad": { "rule_name": "Potential Linux Backdoor User Account Creation", @@ -2652,9 +2674,9 @@ }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { "rule_name": "Unusual Linux Network Activity", - "sha256": "17357496d0db27a4d0ccddae1c436a5239eced079e597b6deaf8b586add984e7", + "sha256": "55992af5ec9860d11678c489909dda9a45c32e993b83107a655b61fffe7b5fd1", "type": "machine_learning", - "version": 103 + "version": 104 }, "52afbdc5-db15-485e-bc35-f5707f820c4c": { "rule_name": "Unusual Linux Web Activity", 
@@ -2857,6 +2879,12 @@ "type": "eql", "version": 3 }, + "57bfa0a9-37c0-44d6-b724-54bf16787492": { + "rule_name": "DNS Global Query Block List Modified or Disabled", + "sha256": "c31bbb3334b07220c4b6cef2aa9a19eab7c31d95eb16d2aa4e9238bee56e8c23", + "type": "eql", + "version": 1 + }, "581add16-df76-42bb-af8e-c979bfb39a59": { "rule_name": "Deleting Backup Catalogs with Wbadmin", "sha256": "f0266b580614dbb0c7ec5ff4505f577f89518b4141c2b2c116082bbf595986e5", @@ -2907,9 +2935,9 @@ }, "59756272-1998-4b8c-be14-e287035c4d10": { "rule_name": "Unusual Linux User Discovery Activity", - "sha256": "f22f060fba5f9de2376d38ce5ced5885370cdee60ce06026422199c3d3636225", + "sha256": "ee20cd99bcb1d96c1b45a7497beed44d5f9a3ea2acd13f0bb8e35352cbf59909", "type": "machine_learning", - "version": 104 + "version": 105 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", @@ -3010,9 +3038,9 @@ }, "5c983105-4681-46c3-9890-0c66d05e776b": { "rule_name": "Unusual Linux Process Discovery Activity", - "sha256": "e67ff82fd38ab4af435c7cd93dee29535aac33d0dca591dada0c896337e58380", + "sha256": "f9a87ae54214bad3a060e755e979bde3234717dd912edb1867dd9bb0f3f658b1", "type": "machine_learning", - "version": 103 + "version": 104 }, "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { "rule_name": "Potential Defense Evasion via PRoot", @@ -3050,6 +3078,12 @@ "type": "eql", "version": 108 }, + "5d676480-9655-4507-adc6-4eec311efff8": { + "rule_name": "Unsigned DLL loaded by DNS Service", + "sha256": "ff6aae20990da6a915ef2a0f93547eabc6c109425ad02e3ee30fbad6a7fcf19c", + "type": "eql", + "version": 1 + }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { "rule_name": "Suspicious Automator Workflows Execution", "sha256": "8a91321d4c4824d08e1ec1d1f2db52ad985b859f4e5838169834aa4bbdfff906", 
@@ -3208,9 +3242,9 @@ }, "647fc812-7996-4795-8869-9c4ea595fe88": { "rule_name": "Anomalous Process For a Linux Population", - "sha256": "83b053309247f90ea7bda7f3c8e474257fe61dec3fc68d387888dc2da6ccf096", + "sha256": "a43d2835f72ae42b2a33840b01901aa85c4bcef91e50f5fb8d5ba647ff9bb0e7", "type": "machine_learning", - "version": 104 + "version": 105 }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { "rule_name": "Modification of Safari Settings via Defaults Command", @@ -3420,6 +3454,13 @@ "type": "query", "version": 106 }, + "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": { + "min_stack_version": "8.13", + "rule_name": "AWS IAM User Created Access Keys For Another User", + "sha256": "47b579b9a56ed6ea73b213367dcfbd08587402835edd04fc34313a9314a6cd79", + "type": "esql", + "version": 1 + }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", "sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85", @@ -3511,9 +3552,9 @@ }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "rule_name": "Unusual Process For a Windows Host", - "sha256": "1259847bc59ec8a6f2558f519c3d33e6a2166fa18da8ef169a7d2de8a08225c6", + "sha256": "4223306f5dfb909d0740513fea9760aef024d21d749079f1c925795c4595c203", "type": "machine_learning", - "version": 108 + "version": 109 }, "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { "rule_name": "Potential Privilege Escalation via CVE-2023-4911", @@ -3529,9 +3570,9 @@ }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "rule_name": "Anomalous Process For a Windows Population", - "sha256": "797cf8fc982536b11a0679348b4eca584db853de77646320ff0c146465196bcd", + "sha256": "e37d7455b40bc535bfe594dc80d1c349bd5dc6dc8b29ea9f6188efc2c897e623", "type": "machine_learning", - "version": 105 + "version": 106 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "rule_name": "AdminSDHolder Backdoor", 
@@ -3725,15 +3766,15 @@ }, "745b0119-0560-43ba-860a-7235dd8cee8d": { "rule_name": "Unusual Hour for a User to Logon", - "sha256": "8c8f1df8c5b78cb30de44700004958516615a323691d707eee2ed79b9a00424c", + "sha256": "a93547b576fb979d332fb9489f405cbc02bb2c196fed5cc175539deb931873a6", "type": "machine_learning", - "version": 104 + "version": 105 }, "746edc4c-c54c-49c6-97a1-651223819448": { "rule_name": "Unusual DNS Activity", - "sha256": "b9ea779f9594e53247551940577acd651bc9971f972c085f9476e736de350577", + "sha256": "be2743603bcbf86cc96a4bdfd8c5de3f4377cc7621eeafe530eac2db9e6342c7", "type": "machine_learning", - "version": 103 + "version": 104 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { "rule_name": "Suspicious Sysctl File Event", @@ -3856,9 +3897,9 @@ }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "rule_name": "Spike in AWS Error Messages", - "sha256": "b9c3990fedf14024b1c9c83464350edfd9ebd517c53d2aacebbb3a848d9740f2", + "sha256": "fdab7511f64935faf0bd44cb14c5924f678aa613944ed7ac1d07240a12cd401e", "type": "machine_learning", - "version": 208 + "version": 209 }, "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { "min_stack_version": "8.13", @@ -4068,9 +4109,9 @@ }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "rule_name": "Unusual City For an AWS Command", - "sha256": "d6cbad92730cf10d62df532e09bfef35bca6439b7ff5b0f34337bdda6ab38199", + "sha256": "89302a4ee46c254ece373ba0f594ea3ca2cc108b88e04a312fe1372645a60fe2", "type": "machine_learning", - "version": 208 + "version": 209 }, "80c52164-c82a-402c-9964-852533d58be1": { "rule_name": "Process Injection - Detected - Elastic Endgame", 
@@ -4285,6 +4326,12 @@ "type": "eql", "version": 108 }, + "894326d2-56c0-4342-b553-4abfaf421b5b": { + "rule_name": "Potential WPAD Spoofing via DNS Record Creation", + "sha256": "e31ebc9b2e2d37078a625aed023401808117893b3d430c3d1efa9613c4c25e8b", + "type": "eql", + "version": 1 + }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", "sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79", @@ -4526,21 +4573,21 @@ }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "rule_name": "Unusual Web User Agent", - "sha256": "085e5fd9bc868b88d70882d6ff9ad8cd88277bde6a5536d032d204050b191347", + "sha256": "2acbdd0a26677cad2bb141876358cb764775e21d0e209f84d883f66ed4cc509c", "type": "machine_learning", - "version": 103 + "version": 104 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { "rule_name": "Unusual Web Request", - "sha256": "ca0f4d650120d7af5f5c1b882104229c33beac3e20991c9c22403a8a79b89ae1", + "sha256": "974cc349d144864b4b2c7bf8228f2ef15c5942087c8d3b0c220d50909b0b8f71", "type": "machine_learning", - "version": 103 + "version": 104 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { "rule_name": "DNS Tunneling", - "sha256": "30ea79771106d5283bb2b93e9376e9b56ebb99c37ef021f485fdc2ea17c783ea", + "sha256": "97758f8c16d53ae0d9fd710f22e21664a5e7ac786569e132352b563c0fec69cb", "type": "machine_learning", - "version": 103 + "version": 104 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", @@ -4577,10 +4624,11 @@ "version": 3 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { + "min_stack_version": "8.9", "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", - "sha256": "b0f5b4e396353924df242d69030559c5fd2dab01d092d3573750a4611ce59860", + "sha256": "eccf879f86a18747a6744cb2d0084cf9aef85286bfb2fb37f3302d9f20d3d86c", "type": "query", - "version": 206 + "version": 207 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Modification", 
@@ -4653,6 +4701,13 @@ "type": "eql", "version": 8 }, + "94e734c0-2cda-11ef-84e1-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "Multiple Okta User Authentication Events with Client Address", + "sha256": "58ae4c29b8169b66911606add6b41d931703e9b60ab61eeeed2c2199d336378e", + "type": "esql", + "version": 1 + }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "rule_name": "Google Workspace Custom Gmail Route Created or Modified", "sha256": "13c2c8915478dad932a8b2375537e1960622c8dde7a6ac83375802a12c539fe1", @@ -4677,6 +4732,13 @@ "type": "query", "version": 108 }, + "95b99adc-2cda-11ef-84e1-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", + "sha256": "22d8f8f7b3a1f49d8a20f6a8689d8b956724b24cc7694994859ce03c6909068d", + "type": "esql", + "version": 1 + }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", "sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9", @@ -4867,9 +4929,9 @@ }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "rule_name": "Spike in Failed Logon Events", - "sha256": "1a2c14a7384dc942a3ff18edf7acc8a80867ba7213895616cb80e917fa985a6f", + "sha256": "ca08904de89887f5891bd0f501edc49c036372ce18d12a47f09c6dc211d1e964", "type": "machine_learning", - "version": 104 + "version": 105 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { "rule_name": "Endpoint Security", @@ -5007,9 +5069,9 @@ }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { "rule_name": "Unusual Linux Process Calling the Metadata Service", - "sha256": "a8ec37b93c67426decc04bb1828dece6c21599efba58c2bcbdba4de0db24d7e5", + "sha256": "1c176b99688c3dfffb29f7fd942a5db17890c0e4c8507595266a7ef192f0698c", "type": "machine_learning", - "version": 103 + "version": 104 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "rule_name": "Potential Protocol Tunneling via EarthWorm", 
@@ -5177,9 +5239,9 @@ }, "a61809f3-fb5b-465c-8bff-23a8a068ac60": { "rule_name": "Threat Intel Windows Registry Indicator Match", - "sha256": "498e400e2ab211c23df18b38f3485b255be2cf09808ae8221fc1f70ecfd680b6", + "sha256": "911df9a41bce872a7cd60687c487a8d1b6d05ca3e4c2748968cefb7fdc63f3b3", "type": "threat_match", - "version": 6 + "version": 7 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "rule_name": "Suspicious MS Office Child Process", @@ -5292,9 +5354,9 @@ }, "aab184d3-72b3-4639-b242-6597c99d8bca": { "rule_name": "Threat Intel Hash Indicator Match", - "sha256": "fabef06c8a2e4298330aaf2e04e9c55737a516954c890d808e5d4a901aace9fe", + "sha256": "e1161667047c076c8d8e436e3ce9b940a7089c5cf8587b557f3b3b52119d231a", "type": "threat_match", - "version": 7 + "version": 8 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "rule_name": "Remote Execution via File Shares", @@ -5304,9 +5366,9 @@ }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "ac1ddf7a6cff4d90ca970314e03ccc69c8b2c416130ed735e10bbaf12458ff51", + "sha256": "e47f2af768f5f8d5ebfcdad5c838efe410a8712405d61d5d3d4786000bd6e676", "type": "machine_learning", - "version": 103 + "version": 104 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { "rule_name": "Potential Persistence via Login Hook", @@ -5339,9 +5401,9 @@ }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "rule_name": "Unusual AWS Command for a User", - "sha256": "17d74013b573ef431a61391d055df4a9ab5851741a17e466a651c3a1f13efb49", + "sha256": "d63bbd2ad70ae7aa5d8a32e0db1323f15cd754a172e2c47f4cffe36935b2e8ee", "type": "machine_learning", - "version": 208 + "version": 209 }, "ac8805f6-1e08-406c-962e-3937057fa86f": { "rule_name": "Potential Protocol Tunneling via Chisel Server", 
@@ -5508,9 +5570,9 @@ }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "rule_name": "Spike in Network Traffic", - "sha256": "36d61f7dbb342836f5db53ce1a06141cecfee9ba6d09cbb69983df79202257e6", + "sha256": "de46ac771569265cca83a3eb78ca92c48cf3478e0c49d68ffeb12dfeeaeccaf5", "type": "machine_learning", - "version": 103 + "version": 104 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "rule_name": "Remote File Copy via TeamViewer", @@ -5532,9 +5594,9 @@ }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "rule_name": "Unusual Linux Username", - "sha256": "fe769843cd4082749444ae077951c9a8e2bfe4d74ba57fd091eacee470975016", + "sha256": "a06f31bcbb968f4b0f7c2b9729c84a695e91e13c34ea63cd6aaedb3ccb06324d", "type": "machine_learning", - "version": 103 + "version": 104 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "rule_name": "Suspicious Endpoint Security Parent Process", @@ -5625,6 +5687,12 @@ "type": "eql", "version": 1 }, + "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { + "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", + "sha256": "8af473db73fdf2cb22badcbf84c85a6ad922b4d8122fe10962a2210d0e73f2d4", + "type": "eql", + "version": 1 + }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "rule_name": "Azure Event Hub Authorization Rule Created or Updated", "sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09", @@ -5777,9 +5845,9 @@ }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "rule_name": "Unusual Windows Network Activity", - "sha256": "061e957d07cb102889f0ff1a1f4fa80b4f22eeefc5aad74fd2544ccf0852d5ad", + "sha256": "f44147f6949a71b6f2d3d1fce8812830bd011f98dcef007a977d3a50df705d57", "type": "machine_learning", - "version": 103 + "version": 104 }, "ba81c182-4287-489d-af4d-8ae834b06040": { "rule_name": "Kernel Driver Load by non-root User", 
@@ -6007,9 +6075,9 @@ }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { "rule_name": "Unusual Linux Network Connection Discovery", - "sha256": "197e0ebe16417250c895c6ab8ef0894bdebdd8535da44dc8426106a4eb63b02d", + "sha256": "7d982bb13ae1a04e1debe5ea0265e3e5d576b25838f8bd13877d6c5a1b77a681", "type": "machine_learning", - "version": 103 + "version": 104 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { "rule_name": "Persistence via Folder Action Script", @@ -6195,9 +6263,9 @@ }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "rule_name": "Spike in Network Traffic To a Country", - "sha256": "93087ad72f05b99dd3bc9858cd5edfd5ed9d21a4afa6e01d0d798e78b4e9ab61", + "sha256": "f4b60bfd164d4de31f46f95a825acf02d2de3a0105fbea2b689f27ab7e13639c", "type": "machine_learning", - "version": 104 + "version": 105 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { "rule_name": "Persistence via Docker Shortcut Modification", @@ -6384,9 +6452,9 @@ }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { "rule_name": "Anomalous Linux Compiler Activity", - "sha256": "ac7fe1661692762ebf3969e3980d674808ea8cf32e188619fd6e08de268af793", + "sha256": "71e437f699c5d256f96075db61c66ace40b1ed47dd875360db1c99de905bff79", "type": "machine_learning", - "version": 103 + "version": 104 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "rule_name": "Kernel Module Removal", 
@@ -6598,15 +6666,15 @@ }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { "rule_name": "Unusual Linux System Information Discovery Activity", - "sha256": "1823af90ab9f82af85f6752bb44ce24df6e0ef1e0722d477f91a55675de28c8f", + "sha256": "a740cf8d2af1163a0caf8571d1fa427c9ffbb89c38d76d67e0c2b0c96f6a6eec", "type": "machine_learning", - "version": 103 + "version": 104 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { "rule_name": "Unusual Source IP for a User to Logon from", - "sha256": "b9964a7773745de7f347665b66883623fc60d4e0e4a004d0b7e3b5cd79694041", + "sha256": "52036d5d366833aa7013ae971eb5ed3ed41df8bea6cf821f0e49dbd0a551fa1d", "type": "machine_learning", - "version": 103 + "version": 104 }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { "rule_name": "Linux init (PID 1) Secret Dump via GDB", @@ -6729,9 +6797,9 @@ }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { "rule_name": "Spike in Logon Events", - "sha256": "d252490036f46e2d8c44e6c0aec56feb27ef9539cd83c5430534df5a0189a203", + "sha256": "c88f7b8030359f06613e9c7fd1bf60b5c1e8f86f7d7febccd34c7969e1077bbc", "type": "machine_learning", - "version": 103 + "version": 104 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "rule_name": "SMTP on Port 26/TCP", @@ -6751,6 +6819,12 @@ "type": "query", "version": 209 }, + "d93e61db-82d6-4095-99aa-714988118064": { + "rule_name": "NTDS Dump via Wbadmin", + "sha256": "84e3ebcc0dbbee2d61dda40d2f1a217ec6da8bdd5a345ae29b4efc42a3ba7883", + "type": "eql", + "version": 1 + }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "rule_name": "Volume Shadow Copy Deletion via PowerShell", "sha256": "32bc4e3bb16d80971b9c8bb068a743e7041477c34017d3fd5a9f1f42ca4873b1", 
@@ -6837,9 +6911,9 @@ }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "rule_name": "Unusual Country For an AWS Command", - "sha256": "e6e99ee2cb2084337de3331bcf945c7714a1fc79df6bc880c40dcb399e87a561", + "sha256": "c2be81a4e4f052c6da9119dd200e3ab45d5687ef747f79b3a2cef11bb4568d29", "type": "machine_learning", - "version": 208 + "version": 209 }, "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { "rule_name": "Suspicious Execution from INET Cache", @@ -6904,9 +6978,9 @@ }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "d7b5f6ca8779a491a009ef24fa38c89815905e818546c5671f5dc05bd505e3ce", + "sha256": "d5f633c341e7ba95ad81959129723474ae16c829ff3e3182a147b764bacf405e", "type": "machine_learning", - "version": 103 + "version": 104 }, "df26fd74-1baa-4479-b42e-48da84642330": { "rule_name": "Azure Automation Account Created", @@ -7035,9 +7109,9 @@ }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "rule_name": "Spike in Successful Logon Events from a Source IP", - "sha256": "433470a845fb7c68a2d975d0c852935ae2f613397f228fcbc0508dab28be90ff", + "sha256": "0269e018a4255bfb434cd73bd2e52aef757c68e11659366261fa2c8687dc0948", "type": "machine_learning", - "version": 104 + "version": 105 }, "e26f042e-c590-4e82-8e05-41e81bd822ad": { "min_stack_version": "8.12", @@ -7365,9 +7439,9 @@ }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "rule_name": "Spike in Firewall Denies", - "sha256": "2b70a5f6f296ce20ca6fb54b48a52c4bb57dec8c35b7dfc9b661509716a7cc0a", + "sha256": "260bc7516505de6ab2ad79dccd957b4dc8c0f76dcbf987df647077cc0ced1f52", "type": "machine_learning", - "version": 103 + "version": 104 }, "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { "rule_name": "Suspicious APT Package Manager Network Connection", 
@@ -7706,9 +7780,9 @@
 },
 "f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
 "rule_name": "Threat Intel URL Indicator Match",
- "sha256": "2e45aadc96febb79204cc0182a5cda5f7b1be5634e47e7c18fc92b429f529471",
+ "sha256": "cf0a030c5e18e30adb504961ef9b25c02002c86f068800908ed13e0f329267de",
 "type": "threat_match",
- "version": 6
+ "version": 7
 },
 "f41296b4-9975-44d6-9486-514c6f635b2d": {
 "rule_name": "Potential curl CVE-2023-38545 Exploitation",
@@ -7888,9 +7962,9 @@
 },
 "f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
 "rule_name": "Unusual Linux Network Configuration Discovery",
- "sha256": "4dd687fdbb673c91ffcda22bc2630d7ea3e59cd3af2a796d57bd7077684f6042",
+ "sha256": "d2f746819d1c581d86f596e696374d72b6b6ef60f9710488f0f34085b80a3e59",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "f95972d3-c23b-463b-89a8-796b3f369b49": {
 "rule_name": "Ingress Transfer via Windows BITS",
diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py
index 481da84d70c..67cba8e1c68 100644
--- a/detection_rules/schemas/definitions.py
+++ b/detection_rules/schemas/definitions.py
@@ -41,7 +41,8 @@
 'system',
 'windows',
 'sentinel_one_cloud_funnel',
- 'ti_rapid7_threat_command']
+ 'ti_rapid7_threat_command',
+ 'm365_defender']
 NON_PUBLIC_FIELDS = {
 "related_integrations": (Version.parse('8.3.0'), None),
 "required_fields": (Version.parse('8.3.0'), None),
diff --git a/hunting/generate_markdown.py b/hunting/generate_markdown.py
index f71faec5880..fa5dad3b35e 100644
--- a/hunting/generate_markdown.py
+++ b/hunting/generate_markdown.py
@@ -28,12 +28,13 @@
 class Hunt:
 """Dataclass to represent a hunt."""
 author: str
+ description: str
 integration: list[str]
 uuid: str
 name: str
 language: str
 license: str
- query: str
+ query: list[str]
 notes: Optional[List[str]] = field(default_factory=list)
 mitre: Optional[List[str]] = field(default_factory=list)
 references: Optional[List[str]] = field(default_factory=list)
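Review bot: `'m365_defender'` is appended after `'ti_rapid7_threat_command'` at the tail of a list that is not kept in any order (`'system'`, `'windows'`, `'sentinel_one_cloud_funnel'` precede it), so a duplicate entry is easy to miss on review and every future addition lands on the same closing line, inviting merge conflicts. If this list is the closed set of accepted integration names, as its use in a schemas module suggests, consider sorting it and marking the intent with a comment on the line that opens it, e.g. `# keep sorted; one entry per accepted integration package name`. The list's opening bracket and its name are outside the hunk.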
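Review bot: `query: list[str]` changes the field's shape, but a dataclass annotation is not enforced at runtime, so a hunt definition (presumably loaded from TOML, given the converter's name) that still supplies a single string is accepted here and is then iterated character by character by the new loop in the `convert_toml_to_markdown` hunk, emitting one fenced block per character. A `__post_init__` guard pins the new contract: `def __post_init__(self):` followed by `    if isinstance(self.query, str): raise TypeError("Hunt.query must be a list of query strings")`. `description: str` has no default and so becomes mandatory for every hunt file; that may be intended but deserves a mention in the class docstring, which currently only says "Dataclass to represent a hunt." The class body may continue past the end of the hunk. Stylistically, the class now mixes `list[str]` with `Optional[List[str]]` from typing on sibling fields; one form would read more consistently.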
@@ -81,11 +82,13 @@ def convert_toml_to_markdown(hunt_config: Hunt, file_path: Path) -> str:
 markdown = f"# {hunt_config.name}\n\n---\n\n"
 markdown += "## Metadata\n\n"
 markdown += f"- **Author:** {hunt_config.author}\n"
+ markdown += f"- **Description:** {hunt_config.description}\n"
 markdown += f"- **UUID:** `{hunt_config.uuid}`\n"
 markdown += f"- **Integration:** {", ".join(generate_integration_links(hunt_config.integration))}\n"
 markdown += f"- **Language:** `{hunt_config.language}`\n\n"
 markdown += "## Query\n\n"
- markdown += f"```sql\n{hunt_config.query}```\n\n"
+ for query in hunt_config.query:
+ markdown += f"```sql\n{query}```\n\n"
 
 if hunt_config.notes:
 markdown += "## Notes\n\n" + "\n".join(f"- {note}" for note in hunt_config.notes)
diff --git a/hunting/index.md b/hunting/index.md
index eb6207e4337..33bb3d17c8b 100644
--- a/hunting/index.md
+++ b/hunting/index.md
@@ -3,9 +3,9 @@ Here are the queries currently available:
 
 ## llm
 
-- [Denial of Service or Resource Exhaustion Attacks Detection](./llm/docs/llm_dos_resource_exhaustion_detection.md) (ES|QL)
-- [Monitoring for Latency Anomalies](./llm/docs/llm_latency_anomalies_detection.md) (ES|QL)
-- [Sensitive Content Refusal Detection](./llm/docs/llm_sensitive_content_refusal_detection.md) (ES|QL)
+- [AWS Bedrock LLM Denial-of-Service or Resource Exhaustion](./llm/docs/aws_bedrock_dos_resource_exhaustion_detection.md) (ES|QL)
+- [AWS Bedrock LLM Latency Anomalies](./llm/docs/aws_bedrock_latency_anomalies_detection.md) (ES|QL)
+- [AWS Bedrock LLM Sensitive Content Refusals](./llm/docs/aws_bedrock_sensitive_content_refusal_detection.md) (ES|QL)
 
 ## macos
 
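Review bot: The new loop emits each query as the opening fence, the query text and the closing fence with no newline between the text and the closing fence, so whenever an element of `hunt_config.query` does not end with a newline the closing fence lands on the query's last line and the code block never closes, swallowing the rest of the page; the single-string line it replaces had the same weakness, but it is now repeated for every list element. Writing the fence on its own line removes the dependence on trailing whitespace in the source: ``markdown += f"```sql\n{query.rstrip()}\n```\n\n"``. The new `- **Description:** {hunt_config.description}` bullet is interpolated verbatim, so a multi-line description would break out of the metadata list; collapsing it with `" ".join(hunt_config.description.split())` keeps the bullet on one line. The function body continues past the end of the hunk.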
@@ -13,55 +13,36 @@ Here are the queries currently available: ## windows -- [CreateRemoteThread by source process with low occurrence](./windows/docs/createremotethread_by_source_process_with_low_occurrence.md) (ES|QL) -- [Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Elastic Defend](./windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_elastic_defend.md) (ES|QL) -- [Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Sysmon](./windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_sysmon.md) (ES|QL) -- [Detect masquerading attempts as native Windows binaries](./windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md) (ES|QL) -- [Detect Rare DLL SideLoad by Occurrence - Elastic Defend](./windows/docs/detect_rare_dll_sideload_by_occurrence_elastic_defend.md) (ES|QL) -- [Detect Rare DLL SideLoad by Occurrence - Sysmon](./windows/docs/detect_rare_dll_sideload_by_occurrence_sysmon.md) (ES|QL) -- [Detect Rare LSASS Process Access Attempts - Elastic Defend](./windows/docs/detect_rare_lsass_process_access_attempts_elastic_defend.md) (ES|QL) -- [Detect Rare LSASS Process Access Attempts - Sysmon](./windows/docs/detect_rare_lsass_process_access_attempts_sysmon.md) (ES|QL) -- [Doamin Names queries via Lolbins and with low occurence frequency](./windows/docs/doamin_names_queries_via_lolbins_and_with_low_occurence_frequency.md) (ES|QL) -- [Drivers Load with low occurrence frequency - Elastic Defend](./windows/docs/drivers_load_with_low_occurrence_frequency_elastic_defend.md) (ES|QL) -- [Drivers Load with low occurrence frequency - Sysmon](./windows/docs/drivers_load_with_low_occurrence_frequency_sysmon.md) (ES|QL) -- [Drivers Load with low occurrence frequency - Windows 7045](./windows/docs/drivers_load_with_low_occurrence_frequency_windows_7045.md) (ES|QL) -- [Excessive RDP Network Activity by Source Host and User- Elastic Defend - 
Sysmon](./windows/docs/excessive_rdp_network_activity_by_source_host_and_user-_elastic_defend_sysmon.md) (ES|QL) -- [Excessive RDP Network Activity by Source Host - Elastic Defend - Sysmon](./windows/docs/excessive_rdp_network_activity_by_source_host_elastic_defend_sysmon.md) (ES|QL) -- [Excessive SMB Network Activity by process Id](./windows/docs/excessive_smb_network_activity_by_process_id.md) (ES|QL) -- [Executable File creation by an Unusual Microsoft Binary - Elastic Defend](./windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_elastic_defend.md) (ES|QL) -- [Executable File creation by an Unusual Microsoft Binary - Sysmon](./windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_sysmon.md) (ES|QL) -- [Execution via Network Logon by occurrence frequency](./windows/docs/execution_via_network_logon_by_occurrence_frequency.md) (ES|QL) -- [Execution via Network Logon by occurrence frequency by top Source IP](./windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md) (ES|QL) +- [Low Occurrence Rate of CreateRemoteThread by Source Process](./windows/docs/createremotethread_by_source_process_with_low_occurrence.md) (ES|QL) +- [DLL Hijack via Masquerading as Microsoft Native Libraries](./windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md) (ES|QL) +- [Masquerading Attempts as Native Windows Binaries](./windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md) (ES|QL) +- [Rare DLL Side-Loading by Occurrence](./windows/docs/detect_rare_dll_sideload_by_occurrence.md) (ES|QL) +- [Rare LSASS Process Access Attempts](./windows/docs/detect_rare_lsass_process_access_attempts.md) (ES|QL) +- [DNS Queries via LOLBins with Low Occurence Frequency](./windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md) (ES|QL) +- [Low Occurrence of Drivers Loaded on Unique Hosts](./windows/docs/drivers_load_with_low_occurrence_frequency.md) (ES|QL) +- [Excessive RDP 
Network Activity by Host and User](./windows/docs/excessive_rdp_network_activity_by_source_host_and_user.md) (ES|QL) +- [Excessive SMB Network Activity by Process ID](./windows/docs/excessive_smb_network_activity_by_process_id.md) (ES|QL) +- [Executable File Creation by an Unusual Microsoft Binary](./windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md) (ES|QL) +- [Frequency of Process Execution via Network Logon by Source Address](./windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md) (ES|QL) - [Execution via Remote Services by Client Address](./windows/docs/execution_via_remote_services_by_client_address.md) (ES|QL) -- [Execution via Startup with low occurrence frequency](./windows/docs/execution_via_startup_with_low_occurrence_frequency.md) (ES|QL) -- [Execution via Windows Management Instrumentation by occurrence frequency by Unique Agent - Elastic Defend - Sysmon](./windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent_elastic_defend_sysmon.md) (ES|QL) -- [Execution via Windows Management Instrumentation by occurrence frequency - Elastic Defend - Sysmon](./windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon.md) (ES|QL) -- [Execution via Windows Management Instrumentation by occurrence frequency - Elastic Defend - Sysmon - Windows Security](./windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon_windows_security.md) (ES|QL) -- [Execution via Windows Scheduled Task with low occurrence frequency](./windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md) (ES|QL) -- [Execution via Windows Services with low occurrence frequency - Elastic Defend - Sysmon](./windows/docs/execution_via_windows_services_with_low_occurrence_frequency_elastic_defend_sysmon.md) (ES|QL) -- [Execution via Windows Services with low occurrence frequency - 
Windows Security](./windows/docs/execution_via_windows_services_with_low_occurrence_frequency_windows_security.md) (ES|QL) -- [High count of network connection over extended period by process - Elastic Defend Network](./windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network.md) (ES|QL) -- [High count of network connection over extended period by process - Elastic Defend Network - Sysmon](./windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network_sysmon.md) (ES|QL) -- [High count of network connection over extended period by process - Elastic Defend - Sysmon](./windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_sysmon.md) (ES|QL) -- [Libraries loaded by svchost with low occurrence frequency - Elastic Defend](./windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_elastic_defend.md) (ES|QL) -- [Libraries loaded by svchost with low occurrence frequency - Sysmon](./windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_sysmon.md) (ES|QL) -- [Microsoft Office Child Processes with low occurrence frequency](./windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md) (ES|QL) -- [Network Discovery via sensitive ports by unusual process](./windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md) (ES|QL) -- [PE File Transfer via SMB_Admin Shares by Agent](./windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md) (ES|QL) -- [PE File Transfer via SMB_Admin Shares by User](./windows/docs/pe_file_transfer_via_smb_admin_shares_by_user.md) (ES|QL) -- [Persistence via Run Key with low occurrence frequency - Elastic Defend](./windows/docs/persistence_via_run_key_with_low_occurrence_frequency_elastic_defend.md) (ES|QL) -- [Persistence via Run Key with low occurrence frequency - Sysmon](./windows/docs/persistence_via_run_key_with_low_occurrence_frequency_sysmon.md) (ES|QL) -- 
[Persistence via Startup with low occurrence frequency](./windows/docs/persistence_via_startup_with_low_occurrence_frequency.md) (ES|QL) -- [Persistence via Suspicious Launch Agent or Launch Daemon with low occurrence](./windows/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md) (ES|QL) -- [Potential Exfiltration by process total egress bytes](./windows/docs/potential_exfiltration_by_process_total_egress_bytes.md) (ES|QL) -- [Rundll32 execution aggregated by cmdline](./windows/docs/rundll32_execution_aggregated_by_cmdline.md) (ES|QL) -- [Scheduled tasks creation by action via registry](./windows/docs/scheduled_task_creation_by_action_via_registry.md) (ES|QL) -- [Scheduled tasks creation with low occurrence frequency](./windows/docs/scheduled_tasks_creation_with_low_occurrence_frequency.md) (ES|QL) -- [Suspicious Base64 Encoded PowerShell Command](./windows/docs/suspicious_base64_encoded_powershell_commands.md) (ES|QL) -- [Suspicious DNS TXT Record lookups by process](./windows/docs/suspicious_dns_txt_record_lookups_by_process.md) (ES|QL) -- [Unique Windows Services Creation by ServiceFileName - Elastic Defend Registry - Sysmon](./windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_registry_sysmon.md) (ES|QL) -- [Unique Windows Services Creation by ServiceFileName - Elastic Defend - Sysmon Registry](./windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_sysmon_registry.md) (ES|QL) -- [Unique Windows Services Creation by ServiceFileName - Windows Security 4697](./windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_4697.md) (ES|QL) -- [Unique Windows Services Creation by ServiceFileName - Windows Security 7045](./windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_7045.md) (ES|QL) -- [Windows Command and Scripting Interpreter from unusual 
parent](./windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md) (ES|QL) -- [Windows logon activity by source IP](./windows/docs/windows_logon_activity_by_source_ip.md) (ES|QL) +- [Startup Execution with Low Occurrence Frequency by Unique Host](./windows/docs/execution_via_startup_with_low_occurrence_frequency.md) (ES|QL) +- [Low Frequency of Process Execution via WMI by Unique Agent](./windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md) (ES|QL) +- [Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent](./windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md) (ES|QL) +- [Low Occurence of Process Execution via Windows Services with Unique Agent](./windows/docs/execution_via_windows_services_with_low_occurrence_frequency.md) (ES|QL) +- [High Count of Network Connection Over Extended Period by Process](./windows/docs/high_count_of_network_connection_over_extended_period_by_process.md) (ES|QL) +- [Libraries Loaded by svchost with Low Occurrence Frequency](./windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency.md) (ES|QL) +- [Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent](./windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md) (ES|QL) +- [Network Discovery via Sensitive Ports by Unusual Process](./windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md) (ES|QL) +- [PE File Transfer via SMB_Admin Shares by Agent or User](./windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md) (ES|QL) +- [Persistence via Run Key with Low Occurrence Frequency](./windows/docs/persistence_via_run_key_with_low_occurrence_frequency.md) (ES|QL) +- [Persistence via Startup with Low Occurrence Frequency by Unique Host](./windows/docs/persistence_via_startup_with_low_occurrence_frequency.md) (ES|QL) +- [Low Occurrence of Suspicious Launch Agent or Launch 
Daemon](./windows/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md) (ES|QL) +- [Egress Network Connections with Total Bytes Greater than Threshold](./windows/docs/potential_exfiltration_by_process_total_egress_bytes.md) (ES|QL) +- [Rundll32 Execution Aggregated by Command Line](./windows/docs/rundll32_execution_aggregated_by_cmdline.md) (ES|QL) +- [Scheduled tasks Creation by Action via Registry](./windows/docs/scheduled_task_creation_by_action_via_registry.md) (ES|QL) +- [Scheduled Tasks Creation for Unique Hosts by Task Command](./windows/docs/scheduled_tasks_creation_for_unique_hosts_by_task_command.md) (ES|QL) +- [Suspicious Base64 Encoded Powershell Command](./windows/docs/suspicious_base64_encoded_powershell_commands.md) (ES|QL) +- [Suspicious DNS TXT Record Lookups by Process](./windows/docs/suspicious_dns_txt_record_lookups_by_process.md) (ES|QL) +- [Unique Windows Services Creation by Service File Name](./windows/docs/unique_windows_services_creation_by_servicefilename.md) (ES|QL) +- [Windows Command and Scripting Interpreter from Unusual Parent Process](./windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md) (ES|QL) +- [Windows Logon Activity by Source IP](./windows/docs/windows_logon_activity_by_source_ip.md) (ES|QL) diff --git a/hunting/llm/docs/llm_dos_resource_exhaustion_detection.md b/hunting/llm/docs/aws_bedrock_dos_resource_exhaustion_detection.md similarity index 79% rename from hunting/llm/docs/llm_dos_resource_exhaustion_detection.md rename to hunting/llm/docs/aws_bedrock_dos_resource_exhaustion_detection.md index fd01b23659d..0f373c33cbb 100644 --- a/hunting/llm/docs/llm_dos_resource_exhaustion_detection.md +++ b/hunting/llm/docs/aws_bedrock_dos_resource_exhaustion_detection.md 
@@ -1,10 +1,12 @@ -# Denial of Service or Resource Exhaustion Attacks Detection +# AWS Bedrock LLM Denial-of-Service or Resource Exhaustion --- ## Metadata - **Author:** Elastic +- **Description:** This hunting query identifies unusual spikes in token usage that may indicate malicious attempts to disrupt services. High token usage can strain system resources and degrade performance, aligning with tactics observed in DoS attacks. + - **UUID:** `dc181967-c32c-46c9-b84b-ec4c8811c6a0` - **Integration:** [aws_bedrock.invocation](https://docs.elastic.co/integrations/aws_bedrock) - **Language:** `ES|QL` @@ -29,7 +31,6 @@ from logs-aws_bedrock.invocation-* ## Notes -- This query identifies unusual spikes in token usage that may indicate malicious attempts to disrupt services. High token usage can strain system resources and degrade performance, aligning with tactics observed in DoS attacks. - Consider reviewing the context of high token requests to differentiate between legitimate heavy usage and potential abuse. Monitor the source of requests and patterns over time for better assessment. - Ensure logging and monitoring are correctly configured to capture detailed metrics on token usage. This will facilitate accurate detection and allow for a quick response to potential threats. - Collect evidence from logs that detail the timestamp, user ID, session information, and token counts for incidents flagged by this analytic. This information will be crucial for forensic analysis in the event of a security incident. @@ -40,7 +41,7 @@ from logs-aws_bedrock.invocation-* - https://www.elastic.co/security-labs/elastic-advances-llm-security - https://owasp.org/www-project-top-10-for-large-language-model-applications/ -- [Denial of Service or Resource Exhaustion Attacks Detection](../queries/llm_dos_resource_exhaustion_detection.toml) +- [AWS Bedrock LLM Denial-of-Service or Resource Exhaustion](../queries/aws_bedrock_dos_resource_exhaustion_detection.toml) ## License 
diff --git a/hunting/llm/docs/llm_latency_anomalies_detection.md b/hunting/llm/docs/aws_bedrock_latency_anomalies_detection.md similarity index 80% rename from hunting/llm/docs/llm_latency_anomalies_detection.md rename to hunting/llm/docs/aws_bedrock_latency_anomalies_detection.md index 5073e1e3000..8c3c9b791a7 100644 --- a/hunting/llm/docs/llm_latency_anomalies_detection.md +++ b/hunting/llm/docs/aws_bedrock_latency_anomalies_detection.md @@ -1,10 +1,12 @@ -# Monitoring for Latency Anomalies +# AWS Bedrock LLM Latency Anomalies --- ## Metadata - **Author:** Elastic +- **Description:** This analytic helps identify delays in LLM responses that are outside expected performance parameters, possibly due to malicious disruptions like DDoS attacks or from operational inefficiencies. + - **UUID:** `3708787b-811b-43b1-b2e7-c7276b8db48c` - **Integration:** [aws_bedrock.invocation](https://docs.elastic.co/integrations/aws_bedrock) - **Language:** `ES|QL` @@ -24,7 +26,6 @@ from logs-aws_bedrock.invocation-* ## Notes -- This analytic helps identify delays in LLM responses that are outside expected performance parameters, possibly due to malicious disruptions like DDoS attacks or from operational inefficiencies. - Review the incidents flagged by this analytic to understand the context and potential sources of latency. This can include network configurations, resource allocation, or external network pressures. - Effective logging and monitoring setup are essential to capture relevant latency metrics accurately. Ensure system clocks and time syncing are properly configured to avoid false positives. - Gather comprehensive logs that detail the request and response timestamps, user IDs, and session details for thorough investigation and evidence collection in case of security incidents. 
@@ -35,7 +36,7 @@ from logs-aws_bedrock.invocation-* - https://www.elastic.co/security-labs/elastic-advances-llm-security - https://owasp.org/www-project-top-10-for-large-language-model-applications/ -- [Monitoring for Latency Anomalies](../queries/llm_latency_anomalies_detection.toml) +- [AWS Bedrock LLM Latency Anomalies](../queries/aws_bedrock_latency_anomalies_detection.toml) ## License diff --git a/hunting/llm/docs/llm_sensitive_content_refusal_detection.md b/hunting/llm/docs/aws_bedrock_sensitive_content_refusal_detection.md similarity index 78% rename from hunting/llm/docs/llm_sensitive_content_refusal_detection.md rename to hunting/llm/docs/aws_bedrock_sensitive_content_refusal_detection.md index b828a10a922..4def0245222 100644 --- a/hunting/llm/docs/llm_sensitive_content_refusal_detection.md +++ b/hunting/llm/docs/aws_bedrock_sensitive_content_refusal_detection.md @@ -1,10 +1,11 @@ -# Sensitive Content Refusal Detection +# AWS Bedrock LLM Sensitive Content Refusals --- ## Metadata - **Author:** Elastic +- **Description:** This analytic flags multiple instances of LLM refusals to respond to sensitive prompts, helping to maintain ethical guidelines and compliance standards. - **UUID:** `8fabae86-7ed2-4006-9623-5db28164f374` - **Integration:** [aws_bedrock.invocation](https://docs.elastic.co/integrations/aws_bedrock) - **Language:** `ES|QL` 
@@ -24,7 +25,6 @@ from logs-aws_bedrock.invocation-* ## Notes -- This analytic flags multiple instances of LLM refusals to respond to sensitive prompts, helping to maintain ethical guidelines and compliance standards. - Examine flagged interactions for patterns or anomalies in user requests that may indicate malicious intent or probing of model boundaries. - Regularly review and update the phrases that trigger refusals to adapt to new ethical guidelines and compliance requirements. - Ensure that data logs contain enough detail to provide context around the refusal, which will aid in subsequent investigations by security teams. @@ -35,7 +35,7 @@ from logs-aws_bedrock.invocation-* - https://www.elastic.co/security-labs/elastic-advances-llm-security - https://owasp.org/www-project-top-10-for-large-language-model-applications/ -- [Sensitive Content Refusal Detection](../queries/llm_sensitive_content_refusal_detection.toml) +- [AWS Bedrock LLM Sensitive Content Refusals](../queries/aws_bedrock_sensitive_content_refusal_detection.toml) ## License diff --git a/hunting/llm/queries/llm_dos_resource_exhaustion_detection.toml b/hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml similarity index 82% rename from hunting/llm/queries/llm_dos_resource_exhaustion_detection.toml rename to hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml index 8e693d42f26..1288ca5f0a5 100644 --- a/hunting/llm/queries/llm_dos_resource_exhaustion_detection.toml +++ b/hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml 
@@ -1,11 +1,15 @@ [hunt] author = "Elastic" +description = """ +This hunting query identifies unusual spikes in token usage that may indicate malicious attempts to disrupt services. High token usage can strain system resources and degrade performance, aligning with tactics observed in DoS attacks. +""" integration = ["aws_bedrock.invocation"] uuid = "dc181967-c32c-46c9-b84b-ec4c8811c6a0" -name = "Denial of Service or Resource Exhaustion Attacks Detection" +name = "AWS Bedrock LLM Denial-of-Service or Resource Exhaustion" language = "ES|QL" license = "Elastic License v2" -query = ''' +query = [ +''' from logs-aws_bedrock.invocation-* | WHERE @timestamp > NOW() - 1 DAY AND ( @@ -20,8 +24,8 @@ from logs-aws_bedrock.invocation-* | WHERE request_count > 1 | SORT max_prompt_tokens, max_request_tokens, max_completion_tokens DESC ''' +] notes = [ - "This query identifies unusual spikes in token usage that may indicate malicious attempts to disrupt services. High token usage can strain system resources and degrade performance, aligning with tactics observed in DoS attacks.", "Consider reviewing the context of high token requests to differentiate between legitimate heavy usage and potential abuse. Monitor the source of requests and patterns over time for better assessment.", "Ensure logging and monitoring are correctly configured to capture detailed metrics on token usage. This will facilitate accurate detection and allow for a quick response to potential threats.", "Collect evidence from logs that detail the timestamp, user ID, session information, and token counts for incidents flagged by this analytic. This information will be crucial for forensic analysis in the event of a security incident." 
diff --git a/hunting/llm/queries/llm_latency_anomalies_detection.toml b/hunting/llm/queries/aws_bedrock_latency_anomalies_detection.toml similarity index 82% rename from hunting/llm/queries/llm_latency_anomalies_detection.toml rename to hunting/llm/queries/aws_bedrock_latency_anomalies_detection.toml index 96e3253cbb4..52ef8b35674 100644 --- a/hunting/llm/queries/llm_latency_anomalies_detection.toml +++ b/hunting/llm/queries/aws_bedrock_latency_anomalies_detection.toml @@ -1,11 +1,15 @@ [hunt] author = "Elastic" +description = """ +This analytic helps identify delays in LLM responses that are outside expected performance parameters, possibly due to malicious disruptions like DDoS attacks or from operational inefficiencies. +""" integration = ["aws_bedrock.invocation"] uuid = "3708787b-811b-43b1-b2e7-c7276b8db48c" -name = "Monitoring for Latency Anomalies" +name = "AWS Bedrock LLM Latency Anomalies" language = "ES|QL" license = "Elastic License v2" -query = ''' +query = [ +''' from logs-aws_bedrock.invocation-* | WHERE @timestamp > NOW() - 1 DAY | EVAL response_delay_seconds = gen_ai.performance.start_response_time / 1000 
@@ -15,8 +19,8 @@ from logs-aws_bedrock.invocation-* | WHERE request_count > 3 | SORT max_response_delay DESC ''' +] notes = [ - "This analytic helps identify delays in LLM responses that are outside expected performance parameters, possibly due to malicious disruptions like DDoS attacks or from operational inefficiencies.", "Review the incidents flagged by this analytic to understand the context and potential sources of latency. This can include network configurations, resource allocation, or external network pressures.", "Effective logging and monitoring setup are essential to capture relevant latency metrics accurately. Ensure system clocks and time syncing are properly configured to avoid false positives.", "Gather comprehensive logs that detail the request and response timestamps, user IDs, and session details for thorough investigation and evidence collection in case of security incidents." diff --git a/hunting/llm/queries/llm_sensitive_content_refusal_detection.toml b/hunting/llm/queries/aws_bedrock_sensitive_content_refusal_detection.toml similarity index 82% rename from hunting/llm/queries/llm_sensitive_content_refusal_detection.toml rename to hunting/llm/queries/aws_bedrock_sensitive_content_refusal_detection.toml index 535f8879c54..ed5c16deca7 100644 --- a/hunting/llm/queries/llm_sensitive_content_refusal_detection.toml +++ b/hunting/llm/queries/aws_bedrock_sensitive_content_refusal_detection.toml @@ -1,11 +1,13 @@ [hunt] author = "Elastic" +description = "This analytic flags multiple instances of LLM refusals to respond to sensitive prompts, helping to maintain ethical guidelines and compliance standards." integration = ["aws_bedrock.invocation"] uuid = "8fabae86-7ed2-4006-9623-5db28164f374" -name = "Sensitive Content Refusal Detection" +name = "AWS Bedrock LLM Sensitive Content Refusals" language = "ES|QL" license = "Elastic License v2" -query = ''' +query = [ +''' from logs-aws_bedrock.invocation-* | WHERE @timestamp > NOW() - 1 DAY AND ( 
@@ -15,8 +17,8 @@ from logs-aws_bedrock.invocation-* | STATS user_request_count = count() BY gen_ai.user.id | WHERE user_request_count >= 3 ''' +] notes = [ - "This analytic flags multiple instances of LLM refusals to respond to sensitive prompts, helping to maintain ethical guidelines and compliance standards.", "Examine flagged interactions for patterns or anomalies in user requests that may indicate malicious intent or probing of model boundaries.", "Regularly review and update the phrases that trigger refusals to adapt to new ethical guidelines and compliance requirements.", "Ensure that data logs contain enough detail to provide context around the refusal, which will aid in subsequent investigations by security teams." diff --git a/hunting/macos/docs/suspicious_network_connections_by_unsigned_macho.md b/hunting/macos/docs/suspicious_network_connections_by_unsigned_macho.md index 9d689608af4..1296c555893 100644 --- a/hunting/macos/docs/suspicious_network_connections_by_unsigned_macho.md +++ b/hunting/macos/docs/suspicious_network_connections_by_unsigned_macho.md @@ -5,6 +5,8 @@ ## Metadata - **Author:** Elastic +- **Description:** This hunt aggregates by process ID and destination IP by the number of connections per hour over a period of time greater than a defined threshold. This may indicate suspicious network connections by unsigned Mach-O binaries. + - **UUID:** `44aff0e3-e0d7-4dca-a94f-2dd0b96f18bd` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `ES|QL` 
@@ -14,8 +16,8 @@ ```sql from logs-endpoint.events.network-* | where @timestamp > now() - 7 day -| where host.os.family == "macos" and event.category == "network" and - (process.code_signature.exists == false or process.code_signature.trusted != true) and +| where host.os.family == "macos" and event.category == "network" and + (process.code_signature.exists == false or process.code_signature.trusted != true) and /* excluding private IP ranges */ not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") | keep source.bytes, destination.address, process.name, process.entity_id, @timestamp @@ -29,8 +31,8 @@ from logs-endpoint.events.network-* ## Notes -- This hunt aggregates by process ID and destination IP the number of connections per hour over a period of time greater than a defined threshold. The process paths are scoped to Microsoft signed binaries often injected or used as a lolbin to masquerade malicious execution. This could be a sign of long term network activity to perform command and control from an injected process. -- Hunt can be extended by adding suspicious process paths or lolbins. +- This hunt returns a list of processes by entity_id and name that have a high number of connections per hour over a period of time greater than a defined threshold. +- Pivoting by `process.entity_id` will allow further investigation (parent process, hash, child processes, other network events etc.). ## MITRE ATT&CK Techniques - [T1071](https://attack.mitre.org/techniques/T1071) 
diff --git a/hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml b/hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml index b8987070cd7..1335175eb9c 100644 --- a/hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml +++ b/hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml 
@@ -1,20 +1,24 @@
 [hunt]
 author = "Elastic"
+description = """
+This hunt aggregates by process ID and destination IP by the number of connections per hour over a period of time greater than a defined threshold. This may indicate suspicious network connections by unsigned Mach-O binaries.
+"""
 integration = ["endpoint"]
 uuid = "44aff0e3-e0d7-4dca-a94f-2dd0b96f18bd"
 name = "Suspicious Network Connections by Unsigned Mach-O"
 language = "ES|QL"
 license = "Elastic License v2"
 notes = [
-"This hunt aggregates by process ID and destination IP the number of connections per hour over a period of time greater than a defined threshold. The process paths are scoped to Microsoft signed binaries often injected or used as a lolbin to masquerade malicious execution. This could be a sign of long term network activity to perform command and control from an injected process.", "Hunt can be extended by adding suspicious process paths or lolbins.",
+"This hunt returns a list of processes by entity_id and name that have a high number of connections per hour over a period of time greater than a defined threshold.",
+"Pivoting by `process.entity_id` will allow further investigation (parent process, hash, child processes, other network events etc.).",
 ]
 mitre = ["T1071"]
-
-query = '''
+query = [
+'''
 from logs-endpoint.events.network-*
 | where @timestamp > now() - 7 day
-| where host.os.family == "macos" and event.category == "network" and
-(process.code_signature.exists == false or process.code_signature.trusted != true) and
+| where host.os.family == "macos" and event.category == "network" and
+(process.code_signature.exists == false or process.code_signature.trusted != true) and
 /* excluding private IP ranges */
 not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
"192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") | keep source.bytes, destination.address, process.name, process.entity_id, @timestamp @@ -24,4 +28,5 @@ from logs-endpoint.events.network-* | keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour /* threshold is set to 120 connections per minute, you can adjust it to your env/FP rate */ | where duration_hours >= 8 and number_of_con_per_hour >= 120 -''' \ No newline at end of file +''' +] diff --git a/hunting/windows/docs/createremotethread_by_source_process_with_low_occurrence.md b/hunting/windows/docs/createremotethread_by_source_process_with_low_occurrence.md index ed7e810f929..f2972c3a436 100644 --- a/hunting/windows/docs/createremotethread_by_source_process_with_low_occurrence.md +++ b/hunting/windows/docs/createremotethread_by_source_process_with_low_occurrence.md @@ -1,10 +1,11 @@ -# CreateRemoteThread by source process with low occurrence +# Low Occurrence Rate of CreateRemoteThread by Source Process --- ## Metadata - **Author:** Elastic +- **Description:** This hunt attempts to identify remote process injection by aggregating Sysmon `CreateRemoteThread` events by source process and returns the ones that we observed in only one unique host. - **UUID:** `0545f23f-84a7-4b88-9b5b-b8cfcfdc9276` - **Integration:** [windows](https://docs.elastic.co/integrations/windows) - **Language:** `ES|QL` @@ -12,7 +13,7 @@ ## Query ```sql -from logs-windows.sysmon_operational-* +from logs-windows.sysmon_operational-* | where @timestamp > now() - 7 day | where host.os.family == "windows" and event.category == "process" and event.action == "CreateRemoteThread" | eval source_process = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") 
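Review bot: The `/* excluding private IP ranges */` filter kept in this hunk omits the IPv6 unique-local block `fc00::/7` (and `0.0.0.0/8`), so connections from an unsigned Mach-O to internal IPv6 destinations survive the exclusion and surface alongside genuinely external ones, inflating per-destination counts; adding `"fc00::/7", "0.0.0.0/8"` to the `CIDR_MATCH` list closes that gap. The new `description` also reads "aggregates by process ID and destination IP by the number of connections" — the second "by" should be "the number of connections", and because the description is rendered into the generated docs the typo propagates there. The ES|QL query continues past the end of the hunk.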
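Review bot: The comment kept just above the closing `'''` says `threshold is set to 120 connections per minute` while the filter it annotates is `number_of_con_per_hour >= 120`; one of them is wrong, and given the field name it is the comment, so it should read `/* threshold is set to 120 connections per hour sustained for at least 8 hours, adjust to your env/FP rate */`. The same comment is copied verbatim into the generated .md, so correcting it here fixes both. The stats lines that compute `duration_hours` and `number_of_con_per_hour` lie outside the hunk.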
@@ -23,8 +24,7 @@ from logs-windows.sysmon_operational-* ## Notes -- This hunt aggregates Sysmon CreateRemoteThread events by source process and returns the ones that we observed in only one unique host. This may indicate remote process injection. -- Adding winlog.event_data.TargetImage to the group by clause can be beneficial but may introduce more legit hits. +- Adding `winlog.event_data.TargetImage` to the aggregation clause can be beneficial but may introduce more false-positives. ## MITRE ATT&CK Techniques - [T1055](https://attack.mitre.org/techniques/T1055) diff --git a/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md b/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md new file mode 100644 index 00000000000..554a41cdbd4 --- /dev/null +++ b/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md 
@@ -0,0 +1,62 @@ +# DLL Hijack via Masquerading as Microsoft Native Libraries + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt identifies when a process loads a DLL normally located in `System32` or `SysWOW64` folders from an unusual path. Adversaries may execute their own malicious payloads by side-loading malicious DLLs. The host count also should help exclude false-positives by looking at low occurrences when this abnormal behavior is limited to unique agents. +- **UUID:** `87c97865-fdaa-48b2-bfa6-67bed7cf56ef` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) +- **Language:** `ES|QL` + +## Query + +```sql +from logs-endpoint.events.library-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and + not dll.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" +| keep dll.name, dll.path, dll.hash.sha256, process.executable, host.id + /* steps how to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c */ +| ENRICH libs-policy-defend + /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */ +| where native == "yes" and not starts_with(dll.path, "C:\\Windows\\assembly\\NativeImages") + /* normalize paths by removing random patterns */ +| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), + dll_path = replace(dll.path, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| stats host_count 
= count_distinct(host.id) by dll.name, dll_path, process_path, dll.hash.sha256 +| sort host_count asc +``` + +```sql +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and + not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" +| keep file.name, file.path, file.hash.sha256, process.executable, host.id + /* steps to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c - just replace dll by file */ +| ENRICH libs-policy-sysmon + /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */ +| where native == "yes" and not starts_with(file.path, "C:\\Windows\\assembly\\NativeImages") + /* normalize paths by removing random patterns */ +| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), + dll_path = replace(file.path, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| stats host_count = count_distinct(host.id) by file.name, dll_path, process_path, file.hash.sha256 +| sort host_count asc +``` + +## Notes + +- This hunt has two optional queries, one for Elastic Defend data and another for Sysmon data. +- This hunt requires the creation of an [enrichment policy](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-enrich-data.html) to use with the ES|QL (ENRICH command). +- The `dll.hash.sha256` field can be used to pivot and further investigate the DLL origin and purpose. 
+- Paths like `C:\Users\Public and C:\ProgramData\` are often observed in malware employing DLL side-loading. +## MITRE ATT&CK Techniques + +- [T1574](https://attack.mitre.org/techniques/T1574) +- [T1574.001](https://attack.mitre.org/techniques/T1574/001) + +## License + +- `Elastic License v2` diff --git a/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_elastic_defend.md b/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_elastic_defend.md deleted file mode 100644 index c145a5cd474..00000000000 --- a/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_elastic_defend.md +++ /dev/null 
@@ -1,43 +0,0 @@ -# Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Elastic Defend - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `87c97865-fdaa-48b2-bfa6-67bed7cf56ef` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.library-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and - not dll.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" -| keep dll.name, dll.path, dll.hash.sha256, process.executable, host.id - /* steps how to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c */ -| ENRICH libs-policy-defend - /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */ -| where native == "yes" and not starts_with(dll.path, "C:\\Windows\\assembly\\NativeImages") - /* normalize paths by removing random patterns */ -| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), - dll_path = replace(dll.path, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| stats host_count = count_distinct(host.id) by dll.name, dll_path, process_path, dll.hash.sha256 -| sort host_count asc -``` - -## Notes - -- This hunt require the creation of an enrichment policy to use with the ES|QL (ENRICH command). -- The `dll.hash.sha256` field can be used to pivot and further investigate the DLL origin and purpose. 
-- Paths like C:\Users\Public and C:\ProgramData\ are often observed in malware employing DLL side-loading. -## MITRE ATT&CK Techniques - -- [T1574](https://attack.mitre.org/techniques/T1574) -- [T1574.001](https://attack.mitre.org/techniques/T1574/001) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_sysmon.md b/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_sysmon.md deleted file mode 100644 index eea9bcfc381..00000000000 --- a/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_sysmon.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `68314691-1460-4ac5-ae0d-6b3514e43254` -- **Integration:** [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and - not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" -| keep file.name, file.path, file.hash.sha256, process.executable, host.id - /* steps to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c - just replace dll by file */ -| ENRICH libs-policy-sysmon - /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */ -| where native == "yes" and not starts_with(file.path, "C:\\Windows\\assembly\\NativeImages") - /* normalize paths by removing random patterns */ -| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), - dll_path = replace(file.path, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| stats host_count = count_distinct(host.id) by file.name, dll_path, process_path, file.hash.sha256 -| sort host_count asc -``` - -## Notes - -- This hunt require the creation of an enrichment policy to use with the ES|QL (ENRICH command). -- Using dll.hash.sha256 for Elastic Defend or file.hash.sha256 for Sysmon you can pivot to further investigate the DLL origin and purpose. 
-- Paths like C:\Users\Public and C:\ProgramData\ are often observed in malware employing DLL side-loading. -- Process code signature information is not captured in Sysmon Image Load Events (not present in the ES|QL hunt). -## MITRE ATT&CK Techniques - -- [T1574](https://attack.mitre.org/techniques/T1574) -- [T1574.001](https://attack.mitre.org/techniques/T1574/001) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md b/hunting/windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md index 88ce8654b4c..0060613108e 100644 --- a/hunting/windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md +++ b/hunting/windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md @@ -1,10 +1,11 @@ -# Detect masquerading attempts as native Windows binaries +# Masquerading Attempts as Native Windows Binaries --- ## Metadata - **Author:** Elastic +- **Description:** This hunt detects processes named as legit Microsoft native binaries located in the system32 folder. Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. - **UUID:** `93a72542-a1f7-4407-9175-8f066343db60` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `ES|QL` 
@@ -27,8 +28,8 @@ from logs-endpoint.events.process-* ## Notes -- Output of the query is the process.name and host.id, you can pivot by host.id and process.name(non Microsoft signed) to find the specific suspicious instances. -- Potential false positives include processes with missing code signature details due to enrichment bugs. +- Output of the query is the `process.name` and `host.id` where you can pivot by `host.id` and `process.name` (non Microsoft signed) to find the specific suspicious instances. +- Potential false-positives include processes with missing code signature details due to enrichment bugs. - The queried index must capture process start events with code signature information (e.g. Windows event 4688 is not supported). ## MITRE ATT&CK Techniques diff --git a/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence.md b/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence.md new file mode 100644 index 00000000000..af1dc7fbfcd --- /dev/null +++ b/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence.md 
@@ -0,0 +1,58 @@ +# Rare DLL Side-Loading by Occurrence + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt identifies instances where a signed Windows process attempts to load an unsigned DLL from the same process folder. Matches are limited to a unique host with low library load occurrence. Adversaries may execute their own malicious payloads by side-loading malicious DLLs. +- **UUID:** `bcdb7c29-1312-4974-8f2e-10ddeb09cf5c` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) +- **Language:** `ES|QL` + +## Query + +```sql +from logs-endpoint.events.library-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and dll.Ext.relative_file_creation_time <= 86400 +| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1)) +| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1)) +| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and process.name != dll.name +| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\") +| stats host_count = count_distinct(host.id), total_count = count(*) by 
dll_folder, dll.name, process.name, dll.hash.sha256 +/* total_count can be adjusted to higher or lower values depending on env */ +| where host_count == 1 and total_count <= 10 | keep total_count, host_count, dll_folder, dll.name, process.name, dll.hash.sha256 +``` + +```sql +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and + not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" +| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1)) +| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1)) +| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and file.name != process.name +/* paths normalization by removing random patterns */ +| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\") +| stats host_count = count_distinct(host.id), total_count = count(*) by dll_folder, file.name, process.name, file.hash.sha256 +/* total_count can be adjusted to higher or lower values depending on env */ +| where host_count == 1 and total_count <= 10 +| keep total_count, host_count, dll_folder, file.name, 
process.name, file.hash.sha256 +``` + +## Notes + +- This hunt has two optional queries, one for Elastic Defend data and another for Sysmon data. +- Based on the returned results you can further investigate suspicious DLLs by sha256 and library path. +- Paths like `C:\\Users\\Public` and `C:\\ProgramData\\` are often observed in malware employing DLL side-loading. +- Elastic Defned DLL Events include `dll.Ext.relative_file_creation_time` which help us limit the hunt to recently dropped DLLs. +## MITRE ATT&CK Techniques + +- [T1574](https://attack.mitre.org/techniques/T1574) +- [T1574.002](https://attack.mitre.org/techniques/T1574/002) + +## License + +- `Elastic License v2` diff --git a/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence_elastic_defend.md b/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence_elastic_defend.md deleted file mode 100644 index eed842ad621..00000000000 --- a/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence_elastic_defend.md +++ /dev/null 
@@ -1,40 +0,0 @@ -# Detect Rare DLL SideLoad by Occurrence - Elastic Defend - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `bcdb7c29-1312-4974-8f2e-10ddeb09cf5c` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.library-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and dll.Ext.relative_file_creation_time <= 86400 -| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1)) -| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1)) -| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and process.name != dll.name -| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\") -| stats host_count = count_distinct(host.id), total_count = count(*) by dll_folder, dll.name, process.name, dll.hash.sha256 -/* total_count can be adjusted to higher or lower values depending on env */ -| where host_count == 1 and total_count <= 10 | keep total_count, host_count, dll_folder, dll.name, process.name, dll.hash.sha256 -``` - -## Notes - -- Based on the returned results you can further 
investigate suspicious DLLs by sha256 and library path. -- Paths like C:\\Users\\Public and C:\\ProgramData\\ are often observed in malware employing DLL side-loading. -- Elastic Defned DLL Events include dll.Ext.relative_file_creation_time which help us limit the hunt to recently dropped DLLs. -## MITRE ATT&CK Techniques - -- [T1574](https://attack.mitre.org/techniques/T1574) -- [T1574.002](https://attack.mitre.org/techniques/T1574/002) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence_sysmon.md b/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence_sysmon.md deleted file mode 100644 index 6056a0cc5cd..00000000000 --- a/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence_sysmon.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# Detect Rare DLL SideLoad by Occurrence - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `0df1e142-7d70-4112-be8d-6c60ac812883` -- **Integration:** [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and - not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" -| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1)) -| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1)) -| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and file.name != process.name -/* paths normalization by removing random patterns */ -| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\") -| stats host_count = count_distinct(host.id), total_count = count(*) by dll_folder, file.name, process.name, file.hash.sha256 -/* total_count can be adjusted to higher or lower values depending on env */ -| where host_count == 1 and total_count <= 10 -| keep total_count, host_count, dll_folder, 
file.name, process.name, file.hash.sha256 -``` - -## Notes - -- Based on the returned results you can further investigate suspicious DLLs by sha256 and library path. -- Paths like C:\\Users\\Public and C:\\ProgramData\\ are often observed in malware employing DLL side-loading. -- Elastic Defned DLL Events include dll.Ext.relative_file_creation_time which help us limit the hunt to recently dropped DLLs. -## MITRE ATT&CK Techniques - -- [T1574](https://attack.mitre.org/techniques/T1574) -- [T1574.002](https://attack.mitre.org/techniques/T1574/002) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/detect_rare_lsass_process_access_attempts.md b/hunting/windows/docs/detect_rare_lsass_process_access_attempts.md new file mode 100644 index 00000000000..f00621d8408 --- /dev/null +++ b/hunting/windows/docs/detect_rare_lsass_process_access_attempts.md 
@@ -0,0 +1,52 @@ +# Rare LSASS Process Access Attempts + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt identifies instances where a process attempts to open the Local Security Authority Subsystem Service (LSASS) memory and where the number of occurences is limited to one unique agent and a low number of attempts. This may indicate either a rare legitimate condition or a malicious process attempting to obtain credentials or inject code into the LSASS. + +- **UUID:** `3978e183-0b70-4e1c-8c40-24e367f6db5a` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) +- **Language:** `ES|QL` + +## Query + +```sql +from logs-endpoint.events.api* +| where @timestamp > NOW() - 7 day +| where event.category == "api" and host.os.family == "windows" and process.Ext.api.name in ("OpenProcess", "OpenThread", "ReadProcessMemory") and + Target.process.name == "lsass.exe" +| keep process.executable.caseless, host.id + /* normalize process paths to reduce known random patterns in process.executable */ +| eval process = replace(process.executable.caseless, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| stats occurences = count(process), agents = count_distinct(host.id) by process +| where agents == 1 and occurences <= 10 +``` + +```sql +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where event.category == "process" and host.os.family == "windows" and event.action == "ProcessAccess" and + winlog.event_data.TargetImage in ("C:\\Windows\\system32\\lsass.exe", "c:\\Windows\\system32\\lsass.exe", "c:\\Windows\\System32\\lsass.exe") +| keep process.executable, host.id + /* normalize process paths to reduce known random patterns in process.executable */ +| eval process_path = replace(process.executable, 
"""([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") +| stats occurences = count(process_path), agents = count_distinct(host.id) by process_path +| where agents == 1 and occurences <= 10 +``` + +## Notes + +- Based on the process.executable and process.name you can pivot and investigate further for the matching instances. +- Potential false-positives include rare legitimate conditions that may trigger this behavior due to third-party software or LSASS crashing. +## MITRE ATT&CK Techniques + +- [T1003](https://attack.mitre.org/techniques/T1003) +- [T1003.001](https://attack.mitre.org/techniques/T1003/001) + +## License + +- `Elastic License v2` diff --git a/hunting/windows/docs/detect_rare_lsass_process_access_attempts_elastic_defend.md b/hunting/windows/docs/detect_rare_lsass_process_access_attempts_elastic_defend.md deleted file mode 100644 index eb78c28acb0..00000000000 --- a/hunting/windows/docs/detect_rare_lsass_process_access_attempts_elastic_defend.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# Detect Rare LSASS Process Access Attempts - Elastic Defend - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `3978e183-0b70-4e1c-8c40-24e367f6db5a` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.api* -| where @timestamp > NOW() - 7 day -| where event.category == "api" and host.os.family == "windows" and process.Ext.api.name in ("OpenProcess", "OpenThread", "ReadProcessMemory") and - Target.process.name == "lsass.exe" -| keep process.executable.caseless, host.id - /* normalize process paths to reduce known random patterns in process.executable */ -| eval process = replace(process.executable.caseless, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| stats occurences = count(process), agents = count_distinct(host.id) by process -| where agents == 1 and occurences <= 10 -``` - -## Notes - -- Based on the process.executable and process.name you can pivot and investigate further the matching instances. -- Potential false positives include rare legit condition that may trigger this behavior due to third party software or Lsass crash. -## MITRE ATT&CK Techniques - -- [T1003](https://attack.mitre.org/techniques/T1003) -- [T1003.001](https://attack.mitre.org/techniques/T1003/001) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/detect_rare_lsass_process_access_attempts_sysmon.md b/hunting/windows/docs/detect_rare_lsass_process_access_attempts_sysmon.md deleted file mode 100644 index 90a1d7097d0..00000000000 --- a/hunting/windows/docs/detect_rare_lsass_process_access_attempts_sysmon.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# Detect Rare LSASS Process Access Attempts - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `3978e183-0b70-4e1c-8c40-24e367f6db5a` -- **Integration:** [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where event.category == "process" and host.os.family == "windows" and event.action == "ProcessAccess" and - winlog.event_data.TargetImage in ("C:\\Windows\\system32\\lsass.exe", "c:\\Windows\\system32\\lsass.exe", "c:\\Windows\\System32\\lsass.exe") -| keep process.executable, host.id - /* normalize process paths to reduce known random patterns in process.executable */ -| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") -| stats occurences = count(process_path), agents = count_distinct(host.id) by process_path -| where agents == 1 and occurences <= 10 -``` - -## Notes - -- Based on the process.executable and process.name you can pivot and investigate further the matching instances. -- Potential false positives include rare legit condition that may trigger this behavior due to third party software or Lsass crash. -## MITRE ATT&CK Techniques - -- [T1003](https://attack.mitre.org/techniques/T1003) -- [T1003.001](https://attack.mitre.org/techniques/T1003/001) - -## License - -- `Elastic License v2` 
diff --git a/hunting/windows/docs/doamin_names_queries_via_lolbins_and_with_low_occurence_frequency.md b/hunting/windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md similarity index 62% rename from hunting/windows/docs/doamin_names_queries_via_lolbins_and_with_low_occurence_frequency.md rename to hunting/windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md index 4f395303679..9ca5fde9043 100644 --- a/hunting/windows/docs/doamin_names_queries_via_lolbins_and_with_low_occurence_frequency.md +++ b/hunting/windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md @@ -1,10 +1,12 @@ -# Doamin Names queries via Lolbins and with low occurence frequency +# DNS Queries via LOLBins with Low Occurence Frequency --- ## Metadata - **Author:** Elastic +- **Description:** This hunt looks for DNS queries performed by commonly abused Microsoft binaries that perform remote file transfer or binary proxy execution. Aggregations for the number of occurrences is limited to one host to reduce the number of potentially legitimate hits. + - **UUID:** `ebf8eb13-c98a-4d2c-8bdb-3f72a3a3961b` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) - **Language:** `ES|QL` 
@@ -13,9 +15,9 @@ ```sql from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day and host.os.family == "windows" and event.category == "network" and - event.action in ("lookup_requested", "DNSEvent (DNS query)") and - process.name in ("powershell.exe", "rundll32.exe", "certutil.exe", "curl.exe", "wget.exe", "CertReq.exe", "bitsadmin.exe", "mshta.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "regsvr32.exe", "MSBuild.exe", "InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "msxsl.exe", "CONTROL.EXE", "Microsoft.Workflow.Compiler.exe", "msiexec.exe") and dns.question.name rlike """.+\.[a-z-A-Z]{2,3}""" +| where @timestamp > now() - 7 day and host.os.family == "windows" and event.category == "network" and + event.action in ("lookup_requested", "DNSEvent (DNS query)") and + process.name in ("powershell.exe", "rundll32.exe", "certutil.exe", "curl.exe", "wget.exe", "CertReq.exe", "bitsadmin.exe", "mshta.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "regsvr32.exe", "MSBuild.exe", "InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "msxsl.exe", "CONTROL.EXE", "Microsoft.Workflow.Compiler.exe", "msiexec.exe") and dns.question.name rlike """.+\.[a-z-A-Z]{2,3}""" | keep process.name, dns.question.name, host.id | stats occurrences = count(*), hosts = count_distinct(host.id) by process.name, dns.question.name | where hosts == 1 
@@ -23,8 +25,8 @@ from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* ## Notes -- Utilities like curl and SSL verification web-servvices are noisy, while others are rare like scripting utilities and are worth further investigation. -- Connection to legit domains like github, discord, telegram and many other legit web-services by lolbins is still suspicious and require further investigation. +- Utilities like curl and SSL verification for web services are noisy, while others are rare such as scripting utilities and are worth further investigation. +- Connection to legit domains like Github, Discord, Telegram and many other legit web services by LOLBins is still suspicious and require further investigation. ## MITRE ATT&CK Techniques - [T1071](https://attack.mitre.org/techniques/T1071) diff --git a/hunting/windows/docs/drivers_load_with_low_occurrence_frequency.md b/hunting/windows/docs/drivers_load_with_low_occurrence_frequency.md new file mode 100644 index 00000000000..8167a99d2a8 --- /dev/null +++ b/hunting/windows/docs/drivers_load_with_low_occurrence_frequency.md 
@@ -0,0 +1,57 @@ +# Low Occurrence of Drivers Loaded on Unique Hosts + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt helps identify drivers loaded once on a unique host and with a unique hash over a 15 day period of time. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode. + +- **UUID:** `99818ad6-c242-4da7-a41a-df64fe7314d6` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system) +- **Language:** `ES|QL` + +## Query + +```sql +from logs-endpoint.events.library-* +| where @timestamp > now() - 15 day +| where host.os.family == "windows" and event.category == "driver" and event.action == "load" and dll.Ext.relative_file_creation_time <= 900 +| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(dll.hash.sha256) by dll.name, dll.pe.imphash +| where host_count == 1 and total_count == 1 and hash_count == 1 +``` + +```sql +from logs-windows.sysmon_operational-* +| where @timestamp > now() - 15 day +| where host.os.family == "windows" and event.category == "driver" +| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(file.hash.sha256) by file.name +| where host_count == 1 and total_count == 1 and hash_count == 1 +``` + +```sql +from logs-system.system-* +| where @timestamp > now() - 15day +| where host.os.family == "windows" and event.code == "7045" and + winlog.event_data.ServiceType == "kernel mode driver" +| eval ServiceFileName = replace(winlog.event_data.ImagePath, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") +| eval 
ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName +| where hosts == 1 and cc == 1 +``` + +## Notes + +- This hunt has three optional queries, one for Elastic Defend data, another for Sysmon data and the last one for Windows 7045 events. +- Further investigation can be done pivoting by `dll.pe.imphash` or `dll.name.` +- `dll.Ext.relative_file_creation_time` is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend). +- Aggregation can also be done by `dll.hash.sha256` / `file.hash.sha256` but will return more results. +- Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.). +## MITRE ATT&CK Techniques + +- [T1068](https://attack.mitre.org/techniques/T1068) + +## License + +- `Elastic License v2` diff --git a/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_elastic_defend.md b/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_elastic_defend.md deleted file mode 100644 index 3ea91098b8e..00000000000 --- a/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_elastic_defend.md +++ /dev/null 
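Review bot: In the Notes section the bullet `- Further investigation can be done pivoting by `dll.pe.imphash` or `dll.name.`` puts the sentence period inside the code span, so the field renders as `dll.name.`; the same pattern appears in the excessive_smb notes hunk (`host.id.`), and both should read `` `dll.name`. `` / `` `host.id`. `` with the period outside the backticks. The third query uses `now() - 15day` while the first two use `now() - 15 day`; aligning on `15 day` avoids readers wondering whether the spacing matters. The consolidated file keeps only the former Elastic Defend UUID (`99818ad6-c242-4da7-a41a-df64fe7314d6`) and drops the Sysmon (`6bb90aba-af6b-4128-a9b2-160e164a15ff`) and 7045 (`bc4848ce-5323-42b4-a559-3333c11ca938`) UUIDs from the deleted files; if anything outside this diff indexes hunts by UUID, those references would now dangle and should be checked.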
@@ -1,34 +0,0 @@ -# Drivers Load with low occurrence frequency - Elastic Defend - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `99818ad6-c242-4da7-a41a-df64fe7314d6` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.library-* -| where @timestamp > now() - 15 day -| where host.os.family == "windows" and event.category == "driver" and event.action == "load" and dll.Ext.relative_file_creation_time <= 900 -| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(dll.hash.sha256) by dll.name, dll.pe.imphash -| where host_count == 1 and total_count == 1 and hash_count == 1 -``` - -## Notes - -- This hunt helps identify drivers loaded once, on a unique host and with a unique hash over a 15 days period of time. Further investigation can be done pivoting by dll.pe.imphash or dll.name. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode. -- dll.Ext.relative_file_creation_time is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend). -- aggregation can be done also by dll.hash.sha256 / file.hash.sha256 but will return more results. -- Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.). -## MITRE ATT&CK Techniques - -- [T1068](https://attack.mitre.org/techniques/T1068) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_sysmon.md b/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_sysmon.md deleted file mode 100644 index 8fbd8a21b2c..00000000000 --- a/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_sysmon.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# Drivers Load with low occurrence frequency - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `6bb90aba-af6b-4128-a9b2-160e164a15ff` -- **Integration:** [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-windows.sysmon_operational-* -| where @timestamp > now() - 15 day -| where host.os.family == "windows" and event.category == "driver" -| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(file.hash.sha256) by file.name -| where host_count == 1 and total_count == 1 and hash_count == 1 -``` - -## Notes - -- This hunt helps identify drivers loaded once, on a unique host and with a unique hash over a 15 days period of time. Further investigation can be done pivoting by dll.pe.imphash or dll.name. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode. -- dll.Ext.relative_file_creation_time is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend). -- aggregation can be done also by dll.hash.sha256 / file.hash.sha256 but will return more results. -- Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.). -## MITRE ATT&CK Techniques - -- [T1068](https://attack.mitre.org/techniques/T1068) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_windows_7045.md b/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_windows_7045.md deleted file mode 100644 index 4dbfe25f8ad..00000000000 --- a/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_windows_7045.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# Drivers Load with low occurrence frequency - Windows 7045 - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `bc4848ce-5323-42b4-a559-3333c11ca938` -- **Integration:** [system](https://docs.elastic.co/integrations/system) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-system.system-* -| where @timestamp > now() - 15day -| where host.os.family == "windows" and event.code == "7045" and - winlog.event_data.ServiceType == "kernel mode driver" -| eval ServiceFileName = replace(winlog.event_data.ImagePath, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") -| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName -| where hosts == 1 and cc == 1 -``` - -## Notes - -- This hunt helps identify drivers loaded once, on a unique host and with a unique hash over a 15 days period of time. Further investigation can be done pivoting by dll.pe.imphash or dll.name. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode. -- dll.Ext.relative_file_creation_time is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend). -- aggregation can be done also by dll.hash.sha256 / file.hash.sha256 but will return more results. -- Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.). -## MITRE ATT&CK Techniques - -- [T1068](https://attack.mitre.org/techniques/T1068) - -## License - -- `Elastic License v2` 
diff --git a/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_and_user-_elastic_defend_sysmon.md b/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_and_user-_elastic_defend_sysmon.md deleted file mode 100644 index e518b168b99..00000000000 --- a/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_and_user-_elastic_defend_sysmon.md +++ /dev/null @@ -1,37 +0,0 @@ -# Excessive RDP Network Activity by Source Host and User- Elastic Defend - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `fe01a8a5-6367-4c4c-a57b-be513ab80e42` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and - network.transport == "tcp"and destination.port == 3389 and source.port >= 49152 -| keep destination.ip, host.id, user.name -| stats count_unique_dst = count_distinct(destination.ip) by host.id, user.name - /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */ -| where count_unique_dst >= 10 -``` - -## Notes - -- This hunt looks for high number of Remote Desktop connections from same host and user.name to more than a defined threshold of unique destination Ip addresses. This could be a sign of discovery or lateral movement via the Remote Desktop Protocol. -- Further investigation can done pivoting by host.id and user name. -- Depending on normal SysAdmin RDP activity the 10 threshold can be adjusted to reduce normal noisy activity. -## MITRE ATT&CK Techniques - -- [T1021](https://attack.mitre.org/techniques/T1021) -- [T1021.001](https://attack.mitre.org/techniques/T1021/001) - -## License - -- `Elastic License v2` 
diff --git a/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_and_user.md b/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_and_user.md new file mode 100644 index 00000000000..8fb9f6ab98b --- /dev/null +++ b/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_and_user.md 
@@ -0,0 +1,48 @@ +# Excessive RDP Network Activity by Host and User + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt looks for a high occurrence of remote desktop connections from the same host and user. The number of unique destination IP addresses is compared to a defined threshold. This could be a sign of discovery or lateral movement via the Remote Desktop Protocol (RDP). + +- **UUID:** `fe01a8a5-6367-4c4c-a57b-be513ab80e42` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) +- **Language:** `ES|QL` + +## Query + +```sql +from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and + network.transport == "tcp"and destination.port == 3389 and source.port >= 49152 +| keep destination.ip, host.id, user.name +| stats count_unique_dst = count_distinct(destination.ip) by host.id, user.name + /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */ +| where count_unique_dst >= 10 +``` + +```sql +from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "network" and process.name == "svchost.exe" and network.direction == "ingress" and + network.transport == "tcp"and destination.port == 3389 and source.port >= 49152 +| stats agents = count_distinct(host.id) by source.ip +| where agents >= 10 +``` + +## Notes + +- Further investigation can done pivoting by `host.id` and `user.name`. +- Depending on normal SysAdmin RDP activity, the threshold of 10 can be adjusted to reduce normal noisy activity. +- The second query uses Windows Security log event ID 4624 to summarize numbers of RDP connections by `source.ip` and `user.name` and duration. 
+## MITRE ATT&CK Techniques + +- [T1021](https://attack.mitre.org/techniques/T1021) +- [T1021.001](https://attack.mitre.org/techniques/T1021/001) + +## License + +- `Elastic License v2` diff --git a/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_elastic_defend_sysmon.md b/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_elastic_defend_sysmon.md deleted file mode 100644 index b44024fb79d..00000000000 --- a/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_elastic_defend_sysmon.md +++ /dev/null @@ -1,35 +0,0 @@ -# Excessive RDP Network Activity by Source Host - Elastic Defend - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `6ff3a518-3bf4-4e7d-9a66-2ef7aaa68cfc` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "network" and process.name == "svchost.exe" and network.direction == "ingress" and - network.transport == "tcp"and destination.port == 3389 and source.port >= 49152 -| stats agents = count_distinct(host.id) by source.ip -| where agents >= 10 -``` - -## Notes - -- This hunt looks for high number of Remote Desktop connections from same host and user.name to more than a defined threshold of unique destination Ip addresses. This could be a sign of discovery or lateral movement via the Remote Desktop Protocol. -- Further investigation can done pivoting by host.id and user name. -- Depending on normal SysAdmin RDP activity the 10 threshold can be adjusted to reduce normal noisy activity. -## MITRE ATT&CK Techniques - -- [T1021](https://attack.mitre.org/techniques/T1021) -- [T1021.001](https://attack.mitre.org/techniques/T1021/001) - -## License - -- `Elastic License v2` 
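Review bot: The third notes bullet says the second query uses Windows Security event ID 4624 and summarizes RDP connections by `source.ip`, `user.name` and duration, but the second query in this file reads `logs-endpoint.events.network-*, logs-windows.sysmon_operational-*`, filters `process.name == "svchost.exe"` with `network.direction == "ingress"` on `destination.port == 3389`, and aggregates only `count_distinct(host.id) by source.ip`; no 4624 event, `user.name` or duration is involved. Either the bullet belongs to a query that was not carried over, or it should describe what is actually there, e.g. `- The second query looks at the receiving side: ingress RDP connections handled by svchost.exe, aggregated by source.ip, to surface a single source connecting to 10 or more hosts.` The Description line likewise covers only the egress/first query, so a sentence on the ingress query would help. In both queries `network.transport == "tcp"and` lacks a space before `and`; it likely parses, but `"tcp" and` reads better.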
diff --git a/hunting/windows/docs/excessive_smb_network_activity_by_process_id.md b/hunting/windows/docs/excessive_smb_network_activity_by_process_id.md index f02bee6dcf5..27b6f75bfb7 100644 --- a/hunting/windows/docs/excessive_smb_network_activity_by_process_id.md +++ b/hunting/windows/docs/excessive_smb_network_activity_by_process_id.md @@ -1,10 +1,12 @@ -# Excessive SMB Network Activity by process Id +# Excessive SMB Network Activity by Process ID --- ## Metadata - **Author:** Elastic +- **Description:** This hunt looks for a high occurrence of SMB connections from the same process by unique destination IP addresses. The number of unique destination IP addresses is compared to a defined threshold. This could be a sign of SMB scanning or lateral movement via remote services that depend on the SMB protocol. + - **UUID:** `6949135b-76d7-47a3-ae95-ef482508fb7c` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) - **Language:** `ES|QL` @@ -12,9 +14,9 @@ ## Query ```sql -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day and - host.os.family == "windows" and event.category == "network" and network.direction == "egress" and +from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day and + host.os.family == "windows" and event.category == "network" and network.direction == "egress" and network.transport == "tcp"and destination.port == 445 and source.port >= 49152 and process.pid == 4 | keep destination.ip, process.entity_id, host.id | stats count_unique_dst = count_distinct(destination.ip) by process.entity_id, host.id 
@@ -24,9 +26,8 @@ from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* ## Notes -- This hunt looks for high number of SMB connections from same process to more than a defined threshold of unique destination Ip addresses. This could be a sign of SMB scanning or some lateral movement via remote services that depend on SMB protocol. -- Further investigation can done pivoting by process.entity_id and host.id. -- Maximum number of unique destination.ip by process can be adjusted to your environment to reduce normal noisy hosts by Id. +- Further investigation can done pivoting by `process.entity_id` and `host.id.` +- Maximum number of unique `destination.ip` by process can be adjusted to your environment to reduce normal noisy hosts by process ID. ## MITRE ATT&CK Techniques - [T1021](https://attack.mitre.org/techniques/T1021) diff --git a/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md b/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md new file mode 100644 index 00000000000..60e64eddaed --- /dev/null +++ b/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md 
@@ -0,0 +1,51 @@ +# Executable File Creation by an Unusual Microsoft Binary + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt identifies executable file creation by an unusual Microsoft native binary. This could be the result of +code injection or some other form of exploitation for defense evasion. + +- **UUID:** `3b2900fe-74d9-4c49-b3df-cbeceb02e841` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) +- **Language:** `ES|QL` + +## Query + +```sql +from logs-endpoint.events.file-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "file" and event.action == "creation" and + starts_with(file.Ext.header_bytes, "4d5a") and process.code_signature.status == "trusted" and + starts_with(process.code_signature.subject_name, "Microsoft") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe""" +| keep process.executable, host.id +| stats occurences = count(*), agents = count_distinct(host.id) by process.executable +| where agents == 1 and occurences <= 10 +``` + +```sql +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "file" and event.action == "FileCreate" and + file.extension in ("exe", "dll") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe""" +| keep process.executable, host.id +| stats occurences = count(*), agents = count_distinct(host.id) by process.executable +| where agents == 1 and occurences <= 10 +``` + +## Notes + +- This hunt includes two optional queries, one for Elastic Defend data and another for Sysmon data. +- Sysmon file events don't populate file header and process code signature information thus we use `file.extension`. +- Some exploits may result in the creation of an executable file by the exploited process. 
+- Further investigation can be done by pivoting on `process.executable` and filtering for executable file creation. +## MITRE ATT&CK Techniques + +- [T1211](https://attack.mitre.org/techniques/T1211) +- [T1055](https://attack.mitre.org/techniques/T1055) + +## License + +- `Elastic License v2` diff --git a/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_elastic_defend.md b/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_elastic_defend.md deleted file mode 100644 index 630befd5396..00000000000 --- a/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_elastic_defend.md +++ /dev/null 
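Review bot: The regex `[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe` in both queries leaves the final `.` unescaped, so it matches any single character rather than a literal dot; the intent is clearly `[a-zA-Z0-9_]+\.exe`, and the surrounding `\\Windows\\` shows the triple-quoted string already escapes as expected. The stats alias `occurences` is misspelt in both queries; the DNS hunt in this same commit uses `occurrences`, so `stats occurrences = count(*), agents = count_distinct(host.id) by process.executable` and `where agents == 1 and occurrences <= 10` would keep the two hunts consistent.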
@@ -1,37 +0,0 @@ -# Executable File creation by an Unusual Microsoft Binary - Elastic Defend - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `3b2900fe-74d9-4c49-b3df-cbeceb02e841` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.file-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action == "creation" and - starts_with(file.Ext.header_bytes, "4d5a") and process.code_signature.status == "trusted" and - starts_with(process.code_signature.subject_name, "Microsoft") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe""" -| keep process.executable, host.id -| stats occurences = count(*), agents = count_distinct(host.id) by process.executable -| where agents == 1 and occurences <= 10 -``` - -## Notes - -- Sysmon file event don't populate file header and process code signature information thus the use of file.extension. -- Some exploits may result in the creation of an executable file by the exploited process. -- Further investigation can be done pivoting by process.executable and filter for executable file creation. -## MITRE ATT&CK Techniques - -- [T1211](https://attack.mitre.org/techniques/T1211) -- [T1055](https://attack.mitre.org/techniques/T1055) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_sysmon.md b/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_sysmon.md deleted file mode 100644 index 2a0ef394a9b..00000000000 --- a/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_sysmon.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# Executable File creation by an Unusual Microsoft Binary - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `36c94354-9d6e-4dc5-b2aa-a7cf578a4169` -- **Integration:** [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action == "FileCreate" and - file.extension in ("exe", "dll") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe""" -| keep process.executable, host.id -| stats occurences = count(*), agents = count_distinct(host.id) by process.executable -| where agents == 1 and occurences <= 10 -``` - -## Notes - -- Sysmon file event don't populate file header and process code signature information thus the use of file.extension. -- Some exploits may result in the creation of an executable file by the exploited process. -- Further investigation can be done pivoting by process.executable and filter for executable file creation. -## MITRE ATT&CK Techniques - -- [T1211](https://attack.mitre.org/techniques/T1211) -- [T1055](https://attack.mitre.org/techniques/T1055) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency.md b/hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency.md deleted file mode 100644 index 0626e574e55..00000000000 --- a/hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# Execution via Network Logon by occurrence frequency - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `fd3f9982-fd8c-4f0f-bbe6-e589752c34db` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.process-* -| where @timestamp > now() - 7 day and host.os.family == "windows" and - event.category == "process" and event.action == "start" and - /* network logon type and the execution is within 30 seconds of the logon time */ - process.Ext.session_info.logon_type == "Network" and process.Ext.session_info.relative_logon_time <= 30 -| stats total = count(*), hosts = count_distinct(host.id) by process.hash.sha256, process.Ext.session_info.client_address, user.name, process.parent.name - /* unique hash limited to one host and number of execution is 1 */ -| where hosts == 1 and total == 1 -``` - -## Notes - -- process.Ext.session_info.* is populated for Elastic Defend version 8.6 and above. -- Execution via legit Microsoft processes like powershell and cmd need to further investigated via aggregation by process.command_line. -- Aggregation can be also done by process.executable, normalizing process path by removing random patterns using the REPLACE function via regex. -## MITRE ATT&CK Techniques - -- [T1021](https://attack.mitre.org/techniques/T1021) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md b/hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md index fc27d3f52ea..818f73aea8d 100644 --- a/hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md +++ b/hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md 
@@ -1,10 +1,12 @@ -# Execution via Network Logon by occurrence frequency by top Source IP +# Frequency of Process Execution via Network Logon by Source Address --- ## Metadata - **Author:** Elastic +- **Description:** This hunt aggregates process execution and remote network logons by source address, account name and process hash. It then limits the results by unique host within a 7 day period. This may indicate lateral movement via remote services. + - **UUID:** `ae07c580-290e-4421-add8-d6ca30509b6a` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `ES|QL` @@ -13,8 +15,8 @@ ```sql from logs-endpoint.events.process-* -| where @timestamp > now() - 7 day and host.os.family == "windows" and - event.category == "process" and event.action == "start" and +| where @timestamp > now() - 7 day and host.os.family == "windows" and + event.category == "process" and event.action == "start" and /* network logon type and the execution is within 30 seconds of the logon time */ process.Ext.session_info.logon_type == "Network" and process.Ext.session_info.relative_logon_time <= 30 | stats total = count(*) by process.Ext.session_info.client_address, user.name 
@@ -22,11 +24,23 @@ from logs-endpoint.events.process-* | sort total desc ``` +```sql +from logs-endpoint.events.process-* +| where @timestamp > now() - 7 day and host.os.family == "windows" and + event.category == "process" and event.action == "start" and + /* network logon type and the execution is within 30 seconds of the logon time */ + process.Ext.session_info.logon_type == "Network" and process.Ext.session_info.relative_logon_time <= 30 +| stats total = count(*), hosts = count_distinct(host.id) by process.hash.sha256, process.Ext.session_info.client_address, user.name, process.parent.name + /* unique hash limited to one host and number of execution is 1 */ +| where hosts == 1 and total == 1 +``` + ## Notes -- process.Ext.session_info.* is populated for Elastic Defend version 8.6 and above. -- Execution via legit Microsoft processes like powershell and cmd need to further investigated via aggregation by process.command_line. -- Aggregation can be also done by process.executable, normalizing process path by removing random patterns using the REPLACE function via regex. +- The second query highest occurrence of source addresses/accounts performing remote process execution +- `process.Ext.session_info.*` is populated for Elastic Defend versions 8.6.0+ and above. +- Execution via legitimate Microsoft processes for PowerShell and cmd need to be further investigated via aggregation by `process.command_line`. +- Aggregation can be also done by `process.executable`, normalizing process path by removing random patterns using the ES|QL REPLACE function. ## MITRE ATT&CK Techniques - [T1021](https://attack.mitre.org/techniques/T1021) diff --git a/hunting/windows/docs/execution_via_remote_services_by_client_address.md b/hunting/windows/docs/execution_via_remote_services_by_client_address.md index 91f0d2c55e9..94dc4e1dd54 100644 --- a/hunting/windows/docs/execution_via_remote_services_by_client_address.md 
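Review bot: The added bullet `- The second query highest occurrence of source addresses/accounts performing remote process execution` is missing its verb and describes the wrong query: the first query (`stats total = count(*) by process.Ext.session_info.client_address, user.name` followed by `sort total desc`) is the one ranking by highest occurrence, while the newly added second query filters on `hosts == 1 and total == 1`, i.e. process hashes executed once on a single host per source address and account. A wording that matches the file: `- The first query ranks source addresses/accounts by number of remote process executions; the second query surfaces process hashes executed only once and on a single host per source address and account.` The bullet `populated for Elastic Defend versions 8.6.0+ and above` says the same thing twice; the remote_services hunt in this commit uses `versions 8.6.0+.`, so matching that keeps the two consistent.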
+++ b/hunting/windows/docs/execution_via_remote_services_by_client_address.md @@ -5,6 +5,8 @@ ## Metadata - **Author:** Elastic +- **Description:** This hunt aggregates process execution via remote network logon by source address, account name and where the parent process is related to remote services such as WMI, WinRM, DCOM and remote PowerShell. This may indicate lateral movement via remote services. + - **UUID:** `e6e54717-2676-4785-a4a6-503577bfb0ea` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `ES|QL` @@ -13,10 +15,10 @@ ```sql from logs-endpoint.events.process-* -| where @timestamp > now() - 7 day and host.os.family == "windows" and - event.category == "process" and event.action == "start" and +| where @timestamp > now() - 7 day and host.os.family == "windows" and + event.category == "process" and event.action == "start" and /* network logon type */ - process.Ext.session_info.logon_type == "Network" and + process.Ext.session_info.logon_type == "Network" and (process.parent.name .caseless in ("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") or (process.parent.name == "svchost.exe" and process.parent.args == "DcomLaunch")) | stats total = count(*), hosts = count_distinct(host.id) by process.Ext.session_info.client_address, user.name, process.parent.name /* sort by top source.ip and account */ @@ -25,7 +27,7 @@ from logs-endpoint.events.process-* ## Notes -- process.Ext.session_info.* is populated for Elastic Defend version 8.6 and above. +- `process.Ext.session_info.*` is populated for Elastic Defend versions 8.6.0+. ## MITRE ATT&CK Techniques - [T1021](https://attack.mitre.org/techniques/T1021) diff --git a/hunting/windows/docs/execution_via_startup_with_low_occurrence_frequency.md b/hunting/windows/docs/execution_via_startup_with_low_occurrence_frequency.md index 6b2c4a68d07..845b308f98f 100644 --- a/hunting/windows/docs/execution_via_startup_with_low_occurrence_frequency.md 
+++ b/hunting/windows/docs/execution_via_startup_with_low_occurrence_frequency.md @@ -1,10 +1,12 @@ -# Execution via Startup with low occurrence frequency +# Startup Execution with Low Occurrence Frequency by Unique Host --- ## Metadata - **Author:** Elastic +- **Description:** This hunt identifies programs started shortly after user logon and presence limited to a unique host. Run registry key and Startup folder cause programs to run each time that a user logs on and are often abused by malwares to maintain persistence on an endpoint. + - **UUID:** `a447df80-d3d5-48b3-a175-a864264ec487` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `ES|QL` @@ -13,10 +15,10 @@ ```sql from logs-endpoint.events.process-* -| where host.os.family == "windows" and event.category == "process" and event.action == "start" and +| where host.os.family == "windows" and event.category == "process" and event.action == "start" and /* programs started shortly after user logon like startup items */ - process.parent.executable.caseless == "c:\\windows\\explorer.exe" and process.Ext.session_info.relative_logon_time <= 100 and - not starts_with(process.executable, "C:\\Program Files") and not starts_with(process.executable, "C:\\Windows\\System32\\DriverStore\\FileRepository\\") and + process.parent.executable.caseless == "c:\\windows\\explorer.exe" and process.Ext.session_info.relative_logon_time <= 100 and + not starts_with(process.executable, "C:\\Program Files") and not starts_with(process.executable, "C:\\Windows\\System32\\DriverStore\\FileRepository\\") and /* this hunt is scoped to unsigned or untrusted code-sig or Microsoft signed binaries to not miss lolbins */ (process.code_signature.exists == false or process.code_signature.trusted == false or starts_with(process.code_signature.subject_name, "Microsoft")) | keep process.executable, host.id, process.hash.sha256 
@@ -28,8 +30,8 @@ from logs-endpoint.events.process-* ## Notes -- Items set to persist via Startup like Run key and Startup folder will be executed by Explorer.exe shortly after user logon (process.Ext.session_info.relative_logon_time help us to capture that time difference). -- Pay close attention to unknown hashes, suspicious paths and lolbins. +- Items set to persist via Startup such as Run keys and Startup folder will be executed by `Explorer.exe` shortly after user logon (`process.Ext.session_info.relative_logon_time` helps us to capture that time difference). +- Special attention to unknown hashes, suspicious paths and LOLBins should be given. ## MITRE ATT&CK Techniques - [T1547](https://attack.mitre.org/techniques/T1547) diff --git a/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md b/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md new file mode 100644 index 00000000000..7df963b1f81 --- /dev/null +++ b/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md 
@@ -0,0 +1,58 @@
+# Low Frequency of Process Execution via WMI by Unique Agent
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt looks for unique process execution via Windows Management Instrumentation (WMI) by removing random patterns from `process.command_line` and aggregating execution by count of agents with the same command line to limit results to unique ones.
+
+- **UUID:** `b5efeb92-9b51-45b9-839f-be4cdc054ef4`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system)
+- **Language:** `ES|QL`
+
+## Query
+
+```sql
+from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day and
+ host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and
+ to_lower(process.parent.name) == "wmiprvse.exe" and starts_with(process.code_signature.subject_name, "Microsoft")
+| keep process.hash.sha256, host.id, process.name
+| stats agents = count_distinct(host.id) by process.name
+| where agents == 1
+```
+
+```sql
+from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*
+| where @timestamp > now() - 7 day and
+ host.os.family == "windows" and event.category == "process" and
+ event.action in ("start", "Process creation", "created-process") and
+ process.parent.name.caseless == "wmiprvse.exe"
+| keep process.command_line, host.id
+| eval cmdline = replace(process.command_line, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
+| eval cmdline = replace(cmdline, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| stats agents = count_distinct(host.id) by cmdline
+| where agents == 1
+```
+
+```sql
+from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day and
+ host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and
+ process.parent.name.caseless == "wmiprvse.exe" and (process.code_signature.exists == false or process.code_signature.trusted == false)
+| keep process.hash.sha256, host.id, process.name
+| stats agents = count_distinct(host.id) by process.hash.sha256
+| where agents == 1
+```
+
+## Notes
+
+- This hunt contains three queries for Elastic Defend, Sysmon, and Windows Security event 4688.
+## MITRE ATT&CK Techniques
+
+- [T1047](https://attack.mitre.org/techniques/T1047)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent_elastic_defend_sysmon.md b/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent_elastic_defend_sysmon.md
deleted file mode 100644
index 5244065f615..00000000000
--- a/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent_elastic_defend_sysmon.md
+++ /dev/null
@@ -1,34 +0,0 @@
-# Execution via Windows Management Instrumentation by occurrence frequency by Unique Agent - Elastic Defend - Sysmon
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `b5efeb92-9b51-45b9-839f-be4cdc054ef4`
-- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day and
- host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and
- process.parent.name.caseless == "wmiprvse.exe" and starts_with(process.code_signature.subject_name, "Microsoft")
-| keep process.hash.sha256, host.id, process.name
-| stats agents = count_distinct(host.id) by process.name
-| where agents == 1
-```
-
-## Notes
-
-- This hunt looks for unique process execution via Windows Management Instrumentation by removing random patterns from process.command_line and aggregating execution by count of agents with same cmdline to limit result to unique ones.
-- This hunt is compatible with Sysmon, Elastic Defend and Windows Security event 4688.
-## MITRE ATT&CK Techniques
-
-- [T1047](https://attack.mitre.org/techniques/T1047)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon.md b/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon.md
deleted file mode 100644
index 740578c5fcb..00000000000
--- a/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon.md
+++ /dev/null
@@ -1,34 +0,0 @@
-# Execution via Windows Management Instrumentation by occurrence frequency - Elastic Defend - Sysmon
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `958a9027-2c6f-4eb0-a9ca-d1116a3bec76`
-- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day and
- host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and
- process.parent.name.caseless == "wmiprvse.exe" and (process.code_signature.exists == false or process.code_signature.trusted == false)
-| keep process.hash.sha256, host.id, process.name
-| stats agents = count_distinct(host.id) by process.hash.sha256
-| where agents == 1
-```
-
-## Notes
-
-- This hunt looks for unique process execution via Windows Management Instrumentation by removing random patterns from process.command_line and aggregating execution by count of agents with same cmdline to limit result to unique ones.
-- This hunt is compatible with Sysmon, Elastic Defend and Windows Security event 4688.
-## MITRE ATT&CK Techniques
-
-- [T1047](https://attack.mitre.org/techniques/T1047)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon_windows_security.md b/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon_windows_security.md
deleted file mode 100644
index 60167350755..00000000000
--- a/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon_windows_security.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# Execution via Windows Management Instrumentation by occurrence frequency - Elastic Defend - Sysmon - Windows Security
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `793d5655-d7d9-422a-ba9d-1fa75029265e`
-- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*
-| where @timestamp > now() - 7 day and
- host.os.family == "windows" and event.category == "process" and
- event.action in ("start", "Process creation", "created-process") and
- process.parent.name.caseless == "wmiprvse.exe"
-| keep process.command_line, host.id
-| eval cmdline = replace(process.command_line, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
-| eval cmdline = replace(cmdline, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| stats agents = count_distinct(host.id) by cmdline
-| where agents == 1
-```
-
-## Notes
-
-- This hunt looks for unique process execution via Windows Management Instrumentation by removing random patterns from process.command_line and aggregating execution by count of agents with same cmdline to limit result to unique ones.
-- This hunt is compatible with Sysmon, Elastic Defend and Windows Security event 4688.
-## MITRE ATT&CK Techniques
-
-- [T1047](https://attack.mitre.org/techniques/T1047)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md b/hunting/windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md
index 04a951fb142..88d56835902 100644
--- a/hunting/windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md +++ b/hunting/windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md @@ -1,10 +1,12 @@ -# Execution via Windows Scheduled Task with low occurrence frequency +# Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent --- ## Metadata - **Author:** Elastic +- **Description:** Aggregating by paths/hash, this hunt identifies rare instances where a program executes as a child process of the Tasks Scheduler service. This could be the result of persistence as a Windows Scheduled Task. + - **UUID:** `96d5afc8-1f25-4265-8a0e-9998091a2e1f` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) - **Language:** `ES|QL` @@ -13,9 +15,9 @@ ```sql from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and - event.action in ("start", "Process creation") and process.code_signature.trusted != true and +| where @timestamp > now(-) - 7 day +| where host.os.family == "windows" and event.category == "process" and + event.action in ("start", "Process creation") and process.code_signature.trusted != true and /* child process of the Tasks Schedule service */ process.parent.name == "svchost.exe" and ends_with(process.parent.command_line, "Schedule") | stats hosts = count_distinct(host.id) by process.hash.sha256, process.name 
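Review bot: The rewritten time filter `+| where @timestamp > now(-) - 7 day` introduces `now(-)`, which is not a valid ES|QL call (the removed line used `now()`), so the query as published in this hunt doc will fail to parse; the rest of the hunk only changes trailing whitespace. Restore `| where @timestamp > now() - 7 day`. If these docs are generated from a TOML source, the fix belongs there as well so the next regeneration does not reintroduce it.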
@@ -25,8 +27,8 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* ## Notes -- Windows security event 4688 lacks process.parent.command_line needed for this hunt to identify the Schedule svchost instance. -- Unique process.hash.sha256 and agent is not necessarily malicious, this help surface ones worth further investigation. +- Windows security event 4688 lacks `process.parent.command_line` needed for this hunt to identify the Schedule `svchost` instance. +- Unique `process.hash.sha256` and agent is not necessarily malicious, however this helps surface signals worth further investigation. ## MITRE ATT&CK Techniques - [T1053](https://attack.mitre.org/techniques/T1053) diff --git a/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency.md b/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency.md new file mode 100644 index 00000000000..37878a0a063 --- /dev/null +++ b/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency.md 
@@ -0,0 +1,51 @@
+# Low Occurence of Process Execution via Windows Services with Unique Agent
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt looks for a low occurrence of process execution via the Windows Services Control Manager by unique agent. The Services Control Manager is responsible for starting, stopping, and interacting with system services. This could be a sign of persistence as a Windows service.
+
+- **UUID:** `858b7022-b587-4b95-afd6-8ce597bedce3`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system)
+- **Language:** `ES|QL`
+
+## Query
+
+```sql
+from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day
+| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and
+ process.parent.name == "services.exe" and process.code_signature.trusted != true
+| stats hosts = count_distinct(host.id) by process.hash.sha256, process.name
+ /* unique hash observed in one unique agent */
+| where hosts == 1
+```
+
+```sql
+from logs-system.security-*
+| where @timestamp > now() - 7 day
+| where host.os.family == "windows" and event.category == "process" and event.code == "4688" and
+ event.action == "created-process" and process.parent.name == "services.exe"
+| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\")
+| stats hosts = count_distinct(host.id) by process_path
+ /* unique path observed in one unique agent */
+| where hosts == 1
+```
+
+## Notes
+
+- This hunt contains two queries for Elastic Defend and Windows Security event 4688.
+- Windows security event 4688 lacks code signature and hash information, hence the use of `process.executable` for aggregation.
+- Unique `process.hash.sha256` and agent is not necessarily malicious, this help surface ones worth further investigation.
+- Suspicious `process.executable` paths and LOLBins should be reviewed further.
+## MITRE ATT&CK Techniques
+
+- [T1543](https://attack.mitre.org/techniques/T1543)
+- [T1543.003](https://attack.mitre.org/techniques/T1543/003)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency_elastic_defend_sysmon.md b/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency_elastic_defend_sysmon.md
deleted file mode 100644
index 9f0bda9cd57..00000000000
--- a/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency_elastic_defend_sysmon.md
+++ /dev/null
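Review bot: The new heading `+# Low Occurence of Process Execution via Windows Services with Unique Agent` misspells "Occurrence" (the file name and the Description line spell it correctly), and the sibling hunts renamed in this commit follow the pattern "Low Frequency of Process Execution via … by Unique Agent", so `+# Low Frequency of Process Execution via Windows Services by Unique Agent` would fix both. The Notes bullet `+- Unique `process.hash.sha256` and agent is not necessarily malicious, this help surface ones worth further investigation.` keeps the grammar that the scheduled-task doc in this same commit rewrites; the wording used there, `…is not necessarily malicious, however this helps surface signals worth further investigation.`, fits here too. That bullet also only describes the first query, since the 4688 query aggregates on `process_path`, which is worth saying explicitly.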
@@ -1,36 +0,0 @@
-# Execution via Windows Services with low occurrence frequency - Elastic Defend - Sysmon
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `858b7022-b587-4b95-afd6-8ce597bedce3`
-- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day
-| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and
- process.parent.name == "services.exe" and process.code_signature.trusted != true
-| stats hosts = count_distinct(host.id) by process.hash.sha256, process.name
- /* unique hash observed in one unique agent */
-| where hosts == 1
-```
-
-## Notes
-
-- Windows security event 4688 lacks code signature and hash information, hence the use of process.executable for aggregation.
-- Unique process.hash.sha256 and agent is not necessarily malicious, this help surface ones worth further investigation.
-- Suspicious process.executable paths and lolbins should be reviewed further.
-## MITRE ATT&CK Techniques
-
-- [T1543](https://attack.mitre.org/techniques/T1543)
-- [T1543.003](https://attack.mitre.org/techniques/T1543/003)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency_windows_security.md b/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency_windows_security.md
deleted file mode 100644
index 0fd0f5425d8..00000000000
--- a/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency_windows_security.md
+++ /dev/null
@@ -1,38 +0,0 @@
-# Execution via Windows Services with low occurrence frequency - Windows Security
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `5fdc9f73-c6a4-4ea4-8e16-347ed675e236`
-- **Integration:** [system](https://docs.elastic.co/integrations/system)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-system.security-*
-| where @timestamp > now() - 7 day
-| where host.os.family == "windows" and event.category == "process" and event.code == "4688" and
- event.action == "created-process" and process.parent.name == "services.exe"
-| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\")
-| stats hosts = count_distinct(host.id) by process_path
- /* unique path observed in one unique agent */
-| where hosts == 1
-```
-
-## Notes
-
-- Windows security event 4688 lacks code signature and hash information, hence the use of process.executable for aggregation.
-- Unique process.hash.sha256 and agent is not necessarily malicious, this help surface ones worth further investigation.
-- Suspicious process.executable paths and lolbins should be reviewed further.
-## MITRE ATT&CK Techniques
-
-- [T1543](https://attack.mitre.org/techniques/T1543)
-- [T1543.003](https://attack.mitre.org/techniques/T1543/003)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process.md b/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process.md
new file mode 100644
index 00000000000..ed98002ee6d
--- /dev/null
+++ b/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process.md
@@ -0,0 +1,77 @@
+# High Count of Network Connection Over Extended Period by Process
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt identifies browser or svchost instances performing a considerable number of connections per hour over an extended period of hours to a specific destination address, limited to a unique host of the monitored agents. Browsers and svchost are both good targets for masquerading network traffic on the endpoint.
+
+- **UUID:** `ed254a22-e7bb-4a36-9291-196b77762dd8`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
+- **Language:** `ES|QL`
+
+## Query
+
+```sql
+from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
+| where host.os.family == "windows" and event.category == "network" and
+ network.direction == "egress" and process.name in ("chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe", "svchost.exe") and
+ /* excluding DNS */
+ destination.port != 53 and
+ /* excluding private IP ranges */
+ not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8")
+| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp, host.id
+ /* calc total duration and the number of connections per hour */
+| stats count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp), hosts= count_distinct(host.id), count_unique_pids = count_distinct(process.entity_id) by destination.address, process.name
+| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), number_of_con_per_hour = (count_connections / duration_hours)
+| keep process.name, duration_hours, destination.address, hosts, count_unique_pids, count_connections, number_of_con_per_hour
+ /* threshold is set to 120 connections per minute during 4 hours and limited to 1 agent and 1 pid, you can adjust this values to your hunting needs */
+| where number_of_con_per_hour >= 120 and duration_hours >= 4 and hosts == 1 and count_unique_pids == 1
+```
+
+```sql
+from logs-endpoint.events.network-*
+| where @timestamp > now() - 7 day
+| where host.os.family == "windows" and event.category == "network" and
+ network.direction == "egress" and
+(process.code_signature.exists == false or process.code_signature.trusted != true or starts_with(process.executable, "C:\\Users\\Public\\")) and
+ /* excluding private IP ranges */
+ not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8")
+| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp
+ /* calc total duration , total MB out and the number of connections per hour */
+| stats total_bytes_out = sum(source.bytes), count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, destination.address, process.name
+| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / duration_hours)
+| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour
+ /* threshold is set to 120 connections per minute , you can adjust it to your env/FP rate */
+| where duration_hours >= 1 and number_of_con_per_hour >= 120
+```
+
+```sql
+from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day
+| where host.os.family == "windows" and event.category == "network" and
+ network.direction == "egress" and (process.executable like "C:\\\\Windows\\\\System32*" or process.executable like "C:\\\\Windows\\\\SysWOW64\\\\*") and not user.id in ("S-1-5-19", "S-1-5-20") and
+/* multiple Windows svchost services perform long term connection to MS ASN, can be covered in a dedicated hunt */
+not (process.name == "svchost.exe" and user.id == "S-1-5-18") and
+/* excluding private IP ranges */
+ not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8")
+| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp
+ /* calc total duration , total MB out and the number of connections per hour */
+| stats total_bytes_out = sum(source.bytes), count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, destination.address, process.name
+| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / duration_hours)
+| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour
+/* threshold is set to 120 connections per minute , you can adjust it to your env/FP rate */
+| where duration_hours >= 1 and number_of_con_per_hour >= 120
+```
+
+## Notes
+
+- This hunt includes three queries for Elastic Defend and Sysmon data sources.
+## MITRE ATT&CK Techniques
+
+- [T1071](https://attack.mitre.org/techniques/T1071)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network.md b/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network.md
deleted file mode 100644
index 537f6322638..00000000000
--- a/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network.md
+++ /dev/null
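Review bot: The threshold comments in all three queries of this new file, `+ /* threshold is set to 120 connections per minute during 4 hours … */` and the two `/* threshold is set to 120 connections per minute , … */` lines, say "per minute", but the value they annotate is `number_of_con_per_hour`, computed as `count_connections / duration_hours`; anyone tuning the hunt from the comment would be off by a factor of sixty, so they should read `connections per hour`. Also, `duration_hours` is `TO_INT(dur/3600000)`, which is 0 for any process/destination pair observed for less than an hour, so those pairs hit a division by zero rather than the threshold check and drop out of the result; a Notes bullet such as `- Pairs observed for less than one hour are excluded by the hourly rate calculation.` would make that visible. The Notes section still says only which data sources are covered; the per-query intent that the deleted per-source docs carried (browsers/svchost, unsigned or Public-path binaries, System32 binaries outside the LocalService/NetworkService accounts) is now only recoverable from the queries themselves.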
@@ -1,40 +0,0 @@ -# High count of network connection over extended period by process - Elastic Defend Network - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `76843f1f-404d-42b8-9c25-fcc14e270240` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.network-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "network" and - network.direction == "egress" and -(process.code_signature.exists == false or process.code_signature.trusted != true or starts_with(process.executable, "C:\\Users\\Public\\")) and - /* excluding private IP ranges */ - not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") -| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp - /* calc total duration , total MB out and the number of connections per hour */ -| stats total_bytes_out = sum(source.bytes), count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, destination.address, process.name -| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / duration_hours) -| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour - /* threshold is set to 120 connections per minute , you can adjust it to your env/FP rate */ -| where duration_hours >= 1 and number_of_con_per_hour >= 120 
-``` - -## Notes - -- This hunt aggregate by process Id and destination ip the number of connections per hour over a period of time greater than a defined threshold. The process paths are scoped to Microsoft signed binaries often injected or used as a lolbin to masquerade malicious execution. This could be a sign of long term network activity to perform command and control from an injected process. Scoped for unsigned processes or ones running from suspicious paths, the Sysmon network events don't include process code signature information -## MITRE ATT&CK Techniques - -- [T1071](https://attack.mitre.org/techniques/T1071) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network_sysmon.md b/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network_sysmon.md deleted file mode 100644 index 4bf9f5d39ed..00000000000 --- a/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network_sysmon.md +++ /dev/null 
@@ -1,40 +0,0 @@
-# High count of network connection over extended period by process - Elastic Defend Network - Sysmon
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `ed254a22-e7bb-4a36-9291-196b77762dd8`
-- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
-| where host.os.family == "windows" and event.category == "network" and
- network.direction == "egress" and process.name in ("chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe", "svchost.exe") and
- /* excluding DNS */
- destination.port != 53 and
- /* excluding private IP ranges */
- not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8")
-| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp, host.id
- /* calc total duration and the number of connections per hour */
-| stats count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp), hosts= count_distinct(host.id), count_unique_pids = count_distinct(process.entity_id) by destination.address, process.name
-| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), number_of_con_per_hour = (count_connections / duration_hours)
-| keep process.name, duration_hours, destination.address, hosts, count_unique_pids, count_connections, number_of_con_per_hour
- /* threshold is set to 120 connections per minute during 4 hours and limited to 1 agent and 1 pid, you can adjust this values to your hunting needs */
-| where number_of_con_per_hour >= 120 and duration_hours >= 4 and hosts == 1 and count_unique_pids == 1
-```
-
-## Notes
-
-- This hunt identify browser or svchost instances performing a considerable number of connections per hour over an extended period of hours to a specific destination address and this is limited to a unique host of the monitored agents. Browsers and svchost are both good targets for masquerading network traffic on the endpoint.
-## MITRE ATT&CK Techniques
-
-- [T1071](https://attack.mitre.org/techniques/T1071)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_sysmon.md b/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_sysmon.md
deleted file mode 100644
index 823e4121932..00000000000
--- a/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_sysmon.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# High count of network connection over extended period by process - Elastic Defend - Sysmon
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `7ee9a5a7-3ce1-47eb-b15a-1b148299fcf0`
-- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day
-| where host.os.family == "windows" and event.category == "network" and
- network.direction == "egress" and (process.executable like "C:\\\\Windows\\\\System32*" or process.executable like "C:\\\\Windows\\\\SysWOW64\\\\*") and not user.id in ("S-1-5-19", "S-1-5-20") and
-/* multiple Windows svchost services perform long term connection to MS ASN, can be covered in a dedicated hunt */
-not (process.name == "svchost.exe" and user.id == "S-1-5-18") and
-/* excluding private IP ranges */
- not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8")
-| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp
- /* calc total duration , total MB out and the number of connections per hour */
-| stats total_bytes_out = sum(source.bytes), count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, destination.address, process.name
-| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / duration_hours)
-| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour
-/* threshold is set to 120 connections per minute , you can adjust it to your env/FP rate */
-| where duration_hours >= 1 and number_of_con_per_hour >= 120
-```
-
-## Notes
-
-- This hunt aggregate by process Id and destination ip the number of connections per hour over a period of time greater than a defined threshold. The process paths are scoped to Microsoft signed binaries often injected or used as a lolbin to masquerade malicious execution. This could be a sign of long term network activity to perform command and control from an injected process.
-## MITRE ATT&CK Techniques
-
-- [T1071](https://attack.mitre.org/techniques/T1071)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency.md b/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency.md
new file mode 100644
index 00000000000..db39a5dfe9c
--- /dev/null
+++ b/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency.md
@@ -0,0 +1,60 @@
+# Libraries Loaded by svchost with Low Occurrence Frequency
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt returns the SHA256 hash and the `dll.path` of unsigned libraries loaded by svchost where the presence of unique path/hash is limited to a unique host. Adversaries may use Windows service DLLs to maintain persistence or run with System privileges.
+
+- **UUID:** `e37fe0b9-1b70-4800-8989-58bac5a0a9bb`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
+- **Language:** `ES|QL`
+
+## Query
+
+```sql
+from logs-endpoint.events.library-*
+| where @timestamp > NOW() - 7 day
+| where host.os.family == "windows" and event.category == "library" and event.action == "load" and
+ process.name == "svchost.exe" and (dll.code_signature.trusted == false or dll.code_signature.exists == false) and dll.hash.sha256 like "?*" and
+ (dll.Ext.relative_file_creation_time <= 900 or dll.Ext.relative_file_name_modify_time <= 900)
+| keep dll.name, dll.path, dll.hash.sha256, host.id
+| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1))
+ /* paths normalization by removing random patterns */
+| eval dll_path = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced")
+| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\")
+| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""")
+| stats hosts = count_distinct(host.id), count_dlls_per_folder = count(dll_path) by dll_path, dll.name, dll.hash.sha256
+| where hosts == 1 and count_dlls_per_folder == 1
+```
+
+```sql
+from logs-windows.sysmon_operational-*
+| where @timestamp > NOW() - 7 day
+| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and
+ process.name == "svchost.exe" and file.code_signature.status != "Valid" and file.hash.sha256 like "?*"
+| keep file.name, file.path, file.hash.sha256, host.id
+| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1))
+/* paths normalization by removing random patterns */
+| eval dll_path = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced")
+| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\")
+| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""")
+| stats hosts = count_distinct(host.id), count_dlls_per_folder = count(dll_path) by dll_path, file.name, file.hash.sha256
+| where hosts == 1 and count_dlls_per_folder == 1
+```
+
+## Notes
+
+- This hunt includes two queries to cover both Sysmon and Elastic Defend data sources.
+- The hunt uses Elastic Defend library events for an extra optional condition `dll.Ext.relative_file_creation_time` to scope if for recently dropped DLLs.
+- The `count_dlls_per_folder` variable filter is used to avoid cases where multiple DLLs with different names are loaded from same directory (often observed in FPs loaded multiple dependencies from same dir).
+- Pay close attention unknown hashes and suspicious paths, usually ServiceDLLs are located in trusted directories like `%programfiles%` and `system32/syswow64`.
+## MITRE ATT&CK Techniques
+
+- [T1543](https://attack.mitre.org/techniques/T1543)
+- [T1543.003](https://attack.mitre.org/techniques/T1543/003)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_elastic_defend.md b/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_elastic_defend.md
deleted file mode 100644
index ddadc0d6540..00000000000
--- a/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_elastic_defend.md
+++ /dev/null
@@ -1,42 +0,0 @@
-# Libraries loaded by svchost with low occurrence frequency - Elastic Defend
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `e37fe0b9-1b70-4800-8989-58bac5a0a9bb`
-- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-endpoint.events.library-*
-| where @timestamp > NOW() - 7 day
-| where host.os.family == "windows" and event.category == "library" and event.action == "load" and
- process.name == "svchost.exe" and (dll.code_signature.trusted == false or dll.code_signature.exists == false) and dll.hash.sha256 like "?*" and
- (dll.Ext.relative_file_creation_time <= 900 or dll.Ext.relative_file_name_modify_time <= 900)
-| keep dll.name, dll.path, dll.hash.sha256, host.id
-| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1))
- /* paths normalization by removing random patterns */
-| eval dll_path = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced")
-| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\")
-| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""")
-| stats hosts = count_distinct(host.id), count_dlls_per_folder = count(dll_path) by dll_path, dll.name, dll.hash.sha256
-| where hosts == 1 and count_dlls_per_folder == 1
-```
-
-## Notes
-
-- The hunt using Elastic Defend library events uses an extra optional condition dll.Ext.relative_file_creation_time to scope if for recently dropped DLLs.
-- The count_dlls_per_folder variable filter is used to avoid cases where multiple DLLs with different names are loaded from same directory (often observed in FPs loaded multiple dependencies from same dir).
-- Pay close attention unknown hashes and suspicious paths, usually ServiceDLLs are located in trusted directories like %programfiles% and system32/syswow64.
-## MITRE ATT&CK Techniques
-
-- [T1543](https://attack.mitre.org/techniques/T1543)
-- [T1543.003](https://attack.mitre.org/techniques/T1543/003)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_sysmon.md b/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_sysmon.md
deleted file mode 100644
index cb61f28d407..00000000000
--- a/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_sysmon.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# Libraries loaded by svchost with low occurrence frequency - Sysmon
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `1ae6bfd7-34ce-4d7b-b956-f12d3797ac68`
-- **Integration:** [windows](https://docs.elastic.co/integrations/windows)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-windows.sysmon_operational-*
-| where @timestamp > NOW() - 7 day
-| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and
- process.name == "svchost.exe" and file.code_signature.status != "Valid" and file.hash.sha256 like "?*"
-| keep file.name, file.path, file.hash.sha256, host.id
-| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1))
-/* paths normalization by removing random patterns */
-| eval dll_path = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced")
-| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\")
-| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""")
-| stats hosts = count_distinct(host.id), count_dlls_per_folder = count(dll_path) by dll_path, file.name, file.hash.sha256
-| where hosts == 1 and count_dlls_per_folder == 1
-```
-
-## Notes
-
-- The hunt using Elastic Defend library events uses an extra optional condition dll.Ext.relative_file_creation_time to scope if for recently dropped DLLs.
-- The count_dlls_per_folder variable filter is used to avoid cases where multiple DLLs with different names are loaded from same directory (often observed in FPs loaded multiple dependencies from same dir).
-- Pay close attention unknown hashes and suspicious paths, usually ServiceDLLs are located in trusted directories like %programfiles% and system32/syswow64.
-## MITRE ATT&CK Techniques
-
-- [T1543](https://attack.mitre.org/techniques/T1543)
-- [T1543.003](https://attack.mitre.org/techniques/T1543/003)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md b/hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md
index 362d216fb9c..16074a0d3cd 100644
--- a/hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md
+++ b/hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md
@@ -1,10 +1,12 @@
-# Microsoft Office Child Processes with low occurrence frequency +# Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent --- ## Metadata - **Author:** Elastic +- **Description:** This hunt looks for Microsoft Office child processes with low occurrence frequency. This could be a normal rare behavior as well as potential execution via a malicious document. Adversaries may use Microsoft Office applications to execute malicious code, such as macros, scripts, or other payloads. + - **UUID:** `74b2e54b-7002-4201-83d6-7fd9bd5dcf0f` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system) - **Language:** `ES|QL`
@@ -13,18 +15,18 @@ ```sql from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* -| where host.os.family == "windows" and @timestamp > NOW() - 15 day and - event.category == "process" and event.action in ("start", "Process creation", "created-process") and - process.parent.name.caseless in ("winword.exe", "excel.exe", "powerpnt.exe") and not starts_with(process.executable, "C:\\Program Files") +| where host.os.family == "windows" and @timestamp > NOW() - 15 day and + event.category == "process" and event.action in ("start", "Process creation", "created-process") and + to_lower(process.parent.name) in ("winword.exe", "excel.exe", "powerpnt.exe") and not starts_with(process.executable, "C:\\Program Files") // normalize user home profile paths -| eval process_path = replace(process.executable.caseless, """[c]:\\[u][s][e][r][s]\\[a-zA-Z0-9\.\-\_\$]+\\""", "c:\\\\users\\\\user\\\\") -| stats occurrences = count(*), agents = count_distinct(agent.id) by process_path, process.parent.name +| eval process_path = replace(to_lower(process.executable), """[c]:\\[u][s][e][r][s]\\[a-zA-Z0-9\.\-\_\$]+\\""", "c:\\\\users\\\\user\\\\") +| stats occurrences = count(*), agents = count_distinct(agent.id) by process_path, process.parent.name | where occurrences == 1 and agents == 1 ``` ## Notes -- Certain processes like WerFault.exe, dw20.exe and dwwin.exe are often related to application crash. +- Certain processes like `WerFault.exe`, `dw20.exe` and `dwwin.exe` are often related to application crash. - Closer attention should be attributed to lolbins and unsigned executables (Windows 4688 is not capturing process code signature information). ## MITRE ATT&CK Techniques diff --git a/hunting/windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md b/hunting/windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md index 4525f0e7a14..0fc9f746203 100644 
--- a/hunting/windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md +++ b/hunting/windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md @@ -1,10 +1,12 @@ -# Network Discovery via sensitive ports by unusual process +# Network Discovery via Sensitive Ports by Unusual Process --- ## Metadata - **Author:** Elastic +- **Description:** This hunt looks for either processes connecting to multiple sensitive TCP ports (SMB, RDP, LDAP, Kerberos and ADWS), a high number of SMB/RDP connections to unique destinations or the same process connecting to both RDP and SMB (should be rare). + - **UUID:** `e0acab7d-30bd-4be0-9682-5c3457bbeb4f` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) - **Language:** `ES|QL` @@ -12,10 +14,10 @@ ## Query ```sql -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* +from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and - network.transport == "tcp"and destination.port in (3389, 445, 389, 9389, 88, 5985, 5986, 22) and source.port >= 49152 and +| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and + network.transport == "tcp"and destination.port in (3389, 445, 389, 9389, 88, 5985, 5986, 22) and source.port >= 49152 and process.pid != 4 | keep process.executable, destination.port, destination.ip, process.entity_id /* network events with SMB or RDP as a target */ diff --git a/hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md b/hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md index 6abb434239c..7652222b096 100644 --- a/hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md +++ b/hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md 
@@ -1,10 +1,12 @@ -# PE File Transfer via SMB_Admin Shares by Agent +# PE File Transfer via SMB_Admin Shares by Agent or User --- ## Metadata - **Author:** Elastic +- **Description:** This hunt looks for a high number of executable file transfers via the SMB protocol by the same user or agent to more than a defined maxium threshold of targets. This could be a sign of lateral movement via the Windows Admin Shares. + - **UUID:** `3e66fc1a-2ea0-43a6-ba51-0280c693d152` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `ES|QL` 
@@ -13,17 +15,26 @@ ```sql from logs-endpoint.events.file-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and - starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and + starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) | stats agents = count_distinct(host.id), total = count(*) by user.name | where agents == 1 and total <= 3 ``` +```sql +from logs-endpoint.events.file-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and + starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) +| stats agents = count_distinct(host.id), total = count(*) by user.name + /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */ +| where agents >= 10 +``` + ## Notes -- This hunt looks for high number of executable file transfer via the SMB protocol by the same user.name to more than a defined maxium threshold of targets. This could be a sign of lateral movement via the Windows Admin Shares. -- Further investigation can done pivoting by host.id and user name. +- Further investigation can done pivoting by `host.id` and `user.name`. ## MITRE ATT&CK Techniques - [T1021](https://attack.mitre.org/techniques/T1021) diff --git a/hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_user.md b/hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_user.md deleted file mode 100644 index 0721eb43ebc..00000000000 
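Review bot: Neither the new Description (previous hunk of this file) nor the remaining Notes say what the first query in this hunk is meant to surface: it keeps `| where agents == 1 and total <= 3`, the rare single-host case, while the Description only describes the `agents >= 10` threshold of the second query, and the Notes bullet that used to state the intent was removed rather than reworded. A Notes bullet along the lines of `- The first query surfaces rare transfers (one agent, three or fewer files) per user; the second surfaces users pushing PE files to ten or more agents.` would close that gap. The rewritten Notes line also reads `can done pivoting`, which should be `can be done pivoting`, and the Description spells `maxium` for `maximum`. If this markdown is rendered from the hunt's TOML source, the wording fix belongs there.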
--- a/hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_user.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# PE File Transfer via SMB_Admin Shares by User
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `ef9def35-0671-4599-8a18-5a1b833ef4c4`
-- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-endpoint.events.file-*
-| where @timestamp > now() - 7 day
-| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and
- starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-"))
-| stats agents = count_distinct(host.id), total = count(*) by user.name
- /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */
-| where agents >= 10
-```
-
-## Notes
-
-- This hunt looks for high number of executable file transfer via the SMB protocol by the same user.name to more than a defined maxium threshold of targets. This could be a sign of lateral movement via the Windows Admin Shares.
-- PE File Transfer via SMB/Admin Shares by User
-## MITRE ATT&CK Techniques
-
-- [T1021](https://attack.mitre.org/techniques/T1021)
-- [T1021.002](https://attack.mitre.org/techniques/T1021/002)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency.md b/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency.md
new file mode 100644
index 00000000000..3131f94a0a0
--- /dev/null
+++ b/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency.md
@@ -0,0 +1,57 @@
+# Persistence via Run Key with Low Occurrence Frequency
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** Leveraging frequency based analysis and random values normalization, this hunt identifies instances where a program adds a persistence entry with rare values or are imited to unique hosts. Run registry key cause programs to run each time that a user logs on and are often abused by adversaries to maintain persistence on an endpoint.
+
+- **UUID:** `1078e906-0485-482e-bcf3-7ee939e07020`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
+- **Language:** `ES|QL`
+
+## Query
+
+```sql
+from logs-endpoint.events.registry-*
+| where @timestamp > NOW() - 7 day
+| where host.os.family == "windows" and event.category == "registry" and event.action == "modification" and
+ (process.code_signature.exists == false or starts_with(process.code_signature.subject_name, "Microsoft")) and
+ ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and
+ not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)"""
+| keep registry.key, registry.data.strings, process.name, host.id
+ /* Paths normalization in registry.data.strings to ease aggregation */
+| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
+| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data
+| where hosts == 1 and cc == 1
+```
+
+```sql
+from logs-windows.sysmon_operational-*
+| where @timestamp > NOW() - 7 day
+| where host.os.family == "windows" and event.category == "registry" and event.action == "RegistryEvent (Value Set)" and
+ ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and
+ not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)"""
+| keep registry.key, registry.data.strings, process.name, host.id
+ /* Paths normalization in registry.data.strings to ease aggregation */
+| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
+| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data
+| where hosts == 1 and cc == 1
+```
+
+## Notes
+
+- This hunt includes two queries to cover both Sysmon and Elastic Defend data sources.
+- Sysmon registry events do not populate process code signature information (hence the separation of the queries).
+- Suspicious paths and LOLBins in the `registry.data.strings` value should be reviewed further.
+## MITRE ATT&CK Techniques
+
+- [T1547](https://attack.mitre.org/techniques/T1547)
+- [T1547.001](https://attack.mitre.org/techniques/T1547/001)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency_elastic_defend.md b/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency_elastic_defend.md
deleted file mode 100644
index 4d900190b5d..00000000000
--- a/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency_elastic_defend.md
+++ /dev/null
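Review bot: The new Description line carries two wording defects that every rendering of this hunt will repeat: `are imited to unique hosts` should read `are limited to unique hosts`, and `Run registry key cause programs to run` should read `Run registry keys cause programs to run`. The Sysmon query has no counterpart to the `process.code_signature` filter of the Elastic Defend query (the Notes say why), so it will also return Run values written by signed non-Microsoft processes that the first query drops; a short sentence in the Description or Notes saying that the Sysmon results are expected to be noisier would help the reader set expectations before triage. If this markdown is generated from the hunt's TOML source, apply the wording fix there.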
@@ -1,40 +0,0 @@
-# Persistence via Run Key with low occurrence frequency - Elastic Defend
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `1078e906-0485-482e-bcf3-7ee939e07020`
-- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-endpoint.events.registry-*
-| where @timestamp > NOW() - 7 day
-| where host.os.family == "windows" and event.category == "registry" and event.action == "modification" and
- (process.code_signature.exists == false or starts_with(process.code_signature.subject_name, "Microsoft")) and
- ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and
- not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)"""
-| keep registry.key, registry.data.strings, process.name, host.id
- /* Paths normalization in registry.data.strings to ease aggregation */
-| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
-| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data
-| where hosts == 1 and cc == 1
-```
-
-## Notes
-
-- Sysmon registry event don't populate process code signature information (hence the separation of the queries).
-- Suspicious paths and lolbins in the registry.data.strings value should be reviewed further.
-## MITRE ATT&CK Techniques
-
-- [T1547](https://attack.mitre.org/techniques/T1547)
-- [T1547.001](https://attack.mitre.org/techniques/T1547/001)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency_sysmon.md b/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency_sysmon.md
deleted file mode 100644
index 3f59ef9ac20..00000000000
--- a/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency_sysmon.md
+++ /dev/null
@@ -1,39 +0,0 @@
-# Persistence via Run Key with low occurrence frequency - Sysmon
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `cb2d8acc-123a-4578-bd33-7004c2be9843`
-- **Integration:** [windows](https://docs.elastic.co/integrations/windows)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-windows.sysmon_operational-*
-| where @timestamp > NOW() - 7 day
-| where host.os.family == "windows" and event.category == "registry" and event.action == "RegistryEvent (Value Set)" and
- ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and
- not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)"""
-| keep registry.key, registry.data.strings, process.name, host.id
- /* Paths normalization in registry.data.strings to ease aggregation */
-| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
-| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data
-| where hosts == 1 and cc == 1
-```
-
-## Notes
-
-- Sysmon registry event don't populate process code signature information (hence the separation of the queries).
-- Suspicious paths and lolbins in the registry.data.strings value should be reviewed further.
-## MITRE ATT&CK Techniques
-
-- [T1547](https://attack.mitre.org/techniques/T1547)
-- [T1547.001](https://attack.mitre.org/techniques/T1547/001)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/persistence_via_startup_with_low_occurrence_frequency.md b/hunting/windows/docs/persistence_via_startup_with_low_occurrence_frequency.md
index 31d4d40ce4c..962e473921f 100644
--- a/hunting/windows/docs/persistence_via_startup_with_low_occurrence_frequency.md +++ b/hunting/windows/docs/persistence_via_startup_with_low_occurrence_frequency.md @@ -1,10 +1,11 @@ -# Persistence via Startup with low occurrence frequency +# Persistence via Startup with Low Occurrence Frequency by Unique Host --- ## Metadata - **Author:** Elastic +- **Description:** Leveraging frequency based analysis and path normalization, this hunt identifies rare instances where a program adds a Startup persistence via file creation. Startup entries cause programs to run each time that a user logs on and are often abused by adversaries to maintain persistence on an endpoint. - **UUID:** `9d8c79fd-0006-4988-8aaa-d5f9b9a7df8e` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) - **Language:** `ES|QL` @@ -14,7 +15,7 @@ ```sql from logs-endpoint.events.file-*, logs-windows.sysmon_operational-default-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action in ("creation", "FileCreate") and +| where host.os.family == "windows" and event.category == "file" and event.action in ("creation", "FileCreate") and file.path rlike """(C:\\Users\\.+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.+*|C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\.+)""" | keep process.executable, host.id, file.name /* Paths normalization in registry.data.strings to ease aggregation */ 
@@ -26,9 +27,9 @@ from logs-endpoint.events.file-*, logs-windows.sysmon_operational-default-* ## Notes -- Elastic Defend file event captures the process.code_signature information, this can be added to the hunt to limit to unsigned and Microsoft signed programs. -- Unique file.name and limited to 1 agent is not necessarily malicious, this help surface ones worth further investigation. -- Suspicious process.executable paths and lolbins should be reviewed further. +- Elastic Defend file event captures the `process.code_signature` information, this can be added to the hunt to limit to unsigned and Microsoft signed programs. +- Unique `file.name` and limited to one agent is not necessarily malicious, however helps surface ones worth further investigation. +- Suspicious `process.executable` paths and LOLBins should be reviewed further. ## MITRE ATT&CK Techniques - [T1547](https://attack.mitre.org/techniques/T1547) diff --git a/hunting/windows/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md b/hunting/windows/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md index 2a9cc267e44..51661b8cfb1 100644 --- a/hunting/windows/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md +++ b/hunting/windows/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md @@ -1,10 +1,12 @@ -# Persistence via Suspicious Launch Agent or Launch Daemon with low occurrence +# Low Occurrence of Suspicious Launch Agent or Launch Daemon --- ## Metadata - **Author:** Elastic +- **Description:** This hunt looks for persistence via Launch agent or daemon where the distribution is limited to one unique host. + - **UUID:** `a7dcd1a1-2860-491e-8802-31169a607167` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `ES|QL` 
@@ -14,7 +16,7 @@ ```sql from logs-endpoint.events.file-* | where @timestamp > now() - 7 day -| where host.os.family == "macos" and event.category == "file" and event.action == "launch_daemon" and +| where host.os.family == "macos" and event.category == "file" and event.action == "launch_daemon" and (Persistence.runatload == true or Persistence.keepalive == true) and process.executable is not null | eval args = MV_CONCAT(Persistence.args, ",") /* normalizing users home profile */ @@ -25,8 +27,7 @@ from logs-endpoint.events.file-* ## Notes -- This hunt looks for persistence via Launch agent or daemon where the distribution is limited to one unique host. -- Further investigation can done pivoting by Persistence.name and args. +- Further investigation can done pivoting by `Persistence.name` and `args`. ## MITRE ATT&CK Techniques - [T1547](https://attack.mitre.org/techniques/T1547) diff --git a/hunting/windows/docs/potential_exfiltration_by_process_total_egress_bytes.md b/hunting/windows/docs/potential_exfiltration_by_process_total_egress_bytes.md index 6bebfef6981..ea5970208be 100644 --- a/hunting/windows/docs/potential_exfiltration_by_process_total_egress_bytes.md +++ b/hunting/windows/docs/potential_exfiltration_by_process_total_egress_bytes.md @@ -1,10 +1,12 @@ -# Potential Exfiltration by process total egress bytes +# Egress Network Connections with Total Bytes Greater than Threshold --- ## Metadata - **Author:** Elastic +- **Description:** Using aggregation and the ES|QL `SUM` function, this hunt identifies processes that performed egress connections with total bytes greater or equal to a defined maximum threshold. This may indicate exfiltration or long term command and control activity. + - **UUID:** `977d77f9-86e0-4df6-bdc7-aed87c048290` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `ES|QL` 
@@ -13,9 +15,9 @@ ```sql from logs-endpoint.events.network-* -| where @timestamp > now() - 8 hour -| where host.os.family == "windows" and event.category == "network" and - event.action == "disconnect_received" and +| where @timestamp > now() - 8 hour +| where host.os.family == "windows" and event.category == "network" and + event.action == "disconnect_received" and not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") | keep source.bytes, destination.address, process.executable, process.entity_id | stats total_bytes_out = sum(source.bytes) by process.entity_id, destination.address, process.executable 
@@ -25,10 +27,10 @@ from logs-endpoint.events.network-* ## Notes -- This hunt is not compatible with Sysmon event 3 (Network connection) and Windows security event 5156 as both don't log source.bytes. -- The use of host.os.family is to optimise the query and avoid timeout. You can duplicate the same query for other platforms (linux, macos etc.) +- This hunt is not compatible with Sysmon event 3 (Network connection) and Windows security event 5156 as both don't log `source.bytes`. +- The use of `host.os.family` is to optimise the query and avoid timeout. You can duplicate the same query for other platforms (linux, macos etc.) - Based on limited testing it's recommended to set the query time window to 8 hours. -- Pivoting by process.entity_id will allow further investigation (parent process, hash, child processes, other network events etc.). +- Pivoting by `process.entity_id` will allow further investigation (parent process, hash, child processes, other network events etc.). ## MITRE ATT&CK Techniques - [T1071](https://attack.mitre.org/techniques/T1071) diff --git a/hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md b/hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md index cc20e15371d..6c7a77c7097 100644 --- a/hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md +++ b/hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md 
@@ -1,10 +1,12 @@ -# Rundll32 execution aggregated by cmdline +# Rundll32 Execution Aggregated by Command Line --- ## Metadata - **Author:** Elastic +- **Description:** This hunt aggregate Rundll32 execution by normalized `process.command_line` and returns instances that are unique by frequency. Rundll32 is one of the most abused binaries to proxy execution of malicious commands and modules. + - **UUID:** `30f37cd2-c1d8-4554-bb4a-ed76de9e6857` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system) - **Language:** `ES|QL` 
@@ -14,8 +16,8 @@ ```sql from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and - process.name.caseless == "rundll32.exe" and +| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and + to_lower(process.name) == "rundll32.exe" and not process.command_line rlike """.*(zzzzInvokeManagedCustomActionOutOfProc|GeneralTel.dll,RunInUserCxt|ShOpenVerbApplication|davclnt.dll,DavSetCookie|FileProtocolHandler|EDGEHTML.dll|FirewallControlPanel.dll,ShowNotificationDialog|printui.dll,PrintUIEntryDPIAware|Program Files|SHCreateLocalServerRunDll|ImageView_Fullscreen|StatusMonitorEntryPoint|Control_RunDLL|HotPlugSafeRemovalDriveNotification|AppxDeploymentClient.dll|acproxy.dll,PerformAutochkOperations|CapabilityAccessManagerDoStoreMaintenance|dfshim.dll|display.dll,ShowAdapterSettings|ForceProxyDetectionOnNextRun|PfSvWsSwapAssessmentTask|acmigration.dll,ApplyMigrationShims|LenovoBatteryGaugePackage.dll|-localserver|DriverStore|CnmDxPEntryPoint|DeferredDelete|DeviceProperties_RunDLL|AppxDeploymentClient.dll|spool\\DRIVERS|printui.dll,PrintUIEntry|DfdGetDefaultPolicyAndSMART|cryptext.dll,CryptExt|WininetPlugin.dll|ClearMyTracksByProcess|SusRunTask|OpenURL|CleanupTemporaryState).*""" | keep process.parent.name, process.command_line, host.id | eval cmdline = replace(process.command_line, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") 
@@ -27,7 +29,7 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys ## Notes - Execution of DLLs from suspicious paths or with suspicious export function names or from suspicious parent should be further reviewed. -- Parents such as svchost, explorer.exe, wmiprvse.exe, winword.exe and others should be carefully reviewed. +- Parents such as svchost, `explorer.exe`, `wmiprvse.exe`, `winword.exe` and others should be carefully reviewed. ## MITRE ATT&CK Techniques - [T1127](https://attack.mitre.org/techniques/T1127) diff --git a/hunting/windows/docs/scheduled_task_creation_by_action_via_registry.md b/hunting/windows/docs/scheduled_task_creation_by_action_via_registry.md index 58f74c3f7ed..7e5f3769c62 100644 --- a/hunting/windows/docs/scheduled_task_creation_by_action_via_registry.md +++ b/hunting/windows/docs/scheduled_task_creation_by_action_via_registry.md @@ -1,10 +1,12 @@ -# Scheduled tasks creation by action via registry +# Scheduled tasks Creation by Action via Registry --- ## Metadata - **Author:** Elastic +- **Description:** This hunt looks for scheduled tasks creation by action using registry events. Scheduled tasks actions are saved under the TaskCache registry key in base64 encoded blob. Malware often abuse LOLBins to proxy execution or run executables from unusual paths, you can add more patterns to the query. + - **UUID:** `344c0690-ebc3-4794-b123-272a5c09c57b` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `ES|QL` 
@@ -28,8 +30,7 @@ from logs-endpoint.events.registry-* ## Notes -- This hunt aggregate created scheduled tasks by action using registry events. -- Malware often abuse lolbins to proxy execution or run executables from unusual paths, you can add more patterns to the query. +- Malware often abuse LOLBins to proxy execution or run executables from unusual paths, you can add more patterns to the query. ## MITRE ATT&CK Techniques - [T1053](https://attack.mitre.org/techniques/T1053) diff --git a/hunting/windows/docs/scheduled_tasks_creation_with_low_occurrence_frequency.md b/hunting/windows/docs/scheduled_tasks_creation_for_unique_hosts_by_task_command.md similarity index 76% rename from hunting/windows/docs/scheduled_tasks_creation_with_low_occurrence_frequency.md rename to hunting/windows/docs/scheduled_tasks_creation_for_unique_hosts_by_task_command.md index 75e25e80ec8..685fcae5eb2 100644 --- a/hunting/windows/docs/scheduled_tasks_creation_with_low_occurrence_frequency.md +++ b/hunting/windows/docs/scheduled_tasks_creation_for_unique_hosts_by_task_command.md @@ -1,10 +1,12 @@ -# Scheduled tasks creation with low occurrence frequency +# Scheduled Tasks Creation for Unique Hosts by Task Command --- ## Metadata - **Author:** Elastic +- **Description:** Using aggregation and strings extraction, this hunt identifies instances where a scheduled task is created and set to run a command unique to a specific host. This could be the result of persistence as a Windows Scheduled Task. + - **UUID:** `75804319-122c-4bdc-976e-d6355bca0d78` - **Integration:** [system](https://docs.elastic.co/integrations/system) - **Language:** `ES|QL` 
@@ -16,23 +18,23 @@ from logs-system.security-default-* | where @timestamp > now() - 7 day | where host.os.family == "windows" and event.code == "4698" and event.action == "scheduled-task-created" /* parsing unstructured data from winlog message to extract a scheduled task Exec command */ -| grok message "(?.+)" | eval Command = replace(Command, "(|)", "") +| grok message "(?.+)" | eval Command = replace(Command, "(|)", "") | where Command is not null /* normalise task name by removing usersid and uuid string patterns */ -| eval TaskName = replace(winlog.event_data.TaskName, """((-S-1-5-.*)|\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})""", "") +| eval TaskName = replace(winlog.event_data.TaskName, """((-S-1-5-.*)|\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})""", "") /* normalise task name by removing random patterns in a file path */ | eval Task_Command = replace(Command, """(ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") /* normalize user home profile path */ | eval Task_Command = replace(Task_Command, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") | where Task_Command like "?*" and not starts_with(Task_Command, "C:\\Program Files") and not starts_with(Task_Command, "\"C:\\Program Files") -| stats tasks_count = count(*), hosts_count = count_distinct(host.id) by Task_Command, TaskName +| stats tasks_count = count(*), hosts_count = count_distinct(host.id) by Task_Command, TaskName | where hosts_count == 1 ``` ## Notes - This hunt returns the aggregation of created tasks by task name, command to execute and number of hosts where this task is present. -- Close attention should be paid to suspicious paths like C:\Users\Public and C:\ProgramData\ as well as lolbins. +- Close attention should be paid to suspicious paths like `C:\Users\Public and C:\ProgramData\` as well as LOLBins. 
## MITRE ATT&CK Techniques - [T1053](https://attack.mitre.org/techniques/T1053) diff --git a/hunting/windows/docs/suspicious_base64_encoded_powershell_commands.md b/hunting/windows/docs/suspicious_base64_encoded_powershell_commands.md index 5d9bd80da3c..eb3ed872e2e 100644 --- a/hunting/windows/docs/suspicious_base64_encoded_powershell_commands.md +++ b/hunting/windows/docs/suspicious_base64_encoded_powershell_commands.md @@ -1,10 +1,12 @@ -# Suspicious Base64 Encoded PowerShell Command +# Suspicious Base64 Encoded Powershell Command --- ## Metadata - **Author:** Elastic +- **Description:** This hunt identifies base64 encoded powershell commands in process start events and filters ones with suspicious keywords like downloaders and evasion related commands. + - **UUID:** `8bf800de-b3a2-4b36-9484-7d9dae2a1992` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system) - **Language:** `ES|QL` @@ -27,7 +29,8 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys ## Notes -- This hunt decode base64 obfuscated powershell commands in process start events and filter ones with suspicious keywords like downloaders and evasion related commands. +- This hunt can be expanded to include more evasion techniques and downloaders. +- Pivoting by `agent.id` can provide more context on the affected hosts. ## MITRE ATT&CK Techniques - [T1059](https://attack.mitre.org/techniques/T1059) diff --git a/hunting/windows/docs/suspicious_dns_txt_record_lookups_by_process.md b/hunting/windows/docs/suspicious_dns_txt_record_lookups_by_process.md index 72943cfdb0c..77291923421 100644 --- a/hunting/windows/docs/suspicious_dns_txt_record_lookups_by_process.md +++ b/hunting/windows/docs/suspicious_dns_txt_record_lookups_by_process.md 
@@ -1,10 +1,13 @@ -# Suspicious DNS TXT Record lookups by process +# Suspicious DNS TXT Record Lookups by Process --- ## Metadata - **Author:** Elastic +- **Description:** Leveraging aggregation by process executable entities, this hunt identifies identifies a high number of DNS TXT record queries from same process. +Adversaries may leverage DNS TXT queries to stage malicious content or exfiltrate data. + - **UUID:** `0b7343f7-2d16-43c7-af28-9d1f012b1093` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) - **Language:** `ES|QL` 
@@ -12,20 +15,1583 @@ ## Query ```sql -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where host.os.family == "windows" and event.category == "network" and - event.action in ("lookup_requested", "DNSEvent (DNS query)") and - (dns.question.type == "TXT" or dns.answers.type == "TXT") and process.executable != "C:\\Windows\\system32\\svchost.exe" -| keep process.executable, process.entity_id -| stats occurrences = count(*) by process.entity_id, process.executable - /* threshold can be adjusted to your env */ -| where occurrences >= 50 +f``` + +```sql +r``` + +```sql +o``` + +```sql +m``` + +```sql + ``` + +```sql +l``` + +```sql +o``` + +```sql +g``` + +```sql +s``` + +```sql +-``` + +```sql +e``` + +```sql +n``` + +```sql +d``` + +```sql +p``` + +```sql +o``` + +```sql +i``` + +```sql +n``` + +```sql +t``` + +```sql +.``` + +```sql +e``` + +```sql +v``` + +```sql +e``` + +```sql +n``` + +```sql +t``` + +```sql +s``` + +```sql +.``` + +```sql +n``` + +```sql +e``` + +```sql +t``` + +```sql +w``` + +```sql +o``` + +```sql +r``` + +```sql +k``` + +```sql +-``` + +```sql +*``` + +```sql +,``` + +```sql + ``` + +```sql +l``` + +```sql +o``` + +```sql +g``` + +```sql +s``` + +```sql +-``` + +```sql +w``` + +```sql +i``` + +```sql +n``` + +```sql +d``` + +```sql +o``` + +```sql +w``` + +```sql +s``` + +```sql +.``` + +```sql +s``` + +```sql +y``` + +```sql +s``` + +```sql +m``` + +```sql +o``` + +```sql +n``` + +```sql +_``` + +```sql +o``` + +```sql +p``` + +```sql +e``` + +```sql +r``` + +```sql +a``` + +```sql +t``` + +```sql +i``` + +```sql +o``` + +```sql +n``` + +```sql +a``` + +```sql +l``` + +```sql +-``` + +```sql +*``` + +```sql + +``` + +```sql +|``` + +```sql + ``` + +```sql +w``` + +```sql +h``` + +```sql +e``` + +```sql +r``` + +```sql +e``` + +```sql + ``` + +```sql +h``` + +```sql +o``` + +```sql +s``` + +```sql +t``` + +```sql +.``` + +```sql +o``` + +```sql +s``` + +```sql +.``` + +```sql +f``` + +```sql +a``` + +```sql +m``` + 
+```sql +i``` + +```sql +l``` + +```sql +y``` + +```sql + ``` + +```sql +=``` + +```sql +=``` + +```sql + ``` + +```sql +"``` + +```sql +w``` + +```sql +i``` + +```sql +n``` + +```sql +d``` + +```sql +o``` + +```sql +w``` + +```sql +s``` + +```sql +"``` + +```sql + ``` + +```sql +a``` + +```sql +n``` + +```sql +d``` + +```sql + ``` + +```sql +e``` + +```sql +v``` + +```sql +e``` + +```sql +n``` + +```sql +t``` + +```sql +.``` + +```sql +c``` + +```sql +a``` + +```sql +t``` + +```sql +e``` + +```sql +g``` + +```sql +o``` + +```sql +r``` + +```sql +y``` + +```sql + ``` + +```sql +=``` + +```sql +=``` + +```sql + ``` + +```sql +"``` + +```sql +n``` + +```sql +e``` + +```sql +t``` + +```sql +w``` + +```sql +o``` + +```sql +r``` + +```sql +k``` + +```sql +"``` + +```sql + ``` + +```sql +a``` + +```sql +n``` + +```sql +d``` + +```sql + +``` + +```sql + ``` + +```sql + ``` + +```sql +e``` + +```sql +v``` + +```sql +e``` + +```sql +n``` + +```sql +t``` + +```sql +.``` + +```sql +a``` + +```sql +c``` + +```sql +t``` + +```sql +i``` + +```sql +o``` + +```sql +n``` + +```sql + ``` + +```sql +i``` + +```sql +n``` + +```sql + ``` + +```sql +(``` + +```sql +"``` + +```sql +l``` + +```sql +o``` + +```sql +o``` + +```sql +k``` + +```sql +u``` + +```sql +p``` + +```sql +_``` + +```sql +r``` + +```sql +e``` + +```sql +q``` + +```sql +u``` + +```sql +e``` + +```sql +s``` + +```sql +t``` + +```sql +e``` + +```sql +d``` + +```sql +"``` + +```sql +,``` + +```sql + ``` + +```sql +"``` + +```sql +D``` + +```sql +N``` + +```sql +S``` + +```sql +E``` + +```sql +v``` + +```sql +e``` + +```sql +n``` + +```sql +t``` + +```sql + ``` + +```sql +(``` + +```sql +D``` + +```sql +N``` + +```sql +S``` + +```sql + ``` + +```sql +q``` + +```sql +u``` + +```sql +e``` + +```sql +r``` + +```sql +y``` + +```sql +)``` + +```sql +"``` + +```sql +)``` + +```sql + ``` + +```sql +a``` + +```sql +n``` + +```sql +d``` + +```sql + +``` + +```sql + ``` + +```sql + ``` + +```sql +(``` + +```sql +d``` + +```sql +n``` 
+ +```sql +s``` + +```sql +.``` + +```sql +q``` + +```sql +u``` + +```sql +e``` + +```sql +s``` + +```sql +t``` + +```sql +i``` + +```sql +o``` + +```sql +n``` + +```sql +.``` + +```sql +t``` + +```sql +y``` + +```sql +p``` + +```sql +e``` + +```sql + ``` + +```sql +=``` + +```sql +=``` + +```sql + ``` + +```sql +"``` + +```sql +T``` + +```sql +X``` + +```sql +T``` + +```sql +"``` + +```sql + ``` + +```sql +o``` + +```sql +r``` + +```sql + ``` + +```sql +d``` + +```sql +n``` + +```sql +s``` + +```sql +.``` + +```sql +a``` + +```sql +n``` + +```sql +s``` + +```sql +w``` + +```sql +e``` + +```sql +r``` + +```sql +s``` + +```sql +.``` + +```sql +t``` + +```sql +y``` + +```sql +p``` + +```sql +e``` + +```sql + ``` + +```sql +=``` + +```sql +=``` + +```sql + ``` + +```sql +"``` + +```sql +T``` + +```sql +X``` + +```sql +T``` + +```sql +"``` + +```sql +)``` + +```sql + ``` + +```sql +a``` + +```sql +n``` + +```sql +d``` + +```sql + ``` + +```sql +p``` + +```sql +r``` + +```sql +o``` + +```sql +c``` + +```sql +e``` + +```sql +s``` + +```sql +s``` + +```sql +.``` + +```sql +e``` + +```sql +x``` + +```sql +e``` + +```sql +c``` + +```sql +u``` + +```sql +t``` + +```sql +a``` + +```sql +b``` + +```sql +l``` + +```sql +e``` + +```sql + ``` + +```sql +!``` + +```sql +=``` + +```sql + ``` + +```sql +"``` + +```sql +C``` + +```sql +:``` + +```sql +\``` + +```sql +\``` + +```sql +W``` + +```sql +i``` + +```sql +n``` + +```sql +d``` + +```sql +o``` + +```sql +w``` + +```sql +s``` + +```sql +\``` + +```sql +\``` + +```sql +s``` + +```sql +y``` + +```sql +s``` + +```sql +t``` + +```sql +e``` + +```sql +m``` + +```sql +3``` + +```sql +2``` + +```sql +\``` + +```sql +\``` + +```sql +s``` + +```sql +v``` + +```sql +c``` + +```sql +h``` + +```sql +o``` + +```sql +s``` + +```sql +t``` + +```sql +.``` + +```sql +e``` + +```sql +x``` + +```sql +e``` + +```sql +"``` + +```sql + +``` + +```sql +|``` + +```sql + ``` + +```sql +k``` + +```sql +e``` + +```sql +e``` + +```sql +p``` + +```sql + 
``` + +```sql +p``` + +```sql +r``` + +```sql +o``` + +```sql +c``` + +```sql +e``` + +```sql +s``` + +```sql +s``` + +```sql +.``` + +```sql +e``` + +```sql +x``` + +```sql +e``` + +```sql +c``` + +```sql +u``` + +```sql +t``` + +```sql +a``` + +```sql +b``` + +```sql +l``` + +```sql +e``` + +```sql +,``` + +```sql + ``` + +```sql + ``` + +```sql +p``` + +```sql +r``` + +```sql +o``` + +```sql +c``` + +```sql +e``` + +```sql +s``` + +```sql +s``` + +```sql +.``` + +```sql +e``` + +```sql +n``` + +```sql +t``` + +```sql +i``` + +```sql +t``` + +```sql +y``` + +```sql +_``` + +```sql +i``` + +```sql +d``` + +```sql + +``` + +```sql +|``` + +```sql + ``` + +```sql +s``` + +```sql +t``` + +```sql +a``` + +```sql +t``` + +```sql +s``` + +```sql + ``` + +```sql +o``` + +```sql +c``` + +```sql +c``` + +```sql +u``` + +```sql +r``` + +```sql +r``` + +```sql +e``` + +```sql +n``` + +```sql +c``` + +```sql +e``` + +```sql +s``` + +```sql + ``` + +```sql +=``` + +```sql + ``` + +```sql +c``` + +```sql +o``` + +```sql +u``` + +```sql +n``` + +```sql +t``` + +```sql +(``` + +```sql +*``` + +```sql +)``` + +```sql + ``` + +```sql +b``` + +```sql +y``` + +```sql + ``` + +```sql +p``` + +```sql +r``` + +```sql +o``` + +```sql +c``` + +```sql +e``` + +```sql +s``` + +```sql +s``` + +```sql +.``` + +```sql +e``` + +```sql +n``` + +```sql +t``` + +```sql +i``` + +```sql +t``` + +```sql +y``` + +```sql +_``` + +```sql +i``` + +```sql +d``` + +```sql +,``` + +```sql + ``` + +```sql +p``` + +```sql +r``` + +```sql +o``` + +```sql +c``` + +```sql +e``` + +```sql +s``` + +```sql +s``` + +```sql +.``` + +```sql +e``` + +```sql +x``` + +```sql +e``` + +```sql +c``` + +```sql +u``` + +```sql +t``` + +```sql +a``` + +```sql +b``` + +```sql +l``` + +```sql +e``` + +```sql + +``` + +```sql + ``` + +```sql +/``` + +```sql +*``` + +```sql + ``` + +```sql +t``` + +```sql +h``` + +```sql +r``` + +```sql +e``` + +```sql +s``` + +```sql +h``` + +```sql +o``` + +```sql +l``` + +```sql +d``` + +```sql 
+ ``` + +```sql +c``` + +```sql +a``` + +```sql +n``` + +```sql + ``` + +```sql +b``` + +```sql +e``` + +```sql + ``` + +```sql +a``` + +```sql +d``` + +```sql +j``` + +```sql +u``` + +```sql +s``` + +```sql +t``` + +```sql +e``` + +```sql +d``` + +```sql + ``` + +```sql +t``` + +```sql +o``` + +```sql + ``` + +```sql +y``` + +```sql +o``` + +```sql +u``` + +```sql +r``` + +```sql + ``` + +```sql +e``` + +```sql +n``` + +```sql +v``` + +```sql + ``` + +```sql +*``` + +```sql +/``` + +```sql + +``` + +```sql +|``` + +```sql + ``` + +```sql +w``` + +```sql +h``` + +```sql +e``` + +```sql +r``` + +```sql +e``` + +```sql + ``` + +```sql +o``` + +```sql +c``` + +```sql +c``` + +```sql +u``` + +```sql +r``` + +```sql +r``` + +```sql +e``` + +```sql +n``` + +```sql +c``` + +```sql +e``` + +```sql +s``` + +```sql + ``` + +```sql +>``` + +```sql +=``` + +```sql + ``` + +```sql +5``` + +```sql +0``` + +```sql + ``` ## Notes -- This hunt returns a list of processes unique pids and executable path that performs a high number of DNS TXT lookups. -- Pivoting by process.entity_id will allow further investigation (parent process, hash, child processes, other network events etc.). +- This hunt returns a list of processes unique pids and executable paths that performs a high number of DNS TXT lookups. +- Pivoting by `process.entity_id` will allow further investigation (parent process, hash, child processes, other network events etc.). ## MITRE ATT&CK Techniques - [T1071](https://attack.mitre.org/techniques/T1071) diff --git a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename.md b/hunting/windows/docs/unique_windows_services_creation_by_servicefilename.md new file mode 100644 index 00000000000..3a98c902341 --- /dev/null +++ b/hunting/windows/docs/unique_windows_services_creation_by_servicefilename.md 
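Review bot: The new side of this hunk replaces the DNS TXT query with roughly 1,570 one-character ```sql fences (`f`, `r`, `o`, `m`, …), so the rendered page no longer contains a runnable query and anyone copying it gets nothing; this looks like the doc generator iterating a query string character by character rather than an intended change. The fix is to emit the query as one fenced block again, i.e. the eight lines from `from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*` through `| where occurrences >= 50` as they appear on the old side, and to check the generator's handling of this rule's query field, since the other hunts in the commit render correctly. While restoring it, consider adding the `| where @timestamp > now() - 7 day` window the sibling hunts use, and note that `process.executable != "C:\\Windows\\system32\\svchost.exe"` is a case-sensitive exact match, so a differently cased path from Sysmon would not be excluded.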
@@ -0,0 +1,77 @@ +# Unique Windows Services Creation by Service File Name + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the ES|QL `Replace` command we can also further remove random patterns to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and LOLBins. + +- **UUID:** `ebf79207-16dc-44f8-b10c-317d4a034bad` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system) +- **Language:** `ES|QL` + +## Query + +```sql +from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and + registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") and + process.executable != "C:\\Windows\\System32\\services.exe" +| eval process_path = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats hosts = count_distinct(host.id), occurrences = count(*) by process_path +/* unique process.executable found in one agent */ +| where hosts == 1 and occurrences == 1 +``` + +```sql +from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and + registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") and + not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program 
Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" +| eval ServiceFileName = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") +| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName + /* unique ServiceFileName observed in 1 host*/ +| where hosts == 1 and cc == 1 +``` + +```sql +from logs-system.security-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "configuration" and event.code == "4697" and + not winlog.event_data.ServiceFileName rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" +| eval ServiceFileName = replace(winlog.event_data.ServiceFileName, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") +| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName +| where hosts == 1 and cc == 1 +``` + +```sql +from logs-system.system-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.code == "7045" and + not winlog.event_data.ImagePath rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" +| eval ServiceFileName = replace(winlog.event_data.ImagePath, 
"""([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") +| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName +| where hosts == 1 and cc == 1 +``` + +## Notes + +- This hunt also identifies services registry modification by unusual process based on number of hosts and occurrences history. +- Windows event IDs 4697 and 7045 are used to identify service creation and modification. +## MITRE ATT&CK Techniques + +- [T1543](https://attack.mitre.org/techniques/T1543) +- [T1543.003](https://attack.mitre.org/techniques/T1543/003) + +## License + +- `Elastic License v2` diff --git a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_registry_sysmon.md b/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_registry_sysmon.md deleted file mode 100644 index 1a5002562fa..00000000000 --- a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_registry_sysmon.md +++ /dev/null 
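Review bot: `process.executable != "C:\\Windows\\System32\\services.exe"` in the first query is a case-sensitive exact match, so a path logged as `c:\windows\system32\services.exe` (casing differs between Elastic Defend and Sysmon) slips past the exclusion and floods the `hosts == 1 and occurrences == 1` bucket; the rundll32 hunt in this same commit switched to `to_lower(process.name)`, and the matching form `to_lower(process.executable) != "c:\\windows\\system32\\services.exe"` belongs here. The `not ... rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|...` exclusion used by the other three queries discards every service whose file name is under Program Files, including user-writable subdirectories, and the `## Notes` section should say so, e.g. `- Services under Program Files and the DriverStore are excluded as noise; a binary dropped into a writable Program Files subfolder will not surface here.` The Notes line `Windows event IDs 4697 and 7045 are used to identify service creation and modification` overstates those IDs, which both record a service being installed; modification is only covered by the registry query, so `service creation` alone is accurate. Also, `Replace` in the description is an ES|QL function, not a command.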
@@ -1,36 +0,0 @@ -# Unique Windows Services Creation by ServiceFileName - Elastic Defend Registry - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `ebf79207-16dc-44f8-b10c-317d4a034bad` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and - registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") and - process.executable != "C:\\Windows\\System32\\services.exe" -| eval process_path = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats hosts = count_distinct(host.id), occurrences = count(*) by process_path -/* unique process.executable found in one agent */ -| where hosts == 1 and occurrences == 1 -``` - -## Notes - -- This hunt identify services registry modification by unusual process based on number of hosts and occurrences history. -## MITRE ATT&CK Techniques - -- [T1543](https://attack.mitre.org/techniques/T1543) -- [T1543.003](https://attack.mitre.org/techniques/T1543/003) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_sysmon_registry.md b/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_sysmon_registry.md deleted file mode 100644 index 9d156cac125..00000000000 --- a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_sysmon_registry.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# Unique Windows Services Creation by ServiceFileName - Elastic Defend - Sysmon Registry - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `688dc79d-f52a-49ad-829d-89343e68b0f7` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and - registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") and - not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" -| eval ServiceFileName = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") -| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName - /* unique ServiceFileName observed in 1 host*/ -| where hosts == 1 and cc == 1 -``` - -## Notes - -- This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the Replace command we can also further remove random pattern to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and lolbins. 
-## MITRE ATT&CK Techniques - -- [T1543](https://attack.mitre.org/techniques/T1543) -- [T1543.003](https://attack.mitre.org/techniques/T1543/003) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_4697.md b/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_4697.md deleted file mode 100644 index fcc0dbd89bf..00000000000 --- a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_4697.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# Unique Windows Services Creation by ServiceFileName - Windows Security 4697 - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `b6b14385-4ed2-44af-98fe-dad5b1581174` -- **Integration:** [system](https://docs.elastic.co/integrations/system) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-system.security-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "configuration" and event.code == "4697" and - not winlog.event_data.ServiceFileName rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" -| eval ServiceFileName = replace(winlog.event_data.ServiceFileName, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") -| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName -| where hosts == 1 and cc == 1 -``` - -## Notes - -- This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the Replace command we can also further remove random pattern to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and lolbins. -## MITRE ATT&CK Techniques - -- [T1543](https://attack.mitre.org/techniques/T1543) -- [T1543.003](https://attack.mitre.org/techniques/T1543/003) - -## License - -- `Elastic License v2` 
diff --git a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_7045.md b/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_7045.md deleted file mode 100644 index 0a4813198a7..00000000000 --- a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_7045.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# Unique Windows Services Creation by ServiceFileName - Windows Security 7045 - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `1749a45b-98f0-4b27-8c2f-2287230e52b7` -- **Integration:** [system](https://docs.elastic.co/integrations/system) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-system.system-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.code == "7045" and - not winlog.event_data.ImagePath rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" -| eval ServiceFileName = replace(winlog.event_data.ImagePath, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") -| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName -| where hosts == 1 and cc == 1 -``` - -## Notes - -- This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the Replace command we can also further remove random pattern to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and lolbins. -## MITRE ATT&CK Techniques - -- [T1543](https://attack.mitre.org/techniques/T1543) -- [T1543.003](https://attack.mitre.org/techniques/T1543/003) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md b/hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md index 3fd574ca4c3..bd5755a4943 100644 
--- a/hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md +++ b/hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md @@ -1,10 +1,12 @@ -# Windows Command and Scripting Interpreter from unusual parent +# Windows Command and Scripting Interpreter from Unusual Parent Process --- ## Metadata - **Author:** Elastic +- **Description:** This hunt looks for unusual Microsoft native processes spawning `cmd.exe`, `powershell.exe` or `conhost.exe` and limited to a unique host. This could be normal rare behavior as well as an interactive shell activity from an injected parent process to execute system commands. + - **UUID:** `de929347-c04a-4a94-8be2-cbe87b25bb25` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system) - **Language:** `ES|QL` @@ -14,9 +16,9 @@ ```sql from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and - process.name.caseless in ("cmd.exe", "powershell.exe", "conhost.exe") and - (starts_with(process.parent.executable.caseless, "c:\\windows\\system32") or starts_with(process.parent.executable.caseless, "c:\\windows\\syswow64")) +| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and + to_lower(process.name) in ("cmd.exe", "powershell.exe", "conhost.exe") and + (starts_with(to_lower(process.parent.executable), "c:\\windows\\system32") or starts_with(to_lower(process.parent.executable), "c:\\windows\\syswow64")) | keep process.name, process.parent.name, host.id | stats hosts = count_distinct(host.id), cc = count(*) by process.parent.name | where cc <= 10 and hosts == 1 
@@ -24,8 +26,8 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys ## Notes -- Pivoting can be done via process.parent.name. -- Certain Microsoft binaries like LSASS, winlogon, spoolsv and others should never spawn cmd.exe powershell.exe or conhost.exe, if so it's highly likely malicious. +- Further pivoting can be done via `process.parent.name`. +- Certain Microsoft binaries like LSASS, winlogon, spoolsv and others should never spawn `cmd.exe`, `powershell.exe` or `conhost.exe`, if so it's highly likely malicious. ## MITRE ATT&CK Techniques - [T1059](https://attack.mitre.org/techniques/T1059) diff --git a/hunting/windows/docs/windows_logon_activity_by_source_ip.md b/hunting/windows/docs/windows_logon_activity_by_source_ip.md index f19f53ff9af..5c71659eeca 100644 --- a/hunting/windows/docs/windows_logon_activity_by_source_ip.md +++ b/hunting/windows/docs/windows_logon_activity_by_source_ip.md @@ -1,10 +1,12 @@ -# Windows logon activity by source IP +# Windows Logon Activity by Source IP --- ## Metadata - **Author:** Elastic +- **Description:** This hunt returns a summary of network logon activity by `source.ip` using Windows event IDs 4624 and 4625. The higher the number of failures, low success and multiple accounts the more suspicious the behavior is. + - **UUID:** `7bdea198-eb09-4eca-ae3d-bfc3b52c89a9` - **Integration:** [system](https://docs.elastic.co/integrations/system) - **Language:** `ES|QL` 
@@ -14,10 +16,10 @@ ```sql from logs-system.security-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and - event.category == "authentication" and event.action in ("logon-failed", "logged-in") and winlog.logon.type == "Network" and - source.ip is not null and - /* noisy failure status codes often associated to authentication misconfiguration */ +| where host.os.family == "windows" and + event.category == "authentication" and event.action in ("logon-failed", "logged-in") and winlog.logon.type == "Network" and + source.ip is not null and + /* noisy failure status codes often associated to authentication misconfiguration */ not (event.action == "logon-failed" and winlog.event_data.Status in ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")) | eval failed = case(event.action == "logon-failed", source.ip, null), success = case(event.action == "logged-in", source.ip, null) | stats count_failed = count(failed), count_success = count(success), count_user = count_distinct(winlog.event_data.TargetUserName) by source.ip @@ -27,8 +29,7 @@ from logs-system.security-* ## Notes -- This hunt returns the total number of failed logons, successful ones and the number of unique account names grouped by source.ip. -- Pay close attention to IP addresses source of a high number of failures associated with low success attempts and high number of used accounts. +- Pay close attention to IP address sources with a high number of failed connections associated with low success attempts and high number of user accounts. ## MITRE ATT&CK Techniques - [T1110](https://attack.mitre.org/techniques/T1110) diff --git a/hunting/windows/queries/createremotethread_by_source_process_with_low_occurrence.toml b/hunting/windows/queries/createremotethread_by_source_process_with_low_occurrence.toml index a59a13ddad0..4fea380c3ba 100644 --- a/hunting/windows/queries/createremotethread_by_source_process_with_low_occurrence.toml 
+++ b/hunting/windows/queries/createremotethread_by_source_process_with_low_occurrence.toml
@@ -1,22 +1,23 @@
 [hunt]
 author = "Elastic"
+description = "This hunt attempts to identify remote process injection by aggregating Sysmon `CreateRemoteThread` events by source process and returns the ones that we observed in only one unique host."
 integration = ["windows"]
 uuid = "0545f23f-84a7-4b88-9b5b-b8cfcfdc9276"
-name = "CreateRemoteThread by source process with low occurrence"
+name = "Low Occurrence Rate of CreateRemoteThread by Source Process"
 language = "ES|QL"
 license = "Elastic License v2"
 notes = [
- "This hunt aggregates Sysmon CreateRemoteThread events by source process and returns the ones that we observed in only one unique host. This may indicate remote process injection.",
- "Adding winlog.event_data.TargetImage to the group by clause can be beneficial but may introduce more legit hits.",
+ "Adding `winlog.event_data.TargetImage` to the aggregation clause can be beneficial but may introduce more false-positives.",
 ]
 mitre = ["T1055"]
-
-query = '''
-from logs-windows.sysmon_operational-*
+query = [
+'''
+from logs-windows.sysmon_operational-*
 | where @timestamp > now() - 7 day
 | where host.os.family == "windows" and event.category == "process" and event.action == "CreateRemoteThread"
 | eval source_process = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
 | stats cc = count(*), hosts = count_distinct(host.id) by source_process
 /* unique source and target processes combined and observed in 1 host */
 | where hosts == 1 and cc == 1
-'''
\ No newline at end of file
+'''
+]
\ No newline at end of file
diff --git a/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml b/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml
new file mode 100644
index 00000000000..cdbfab8145e
--- /dev/null
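Review bot: The inline comment `/* unique source and target processes combined and observed in 1 host */` no longer describes the aggregation, which groups by `source_process` only; the target process is now mentioned in the notes as an optional addition to the `stats ... by` clause. Since this hunk rewrites the surrounding note and the `query` wrapper, it is the place to reword that comment, e.g. `/* unique source process observed in 1 host */`, so the query and the `winlog.event_data.TargetImage` note agree on what is being counted.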
+++ b/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml 
@@ -0,0 +1,50 @@
+[hunt]
+author = "Elastic"
+description = "This hunt identifies when a process loads a DLL normally located in `System32` or `SysWOW64` folders from an unusual path. Adversaries may execute their own malicious payloads by side-loading malicious DLLs. The host count also should help exclude false-positives by looking at low occurrences when this abnormal behavior is limited to unique agents."
+integration = ["endpoint", "windows"]
+uuid = "87c97865-fdaa-48b2-bfa6-67bed7cf56ef"
+name = "DLL Hijack via Masquerading as Microsoft Native Libraries"
+language = "ES|QL"
+license = "Elastic License v2"
+mitre = ["T1574", "T1574.001"]
+notes = [
+ "This hunt has two optional queries, one for Elastic Defend data and another for Sysmon data.",
+ "This hunt requires the creation of an [enrichment policy](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-enrich-data.html) to use with the ES|QL (ENRICH command).",
+ "The `dll.hash.sha256` field can be used to pivot and further investigate the DLL origin and purpose.",
+ "Paths like `C:\\Users\\Public and C:\\ProgramData\\` are often observed in malware employing DLL side-loading.",
+]
+
+query = [
+'''
+from logs-endpoint.events.library-*
+| where @timestamp > NOW() - 7 day
+| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and
+ not dll.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll"""
+| keep dll.name, dll.path, dll.hash.sha256, process.executable, host.id
+ /* steps how to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c */
+| ENRICH libs-policy-defend
+ /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */
+| where native == "yes" and not starts_with(dll.path, "C:\\Windows\\assembly\\NativeImages")
+ /* normalize paths by removing random patterns */
+| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""),
+ dll_path = replace(dll.path, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| stats host_count = count_distinct(host.id) by dll.name, dll_path, process_path, dll.hash.sha256
+| sort host_count asc
+''',
+'''
+from logs-windows.sysmon_operational-*
+| where @timestamp > NOW() - 7 day
+| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and
+ not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll"""
+| keep file.name, file.path, file.hash.sha256, process.executable, host.id
+ /* steps to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c - just replace dll by file */
+| ENRICH libs-policy-sysmon
+ /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */
+| where native == "yes" and not starts_with(file.path, "C:\\Windows\\assembly\\NativeImages")
+ /* normalize paths by removing random patterns */
+| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""),
+ dll_path = replace(file.path, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| stats host_count = count_distinct(host.id) by file.name, dll_path, process_path, file.hash.sha256
+| sort host_count asc
+'''
+]
\ No newline at end of file
diff --git a/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_elastic_defend.toml b/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_elastic_defend.toml
deleted file mode 100644
index cc5b45c0138..00000000000
--- a/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_elastic_defend.toml
+++ /dev/null
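Review bot: The merged `notes` drop the caveat carried by the deleted Sysmon variant that process code signature information is not available in Sysmon Image Load events, yet the second query still has no `process.code_signature.status` condition while the first requires `"trusted"`, so the two result sets are not comparable without that explanation. Suggest restoring a note along the lines of `"The Sysmon query cannot filter on the loading process signature because Sysmon Image Load events do not carry process code signature information, so it may return more results than the Elastic Defend query."`. The fourth note also wraps both example paths in a single code span, whereas the sideload hunt in this same commit formats them as two separate spans; aligning the two would keep the rendered docs consistent. Separately, the exclusion regex ends in `[a-zA-Z0-9_]+.dll` with an unescaped dot and a class that omits `-` and `.`, so a native DLL whose name contains those characters (constructed example: `api-ms-win-core-file-l1-1-0.dll`) is not excluded and may surface from `System32` if the enrichment tags it native; `[a-zA-Z0-9_.-]+\.dll` would cover those names.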
@@ -1,30 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["endpoint"]
-uuid = "87c97865-fdaa-48b2-bfa6-67bed7cf56ef"
-name = "Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Elastic Defend"
-language = "ES|QL"
-license = "Elastic License v2"
-notes = [
- "This hunt require the creation of an enrichment policy to use with the ES|QL (ENRICH command).",
- "The `dll.hash.sha256` field can be used to pivot and further investigate the DLL origin and purpose.",
- "Paths like C:\\Users\\Public and C:\\ProgramData\\ are often observed in malware employing DLL side-loading.",
-]
-mitre = ["T1574", "T1574.001"]
-
-query = '''
-from logs-endpoint.events.library-*
-| where @timestamp > NOW() - 7 day
-| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and
- not dll.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll"""
-| keep dll.name, dll.path, dll.hash.sha256, process.executable, host.id
- /* steps how to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c */
-| ENRICH libs-policy-defend
- /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */
-| where native == "yes" and not starts_with(dll.path, "C:\\Windows\\assembly\\NativeImages")
- /* normalize paths by removing random patterns */
-| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""),
- dll_path = replace(dll.path, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| stats host_count = count_distinct(host.id) by dll.name, dll_path, process_path, dll.hash.sha256
-| sort host_count asc
-'''
\ No newline at end of file
diff --git a/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_sysmon.toml b/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_sysmon.toml
deleted file mode 100644
index f88d93c97b6..00000000000
--- a/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_sysmon.toml
+++ /dev/null
@@ -1,31 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["windows"]
-uuid = "68314691-1460-4ac5-ae0d-6b3514e43254"
-name = "Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Sysmon"
-language = "ES|QL"
-license = "Elastic License v2"
-notes = [
- "This hunt require the creation of an enrichment policy to use with the ES|QL (ENRICH command).",
- "Using dll.hash.sha256 for Elastic Defend or file.hash.sha256 for Sysmon you can pivot to further investigate the DLL origin and purpose.",
- "Paths like C:\\Users\\Public and C:\\ProgramData\\ are often observed in malware employing DLL side-loading.",
- "Process code signature information is not captured in Sysmon Image Load Events (not present in the ES|QL hunt).",
-]
-mitre = [ "T1574", "T1574.001",]
-
-query = '''
-from logs-windows.sysmon_operational-*
-| where @timestamp > NOW() - 7 day
-| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and
- not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll"""
-| keep file.name, file.path, file.hash.sha256, process.executable, host.id
- /* steps to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c - just replace dll by file */
-| ENRICH libs-policy-sysmon
- /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */
-| where native == "yes" and not starts_with(file.path, "C:\\Windows\\assembly\\NativeImages")
- /* normalize paths by removing random patterns */
-| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""),
- dll_path = replace(file.path, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| stats host_count = count_distinct(host.id) by file.name, dll_path, process_path, file.hash.sha256
-| sort host_count asc
-'''
\ No newline at end of file
diff --git a/hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml b/hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml
index 2b3f0ab80e6..96f9ef336ce 100644
--- a/hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml
+++ b/hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml
@@ -1,11 +1,13 @@
 [hunt]
 author = "Elastic"
+description = "This hunt detects processes named as legit Microsoft native binaries located in the system32 folder. Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. "
 integration = ["endpoint"]
 uuid = "93a72542-a1f7-4407-9175-8f066343db60"
-name = "Detect masquerading attempts as native Windows binaries"
+mitre = ["T1036"]
+name = "Masquerading Attempts as Native Windows Binaries"
 language = "ES|QL"
 license = "Elastic License v2"
-query = '''
+query = ['''
 from logs-endpoint.events.process-*
 | where @timestamp > NOW() - 7 day
 | where event.type == "start" and event.action == "start" and host.os.name == "Windows" and not starts_with(process.executable, "C:\\Program Files\\WindowsApps\\") and not starts_with(process.executable, "C:\\Windows\\System32\\DriverStore\\") and process.name != "setup.exe"
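Review bot: The added `description` value ends with a trailing space before the closing quote (`... evading defenses and observation. "`), which will be carried verbatim into any generated documentation; trim it to `... evading defenses and observation."`. The `query = ['''` form introduced here also differs from the other hunts touched in this commit, which open the array on its own line as `query = [` followed by `'''` on the next line; one layout across the TOML files would make them easier to diff and lint. The query body itself continues outside this hunk.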
@@ -17,10 +19,10 @@ from logs-endpoint.events.process-*
 | stats count_system_bin = count(system_bin), count_non_system_bin = count(non_system_bin) by process.name.caseless, host.id
 /* filter where the same process.name is present in both system_bin and non_system_bin */
 | where count_system_bin >= 1 and count_non_system_bin >= 1
-'''
+''']
 notes = [
- "Output of the query is the process.name and host.id, you can pivot by host.id and process.name(non Microsoft signed) to find the specific suspicious instances.",
- "Potential false positives include processes with missing code signature details due to enrichment bugs.",
+ "Output of the query is the `process.name` and `host.id` where you can pivot by `host.id` and `process.name` (non Microsoft signed) to find the specific suspicious instances.",
+ "Potential false-positives include processes with missing code signature details due to enrichment bugs.",
 "The queried index must capture process start events with code signature information (e.g. Windows event 4688 is not supported).",
 ]
-mitre = ["T1036"]
+
diff --git a/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml b/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml
new file mode 100644
index 00000000000..9374520bda0
--- /dev/null
+++ b/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml
@@ -0,0 +1,45 @@
+[hunt]
+author = "Elastic"
+description = """This hunt identifies instances where a signed Windows process attempts to load an unsigned DLL from the same process folder. Matches are limited to a unique host with low library load occurrence. Adversaries may execute their own malicious payloads by side-loading malicious DLLs."""
+integration = ["endpoint", "windows"]
+uuid = "bcdb7c29-1312-4974-8f2e-10ddeb09cf5c"
+name = "Rare DLL Side-Loading by Occurrence"
+language = "ES|QL"
+license = "Elastic License v2"
+query = [
+'''
+from logs-endpoint.events.library-*
+| where @timestamp > NOW() - 7 day
+| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and dll.Ext.relative_file_creation_time <= 86400
+| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1))
+| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1))
+| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and process.name != dll.name
+| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| eval dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\")
+| stats host_count = count_distinct(host.id), total_count = count(*) by dll_folder, dll.name, process.name, dll.hash.sha256
+/* total_count can be adjusted to higher or lower values depending on env */
+| where host_count == 1 and total_count <= 10 | keep total_count, host_count, dll_folder, dll.name, process.name, dll.hash.sha256
+''',
+'''
+from logs-windows.sysmon_operational-*
+| where @timestamp > NOW() - 7 day
+| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and
+ not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll"""
+| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1))
+| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1))
+| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and file.name != process.name
+/* paths normalization by removing random patterns */
+| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\")
+| stats host_count = count_distinct(host.id), total_count = count(*) by dll_folder, file.name, process.name, file.hash.sha256
+/* total_count can be adjusted to higher or lower values depending on env */
+| where host_count == 1 and total_count <= 10
+| keep total_count, host_count, dll_folder, file.name, process.name, file.hash.sha256
+'''
+]
+notes = [
+ 'This hunt has two optional queries, one for Elastic Defend data and another for Sysmon data.',
+ 'Based on the returned results you can further investigate suspicious DLLs by sha256 and library path.',
+ 'Paths like `C:\\Users\\Public` and `C:\\ProgramData\\` are often observed in malware employing DLL side-loading.',
+ 'Elastic Defned DLL Events include `dll.Ext.relative_file_creation_time` which help us limit the hunt to recently dropped DLLs.'
+]
+mitre = ["T1574", "T1574.002"]
diff --git a/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence_elastic_defend.toml b/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence_elastic_defend.toml
deleted file mode 100644
index 8764dffaa13..00000000000
--- a/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence_elastic_defend.toml
+++ /dev/null
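Review bot: The user-profile normalization in both queries uses the class `[a-zA-Z0-9\.\-\_\$]+`, while the other hunts in this commit (for example the CreateRemoteThread query) use `[a-zA-Z0-9ñ\.\-\_\$~ ]+`; a profile folder containing a space, `~` or `ñ` is therefore not rewritten to `C:\\users\\user\\`, so the same DLL dropped under several such profiles aggregates into separate `dll_folder` keys and is more likely to slip through `host_count == 1`. Suggest using the wider class in both `replace` calls here so the normalization matches the rest of the hunts. The last note misspells the product name: `Elastic Defned DLL Events` should read `Elastic Defend DLL Events`. The first query also keeps `| keep ...` on the same line as the `where host_count == 1 and total_count <= 10` filter while the second splits them; one layout would read more consistently.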
@@ -1,26 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["endpoint"]
-uuid = "bcdb7c29-1312-4974-8f2e-10ddeb09cf5c"
-name = "Detect Rare DLL SideLoad by Occurrence - Elastic Defend"
-language = "ES|QL"
-license = "Elastic License v2"
-query = '''
-from logs-endpoint.events.library-*
-| where @timestamp > NOW() - 7 day
-| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and dll.Ext.relative_file_creation_time <= 86400
-| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1))
-| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1))
-| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and process.name != dll.name
-| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| eval dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\")
-| stats host_count = count_distinct(host.id), total_count = count(*) by dll_folder, dll.name, process.name, dll.hash.sha256
-/* total_count can be adjusted to higher or lower values depending on env */
-| where host_count == 1 and total_count <= 10 | keep total_count, host_count, dll_folder, dll.name, process.name, dll.hash.sha256
-'''
-notes = [
- 'Based on the returned results you can further investigate suspicious DLLs by sha256 and library path.',
- 'Paths like C:\\Users\\Public and C:\\ProgramData\\ are often observed in malware employing DLL side-loading.',
- 'Elastic Defned DLL Events include dll.Ext.relative_file_creation_time which help us limit the hunt to recently dropped DLLs.'
-]
-mitre = ["T1574", "T1574.002"]
diff --git a/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence_sysmon.toml b/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence_sysmon.toml
deleted file mode 100644
index 37dfd5e9229..00000000000
--- a/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence_sysmon.toml
+++ /dev/null
@@ -1,28 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["windows"]
-uuid = "0df1e142-7d70-4112-be8d-6c60ac812883"
-name = "Detect Rare DLL SideLoad by Occurrence - Sysmon"
-language = "ES|QL"
-license = "Elastic License v2"
-query = '''
-from logs-windows.sysmon_operational-*
-| where @timestamp > NOW() - 7 day
-| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and
- not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll"""
-| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1))
-| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1))
-| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and file.name != process.name
-/* paths normalization by removing random patterns */
-| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\")
-| stats host_count = count_distinct(host.id), total_count = count(*) by dll_folder, file.name, process.name, file.hash.sha256
-/* total_count can be adjusted to higher or lower values depending on env */
-| where host_count == 1 and total_count <= 10
-| keep total_count, host_count, dll_folder, file.name, process.name, file.hash.sha256
-'''
-notes = [
- 'Based on the returned results you can further investigate suspicious DLLs by sha256 and library path.',
- 'Paths like C:\\Users\\Public and C:\\ProgramData\\ are often observed in malware employing DLL side-loading.',
- 'Elastic Defned DLL Events include dll.Ext.relative_file_creation_time which help us limit the hunt to recently dropped DLLs.'
-]
-mitre = ["T1574", "T1574.002"]
diff --git a/hunting/windows/queries/detect_rare_lsass_process_access_attempts.toml b/hunting/windows/queries/detect_rare_lsass_process_access_attempts.toml
new file mode 100644
index 00000000000..60e6a54b734
--- /dev/null
+++ b/hunting/windows/queries/detect_rare_lsass_process_access_attempts.toml
@@ -0,0 +1,40 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt identifies instances where a process attempts to open the Local Security Authority Subsystem Service (LSASS) memory and where the number of occurences is limited to one unique agent and a low number of attempts. This may indicate either a rare legitimate condition or a malicious process attempting to obtain credentials or inject code into the LSASS.
+"""
+integration = ["endpoint", "windows"]
+uuid = "3978e183-0b70-4e1c-8c40-24e367f6db5a"
+name = "Rare LSASS Process Access Attempts"
+language = "ES|QL"
+license = "Elastic License v2"
+query = [
+'''
+from logs-endpoint.events.api*
+| where @timestamp > NOW() - 7 day
+| where event.category == "api" and host.os.family == "windows" and process.Ext.api.name in ("OpenProcess", "OpenThread", "ReadProcessMemory") and
+ Target.process.name == "lsass.exe"
+| keep process.executable.caseless, host.id
+ /* normalize process paths to reduce known random patterns in process.executable */
+| eval process = replace(process.executable.caseless, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| stats occurences = count(process), agents = count_distinct(host.id) by process
+| where agents == 1 and occurences <= 10
+''',
+'''
+from logs-windows.sysmon_operational-*
+| where @timestamp > NOW() - 7 day
+| where event.category == "process" and host.os.family == "windows" and event.action == "ProcessAccess" and
+ winlog.event_data.TargetImage in ("C:\\Windows\\system32\\lsass.exe", "c:\\Windows\\system32\\lsass.exe", "c:\\Windows\\System32\\lsass.exe")
+| keep process.executable, host.id
+ /* normalize process paths to reduce known random patterns in process.executable */
+| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\")
+| stats occurences = count(process_path), agents = count_distinct(host.id) by process_path
+| where agents == 1 and occurences <= 10
+'''
+]
+notes = [
+ "Based on the process.executable and process.name you can pivot and investigate further for the matching instances.",
+ "Potential false-positives include rare legitimate conditions that may trigger this behavior due to third-party software or LSASS crashing.",
+]
+mitre = ["T1003", "T1003.001"]
diff --git a/hunting/windows/queries/detect_rare_lsass_process_access_attempts_elastic_defend.toml b/hunting/windows/queries/detect_rare_lsass_process_access_attempts_elastic_defend.toml
deleted file mode 100644
index 2fab804ef9b..00000000000
--- a/hunting/windows/queries/detect_rare_lsass_process_access_attempts_elastic_defend.toml
+++ /dev/null
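Review bot: The Sysmon query's `winlog.event_data.TargetImage in (...)` list enumerates three casings of the LSASS path but not `C:\\Windows\\System32\\lsass.exe` (upper-case drive letter together with `System32`), so ProcessAccess events recorded with that spelling are silently excluded from the aggregation; a case-insensitive comparison such as `to_lower(winlog.event_data.TargetImage) == "c:\\windows\\system32\\lsass.exe"` would remove the gap. The Elastic Defend query keeps only `process.executable.caseless` and `host.id`, dropping `process.Ext.api.name`, so the result cannot distinguish a `ReadProcessMemory` call from an `OpenProcess` call; adding it to the `keep` and to the `by` clause would preserve that signal for triage. `occurences` in both `stats` clauses and in the description should read `occurrences`.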
@@ -1,23 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["endpoint"]
-uuid = "3978e183-0b70-4e1c-8c40-24e367f6db5a"
-name = "Detect Rare LSASS Process Access Attempts - Elastic Defend"
-language = "ES|QL"
-license = "Elastic License v2"
-query = '''
-from logs-endpoint.events.api*
-| where @timestamp > NOW() - 7 day
-| where event.category == "api" and host.os.family == "windows" and process.Ext.api.name in ("OpenProcess", "OpenThread", "ReadProcessMemory") and
- Target.process.name == "lsass.exe"
-| keep process.executable.caseless, host.id
- /* normalize process paths to reduce known random patterns in process.executable */
-| eval process = replace(process.executable.caseless, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| stats occurences = count(process), agents = count_distinct(host.id) by process
-| where agents == 1 and occurences <= 10
-'''
-notes = [
- "Based on the process.executable and process.name you can pivot and investigate further the matching instances.",
- "Potential false positives include rare legit condition that may trigger this behavior due to third party software or Lsass crash.",
-]
-mitre = ["T1003", "T1003.001"]
diff --git a/hunting/windows/queries/detect_rare_lsass_process_access_attempts_sysmon.toml b/hunting/windows/queries/detect_rare_lsass_process_access_attempts_sysmon.toml
deleted file mode 100644
index b74087bdf1a..00000000000
--- a/hunting/windows/queries/detect_rare_lsass_process_access_attempts_sysmon.toml
+++ /dev/null
@@ -1,24 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["windows"]
-uuid = "3978e183-0b70-4e1c-8c40-24e367f6db5a"
-name = "Detect Rare LSASS Process Access Attempts - Sysmon"
-language = "ES|QL"
-license = "Elastic License v2"
-query = '''
-from logs-windows.sysmon_operational-*
-| where @timestamp > NOW() - 7 day
-| where event.category == "process" and host.os.family == "windows" and event.action == "ProcessAccess" and
- winlog.event_data.TargetImage in ("C:\\Windows\\system32\\lsass.exe", "c:\\Windows\\system32\\lsass.exe", "c:\\Windows\\System32\\lsass.exe")
-| keep process.executable, host.id
- /* normalize process paths to reduce known random patterns in process.executable */
-| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\")
-| stats occurences = count(process_path), agents = count_distinct(host.id) by process_path
-| where agents == 1 and occurences <= 10
-'''
-notes = [
- "Based on the process.executable and process.name you can pivot and investigate further the matching instances.",
- "Potential false positives include rare legit condition that may trigger this behavior due to third party software or Lsass crash.",
-]
-mitre = ["T1003", "T1003.001"]
diff --git a/hunting/windows/queries/doamin_names_queries_via_lolbins_and_with_low_occurence_frequency.toml b/hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml
similarity index 56%
rename from hunting/windows/queries/doamin_names_queries_via_lolbins_and_with_low_occurence_frequency.toml
rename to hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml
index 67486279d51..d14755d19d5 100644
--- a/hunting/windows/queries/doamin_names_queries_via_lolbins_and_with_low_occurence_frequency.toml
+++ b/hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml
@@ -1,22 +1,26 @@
 [hunt]
 author = "Elastic"
+description = """
+This hunt looks for DNS queries performed by commonly abused Microsoft binaries that perform remote file transfer or binary proxy execution. Aggregations for the number of occurrences is limited to one host to reduce the number of potentially legitimate hits.
+"""
 integration = ["endpoint", "windows"]
 uuid = "ebf8eb13-c98a-4d2c-8bdb-3f72a3a3961b"
-name = "Doamin Names queries via Lolbins and with low occurence frequency"
+name = "DNS Queries via LOLBins with Low Occurence Frequency"
 language = "ES|QL"
 license = "Elastic License v2"
 notes = [
- "Utilities like curl and SSL verification web-servvices are noisy, while others are rare like scripting utilities and are worth further investigation.",
- "Connection to legit domains like github, discord, telegram and many other legit web-services by lolbins is still suspicious and require further investigation.",
+ "Utilities like curl and SSL verification for web services are noisy, while others are rare such as scripting utilities and are worth further investigation.",
+ "Connection to legit domains like Github, Discord, Telegram and many other legit web services by LOLBins is still suspicious and require further investigation.",
 ]
-mitre = [ "T1071",]
-
-query = '''
+mitre = [ "T1071"]
+query = [
+'''
 from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day and host.os.family == "windows" and event.category == "network" and
- event.action in ("lookup_requested", "DNSEvent (DNS query)") and
- process.name in ("powershell.exe", "rundll32.exe", "certutil.exe", "curl.exe", "wget.exe", "CertReq.exe", "bitsadmin.exe", "mshta.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "regsvr32.exe", "MSBuild.exe", "InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "msxsl.exe", "CONTROL.EXE", "Microsoft.Workflow.Compiler.exe", "msiexec.exe") and dns.question.name rlike """.+\.[a-z-A-Z]{2,3}"""
+| where @timestamp > now() - 7 day and host.os.family == "windows" and event.category == "network" and
+ event.action in ("lookup_requested", "DNSEvent (DNS query)") and
+ process.name in ("powershell.exe", "rundll32.exe", "certutil.exe", "curl.exe", "wget.exe", "CertReq.exe", "bitsadmin.exe", "mshta.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "regsvr32.exe", "MSBuild.exe", "InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "msxsl.exe", "CONTROL.EXE", "Microsoft.Workflow.Compiler.exe", "msiexec.exe") and dns.question.name rlike """.+\.[a-z-A-Z]{2,3}"""
 | keep process.name, dns.question.name, host.id
 | stats occurrences = count(*), hosts = count_distinct(host.id) by process.name, dns.question.name
 | where hosts == 1
-'''
\ No newline at end of file
+''',
+]
\ No newline at end of file
diff --git a/hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml b/hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml
new file mode 100644
index 00000000000..e4c7d0a2346
--- /dev/null
+++ b/hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml
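Review bot: The `dns.question.name rlike """.+\.[a-z-A-Z]{2,3}"""` filter is carried into the new query list unchanged, and because ES|QL `RLIKE` matches the whole value it only admits names whose final label is two or three letters, so lookups for `.info`, `.cloud`, `.online` and similar TLDs never reach the aggregation; the class `[a-z-A-Z]` also contains a literal hyphen that looks unintended. `rlike """.+\.[a-zA-Z]{2,}"""` keeps the intent (a dotted name with an alphabetic TLD) without that blind spot. In the reworded notes, `is still suspicious and require further investigation` should be `requires`, and `Occurence` in `name` is misspelled (`Occurrence`).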
@@ -0,0 +1,45 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt helps identify drivers loaded once on a unique host and with a unique hash over a 15 day period of time. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode.
+"""
+integration = ["endpoint", "windows", "system"]
+uuid = "99818ad6-c242-4da7-a41a-df64fe7314d6"
+name = "Low Occurrence of Drivers Loaded on Unique Hosts"
+language = "ES|QL"
+license = "Elastic License v2"
+notes = [
+ "This hunt has three optional queries, one for Elastic Defend data, another for Sysmon data and the last one for Windows 7045 events.",
+ "Further investigation can be done pivoting by `dll.pe.imphash` or `dll.name.`",
+ "`dll.Ext.relative_file_creation_time` is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend).",
+ "Aggregation can also be done by `dll.hash.sha256` / `file.hash.sha256` but will return more results.",
+ "Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.).",
+]
+mitre = [ "T1068"]
+query = [
+'''
+from logs-endpoint.events.library-*
+| where @timestamp > now() - 15 day
+| where host.os.family == "windows" and event.category == "driver" and event.action == "load" and dll.Ext.relative_file_creation_time <= 900
+| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(dll.hash.sha256) by dll.name, dll.pe.imphash
+| where host_count == 1 and total_count == 1 and hash_count == 1
+''',
+'''
+from logs-windows.sysmon_operational-*
+| where @timestamp > now() - 15 day
+| where host.os.family == "windows" and event.category == "driver"
+| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(file.hash.sha256) by file.name
+| where host_count == 1 and total_count == 1 and hash_count == 1
+''',
+'''
+from logs-system.system-*
+| where @timestamp > now() - 15day
+| where host.os.family == "windows" and event.code == "7045" and
+ winlog.event_data.ServiceType == "kernel mode driver"
+| eval ServiceFileName = replace(winlog.event_data.ImagePath, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_")
+| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
+| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName
+| where hosts == 1 and cc == 1
+'''
+]
\ No newline at end of file
diff --git a/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_elastic_defend.toml b/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_elastic_defend.toml
deleted file mode 100644
index baa16b71231..00000000000
--- a/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_elastic_defend.toml
+++ /dev/null
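Review bot: The third query's time filter `| where @timestamp > now() - 15day` fuses the number and unit, while the first two queries in the same list write `15 day`; if the ES|QL parser rejects the fused form this query fails outright, and it should be `now() - 15 day` in any case so the three queries read alike. The second note puts the sentence's period inside the backticks (`` `dll.name.` ``), which renders as a non-existent field name. The fifth note's `Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious` undercuts a hunt whose description is about abuse of legitimate vulnerable drivers; wording like `BYOVD drivers are usually legitimately signed, so a valid signature alone does not clear a hit` keeps the point without suggesting signed drivers can be dismissed.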
@@ -1,22 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["endpoint"]
-uuid = "99818ad6-c242-4da7-a41a-df64fe7314d6"
-name = "Drivers Load with low occurrence frequency - Elastic Defend"
-language = "ES|QL"
-license = "Elastic License v2"
-notes = [
- "This hunt helps identify drivers loaded once, on a unique host and with a unique hash over a 15 days period of time. Further investigation can be done pivoting by dll.pe.imphash or dll.name. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode.",
- "dll.Ext.relative_file_creation_time is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend).",
- "aggregation can be done also by dll.hash.sha256 / file.hash.sha256 but will return more results.",
- "Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.).",
-]
-mitre = [ "T1068",]
-
-query = '''
-from logs-endpoint.events.library-*
-| where @timestamp > now() - 15 day
-| where host.os.family == "windows" and event.category == "driver" and event.action == "load" and dll.Ext.relative_file_creation_time <= 900
-| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(dll.hash.sha256) by dll.name, dll.pe.imphash
-| where host_count == 1 and total_count == 1 and hash_count == 1
-'''
\ No newline at end of file
diff --git a/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_sysmon.toml b/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_sysmon.toml
deleted file mode 100644
index 3e9ed78776d..00000000000
--- a/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_sysmon.toml
+++ /dev/null
@@ -1,22 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["windows"]
-uuid = "6bb90aba-af6b-4128-a9b2-160e164a15ff"
-name = "Drivers Load with low occurrence frequency - Sysmon"
-language = "ES|QL"
-license = "Elastic License v2"
-notes = [
- "This hunt helps identify drivers loaded once, on a unique host and with a unique hash over a 15 days period of time. Further investigation can be done pivoting by dll.pe.imphash or dll.name. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode.",
- "dll.Ext.relative_file_creation_time is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend).",
- "aggregation can be done also by dll.hash.sha256 / file.hash.sha256 but will return more results.",
- "Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.).",
-]
-mitre = [ "T1068",]
-
-query = '''
-from logs-windows.sysmon_operational-*
-| where @timestamp > now() - 15 day
-| where host.os.family == "windows" and event.category == "driver"
-| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(file.hash.sha256) by file.name
-| where host_count == 1 and total_count == 1 and hash_count == 1
-'''
\ No newline at end of file
diff --git a/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_windows_7045.toml b/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_windows_7045.toml
deleted file mode 100644
index 6fe4224aede..00000000000
--- a/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_windows_7045.toml
+++ /dev/null
@@ -1,26 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["system"]
-uuid = "bc4848ce-5323-42b4-a559-3333c11ca938"
-name = "Drivers Load with low occurrence frequency - Windows 7045"
-language = "ES|QL"
-license = "Elastic License v2"
-notes = [
- "This hunt helps identify drivers loaded once, on a unique host and with a unique hash over a 15 days period of time. Further investigation can be done pivoting by dll.pe.imphash or dll.name. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode.",
- "dll.Ext.relative_file_creation_time is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend).",
- "aggregation can be done also by dll.hash.sha256 / file.hash.sha256 but will return more results.",
- "Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.).",
-]
-mitre = [ "T1068",]
-
-query = '''
-from logs-system.system-*
-| where @timestamp > now() - 15day
-| where host.os.family == "windows" and event.code == "7045" and
- winlog.event_data.ServiceType == "kernel mode driver"
-| eval ServiceFileName = replace(winlog.event_data.ImagePath, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_")
-| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
-| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName
-| where hosts == 1 and cc == 1
-'''
\ No newline at end of file
diff --git a/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user-_elastic_defend_sysmon.toml b/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user-_elastic_defend_sysmon.toml
deleted file mode 100644
index d57b7cd5131..00000000000
--- a/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user-_elastic_defend_sysmon.toml
+++ /dev/null
@@ -1,24 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["endpoint", "windows"]
-uuid = "fe01a8a5-6367-4c4c-a57b-be513ab80e42"
-name = "Excessive RDP Network Activity by Source Host and User- Elastic Defend - Sysmon"
-language = "ES|QL"
-license = "Elastic License v2"
-notes = [
- "This hunt looks for high number of Remote Desktop connections from same host and user.name to more than a defined threshold of unique destination Ip addresses. This could be a sign of discovery or lateral movement via the Remote Desktop Protocol.",
- "Further investigation can done pivoting by host.id and user name.",
- "Depending on normal SysAdmin RDP activity the 10 threshold can be adjusted to reduce normal noisy activity.",
-]
-mitre = [ "T1021", "T1021.001",]
-
-query = '''
-from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day
-| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and
- network.transport == "tcp"and destination.port == 3389 and source.port >= 49152
-| keep destination.ip, host.id, user.name
-| stats count_unique_dst = count_distinct(destination.ip) by host.id, user.name
- /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */
-| where count_unique_dst >= 10
-'''
\ No newline at end of file
diff --git a/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml b/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml
new file mode 100644
index 00000000000..607fc20fa45
--- /dev/null
+++ b/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml
@@ -0,0 +1,37 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt looks for a high occurrence of remote desktop connections from the same host and user. The number of unique destination IP addresses is compared to a defined threshold. This could be a sign of discovery or lateral movement via the Remote Desktop Protocol (RDP).
+"""
+integration = ["endpoint", "windows"]
+uuid = "fe01a8a5-6367-4c4c-a57b-be513ab80e42"
+name = "Excessive RDP Network Activity by Host and User"
+language = "ES|QL"
+license = "Elastic License v2"
+notes = [
+ "Further investigation can done pivoting by `host.id` and `user.name`.",
+ "Depending on normal SysAdmin RDP activity, the threshold of 10 can be adjusted to reduce normal noisy activity.",
+ "The second query uses Windows Security log event ID 4624 to summarize numbers of RDP connections by `source.ip` and `user.name` and duration."
+]
+mitre = [ "T1021", "T1021.001"]
+
+query = [
+'''
+from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day
+| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and
+ network.transport == "tcp"and destination.port == 3389 and source.port >= 49152
+| keep destination.ip, host.id, user.name
+| stats count_unique_dst = count_distinct(destination.ip) by host.id, user.name
+ /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */
+| where count_unique_dst >= 10
+''',
+'''
+from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day
+| where host.os.family == "windows" and event.category == "network" and process.name == "svchost.exe" and network.direction == "ingress" and
+ network.transport == "tcp"and destination.port == 3389 and source.port >= 49152
+| stats agents = count_distinct(host.id) by source.ip
+| where agents >= 10
+'''
+]
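Review bot: The third note states that the second query uses Windows Security event ID 4624 and summarizes by `source.ip`, `user.name` and duration, but the second query in this file reads `logs-endpoint.events.network-*` and Sysmon network events for ingress TCP 3389 handled by `svchost.exe` and counts distinct `host.id` per `source.ip`; the note describes a query that is not here and will mislead whoever triages the results. A note matching the code would be `The second query counts, per source.ip, how many distinct hosts accepted inbound RDP (TCP 3389) connections from that source and flags sources reaching 10 or more hosts.` Both queries also carry over `network.transport == "tcp"and destination.port` with no space before `and`, and the first note still reads `can done` (`can be done`).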
diff --git a/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_elastic_defend_sysmon.toml b/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_elastic_defend_sysmon.toml
deleted file mode 100644
index 3b5d03a41de..00000000000
--- a/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_elastic_defend_sysmon.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["endpoint", "windows"]
-uuid = "6ff3a518-3bf4-4e7d-9a66-2ef7aaa68cfc"
-name = "Excessive RDP Network Activity by Source Host - Elastic Defend - Sysmon"
-language = "ES|QL"
-license = "Elastic License v2"
-notes = [
- "This hunt looks for high number of Remote Desktop connections from same host and user.name to more than a defined threshold of unique destination Ip addresses. This could be a sign of discovery or lateral movement via the Remote Desktop Protocol.",
- "Further investigation can done pivoting by host.id and user name.",
- "Depending on normal SysAdmin RDP activity the 10 threshold can be adjusted to reduce normal noisy activity.",]
-mitre = [ "T1021", "T1021.001",]
-
-query = '''
-from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day
-| where host.os.family == "windows" and event.category == "network" and process.name == "svchost.exe" and network.direction == "ingress" and
- network.transport == "tcp"and destination.port == 3389 and source.port >= 49152
-| stats agents = count_distinct(host.id) by source.ip
-| where agents >= 10
-'''
\ No newline at end of file
diff --git a/hunting/windows/queries/excessive_smb_network_activity_by_process_id.toml b/hunting/windows/queries/excessive_smb_network_activity_by_process_id.toml
index 5ca5fce97b9..8292137ebd3 100644
--- a/hunting/windows/queries/excessive_smb_network_activity_by_process_id.toml
+++ b/hunting/windows/queries/excessive_smb_network_activity_by_process_id.toml
@@ -1,23 +1,26 @@
 [hunt]
 author = "Elastic"
+description = """
+This hunt looks for a high occurrence of SMB connections from the same process by unique destination IP addresses. The number of unique destination IP addresses is compared to a defined threshold. This could be a sign of SMB scanning or lateral movement via remote services that depend on the SMB protocol.
+"""
 integration = ["endpoint", "windows"]
 uuid = "6949135b-76d7-47a3-ae95-ef482508fb7c"
-name = "Excessive SMB Network Activity by process Id"
+name = "Excessive SMB Network Activity by Process ID"
 language = "ES|QL"
 license = "Elastic License v2"
 notes = [
- "This hunt looks for high number of SMB connections from same process to more than a defined threshold of unique destination Ip addresses. This could be a sign of SMB scanning or some lateral movement via remote services that depend on SMB protocol.",
- "Further investigation can done pivoting by process.entity_id and host.id.",
- "Maximum number of unique destination.ip by process can be adjusted to your environment to reduce normal noisy hosts by Id.",]
+ "Further investigation can done pivoting by `process.entity_id` and `host.id.`",
+ "Maximum number of unique `destination.ip` by process can be adjusted to your environment to reduce normal noisy hosts by process ID.",]
 mitre = [ "T1021", "T1021.002",]
-
-query = '''
-from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day and
- host.os.family == "windows" and event.category == "network" and network.direction == "egress" and
+query = [
+'''
+from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day and
+ host.os.family == "windows" and event.category == "network" and network.direction == "egress" and
 network.transport == "tcp"and destination.port == 445 and source.port >= 49152 and process.pid == 4
 | keep destination.ip, process.entity_id, host.id
 | stats count_unique_dst = count_distinct(destination.ip) by process.entity_id, host.id
 /* threshold set to 20 but can be adjusted to reduce normal baseline in your env */
 | where count_unique_dst >= 20
-'''
\ No newline at end of file
+'''
+]
\ No newline at end of file
diff --git a/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml b/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml
new file mode 100644
index 00000000000..94df6676a50
--- /dev/null
+++ b/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml
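Review bot: The rewritten first note ends with the sentence period inside the backticks, `` `host.id.` ``, so the field reference renders as a name that does not exist; it should be `` `host.id`. `` with the period outside. The same note keeps the carried-over `Further investigation can done` (`can be done`). The unchanged context line `network.transport == "tcp"and destination.port == 445` still lacks a space before `and`; since the hunk already rewrites the lines immediately above it, normalizing that one too would leave the expression consistently spaced.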
@@ -0,0 +1,39 @@ +[hunt] +author = "Elastic" +description = """ +This hunt identifies executable file creation by an unusual Microsoft native binary. This could be the result of +code injection or some other form of exploitation for defense evasion. +""" +integration = ["endpoint", "windows"] +uuid = "3b2900fe-74d9-4c49-b3df-cbeceb02e841" +name = "Executable File Creation by an Unusual Microsoft Binary" +language = "ES|QL" +license = "Elastic License v2" +notes = [ + "This hunt includes two optional queries, one for Elastic Defend data and another for Sysmon data.", + "Sysmon file events don't populate file header and process code signature information thus we use `file.extension`.", + "Some exploits may result in the creation of an executable file by the exploited process.", + "Further investigation can be done by pivoting on `process.executable` and filtering for executable file creation.", +] +mitre = [ "T1211", "T1055",] +query = [ +''' +from logs-endpoint.events.file-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "file" and event.action == "creation" and + starts_with(file.Ext.header_bytes, "4d5a") and process.code_signature.status == "trusted" and + starts_with(process.code_signature.subject_name, "Microsoft") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe""" +| keep process.executable, host.id +| stats occurences = count(*), agents = count_distinct(host.id) by process.executable +| where agents == 1 and occurences <= 10 +''', +''' +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "file" and event.action == "FileCreate" and + file.extension in ("exe", "dll") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe""" +| keep process.executable, host.id +| stats occurences = count(*), agents = count_distinct(host.id) by process.executable +| where 
agents == 1 and occurences <= 10 +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary_elastic_defend.toml b/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary_elastic_defend.toml deleted file mode 100644 index 12708944beb..00000000000 --- a/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary_elastic_defend.toml +++ /dev/null @@ -1,24 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint"] -uuid = "3b2900fe-74d9-4c49-b3df-cbeceb02e841" -name = "Executable File creation by an Unusual Microsoft Binary - Elastic Defend" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "Sysmon file event don't populate file header and process code signature information thus the use of file.extension.", - "Some exploits may result in the creation of an executable file by the exploited process.", - "Further investigation can be done pivoting by process.executable and filter for executable file creation.", -] -mitre = [ "T1211", "T1055",] - -query = ''' -from logs-endpoint.events.file-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action == "creation" and - starts_with(file.Ext.header_bytes, "4d5a") and process.code_signature.status == "trusted" and - starts_with(process.code_signature.subject_name, "Microsoft") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe""" -| keep process.executable, host.id -| stats occurences = count(*), agents = count_distinct(host.id) by process.executable -| where agents == 1 and occurences <= 10 -''' \ No newline at end of file diff --git a/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary_sysmon.toml b/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary_sysmon.toml deleted file mode 100644 index e8454e89c89..00000000000 
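Review bot: In both new queries the `rlike` pattern `[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe` leaves the final dot unescaped, so it matches any single character before `exe` rather than a literal `.exe`, and `[a-zA-Z0-9_]+` excludes binary names containing a hyphen or dot that do exist under System32; suggest `[a-zA-Z0-9_.\-]+\.exe` so the intent is explicit. The stats alias `occurences` is misspelled in both queries and in the `| where agents == 1 and occurences <= 10` filter; it works because it is used consistently, but `occurrences` would read better in the rendered hunt page.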
--- a/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary_sysmon.toml +++ /dev/null @@ -1,23 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["windows"] -uuid = "36c94354-9d6e-4dc5-b2aa-a7cf578a4169" -name = "Executable File creation by an Unusual Microsoft Binary - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "Sysmon file event don't populate file header and process code signature information thus the use of file.extension.", - "Some exploits may result in the creation of an executable file by the exploited process.", - "Further investigation can be done pivoting by process.executable and filter for executable file creation.", -] -mitre = [ "T1211", "T1055",] - -query = ''' -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action == "FileCreate" and - file.extension in ("exe", "dll") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe""" -| keep process.executable, host.id -| stats occurences = count(*), agents = count_distinct(host.id) by process.executable -| where agents == 1 and occurences <= 10 -''' \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency.toml b/hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency.toml deleted file mode 100644 index 5da7f9f9bab..00000000000 --- a/hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency.toml +++ /dev/null 
@@ -1,24 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint"] -uuid = "fd3f9982-fd8c-4f0f-bbe6-e589752c34db" -name = "Execution via Network Logon by occurrence frequency" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "process.Ext.session_info.* is populated for Elastic Defend version 8.6 and above.", - "Execution via legit Microsoft processes like powershell and cmd need to further investigated via aggregation by process.command_line.", - "Aggregation can be also done by process.executable, normalizing process path by removing random patterns using the REPLACE function via regex.", -] -mitre = [ "T1021",] - -query = ''' -from logs-endpoint.events.process-* -| where @timestamp > now() - 7 day and host.os.family == "windows" and - event.category == "process" and event.action == "start" and - /* network logon type and the execution is within 30 seconds of the logon time */ - process.Ext.session_info.logon_type == "Network" and process.Ext.session_info.relative_logon_time <= 30 -| stats total = count(*), hosts = count_distinct(host.id) by process.hash.sha256, process.Ext.session_info.client_address, user.name, process.parent.name - /* unique hash limited to one host and number of execution is 1 */ -| where hosts == 1 and total == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml b/hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml index ab7da37ec48..0f05183e689 100644 --- a/hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml +++ b/hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml 
@@ -1,24 +1,40 @@ [hunt] author = "Elastic" +description = """ +This hunt aggregates process execution and remote network logons by source address, account name and process hash. It then limits the results by unique host within a 7 day period. This may indicate lateral movement via remote services. +""" integration = ["endpoint"] uuid = "ae07c580-290e-4421-add8-d6ca30509b6a" -name = "Execution via Network Logon by occurrence frequency by top Source IP" +name = "Frequency of Process Execution via Network Logon by Source Address" language = "ES|QL" license = "Elastic License v2" notes = [ - "process.Ext.session_info.* is populated for Elastic Defend version 8.6 and above.", - "Execution via legit Microsoft processes like powershell and cmd need to further investigated via aggregation by process.command_line.", - "Aggregation can be also done by process.executable, normalizing process path by removing random patterns using the REPLACE function via regex.", + "The second query highest occurrence of source addresses/accounts performing remote process execution", + "`process.Ext.session_info.*` is populated for Elastic Defend versions 8.6.0+ and above.", + "Execution via legitimate Microsoft processes for PowerShell and cmd need to be further investigated via aggregation by `process.command_line`.", + "Aggregation can be also done by `process.executable`, normalizing process path by removing random patterns using the ES|QL REPLACE function.", ] mitre = [ "T1021",] -query = ''' +query = [ +''' from logs-endpoint.events.process-* -| where @timestamp > now() - 7 day and host.os.family == "windows" and - event.category == "process" and event.action == "start" and +| where @timestamp > now() - 7 day and host.os.family == "windows" and + event.category == "process" and event.action == "start" and /* network logon type and the execution is within 30 seconds of the logon time */ process.Ext.session_info.logon_type == "Network" and process.Ext.session_info.relative_logon_time <= 
30 | stats total = count(*) by process.Ext.session_info.client_address, user.name /* sort by top source.ip and account */ | sort total desc -''' \ No newline at end of file +''', +''' +from logs-endpoint.events.process-* +| where @timestamp > now() - 7 day and host.os.family == "windows" and + event.category == "process" and event.action == "start" and + /* network logon type and the execution is within 30 seconds of the logon time */ + process.Ext.session_info.logon_type == "Network" and process.Ext.session_info.relative_logon_time <= 30 +| stats total = count(*), hosts = count_distinct(host.id) by process.hash.sha256, process.Ext.session_info.client_address, user.name, process.parent.name + /* unique hash limited to one host and number of execution is 1 */ +| where hosts == 1 and total == 1 +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_remote_services_by_client_address.toml b/hunting/windows/queries/execution_via_remote_services_by_client_address.toml index 6235064514b..b84ccd6668f 100644 --- a/hunting/windows/queries/execution_via_remote_services_by_client_address.toml +++ b/hunting/windows/queries/execution_via_remote_services_by_client_address.toml 
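Review bot: The added note "The second query highest occurrence of source addresses/accounts performing remote process execution" is missing a verb and, as far as the two queries show, describes the wrong one: the first query aggregates by `process.Ext.session_info.client_address` and `user.name` and sorts `total desc`, while the second is the one that filters to `hosts == 1 and total == 1`. Suggest replacing it with "The first query surfaces the source addresses/accounts with the highest occurrence of remote process execution; the second surfaces process hashes executed only once on a single host." The note "versions 8.6.0+ and above" is redundant; "versions 8.6.0 and above" suffices.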
@@ -1,23 +1,28 @@ [hunt] author = "Elastic" +description = """ +This hunt aggregates process execution via remote network logon by source address, account name and where the parent process is related to remote services such as WMI, WinRM, DCOM and remote PowerShell. This may indicate lateral movement via remote services. +""" integration = ["endpoint"] uuid = "e6e54717-2676-4785-a4a6-503577bfb0ea" name = "Execution via Remote Services by Client Address" language = "ES|QL" license = "Elastic License v2" notes = [ - "process.Ext.session_info.* is populated for Elastic Defend version 8.6 and above.", + "`process.Ext.session_info.*` is populated for Elastic Defend versions 8.6.0+.", ] -mitre = [ "T1021", "T1021.003", "T1021.006", "T1047",] +mitre = [ "T1021", "T1021.003", "T1021.006", "T1047"] -query = ''' +query = [ +''' from logs-endpoint.events.process-* -| where @timestamp > now() - 7 day and host.os.family == "windows" and - event.category == "process" and event.action == "start" and +| where @timestamp > now() - 7 day and host.os.family == "windows" and + event.category == "process" and event.action == "start" and /* network logon type */ - process.Ext.session_info.logon_type == "Network" and + process.Ext.session_info.logon_type == "Network" and (process.parent.name .caseless in ("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") or (process.parent.name == "svchost.exe" and process.parent.args == "DcomLaunch")) | stats total = count(*), hosts = count_distinct(host.id) by process.Ext.session_info.client_address, user.name, process.parent.name /* sort by top source.ip and account */ | sort total desc -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_startup_with_low_occurrence_frequency.toml b/hunting/windows/queries/execution_via_startup_with_low_occurrence_frequency.toml index b01195d192b..f31fe0239e2 100644 
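Review bot: The context line `(process.parent.name .caseless in ("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe")` carries a stray space between `process.parent.name` and `.caseless`; this predates the commit, but the hunk rewrites the surrounding lines and it is not clear from here that ES|QL parses a field reference split by whitespace, so it is worth correcting to `(process.parent.name.caseless in (...)` while the query block is being restructured.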
--- a/hunting/windows/queries/execution_via_startup_with_low_occurrence_frequency.toml
+++ b/hunting/windows/queries/execution_via_startup_with_low_occurrence_frequency.toml
@@ -1,22 +1,25 @@ [hunt] author = "Elastic" +description = """ +This hunt identifies programs started shortly after user logon and presence limited to a unique host. Run registry key and Startup folder cause programs to run each time that a user logs on and are often abused by malwares to maintain persistence on an endpoint. +""" integration = ["endpoint"] uuid = "a447df80-d3d5-48b3-a175-a864264ec487" -name = "Execution via Startup with low occurrence frequency" +name = "Startup Execution with Low Occurrence Frequency by Unique Host" language = "ES|QL" license = "Elastic License v2" notes = [ - "Items set to persist via Startup like Run key and Startup folder will be executed by Explorer.exe shortly after user logon (process.Ext.session_info.relative_logon_time help us to capture that time difference).", - "Pay close attention to unknown hashes, suspicious paths and lolbins.", + "Items set to persist via Startup such as Run keys and Startup folder will be executed by `Explorer.exe` shortly after user logon (`process.Ext.session_info.relative_logon_time` helps us to capture that time difference).", + "Special attention to unknown hashes, suspicious paths and LOLBins should be given.", ] mitre = [ "T1547", "T1547.001",] - -query = ''' +query = [ +''' from logs-endpoint.events.process-* -| where host.os.family == "windows" and event.category == "process" and event.action == "start" and +| where host.os.family == "windows" and event.category == "process" and event.action == "start" and /* programs started shortly after user logon like startup items */ - process.parent.executable.caseless == "c:\\windows\\explorer.exe" and process.Ext.session_info.relative_logon_time <= 100 and - not starts_with(process.executable, "C:\\Program Files") and not starts_with(process.executable, "C:\\Windows\\System32\\DriverStore\\FileRepository\\") and + process.parent.executable.caseless == "c:\\windows\\explorer.exe" and process.Ext.session_info.relative_logon_time <= 100 and + not 
starts_with(process.executable, "C:\\Program Files") and not starts_with(process.executable, "C:\\Windows\\System32\\DriverStore\\FileRepository\\") and /* this hunt is scoped to unsigned or untrusted code-sig or Microsoft signed binaries to not miss lolbins */ (process.code_signature.exists == false or process.code_signature.trusted == false or starts_with(process.code_signature.subject_name, "Microsoft")) | keep process.executable, host.id, process.hash.sha256 @@ -24,4 +27,5 @@ from logs-endpoint.events.process-* | eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~' ]+\\""", "C:\\\\users\\\\user\\\\") | stats hosts = count_distinct(host.id) by process_path, process.hash.sha256 | where hosts == 1 -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml b/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml new file mode 100644 index 00000000000..41aa38bf7d9 --- /dev/null +++ b/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml 
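Review bot: The added description's second sentence, "Run registry key and Startup folder cause programs to run each time that a user logs on and are often abused by malwares to maintain persistence on an endpoint.", has a number mismatch and "malwares" is not a word; suggest "Run registry keys and the Startup folder cause programs to run each time a user logs on and are often abused by malware to maintain persistence on an endpoint." The rewritten second note, "Special attention to unknown hashes, suspicious paths and LOLBins should be given.", is an awkward passive; "Pay special attention to unknown hashes, suspicious paths and LOLBins." keeps the original meaning. The second hunk of this file only closes the new query list and needs no change.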
@@ -0,0 +1,45 @@ +[hunt] +author = "Elastic" +description = """ +This hunt looks for unique process execution via Windows Management Instrumentation (WMI) by removing random patterns from `process.command_line` and aggregating execution by count of agents with the same command line to limit results to unique ones. +""" +integration = ["endpoint", "windows", "system"] +uuid = "b5efeb92-9b51-45b9-839f-be4cdc054ef4" +name = "Low Frequency of Process Execution via WMI by Unique Agent" +language = "ES|QL" +license = "Elastic License v2" +notes = [ + "This hunt contains three queries for Elastic Defend, Sysmon, and Windows Security event 4688."] +mitre = [ "T1047"] +query = [ +''' +from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day and + host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and + process.parent.name == "WmiPrvSE.exe" and starts_with(process.code_signature.subject_name, "Microsoft") +| keep process.hash.sha256, host.id, process.name +| stats agents = count_distinct(host.id) by process.name +| where agents == 1 +''', +''' +from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* +| where @timestamp > now() - 7 day and + host.os.family == "windows" and event.category == "process" and + event.action in ("start", "Process creation", "created-process") and + to_lower(process.parent.name) == "wmiprvse.exe" +| keep process.command_line, host.id +| eval cmdline = replace(process.command_line, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| eval cmdline = replace(cmdline, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| stats agents = count_distinct(host.id) by cmdline +| where agents == 1 +''', +''' +from logs-endpoint.events.process-*, 
logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day and + host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and + process.parent.name.caseless == "wmiprvse.exe" and (process.code_signature.exists == false or process.code_signature.trusted == false) +| keep process.hash.sha256, host.id, process.name +| stats agents = count_distinct(host.id) by process.hash.sha256 +| where agents == 1 +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent_elastic_defend_sysmon.toml b/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent_elastic_defend_sysmon.toml deleted file mode 100644 index 54b18862334..00000000000 --- a/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent_elastic_defend_sysmon.toml +++ /dev/null 
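Review bot: The first query's `process.parent.name == "WmiPrvSE.exe"` is a case-sensitive comparison, whereas the file it replaces used `process.parent.name.caseless == "wmiprvse.exe"` and the other two queries in this same file use `to_lower(process.parent.name)` and `process.parent.name.caseless`; the data sources do not obviously guarantee identical casing of the image name, so this query can silently miss events the others would catch. Suggest `process.parent.name.caseless == "wmiprvse.exe"` to match the third query. Stylistically, the `notes` array closes on the same line as its only element (`4688."]`) while every other file in this commit puts the closing bracket on its own line.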
@@ -1,21 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows"] -uuid = "b5efeb92-9b51-45b9-839f-be4cdc054ef4" -name = "Execution via Windows Management Instrumentation by occurrence frequency by Unique Agent - Elastic Defend - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt looks for unique process execution via Windows Management Instrumentation by removing random patterns from process.command_line and aggregating execution by count of agents with same cmdline to limit result to unique ones.", - "This hunt is compatible with Sysmon, Elastic Defend and Windows Security event 4688.",] -mitre = [ "T1047",] - -query = ''' -from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day and - host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and - process.parent.name.caseless == "wmiprvse.exe" and starts_with(process.code_signature.subject_name, "Microsoft") -| keep process.hash.sha256, host.id, process.name -| stats agents = count_distinct(host.id) by process.name -| where agents == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon.toml b/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon.toml deleted file mode 100644 index d56344cf542..00000000000 --- a/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon.toml +++ /dev/null 
@@ -1,22 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows"] -uuid = "958a9027-2c6f-4eb0-a9ca-d1116a3bec76" -name = "Execution via Windows Management Instrumentation by occurrence frequency - Elastic Defend - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt looks for unique process execution via Windows Management Instrumentation by removing random patterns from process.command_line and aggregating execution by count of agents with same cmdline to limit result to unique ones.", - "This hunt is compatible with Sysmon, Elastic Defend and Windows Security event 4688.", -] -mitre = [ "T1047",] - -query = ''' -from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day and - host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and - process.parent.name.caseless == "wmiprvse.exe" and (process.code_signature.exists == false or process.code_signature.trusted == false) -| keep process.hash.sha256, host.id, process.name -| stats agents = count_distinct(host.id) by process.hash.sha256 -| where agents == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon_windows_security.toml b/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon_windows_security.toml deleted file mode 100644 index 928f28637d2..00000000000 --- a/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon_windows_security.toml +++ /dev/null 
@@ -1,25 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows", "system"] -uuid = "793d5655-d7d9-422a-ba9d-1fa75029265e" -name = "Execution via Windows Management Instrumentation by occurrence frequency - Elastic Defend - Sysmon - Windows Security" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt looks for unique process execution via Windows Management Instrumentation by removing random patterns from process.command_line and aggregating execution by count of agents with same cmdline to limit result to unique ones.", - "This hunt is compatible with Sysmon, Elastic Defend and Windows Security event 4688.", -] -mitre = [ "T1047",] - -query = ''' -from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* -| where @timestamp > now() - 7 day and - host.os.family == "windows" and event.category == "process" and - event.action in ("start", "Process creation", "created-process") and - process.parent.name.caseless == "wmiprvse.exe" -| keep process.command_line, host.id -| eval cmdline = replace(process.command_line, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| eval cmdline = replace(cmdline, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| stats agents = count_distinct(host.id) by cmdline -| where agents == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml b/hunting/windows/queries/execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml index 0602934bda3..edd5db88e09 100644 --- a/hunting/windows/queries/execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml +++ b/hunting/windows/queries/execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml 
@@ -1,24 +1,28 @@ [hunt] author = "Elastic" +description = """ +Aggregating by paths/hash, this hunt identifies rare instances where a program executes as a child process of the Tasks Scheduler service. This could be the result of persistence as a Windows Scheduled Task. +""" integration = ["endpoint", "windows"] uuid = "96d5afc8-1f25-4265-8a0e-9998091a2e1f" -name = "Execution via Windows Scheduled Task with low occurrence frequency" +name = "Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent" language = "ES|QL" license = "Elastic License v2" notes = [ - "Windows security event 4688 lacks process.parent.command_line needed for this hunt to identify the Schedule svchost instance.", - "Unique process.hash.sha256 and agent is not necessarily malicious, this help surface ones worth further investigation.", + "Windows security event 4688 lacks `process.parent.command_line` needed for this hunt to identify the Schedule `svchost` instance.", + "Unique `process.hash.sha256` and agent is not necessarily malicious, however this helps surface signals worth further investigation.", ] -mitre = [ "T1053", "T1053.005",] - -query = ''' +mitre = [ "T1053", "T1053.005"] +query = [ +''' from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and - event.action in ("start", "Process creation") and process.code_signature.trusted != true and +| where @timestamp > now(-) - 7 day +| where host.os.family == "windows" and event.category == "process" and + event.action in ("start", "Process creation") and process.code_signature.trusted != true and /* child process of the Tasks Schedule service */ process.parent.name == "svchost.exe" and ends_with(process.parent.command_line, "Schedule") | stats hosts = count_distinct(host.id) by process.hash.sha256, process.name /* unique hash observed in one unique agent */ | where hosts == 1 -''' \ No newline at 
end of file
+'''
+]
\ No newline at end of file
diff --git a/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency.toml b/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency.toml
new file mode 100644
index 00000000000..bad8e38a795
--- /dev/null
+++ b/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency.toml
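Review bot: The changed line `+| where @timestamp > now(-) - 7 day` introduces `now(-)`, which is not valid ES|QL (`now()` takes no arguments), so this hunt's query will fail to parse and return nothing rather than the intended 7-day window; it should read `| where @timestamp > now() - 7 day` exactly as the removed line did. Nothing else in the hunk depends on this, so it is a one-character revert of an accidental edit.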
@@ -0,0 +1,39 @@ +[hunt] +author = "Elastic" +description = """ +This hunt looks for a low occurrence of process execution via the Windows Services Control Manager by unique agent. The Services Control Manager is responsible for starting, stopping, and interacting with system services. This could be a sign of persistence as a Windows service. +""" +integration = ["endpoint", "windows", "system"] +uuid = "858b7022-b587-4b95-afd6-8ce597bedce3" +name = "Low Occurence of Process Execution via Windows Services with Unique Agent" +language = "ES|QL" +license = "Elastic License v2" +notes = [ + "This hunt contains two queries for Elastic Defend and Windows Security event 4688.", + "Windows security event 4688 lacks code signature and hash information, hence the use of `process.executable` for aggregation.", + "Unique `process.hash.sha256` and agent is not necessarily malicious, this help surface ones worth further investigation.", + "Suspicious `process.executable` paths and LOLBins should be reviewed further.", +] +mitre = [ "T1543", "T1543.003"] +query = [ +''' +from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and + process.parent.name == "services.exe" and process.code_signature.trusted != true +| stats hosts = count_distinct(host.id) by process.hash.sha256, process.name + /* unique hash observed in one unique agent */ +| where hosts == 1 +''', +''' +from logs-system.security-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "process" and event.code == "4688" and + event.action == "created-process" and process.parent.name == "services.exe" +| eval process_path = replace(process.executable, 
"""([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") +| stats hosts = count_distinct(host.id) by process_path + /* unique path observed in one unique agent */ +| where hosts == 1 +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency_elastic_defend_sysmon.toml b/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency_elastic_defend_sysmon.toml deleted file mode 100644 index d9a1dae2780..00000000000 --- a/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency_elastic_defend_sysmon.toml +++ /dev/null 
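Review bot: The new user-facing `name = "Low Occurence of Process Execution via Windows Services with Unique Agent"` misspells "Occurrence"; since this value presumably feeds generated documentation, fix it to `name = "Low Occurrence of Process Execution via Windows Services with Unique Agent"`. The third note, "Unique `process.hash.sha256` and agent is not necessarily malicious, this help surface ones worth further investigation.", was carried over with its grammar error while the equivalent note in the scheduled-task hunt in this same commit was corrected; suggest aligning it to "... is not necessarily malicious, however this helps surface signals worth further investigation."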
@@ -1,23 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows"] -uuid = "858b7022-b587-4b95-afd6-8ce597bedce3" -name = "Execution via Windows Services with low occurrence frequency - Elastic Defend - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "Windows security event 4688 lacks code signature and hash information, hence the use of process.executable for aggregation.", - "Unique process.hash.sha256 and agent is not necessarily malicious, this help surface ones worth further investigation.", - "Suspicious process.executable paths and lolbins should be reviewed further.", -] -mitre = [ "T1543", "T1543.003",] - -query = ''' -from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and - process.parent.name == "services.exe" and process.code_signature.trusted != true -| stats hosts = count_distinct(host.id) by process.hash.sha256, process.name - /* unique hash observed in one unique agent */ -| where hosts == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency_windows_security.toml b/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency_windows_security.toml deleted file mode 100644 index 621e174fc0a..00000000000 --- a/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency_windows_security.toml +++ /dev/null 
@@ -1,25 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["system"] -uuid = "5fdc9f73-c6a4-4ea4-8e16-347ed675e236" -name = "Execution via Windows Services with low occurrence frequency - Windows Security" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "Windows security event 4688 lacks code signature and hash information, hence the use of process.executable for aggregation.", - "Unique process.hash.sha256 and agent is not necessarily malicious, this help surface ones worth further investigation.", - "Suspicious process.executable paths and lolbins should be reviewed further.", -] -mitre = [ "T1543", "T1543.003",] - -query = ''' -from logs-system.security-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.code == "4688" and - event.action == "created-process" and process.parent.name == "services.exe" -| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") -| stats hosts = count_distinct(host.id) by process_path - /* unique path observed in one unique agent */ -| where hosts == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process.toml b/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process.toml new file mode 100644 index 00000000000..44ae0c42423 --- /dev/null +++ b/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process.toml 
@@ -0,0 +1,65 @@ +[hunt] +author = "Elastic" +description = """ +This hunt identifies browser or svchost instances performing a considerable number of connections per hour over an extended period of hours to a specific destination address, limited to a unique host of the monitored agents. Browsers and svchost are both good targets for masquerading network traffic on the endpoint. +""" +integration = ["endpoint", "windows"] +uuid = "ed254a22-e7bb-4a36-9291-196b77762dd8" +name = "High Count of Network Connection Over Extended Period by Process" +language = "ES|QL" +license = "Elastic License v2" +notes = [ + "This hunt includes three queries for Elastic Defend and Sysmon data sources.", +] +mitre = [ "T1071"] +query = [ +''' +from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* +| where host.os.family == "windows" and event.category == "network" and + network.direction == "egress" and process.name in ("chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe", "svchost.exe") and + /* excluding DNS */ + destination.port != 53 and + /* excluding private IP ranges */ + not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") +| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp, host.id + /* calc total duration and the number of connections per hour */ +| stats count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp), hosts= count_distinct(host.id), count_unique_pids = count_distinct(process.entity_id) by destination.address, process.name +| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), 
duration_hours=TO_INT(dur/3600000), number_of_con_per_hour = (count_connections / duration_hours) +| keep process.name, duration_hours, destination.address, hosts, count_unique_pids, count_connections, number_of_con_per_hour + /* threshold is set to 120 connections per minute during 4 hours and limited to 1 agent and 1 pid, you can adjust this values to your hunting needs */ +| where number_of_con_per_hour >= 120 and duration_hours >= 4 and hosts == 1 and count_unique_pids == 1 +''', +''' +from logs-endpoint.events.network-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "network" and + network.direction == "egress" and +(process.code_signature.exists == false or process.code_signature.trusted != true or starts_with(process.executable, "C:\\Users\\Public\\")) and + /* excluding private IP ranges */ + not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") +| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp + /* calc total duration , total MB out and the number of connections per hour */ +| stats total_bytes_out = sum(source.bytes), count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, destination.address, process.name +| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / duration_hours) +| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, 
number_of_con_per_hour + /* threshold is set to 120 connections per minute , you can adjust it to your env/FP rate */ +| where duration_hours >= 1 and number_of_con_per_hour >= 120 +''', +''' +from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "network" and + network.direction == "egress" and (process.executable like "C:\\\\Windows\\\\System32*" or process.executable like "C:\\\\Windows\\\\SysWOW64\\\\*") and not user.id in ("S-1-5-19", "S-1-5-20") and +/* multiple Windows svchost services perform long term connection to MS ASN, can be covered in a dedicated hunt */ +not (process.name == "svchost.exe" and user.id == "S-1-5-18") and +/* excluding private IP ranges */ + not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") +| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp + /* calc total duration , total MB out and the number of connections per hour */ +| stats total_bytes_out = sum(source.bytes), count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, destination.address, process.name +| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / duration_hours) +| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour +/* threshold is set to 120 connections per minute , you can 
adjust it to your env/FP rate */ +| where duration_hours >= 1 and number_of_con_per_hour >= 120 +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network.toml b/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network.toml deleted file mode 100644 index 75556ed2372..00000000000 --- a/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network.toml +++ /dev/null 
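Review bot: The threshold comments in all three queries say `threshold is set to 120 connections per minute`, but the value compared is `number_of_con_per_hour = (count_connections / duration_hours)`, so they should read `/* threshold is set to 120 connections per hour ... */`. The file-level `description` only covers the first (browser/svchost, single host) query; the scope notes of the two merged files — unsigned or `C:\Users\Public` executables, and `System32`/`SysWOW64` binaries not running under a service account — were dropped, so one sentence per query in `notes` would keep the hunt self-explanatory. Unlike the other two, the first query carries no `@timestamp > now() - 7 day` bound, which appears inherited from the deleted file but is worth stating or adding. Because `duration_hours` is truncated with `TO_INT` before the division, groups spanning less than an hour divide by zero; the later `duration_hours >= 1` filter discards them, but guarding the `eval` would presumably avoid the per-row warnings.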
@@ -1,28 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint"] -uuid = "76843f1f-404d-42b8-9c25-fcc14e270240" -name = "High count of network connection over extended period by process - Elastic Defend Network" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt aggregate by process Id and destination ip the number of connections per hour over a period of time greater than a defined threshold. The process paths are scoped to Microsoft signed binaries often injected or used as a lolbin to masquerade malicious execution. This could be a sign of long term network activity to perform command and control from an injected process. Scoped for unsigned processes or ones running from suspicious paths, the Sysmon network events don't include process code signature information", -] -mitre = [ "T1071",] - -query = ''' -from logs-endpoint.events.network-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "network" and - network.direction == "egress" and -(process.code_signature.exists == false or process.code_signature.trusted != true or starts_with(process.executable, "C:\\Users\\Public\\")) and - /* excluding private IP ranges */ - not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") -| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp - /* calc total duration , total MB out and the number of connections per hour */ -| stats total_bytes_out = sum(source.bytes), count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, 
destination.address, process.name -| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / duration_hours) -| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour - /* threshold is set to 120 connections per minute , you can adjust it to your env/FP rate */ -| where duration_hours >= 1 and number_of_con_per_hour >= 120 -''' \ No newline at end of file diff --git a/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network_sysmon.toml b/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network_sysmon.toml deleted file mode 100644 index 9362fdb25e2..00000000000 --- a/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network_sysmon.toml +++ /dev/null 
@@ -1,28 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows"] -uuid = "ed254a22-e7bb-4a36-9291-196b77762dd8" -name = "High count of network connection over extended period by process - Elastic Defend Network - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt identify browser or svchost instances performing a considerable number of connections per hour over an extended period of hours to a specific destination address and this is limited to a unique host of the monitored agents. Browsers and svchost are both good targets for masquerading network traffic on the endpoint.", -] -mitre = [ "T1071",] - -query = ''' -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where host.os.family == "windows" and event.category == "network" and - network.direction == "egress" and process.name in ("chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe", "svchost.exe") and - /* excluding DNS */ - destination.port != 53 and - /* excluding private IP ranges */ - not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") -| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp, host.id - /* calc total duration and the number of connections per hour */ -| stats count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp), hosts= count_distinct(host.id), count_unique_pids = count_distinct(process.entity_id) by destination.address, process.name -| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), number_of_con_per_hour = 
(count_connections / duration_hours) -| keep process.name, duration_hours, destination.address, hosts, count_unique_pids, count_connections, number_of_con_per_hour - /* threshold is set to 120 connections per minute during 4 hours and limited to 1 agent and 1 pid, you can adjust this values to your hunting needs */ -| where number_of_con_per_hour >= 120 and duration_hours >= 4 and hosts == 1 and count_unique_pids == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_sysmon.toml b/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_sysmon.toml deleted file mode 100644 index 68aa9903d26..00000000000 --- a/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_sysmon.toml +++ /dev/null 
@@ -1,29 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows"] -uuid = "7ee9a5a7-3ce1-47eb-b15a-1b148299fcf0" -name = "High count of network connection over extended period by process - Elastic Defend - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt aggregate by process Id and destination ip the number of connections per hour over a period of time greater than a defined threshold. The process paths are scoped to Microsoft signed binaries often injected or used as a lolbin to masquerade malicious execution. This could be a sign of long term network activity to perform command and control from an injected process.", -] -mitre = [ "T1071",] - -query = ''' -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "network" and - network.direction == "egress" and (process.executable like "C:\\\\Windows\\\\System32*" or process.executable like "C:\\\\Windows\\\\SysWOW64\\\\*") and not user.id in ("S-1-5-19", "S-1-5-20") and -/* multiple Windows svchost services perform long term connection to MS ASN, can be covered in a dedicated hunt */ -not (process.name == "svchost.exe" and user.id == "S-1-5-18") and -/* excluding private IP ranges */ - not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") -| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp - /* calc total duration , total MB out and the number of connections per hour */ -| stats total_bytes_out = sum(source.bytes), 
count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, destination.address, process.name -| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / duration_hours) -| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour -/* threshold is set to 120 connections per minute , you can adjust it to your env/FP rate */ -| where duration_hours >= 1 and number_of_con_per_hour >= 120 -''' \ No newline at end of file diff --git a/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency.toml b/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency.toml new file mode 100644 index 00000000000..7858e90607f --- /dev/null +++ b/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency.toml 
@@ -0,0 +1,48 @@ +[hunt] +author = "Elastic" +description = """ +This hunt returns the SHA256 hash and the `dll.path` of unsigned libraries loaded by svchost where the presence of unique path/hash is limited to a unique host. Adversaries may use Windows service DLLs to maintain persistence or run with System privileges. +""" +integration = ["endpoint", "windows"] +uuid = "e37fe0b9-1b70-4800-8989-58bac5a0a9bb" +name = "Libraries Loaded by svchost with Low Occurrence Frequency" +language = "ES|QL" +license = "Elastic License v2" +notes = [ + "This hunt includes two queries to cover both Sysmon and Elastic Defend data sources.", + "The hunt uses Elastic Defend library events for an extra optional condition `dll.Ext.relative_file_creation_time` to scope if for recently dropped DLLs.", + "The `count_dlls_per_folder` variable filter is used to avoid cases where multiple DLLs with different names are loaded from same directory (often observed in FPs loaded multiple dependencies from same dir).", + "Pay close attention unknown hashes and suspicious paths, usually ServiceDLLs are located in trusted directories like `%programfiles%` and `system32/syswow64`.", +] +mitre = [ "T1543", "T1543.003"] +query = [ +''' +from logs-endpoint.events.library-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "library" and event.action == "load" and + process.name == "svchost.exe" and (dll.code_signature.trusted == false or dll.code_signature.exists == false) and dll.hash.sha256 like "?*" and + (dll.Ext.relative_file_creation_time <= 900 or dll.Ext.relative_file_name_modify_time <= 900) +| keep dll.name, dll.path, dll.hash.sha256, host.id +| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1)) + /* paths normalization by removing random patterns */ +| eval dll_path = replace(dll_folder, 
"""([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced") +| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") +| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""") +| stats hosts = count_distinct(host.id), count_dlls_per_folder = count(dll_path) by dll_path, dll.name, dll.hash.sha256 +| where hosts == 1 and count_dlls_per_folder == 1 +''', +''' +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and + process.name == "svchost.exe" and file.code_signature.status != "Valid" and file.hash.sha256 like "?*" +| keep file.name, file.path, file.hash.sha256, host.id +| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1)) +/* paths normalization by removing random patterns */ +| eval dll_path = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced") +| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") +| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""") +| stats hosts = count_distinct(host.id), count_dlls_per_folder = count(dll_path) by dll_path, file.name, file.hash.sha256 +| where hosts == 1 and count_dlls_per_folder == 1 +''' +] \ No newline at end of file 
diff --git a/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency_elastic_defend.toml b/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency_elastic_defend.toml deleted file mode 100644 index 09a479e753d..00000000000 --- a/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency_elastic_defend.toml +++ /dev/null 
@@ -1,29 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint"] -uuid = "e37fe0b9-1b70-4800-8989-58bac5a0a9bb" -name = "Libraries loaded by svchost with low occurrence frequency - Elastic Defend" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "The hunt using Elastic Defend library events uses an extra optional condition dll.Ext.relative_file_creation_time to scope if for recently dropped DLLs.", - "The count_dlls_per_folder variable filter is used to avoid cases where multiple DLLs with different names are loaded from same directory (often observed in FPs loaded multiple dependencies from same dir).", - "Pay close attention unknown hashes and suspicious paths, usually ServiceDLLs are located in trusted directories like %programfiles% and system32/syswow64.", -] -mitre = [ "T1543", "T1543.003",] - -query = ''' -from logs-endpoint.events.library-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "library" and event.action == "load" and - process.name == "svchost.exe" and (dll.code_signature.trusted == false or dll.code_signature.exists == false) and dll.hash.sha256 like "?*" and - (dll.Ext.relative_file_creation_time <= 900 or dll.Ext.relative_file_name_modify_time <= 900) -| keep dll.name, dll.path, dll.hash.sha256, host.id -| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1)) - /* paths normalization by removing random patterns */ -| eval dll_path = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced") -| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") -| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""") -| stats hosts = count_distinct(host.id), count_dlls_per_folder = 
count(dll_path) by dll_path, dll.name, dll.hash.sha256 -| where hosts == 1 and count_dlls_per_folder == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency_sysmon.toml b/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency_sysmon.toml deleted file mode 100644 index 593e75175f1..00000000000 --- a/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency_sysmon.toml +++ /dev/null 
@@ -1,28 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["windows"] -uuid = "1ae6bfd7-34ce-4d7b-b956-f12d3797ac68" -name = "Libraries loaded by svchost with low occurrence frequency - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "The hunt using Elastic Defend library events uses an extra optional condition dll.Ext.relative_file_creation_time to scope if for recently dropped DLLs.", - "The count_dlls_per_folder variable filter is used to avoid cases where multiple DLLs with different names are loaded from same directory (often observed in FPs loaded multiple dependencies from same dir).", - "Pay close attention unknown hashes and suspicious paths, usually ServiceDLLs are located in trusted directories like %programfiles% and system32/syswow64.", -] -mitre = [ "T1543", "T1543.003",] - -query = ''' -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and - process.name == "svchost.exe" and file.code_signature.status != "Valid" and file.hash.sha256 like "?*" -| keep file.name, file.path, file.hash.sha256, host.id -| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1)) -/* paths normalization by removing random patterns */ -| eval dll_path = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced") -| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") -| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""") -| stats hosts = count_distinct(host.id), count_dlls_per_folder = count(dll_path) by dll_path, file.name, file.hash.sha256 -| where hosts == 1 and count_dlls_per_folder == 1 -''' \ No newline at end 
of file diff --git a/hunting/windows/queries/microsoft_office_child_processes_with_low_occurrence_frequency.toml b/hunting/windows/queries/microsoft_office_child_processes_with_low_occurrence_frequency.toml index ae4da0641ce..fe1709bbe9b 100644 --- a/hunting/windows/queries/microsoft_office_child_processes_with_low_occurrence_frequency.toml +++ b/hunting/windows/queries/microsoft_office_child_processes_with_low_occurrence_frequency.toml 
@@ -1,23 +1,27 @@ [hunt] author = "Elastic" +description = """ +This hunt looks for Microsoft Office child processes with low occurrence frequency. This could be a normal rare behavior as well as potential execution via a malicious document. Adversaries may use Microsoft Office applications to execute malicious code, such as macros, scripts, or other payloads. +""" integration = ["endpoint", "windows", "system"] uuid = "74b2e54b-7002-4201-83d6-7fd9bd5dcf0f" -name = "Microsoft Office Child Processes with low occurrence frequency" +name = "Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent" language = "ES|QL" license = "Elastic License v2" notes = [ - "Certain processes like WerFault.exe, dw20.exe and dwwin.exe are often related to application crash.", + "Certain processes like `WerFault.exe`, `dw20.exe` and `dwwin.exe` are often related to application crash.", "Closer attention should be attributed to lolbins and unsigned executables (Windows 4688 is not capturing process code signature information).", ] -mitre = [ "T1566", "T1566.001",] - -query = ''' +mitre = [ "T1566", "T1566.001"] +query = [ +''' from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* -| where host.os.family == "windows" and @timestamp > NOW() - 15 day and - event.category == "process" and event.action in ("start", "Process creation", "created-process") and +| where host.os.family == "windows" and @timestamp > NOW() - 15 day and + event.category == "process" and event.action in ("start", "Process creation", "created-process") and process.parent.name.caseless in ("winword.exe", "excel.exe", "powerpnt.exe") and not starts_with(process.executable, "C:\\Program Files") // normalize user home profile paths | eval process_path = replace(process.executable.caseless, """[c]:\\[u][s][e][r][s]\\[a-zA-Z0-9\.\-\_\$]+\\""", "c:\\\\users\\\\user\\\\") -| stats occurrences = count(*), agents = count_distinct(agent.id) by process_path, 
process.parent.name +| stats occurrences = count(*), agents = count_distinct(agent.id) by process_path, process.parent.name | where occurrences == 1 and agents == 1 -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/network_discovery_via_sensitive_ports_by_unusual_process.toml b/hunting/windows/queries/network_discovery_via_sensitive_ports_by_unusual_process.toml index 9275697792e..5f80401f4d2 100644 --- a/hunting/windows/queries/network_discovery_via_sensitive_ports_by_unusual_process.toml +++ b/hunting/windows/queries/network_discovery_via_sensitive_ports_by_unusual_process.toml @@ -1,8 +1,11 @@ [hunt] author = "Elastic" +description = """ +This hunt looks for either processes connecting to multiple sensitive TCP ports (SMB, RDP, LDAP, Kerberos and ADWS), a high number of SMB/RDP connections to unique destinations or the same process connecting to both RDP and SMB (should be rare). +""" integration = ["endpoint", "windows"] uuid = "e0acab7d-30bd-4be0-9682-5c3457bbeb4f" -name = "Network Discovery via sensitive ports by unusual process" +name = "Network Discovery via Sensitive Ports by Unusual Process" language = "ES|QL" license = "Elastic License v2" notes = [ 
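Review bot: The exclusion `not starts_with(process.executable, "C:\\Program Files")` is case-sensitive while the neighbouring conditions and the path normalization use the `.caseless` variants, so an executable reported with a lower-cased path (if any source does that) would slip past it; `not starts_with(process.executable.caseless, "c:\\program files")` keeps the filter consistent with the rest of the query. That line is context in this hunk, so the commit inherits rather than introduces it, but the new name and description now present the query as a filtered, per-agent hunt, so it is worth closing here. The rewritten `| where` lines appear to differ from the removed ones only in trailing whitespace, which adds noise to the diff.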
@@ -10,13 +13,13 @@ notes = [ "You can add more sensitive ports to the list like FTP, SSH and others.", "Elastic Network events include process code signature information, this can be added to filter out signed third party false positives.", ] -mitre = [ "T1021", "T1021.002", "T1021.001",] - -query = ''' -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* +mitre = [ "T1021", "T1021.002", "T1021.001"] +query = [ +''' +from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and - network.transport == "tcp"and destination.port in (3389, 445, 389, 9389, 88, 5985, 5986, 22) and source.port >= 49152 and +| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and + network.transport == "tcp"and destination.port in (3389, 445, 389, 9389, 88, 5985, 5986, 22) and source.port >= 49152 and process.pid != 4 | keep process.executable, destination.port, destination.ip, process.entity_id /* network events with SMB or RDP as a target */ @@ -24,4 +27,5 @@ from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* /* unique count by destination.port, number of distinct SMB and RDP destinations */ | stats count_unique_ports = count_distinct(destination.port), count_smb_dst = count_distinct(smb_dip), count_rdp_dst = count_distinct(rdp_dip) by process.entity_id, process.executable | where count_unique_ports >= 3 or count_rdp_dst >= 10 or count_smb_dst >= 10 or (count_rdp_dst >= 1 and count_rdp_dst >= 1) -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_agent.toml b/hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_agent.toml index 243b98600ed..39a2bc1d874 100644 --- a/hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_agent.toml 
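Review bot: The final filter in the third hunk, `(count_rdp_dst >= 1 and count_rdp_dst >= 1)`, tests the same field twice, so it is true for any process with a single RDP destination and the "same process connecting to both RDP and SMB" case from the new description is never what it selects; the intended form is presumably `(count_rdp_dst >= 1 and count_smb_dst >= 1)`. The line is context here, so the commit inherits rather than introduces the defect, but the description added in the first hunk now documents behaviour the query does not have. In the second hunk `network.transport == "tcp"and destination.port` is missing the space before `and`.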
+++ b/hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_agent.toml 
@@ -1,21 +1,33 @@ [hunt] author = "Elastic" +description = """ +This hunt looks for a high number of executable file transfers via the SMB protocol by the same user or agent to more than a defined maxium threshold of targets. This could be a sign of lateral movement via the Windows Admin Shares. +""" integration = ["endpoint"] uuid = "3e66fc1a-2ea0-43a6-ba51-0280c693d152" -name = "PE File Transfer via SMB_Admin Shares by Agent" +name = "PE File Transfer via SMB_Admin Shares by Agent or User" language = "ES|QL" license = "Elastic License v2" notes = [ - "This hunt looks for high number of executable file transfer via the SMB protocol by the same user.name to more than a defined maxium threshold of targets. This could be a sign of lateral movement via the Windows Admin Shares.", - "Further investigation can done pivoting by host.id and user name.", + "Further investigation can done pivoting by `host.id` and `user.name`.", ] -mitre = [ "T1021", "T1021.002",] - -query = ''' +mitre = [ "T1021", "T1021.002"] +query = [ +''' from logs-endpoint.events.file-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and - starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and + starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) | stats agents = count_distinct(host.id), total = count(*) by user.name | where agents == 1 and total <= 3 -''' \ No newline at end of file +''', +''' +from logs-endpoint.events.file-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and + 
starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) +| stats agents = count_distinct(host.id), total = count(*) by user.name + /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */ +| where agents >= 10 +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_user.toml b/hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_user.toml deleted file mode 100644 index c55b0243f9f..00000000000 --- a/hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_user.toml +++ /dev/null @@ -1,22 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint"] -uuid = "ef9def35-0671-4599-8a18-5a1b833ef4c4" -name = "PE File Transfer via SMB_Admin Shares by User" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt looks for high number of executable file transfer via the SMB protocol by the same user.name to more than a defined maxium threshold of targets. This could be a sign of lateral movement via the Windows Admin Shares.", - "PE File Transfer via SMB/Admin Shares by User", -] -mitre = [ "T1021", "T1021.002",] - -query = ''' -from logs-endpoint.events.file-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and - starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) -| stats agents = count_distinct(host.id), total = count(*) by user.name - /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */ -| where agents >= 10 -''' \ No newline at end of file diff --git a/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency.toml b/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency.toml new file mode 100644 index 00000000000..28cdf428567 
--- /dev/null +++ b/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency.toml 
@@ -0,0 +1,45 @@ +[hunt] +author = "Elastic" +description = """ +Leveraging frequency based analysis and random values normalization, this hunt identifies instances where a program adds a persistence entry with rare values or are imited to unique hosts. Run registry key cause programs to run each time that a user logs on and are often abused by adversaries to maintain persistence on an endpoint. +""" +integration = ["endpoint", "windows"] +uuid = "1078e906-0485-482e-bcf3-7ee939e07020" +name = "Persistence via Run Key with Low Occurrence Frequency" +language = "ES|QL" +license = "Elastic License v2" +notes = [ + "This hunt includes two queries to cover both Sysmon and Elastic Defend data sources.", + "Sysmon registry events do not populate process code signature information (hence the separation of the queries).", + "Suspicious paths and LOLBins in the `registry.data.strings` value should be reviewed further.", +] +mitre = [ "T1547", "T1547.001"] +query = [ +''' +from logs-endpoint.events.registry-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "registry" and event.action == "modification" and + (process.code_signature.exists == false or starts_with(process.code_signature.subject_name, "Microsoft")) and + ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and + not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)""" +| keep registry.key, registry.data.strings, process.name, host.id + /* Paths normalization in registry.data.strings to ease aggregation */ +| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", 
"C:\\\\users\\\\user\\\\") +| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data +| where hosts == 1 and cc == 1 +''', +''' +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "registry" and event.action == "RegistryEvent (Value Set)" and + ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and + not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)""" +| keep registry.key, registry.data.strings, process.name, host.id + /* Paths normalization in registry.data.strings to ease aggregation */ +| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data +| where hosts == 1 and cc == 1 +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency_elastic_defend.toml b/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency_elastic_defend.toml deleted file mode 100644 index c0a26f9a9bf..00000000000 --- a/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency_elastic_defend.toml +++ /dev/null 
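Review bot: The new `description` has a typo and a grammar slip: `are imited to unique hosts` should read `are limited to unique hosts`, and `Run registry key cause programs` should read `Run registry keys cause programs`. In both queries the profile-path normalization class `[a-zA-Z0-9ñ\.\-\_\$~ ]+` covers only ñ among non-ASCII letters, so the same `registry.data.strings` value under a profile whose name contains other accented characters is not collapsed to `C:\\users\\user\\` and is counted as a distinct `registry_data`, inflating the `hosts == 1 and cc == 1` result set; widening the class (for example `[^\\]+`) keeps the uniqueness count honest where such profiles exist. The `\\Microsoft\\Windows\\CurrentVersion\\Run` suffix match does not cover `RunOnce`, which is worth stating in the notes so readers do not assume it is included. The file takes over uuid `1078e906-0485-482e-bcf3-7ee939e07020` from the deleted Elastic Defend variant while the Sysmon variant's `cb2d8acc-123a-4578-bd33-7004c2be9843` is retired; a line in the commit message would help anyone whose tooling keys on that id.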
@@ -1,27 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint"] -uuid = "1078e906-0485-482e-bcf3-7ee939e07020" -name = "Persistence via Run Key with low occurrence frequency - Elastic Defend" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "Sysmon registry event don't populate process code signature information (hence the separation of the queries).", - "Suspicious paths and lolbins in the registry.data.strings value should be reviewed further.", -] -mitre = [ "T1547", "T1547.001",] - -query = ''' -from logs-endpoint.events.registry-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "registry" and event.action == "modification" and - (process.code_signature.exists == false or starts_with(process.code_signature.subject_name, "Microsoft")) and - ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and - not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)""" -| keep registry.key, registry.data.strings, process.name, host.id - /* Paths normalization in registry.data.strings to ease aggregation */ -| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data -| where hosts == 1 and cc == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency_sysmon.toml b/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency_sysmon.toml deleted file mode 100644 index 1ec10dc553b..00000000000 
--- a/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency_sysmon.toml +++ /dev/null @@ -1,26 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["windows"] -uuid = "cb2d8acc-123a-4578-bd33-7004c2be9843" -name = "Persistence via Run Key with low occurrence frequency - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "Sysmon registry event don't populate process code signature information (hence the separation of the queries).", - "Suspicious paths and lolbins in the registry.data.strings value should be reviewed further.", -] -mitre = [ "T1547", "T1547.001",] - -query = ''' -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "registry" and event.action == "RegistryEvent (Value Set)" and - ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and - not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)""" -| keep registry.key, registry.data.strings, process.name, host.id - /* Paths normalization in registry.data.strings to ease aggregation */ -| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data -| where hosts == 1 and cc == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/persistence_via_startup_with_low_occurrence_frequency.toml b/hunting/windows/queries/persistence_via_startup_with_low_occurrence_frequency.toml index a1019041f57..65e1ed4704f 100644 
--- a/hunting/windows/queries/persistence_via_startup_with_low_occurrence_frequency.toml
+++ b/hunting/windows/queries/persistence_via_startup_with_low_occurrence_frequency.toml
@@ -1,21 +1,22 @@ [hunt] author = "Elastic" +description = "Leveraging frequency based analysis and path normalization, this hunt identifies rare instances where a program adds a Startup persistence via file creation. Startup entries cause programs to run each time that a user logs on and are often abused by adversaries to maintain persistence on an endpoint." integration = ["endpoint", "windows"] uuid = "9d8c79fd-0006-4988-8aaa-d5f9b9a7df8e" -name = "Persistence via Startup with low occurrence frequency" +name = "Persistence via Startup with Low Occurrence Frequency by Unique Host" language = "ES|QL" license = "Elastic License v2" notes = [ - "Elastic Defend file event captures the process.code_signature information, this can be added to the hunt to limit to unsigned and Microsoft signed programs.", - "Unique file.name and limited to 1 agent is not necessarily malicious, this help surface ones worth further investigation.", - "Suspicious process.executable paths and lolbins should be reviewed further.", + "Elastic Defend file event captures the `process.code_signature` information, this can be added to the hunt to limit to unsigned and Microsoft signed programs.", + "Unique `file.name` and limited to one agent is not necessarily malicious, however helps surface ones worth further investigation.", + "Suspicious `process.executable` paths and LOLBins should be reviewed further.", ] -mitre = [ "T1547", "T1547.001",] - -query = ''' +mitre = [ "T1547", "T1547.001"] +query = [ +''' from logs-endpoint.events.file-*, logs-windows.sysmon_operational-default-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action in ("creation", "FileCreate") and +| where host.os.family == "windows" and event.category == "file" and event.action in ("creation", "FileCreate") and file.path rlike """(C:\\Users\\.+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.+*|C:\\ProgramData\\Microsoft\\Windows\\Start 
Menu\\Programs\\StartUp\\.+)""" | keep process.executable, host.id, file.name /* Paths normalization in registry.data.strings to ease aggregation */ @@ -23,4 +24,5 @@ from logs-endpoint.events.file-*, logs-windows.sysmon_operational-default-* | eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") | stats number_hosts = count_distinct(host.id) by process_path, file.name | where number_hosts == 1 -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml b/hunting/windows/queries/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml index a11fc9dea5c..2e6cb02440d 100644 --- a/hunting/windows/queries/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml +++ b/hunting/windows/queries/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml 
@@ -1,24 +1,27 @@
 [hunt]
 author = "Elastic"
+description = """
+This hunt looks for persistence via Launch agent or daemon where the distribution is limited to one unique host.
+"""
 integration = ["endpoint"]
 uuid = "a7dcd1a1-2860-491e-8802-31169a607167"
-name = "Persistence via Suspicious Launch Agent or Launch Daemon with low occurrence"
+name = "Low Occurrence of Suspicious Launch Agent or Launch Daemon"
 language = "ES|QL"
 license = "Elastic License v2"
 notes = [
- "This hunt looks for persistence via Launch agent or daemon where the distribution is limited to one unique host.",
- "Further investigation can done pivoting by Persistence.name and args.",
+ "Further investigation can done pivoting by `Persistence.name` and `args`.",
 ]
-mitre = [ "T1547", "T1547.011", "T1543", "T1543.001", "T1543.004",]
-
-query = '''
+mitre = [ "T1547", "T1547.011", "T1543", "T1543.001", "T1543.004"]
+query = [
+'''
 from logs-endpoint.events.file-*
 | where @timestamp > now() - 7 day
-| where host.os.family == "macos" and event.category == "file" and event.action == "launch_daemon" and
+| where host.os.family == "macos" and event.category == "file" and event.action == "launch_daemon" and
 (Persistence.runatload == true or Persistence.keepalive == true) and process.executable is not null
 | eval args = MV_CONCAT(Persistence.args, ",")
 /* normalizing users home profile */
 | eval args = replace(args, """/Users/[a-zA-Z0-9ñ\.\-\_\$~ ]+/""", "/Users/user/")
 | stats agents = count_distinct(host.id), total = count(*) by process.name, Persistence.name, args
 | where starts_with(args, "/") and agents == 1 and total == 1
-'''
\ No newline at end of file
+'''
+]
\ No newline at end of file
diff --git a/hunting/windows/queries/potential_exfiltration_by_process_total_egress_bytes.toml b/hunting/windows/queries/potential_exfiltration_by_process_total_egress_bytes.toml
index 972a4437c0c..48f192b0f2b 100644
--- a/hunting/windows/queries/potential_exfiltration_by_process_total_egress_bytes.toml
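Review bot: The new `description` documents a macOS Launch Agent/Daemon hunt (the query filters `host.os.family == "macos"`), yet the file stays under `hunting/windows/queries/`; since this commit already renames and reorganizes hunt files, moving it to a macOS-specific query directory would make the tree agree with the description. The retained note `Further investigation can done pivoting by` is missing a word and should read `Further investigation can be done pivoting by`.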
+++ b/hunting/windows/queries/potential_exfiltration_by_process_total_egress_bytes.toml 
@@ -1,26 +1,31 @@ [hunt] author = "Elastic" +description = """ +Using aggregation and the ES|QL `SUM` function, this hunt identifies processes that performed egress connections with total bytes greater or equal to a defined maximum threshold. This may indicate exfiltration or long term command and control activity. +""" integration = ["endpoint"] uuid = "977d77f9-86e0-4df6-bdc7-aed87c048290" -name = "Potential Exfiltration by process total egress bytes" +name = "Egress Network Connections with Total Bytes Greater than Threshold" language = "ES|QL" license = "Elastic License v2" notes = [ - "This hunt is not compatible with Sysmon event 3 (Network connection) and Windows security event 5156 as both don't log source.bytes.", - "The use of host.os.family is to optimise the query and avoid timeout. You can duplicate the same query for other platforms (linux, macos etc.)", + "This hunt is not compatible with Sysmon event 3 (Network connection) and Windows security event 5156 as both don't log `source.bytes`.", + "The use of `host.os.family` is to optimise the query and avoid timeout. 
You can duplicate the same query for other platforms (linux, macos etc.)", "Based on limited testing it's recommended to set the query time window to 8 hours.", - "Pivoting by process.entity_id will allow further investigation (parent process, hash, child processes, other network events etc.).", + "Pivoting by `process.entity_id` will allow further investigation (parent process, hash, child processes, other network events etc.).", ] mitre = [ "T1071",] -query = ''' +query = [ +''' from logs-endpoint.events.network-* -| where @timestamp > now() - 8 hour -| where host.os.family == "windows" and event.category == "network" and - event.action == "disconnect_received" and +| where @timestamp > now() - 8 hour +| where host.os.family == "windows" and event.category == "network" and + event.action == "disconnect_received" and not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") | keep source.bytes, destination.address, process.executable, process.entity_id | stats total_bytes_out = sum(source.bytes) by process.entity_id, destination.address, process.executable /* more than 1GB out by same process.pid in 8 hours */ | where total_bytes_out >= 1073741824 -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/rundll32_execution_aggregated_by_cmdline.toml b/hunting/windows/queries/rundll32_execution_aggregated_by_cmdline.toml index 0f970eb8958..c266a04ebf4 100644 --- a/hunting/windows/queries/rundll32_execution_aggregated_by_cmdline.toml +++ b/hunting/windows/queries/rundll32_execution_aggregated_by_cmdline.toml 
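Review bot: The private-range exclusion list passed to `CIDR_MATCH` covers RFC 1918, link-local, loopback and multicast, but the IPv6 unique-local range `fc00::/7` is absent, so intra-site IPv6 traffic is summed as egress and can trip the 1 GB threshold; adding `"fc00::/7"` to the list keeps the IPv6 side consistent with the IPv4 one. The context comment `/* more than 1GB out by same process.pid in 8 hours */` no longer matches the aggregation, which groups by `process.entity_id`, `destination.address` and `process.executable`; `/* more than 1GB out by the same process.entity_id to one destination in 8 hours */` describes it accurately. In the new description, `greater or equal to a defined maximum threshold` reads better as `greater than or equal to a defined threshold`.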
@@ -1,25 +1,29 @@ [hunt] author = "Elastic" +description = """ +This hunt aggregate Rundll32 execution by normalized `process.command_line` and returns instances that are unique by frequency. Rundll32 is one of the most abused binaries to proxy execution of malicious commands and modules. +""" integration = ["endpoint", "windows", "system"] uuid = "30f37cd2-c1d8-4554-bb4a-ed76de9e6857" -name = "Rundll32 execution aggregated by cmdline" +name = "Rundll32 Execution Aggregated by Command Line" language = "ES|QL" license = "Elastic License v2" notes = [ "Execution of DLLs from suspicious paths or with suspicious export function names or from suspicious parent should be further reviewed.", - "Parents such as svchost, explorer.exe, wmiprvse.exe, winword.exe and others should be carefully reviewed.", + "Parents such as svchost, `explorer.exe`, `wmiprvse.exe`, `winword.exe` and others should be carefully reviewed.", ] -mitre = [ "T1127", "T1218", "T1218.011",] - -query = ''' +mitre = [ "T1127", "T1218", "T1218.011"] +query = [ +''' from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and - process.name.caseless == "rundll32.exe" and +| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and + process.name.caseless == "rundll32.exe" and not process.command_line rlike """.*(zzzzInvokeManagedCustomActionOutOfProc|GeneralTel.dll,RunInUserCxt|ShOpenVerbApplication|davclnt.dll,DavSetCookie|FileProtocolHandler|EDGEHTML.dll|FirewallControlPanel.dll,ShowNotificationDialog|printui.dll,PrintUIEntryDPIAware|Program 
Files|SHCreateLocalServerRunDll|ImageView_Fullscreen|StatusMonitorEntryPoint|Control_RunDLL|HotPlugSafeRemovalDriveNotification|AppxDeploymentClient.dll|acproxy.dll,PerformAutochkOperations|CapabilityAccessManagerDoStoreMaintenance|dfshim.dll|display.dll,ShowAdapterSettings|ForceProxyDetectionOnNextRun|PfSvWsSwapAssessmentTask|acmigration.dll,ApplyMigrationShims|LenovoBatteryGaugePackage.dll|-localserver|DriverStore|CnmDxPEntryPoint|DeferredDelete|DeviceProperties_RunDLL|AppxDeploymentClient.dll|spool\\DRIVERS|printui.dll,PrintUIEntry|DfdGetDefaultPolicyAndSMART|cryptext.dll,CryptExt|WininetPlugin.dll|ClearMyTracksByProcess|SusRunTask|OpenURL|CleanupTemporaryState).*""" | keep process.parent.name, process.command_line, host.id | eval cmdline = replace(process.command_line, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") | eval cmdline = replace(cmdline, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") | stats hosts =count_distinct(host.id), total = count() by cmdline, process.parent.name | where hosts == 1 -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/scheduled_task_creation_by_action_via_registry.toml b/hunting/windows/queries/scheduled_task_creation_by_action_via_registry.toml index 5cea1a74587..f473169b0dd 100644 --- a/hunting/windows/queries/scheduled_task_creation_by_action_via_registry.toml +++ b/hunting/windows/queries/scheduled_task_creation_by_action_via_registry.toml 
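Review bot: The new `description` reads `This hunt aggregate Rundll32 execution ... and returns instances that are unique by frequency`; `aggregates` and `returns instances seen on a single host` match what the query does (`| where hosts == 1`). In the exclusion regex on the context line, `AppxDeploymentClient.dll` is listed twice, and every alternative is an unanchored substring of the whole `process.command_line`, so unrelated command lines that merely contain a broad token such as `OpenURL` or `Program Files` in their arguments are filtered out as well; dropping the duplicate and anchoring the broad tokens to the DLL or export position would make the filter more precise. The exclusion list is otherwise unchanged by this commit and predates it.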
@@ -1,17 +1,19 @@
 [hunt]
 author = "Elastic"
+description = """
+This hunt looks for scheduled tasks creation by action using registry events. Scheduled tasks actions are saved under the TaskCache registry key in base64 encoded blob. Malware often abuse LOLBins to proxy execution or run executables from unusual paths, you can add more patterns to the query.
+"""
 integration = ["endpoint"]
 uuid = "344c0690-ebc3-4794-b123-272a5c09c57b"
-name = "Scheduled tasks creation by action via registry"
+name = "Scheduled tasks Creation by Action via Registry"
 language = "ES|QL"
 license = "Elastic License v2"
 notes = [
- "This hunt aggregate created scheduled tasks by action using registry events.",
- "Malware often abuse lolbins to proxy execution or run executables from unusual paths, you can add more patterns to the query.",
+ "Malware often abuse LOLBins to proxy execution or run executables from unusual paths, you can add more patterns to the query.",
 ]
 mitre = [ "T1053", "T1053.005"]
-
-query = '''
+query = [
+'''
 from logs-endpoint.events.registry-*
 | where @timestamp > now() - 7 day
 | where host.os.type == "windows" and event.category == "registry" and event.action == "modification" and
@@ -25,3 +27,4 @@ from logs-endpoint.events.registry-*
 /* helps reduce result to instances limited to one agent */
 | where count_agents == 1
 '''
+]
diff --git a/hunting/windows/queries/scheduled_tasks_creation_with_low_occurrence_frequency.toml b/hunting/windows/queries/scheduled_tasks_creation_for_unique_hosts_by_task_command.toml
similarity index 70%
rename from hunting/windows/queries/scheduled_tasks_creation_with_low_occurrence_frequency.toml
rename to hunting/windows/queries/scheduled_tasks_creation_for_unique_hosts_by_task_command.toml
index e6fc2b2887b..8d236b4c9be 100644
--- a/hunting/windows/queries/scheduled_tasks_creation_with_low_occurrence_frequency.toml
+++ b/hunting/windows/queries/scheduled_tasks_creation_for_unique_hosts_by_task_command.toml
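Review bot: The renamed title `Scheduled tasks Creation by Action via Registry` leaves `tasks` in lowercase while every other title in this commit is title-cased; `Scheduled Tasks Creation by Action via Registry` follows the convention. The new description's `saved under the TaskCache registry key in base64 encoded blob` reads better as `saved under the TaskCache registry key as a base64-encoded blob`, and its last sentence repeats the remaining note verbatim, so one of the two can go. This file now ends with a newline after the added `]` whereas the sibling files in the commit keep `\ No newline at end of file`; both are valid TOML, but the repository should settle on one.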
@@ -1,30 +1,34 @@ [hunt] author = "Elastic" +description = """ +Using aggregation and strings extraction, this hunt identifies instances where a scheduled task is created and set to run a command unique to a specific host. This could be the result of persistence as a Windows Scheduled Task. +""" integration = ["system"] uuid = "75804319-122c-4bdc-976e-d6355bca0d78" -name = "Scheduled tasks creation with low occurrence frequency" +name = "Scheduled Tasks Creation for Unique Hosts by Task Command" language = "ES|QL" license = "Elastic License v2" notes = [ "This hunt returns the aggregation of created tasks by task name, command to execute and number of hosts where this task is present.", - "Close attention should be paid to suspicious paths like C:\\Users\\Public and C:\\ProgramData\\ as well as lolbins.", + "Close attention should be paid to suspicious paths like `C:\\Users\\Public and C:\\ProgramData\\` as well as LOLBins.", ] -mitre = [ "T1053", "T1053.005",] - -query = ''' +mitre = [ "T1053", "T1053.005"] +query = [ +''' from logs-system.security-default-* | where @timestamp > now() - 7 day | where host.os.family == "windows" and event.code == "4698" and event.action == "scheduled-task-created" /* parsing unstructured data from winlog message to extract a scheduled task Exec command */ -| grok message "(?.+)" | eval Command = replace(Command, "(|)", "") +| grok message "(?.+)" | eval Command = replace(Command, "(|)", "") | where Command is not null /* normalise task name by removing usersid and uuid string patterns */ -| eval TaskName = replace(winlog.event_data.TaskName, """((-S-1-5-.*)|\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})""", "") +| eval TaskName = replace(winlog.event_data.TaskName, """((-S-1-5-.*)|\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})""", "") /* normalise task name by removing random patterns in a file path */ | eval Task_Command = replace(Command, 
"""(ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") /* normalize user home profile path */ | eval Task_Command = replace(Task_Command, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") | where Task_Command like "?*" and not starts_with(Task_Command, "C:\\Program Files") and not starts_with(Task_Command, "\"C:\\Program Files") -| stats tasks_count = count(*), hosts_count = count_distinct(host.id) by Task_Command, TaskName +| stats tasks_count = count(*), hosts_count = count_distinct(host.id) by Task_Command, TaskName | where hosts_count == 1 -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/suspicious_base64_encoded_powershell_commands.toml b/hunting/windows/queries/suspicious_base64_encoded_powershell_commands.toml index 4f6957b3709..88e89486a6e 100644 --- a/hunting/windows/queries/suspicious_base64_encoded_powershell_commands.toml +++ b/hunting/windows/queries/suspicious_base64_encoded_powershell_commands.toml 
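Review bot: The profile-path normalization class in this file, `[a-zA-Z0-9\.\-\_\$~]+`, lacks the space and `ñ` that the same regex carries in the other hunts of this commit (the Run-key and services hunts, for example), so a task command under a profile name containing a space is not collapsed to `C:\\users\\user\\` and surfaces as its own `Task_Command`; aligning the class with the others keeps `hosts_count` comparable across hunts. The `grok` pattern `"(?.+)"` and the following `replace(Command, "(|)", "")` appear to have lost their angle-bracketed group name and tags in this rendering; worth confirming the committed file still carries them, since as printed the grok would not produce the `Command` field the next line references. In the note, one pair of backticks wraps two paths and the word `and` together; giving each path its own code span reads cleaner.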
@@ -1,16 +1,20 @@
 [hunt]
 author = "Elastic"
+description = """
+This hunt identifies base64 encoded powershell commands in process start events and filters ones with suspicious keywords like downloaders and evasion related commands.
+"""
 integration = ["endpoint", "windows", "system"]
 uuid = "8bf800de-b3a2-4b36-9484-7d9dae2a1992"
 name = "Suspicious Base64 Encoded Powershell Command"
 language = "ES|QL"
 license = "Elastic License v2"
 notes = [
- "This hunt decode base64 obfuscated powershell commands in process start events and filter ones with suspicious keywords like downloaders and evasion related commands.",
+ "This hunt can be expanded to include more evasion techniques and downloaders.",
+ "Pivoting by `agent.id` can provide more context on the affected hosts."
 ]
 mitre = [ "T1059", "T1059.001", "T1027", "T1027.010"]
-
-query = '''
+query = [
+'''
 from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*
 | where host.os.type == "windows" and event.category == "process" and event.type == "start" and TO_LOWER(process.name) == "powershell.exe" and process.command_line rlike ".+ -(e|E).*"
 | keep agent.id, process.command_line
@@ -23,3 +27,4 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys
 | where decoded_base64_cmdline rlike """.*(http|webclient|download|mppreference|sockets|bxor|.replace|reflection|assembly|load|bits|start-proc|iwr|frombase64).*"""
 | keep agent.id, process.command_line, decoded_base64_cmdline
 '''
+]
diff --git a/hunting/windows/queries/suspicious_dns_txt_record_lookups_by_process.toml b/hunting/windows/queries/suspicious_dns_txt_record_lookups_by_process.toml
index 9cbdc33cd53..344f9675a43 100644
--- a/hunting/windows/queries/suspicious_dns_txt_record_lookups_by_process.toml
+++ b/hunting/windows/queries/suspicious_dns_txt_record_lookups_by_process.toml
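Review bot: The new `description` says `base64 encoded powershell commands` while the title uses `Powershell`; the product's casing is `PowerShell`, so the description, title and notes should agree. The context filter `TO_LOWER(process.name) == "powershell.exe"` does not include `pwsh.exe`, so PowerShell 7 encoded commands fall outside the hunt; if that is intentional the description should say so, otherwise `TO_LOWER(process.name) in ("powershell.exe", "pwsh.exe")` widens coverage. The `rlike ".+ -(e|E).*"` pre-filter also matches any `-e`/`-E`-prefixed switch such as `-ExecutionPolicy`, and the decoding steps that presumably absorb those rows sit between the two hunks, outside this diff; a note stating how non-encoded matches are handled would help a reader.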
@@ -1,20 +1,23 @@
 [hunt]
 author = "Elastic"
+description = """
+Leveraging aggregation by process executable entities, this hunt identifies identifies a high number of DNS TXT record queries from same process.
+Adversaries may leverage DNS TXT queries to stage malicious content or exfiltrate data.
+"""
 integration = ["endpoint", "windows"]
 uuid = "0b7343f7-2d16-43c7-af28-9d1f012b1093"
-name = "Suspicious DNS TXT Record lookups by process"
+name = "Suspicious DNS TXT Record Lookups by Process"
 language = "ES|QL"
 license = "Elastic License v2"
 notes = [
- "This hunt returns a list of processes unique pids and executable path that performs a high number of DNS TXT lookups.",
- "Pivoting by process.entity_id will allow further investigation (parent process, hash, child processes, other network events etc.).",
+ "This hunt returns a list of processes unique pids and executable paths that performs a high number of DNS TXT lookups.",
+ "Pivoting by `process.entity_id` will allow further investigation (parent process, hash, child processes, other network events etc.).",
 ]
-mitre = [ "T1071", "T1071.004",]
-
+mitre = [ "T1071", "T1071.004"]
 query = '''
 from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
-| where host.os.family == "windows" and event.category == "network" and
- event.action in ("lookup_requested", "DNSEvent (DNS query)") and
+| where host.os.family == "windows" and event.category == "network" and
+ event.action in ("lookup_requested", "DNSEvent (DNS query)") and
 (dns.question.type == "TXT" or dns.answers.type == "TXT") and process.executable != "C:\\Windows\\system32\\svchost.exe"
 | keep process.executable, process.entity_id
 | stats occurrences = count(*) by process.entity_id, process.executable
diff --git a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename.toml b/hunting/windows/queries/unique_windows_services_creation_by_servicefilename.toml
new file mode 100644
index 00000000000..8bc916f296f
--- /dev/null
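Review bot: This file keeps `query = '''` as a single string while every other hunt touched by this commit is converted to the `query = [ ''' ... ''' ]` list form; if the loader now expects a list this file is the odd one out, and if it accepts both forms the commit message should say so. The new description contains the doubled word `identifies identifies`, and `from same process` should read `from the same process`. The query's remaining lines, including its threshold, are outside this hunk.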
+++ b/hunting/windows/queries/unique_windows_services_creation_by_servicefilename.toml 
@@ -0,0 +1,64 @@ +[hunt] +author = "Elastic" +description = """ +This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the ES|QL `Replace` command we can also further remove random patterns to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and LOLBins. +""" +integration = ["endpoint", "windows", "system"] +uuid = "ebf79207-16dc-44f8-b10c-317d4a034bad" +name = "Unique Windows Services Creation by Service File Name" +language = "ES|QL" +license = "Elastic License v2" +notes = [ + "This hunt also identifies services registry modification by unusual process based on number of hosts and occurrences history.", + "Windows event IDs 4697 and 7045 are used to identify service creation and modification.", +] +mitre = [ "T1543", "T1543.003"] + +query = [ +''' +from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and + registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") and + process.executable != "C:\\Windows\\System32\\services.exe" +| eval process_path = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats hosts = count_distinct(host.id), occurrences = count(*) by process_path +/* unique process.executable found in one agent */ +| where hosts == 1 and occurrences == 1 +''', +''' +from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and + registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") 
and + not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" +| eval ServiceFileName = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") +| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName + /* unique ServiceFileName observed in 1 host*/ +| where hosts == 1 and cc == 1 +''', +''' +from logs-system.security-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "configuration" and event.code == "4697" and + not winlog.event_data.ServiceFileName rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" +| eval ServiceFileName = replace(winlog.event_data.ServiceFileName, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") +| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName +| where hosts == 1 and cc == 1 +''', +''' +from logs-system.system-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.code == "7045" and + not winlog.event_data.ImagePath rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program 
Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" +| eval ServiceFileName = replace(winlog.event_data.ImagePath, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") +| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName +| where hosts == 1 and cc == 1 +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_elastic_defend_registry_sysmon.toml b/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_elastic_defend_registry_sysmon.toml deleted file mode 100644 index e7f69e6e181..00000000000 --- a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_elastic_defend_registry_sysmon.toml +++ /dev/null 
@@ -1,23 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows"] -uuid = "ebf79207-16dc-44f8-b10c-317d4a034bad" -name = "Unique Windows Services Creation by ServiceFileName - Elastic Defend Registry - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt identify services registry modification by unusual process based on number of hosts and occurrences history.", -] -mitre = [ "T1543", "T1543.003",] - -query = ''' -from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and - registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") and - process.executable != "C:\\Windows\\System32\\services.exe" -| eval process_path = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats hosts = count_distinct(host.id), occurrences = count(*) by process_path -/* unique process.executable found in one agent */ -| where hosts == 1 and occurrences == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_elastic_defend_sysmon_registry.toml b/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_elastic_defend_sysmon_registry.toml deleted file mode 100644 index f13c7927f2b..00000000000 --- a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_elastic_defend_sysmon_registry.toml +++ /dev/null 
@@ -1,25 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows"] -uuid = "688dc79d-f52a-49ad-829d-89343e68b0f7" -name = "Unique Windows Services Creation by ServiceFileName - Elastic Defend - Sysmon Registry" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the Replace command we can also further remove random pattern to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and lolbins.", -] -mitre = [ "T1543", "T1543.003",] - -query = ''' -from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and - registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") and - not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" -| eval ServiceFileName = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") -| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName - /* unique ServiceFileName observed in 1 host*/ -| where hosts == 1 and cc == 1 -''' \ No newline at end of file 
diff --git a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_windows_security_4697.toml b/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_windows_security_4697.toml deleted file mode 100644 index 87d45175a2d..00000000000 --- a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_windows_security_4697.toml +++ /dev/null 
@@ -1,23 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["system"] -uuid = "b6b14385-4ed2-44af-98fe-dad5b1581174" -name = "Unique Windows Services Creation by ServiceFileName - Windows Security 4697" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the Replace command we can also further remove random pattern to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and lolbins.", -] -mitre = [ "T1543", "T1543.003",] - -query = ''' -from logs-system.security-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "configuration" and event.code == "4697" and - not winlog.event_data.ServiceFileName rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" -| eval ServiceFileName = replace(winlog.event_data.ServiceFileName, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") -| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName -| where hosts == 1 and cc == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_windows_security_7045.toml b/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_windows_security_7045.toml deleted file mode 100644 index 3be2538e9c0..00000000000 
--- a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_windows_security_7045.toml +++ /dev/null @@ -1,23 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["system"] -uuid = "1749a45b-98f0-4b27-8c2f-2287230e52b7" -name = "Unique Windows Services Creation by ServiceFileName - Windows Security 7045" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the Replace command we can also further remove random pattern to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and lolbins.", -] -mitre = [ "T1543", "T1543.003",] - -query = ''' -from logs-system.system-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.code == "7045" and - not winlog.event_data.ImagePath rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" -| eval ServiceFileName = replace(winlog.event_data.ImagePath, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") -| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName -| where hosts == 1 and cc == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/windows_command_and_scripting_interpreter_from_unusual_parent.toml b/hunting/windows/queries/windows_command_and_scripting_interpreter_from_unusual_parent.toml index 2e0ba4e330c..a4d0d9a8c56 100644 
--- a/hunting/windows/queries/windows_command_and_scripting_interpreter_from_unusual_parent.toml
+++ b/hunting/windows/queries/windows_command_and_scripting_interpreter_from_unusual_parent.toml
@@ -1,23 +1,27 @@
 [hunt]
 author = "Elastic"
+description = """
+This hunt looks for unusual Microsoft native processes spawning `cmd.exe`, `powershell.exe` or `conhost.exe` and limited to a unique host. This could be normal rare behavior as well as an interactive shell activity from an injected parent process to execute system commands.
+"""
 integration = ["endpoint", "windows", "system"]
 uuid = "de929347-c04a-4a94-8be2-cbe87b25bb25"
-name = "Windows Command and Scripting Interpreter from unusual parent"
+name = "Windows Command and Scripting Interpreter from Unusual Parent Process"
 language = "ES|QL"
 license = "Elastic License v2"
 notes = [
- "Pivoting can be done via process.parent.name.",
- "Certain Microsoft binaries like LSASS, winlogon, spoolsv and others should never spawn cmd.exe powershell.exe or conhost.exe, if so it's highly likely malicious.",
+ "Further pivoting can be done via `process.parent.name`.",
+ "Certain Microsoft binaries like LSASS, winlogon, spoolsv and others should never spawn `cmd.exe`, `powershell.exe` or `conhost.exe`, if so it's highly likely malicious.",
 ]
-mitre = [ "T1059", "T1059.001", "T1059.003",]
-
-query = '''
+mitre = [ "T1059", "T1059.001", "T1059.003"]
+query = [
+'''
 from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*
 | where @timestamp > now() - 7 day
-| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and
- process.name.caseless in ("cmd.exe", "powershell.exe", "conhost.exe") and
+| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and
+ process.name.caseless in ("cmd.exe", "powershell.exe", "conhost.exe") and
 (starts_with(process.parent.executable.caseless, "c:\\windows\\system32") or starts_with(process.parent.executable.caseless, "c:\\windows\\syswow64"))
 | keep process.name, process.parent.name, host.id
 | stats hosts = count_distinct(host.id), cc = count(*) by process.parent.name
 | where cc <= 10 and hosts == 1
-'''
\ No newline at end of file
+'''
+]
\ No newline at end of file
diff --git a/hunting/windows/queries/windows_logon_activity_by_source_ip.toml b/hunting/windows/queries/windows_logon_activity_by_source_ip.toml
index 60049f10080..4547241284f 100644
--- a/hunting/windows/queries/windows_logon_activity_by_source_ip.toml
+++ b/hunting/windows/queries/windows_logon_activity_by_source_ip.toml
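Review bot: The new query filters on `process.name.caseless` and `process.parent.executable.caseless` but then aggregates on the case-sensitive `process.parent.name`, so the same parent reported with different casing by the three sources in scope (Elastic Defend, Sysmon and Security 4688 events) lands in separate buckets, each of which can independently satisfy `cc <= 10 and hosts == 1` and surface as rare. Normalising before the aggregation keeps the per-parent counts honest: `| eval parent = to_lower(process.parent.name)` followed by `| stats hosts = count_distinct(host.id), cc = count(*) by parent`. The added description explains the `hosts == 1` limit, but nothing says why `cc <= 10` was chosen; a comment such as `/* low occurrences per parent; adjust to fleet size */` above the last `where` would help whoever tunes it.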
@@ -1,26 +1,29 @@
 [hunt]
 author = "Elastic"
+description = """
+This hunt returns a summary of network logon activity by `source.ip` using Windows event IDs 4624 and 4625. The higher the number of failures, low success and multiple accounts the more suspicious the behavior is.
+"""
 integration = ["system"]
 uuid = "7bdea198-eb09-4eca-ae3d-bfc3b52c89a9"
-name = "Windows logon activity by source IP"
+name = "Windows Logon Activity by Source IP"
 language = "ES|QL"
 license = "Elastic License v2"
 notes = [
- "This hunt returns the total number of failed logons, successful ones and the number of unique account names grouped by source.ip.",
- "Pay close attention to IP addresses source of a high number of failures associated with low success attempts and high number of used accounts.",
+ "Pay close attention to IP address sources with a high number of failed connections associated with low success attempts and high number of user accounts.",
 ]
-mitre = [ "T1110", "T1110.001", "T1110.003",]
-
-query = '''
+mitre = [ "T1110", "T1110.001", "T1110.003"]
+query = [
+'''
 from logs-system.security-*
 | where @timestamp > now() - 7 day
-| where host.os.family == "windows" and
- event.category == "authentication" and event.action in ("logon-failed", "logged-in") and winlog.logon.type == "Network" and
- source.ip is not null and
- /* noisy failure status codes often associated to authentication misconfiguration */
+| where host.os.family == "windows" and
+ event.category == "authentication" and event.action in ("logon-failed", "logged-in") and winlog.logon.type == "Network" and
+ source.ip is not null and
+ /* noisy failure status codes often associated to authentication misconfiguration */
 not (event.action == "logon-failed" and winlog.event_data.Status in ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192"))
 | eval failed = case(event.action == "logon-failed", source.ip, null), success = case(event.action == "logged-in", source.ip, null)
 | stats count_failed = count(failed), count_success = count(success), count_user = count_distinct(winlog.event_data.TargetUserName) by source.ip
 /* below threshold should be adjusted to your env logon patterns */
 | where count_failed >= 100 and count_success <= 10 and count_user >= 20
-'''
\ No newline at end of file
+'''
+]
\ No newline at end of file
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
index 6019f522c45..0a5ee5c15a7 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/14"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-event.agent_id_status:*
+event.agent_id_status:* and not tags:forwarded
 '''
diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index 8b7f1512af9..2f004779966 100644
--- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 50
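Review bot: The noisy-status exclusion on the unchanged `not (event.action == "logon-failed" and winlog.event_data.Status in (...))` line mixes hex-prefix casing (`0xC000015B` beside `0XC000005E`), and ES|QL `in` on string values is an exact comparison, so whichever casing the integration emits for that field, part of this list cannot match and the corresponding failures stay in `count_failed`. Normalising both sides removes the ambiguity, e.g. `not (event.action == "logon-failed" and to_lower(winlog.event_data.Status) in ("0xc000015b", "0xc000005e", "0xc0000133", "0xc0000192"))`. The new description only says the hunt summarises activity by `source.ip`; the last `where` hard-codes 100 failures, 10 successes and 20 users and the comment telling the reader to adjust them is visible only inside the query, so a sentence in the description stating that these are starting thresholds would be useful.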
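Review bot: The new `not tags:forwarded` clause in the threshold query of `defense_evasion_agent_spoofing_multiple_hosts.toml` exempts every event carrying that tag from the agent-id/host-id correlation, and `tags` is populated from the event document rather than from the verified agent identity, so the exclusion is broader than the multi-host collectors (WEC, syslog forwarders) that presumably motivated it. The hunk changes only the query and `updated_date`; the rule's `note` and `false_positives` sections (outside this hunk) do not mention the new blind spot. Worth adding a sentence to the note explaining that forwarded events are excluded because a single collector legitimately reports for many hosts, and that the rule therefore does not cover agent spoofing on forwarded data.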
@@ -23,6 +23,27 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "high_distinct_count_error_message"
 name = "Spike in AWS Error Messages"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### AWS Integration Setup
+The AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “AWS” and select the integration to see more details about it.
+- Click “Add AWS”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “aws” to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).
+"""
 note = """## Triage and analysis
 ### Investigating Spike in AWS Error Messages
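Review bot: The step heading in the added `setup` block, `#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system:`, is a leftover from the System integration template; the integration being added is AWS, so it should read `#### The following steps should be executed in order to add the Elastic Agent AWS integration to your system:`. The same block, including the mix of curly `“Add AWS”` and straight `"aws"` quotes and the awkward `from which aws log files are desirable` (clearer: `on the host that should ship AWS logs`), is pasted verbatim into `ml_cloudtrail_rare_error_code.toml`, `ml_cloudtrail_rare_method_by_city.toml`, `ml_cloudtrail_rare_method_by_country.toml` and `ml_cloudtrail_rare_method_by_user.toml` in this commit, so fixing the template once is preferable to editing five copies. Since the `machine_learning_job_id` values and the file names all point at CloudTrail, the opening sentence `data coming in from AWS` would be more useful as `CloudTrail logs collected by the AWS integration`, if that is indeed the data stream the jobs read.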
@@ -76,10 +97,6 @@ This rule uses a machine learning job to detect a significant spike in the rate
 - Take the actions needed to return affected systems, data, or services to their normal operational levels.
 - Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-## Setup
-
-The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
index 0ebbb531d76..e77ba2624e4 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 50
@@ -23,6 +23,27 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_error_code"
 name = "Rare AWS Error Code"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### AWS Integration Setup
+The AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “AWS” and select the integration to see more details about it.
+- Click “Add AWS”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “aws” to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).
+"""
 note = """## Triage and analysis
 ### Investigating Rare AWS Error Code
@@ -78,10 +99,6 @@ Detection alerts from this rule indicate a rare and unusual error code that was
 - Take the actions needed to return affected systems, data, or services to their normal operational levels.
 - Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-## Setup
-
-The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
index 947265fdca3..be4f893c376 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 50
@@ -24,6 +24,27 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_city"
 name = "Unusual City For an AWS Command"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### AWS Integration Setup
+The AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “AWS” and select the integration to see more details about it.
+- Click “Add AWS”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “aws” to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).
+"""
 note = """## Triage and analysis
 ### Investigating Unusual City For an AWS Command
@@ -80,10 +101,6 @@ Detection alerts from this rule indicate an AWS API command or method call that
 - Take the actions needed to return affected systems, data, or services to their normal operational levels.
 - Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-## Setup
-
-The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
index 1cb446348cf..9a8b45d4c12 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 50
@@ -24,6 +24,27 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_country"
 name = "Unusual Country For an AWS Command"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### AWS Integration Setup
+The AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “AWS” and select the integration to see more details about it.
+- Click “Add AWS”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “aws” to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).
+"""
 note = """## Triage and analysis
 ### Investigating Unusual Country For an AWS Command
@@ -80,10 +101,6 @@ Detection alerts from this rule indicate an AWS API command or method call that
 - Take the actions needed to return affected systems, data, or services to their normal operational levels.
 - Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-## Setup
-
-The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index 88a65f6838a..f43c07ebbff 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 75
@@ -23,6 +23,27 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_username"
 name = "Unusual AWS Command for a User"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### AWS Integration Setup
+The AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “AWS” and select the integration to see more details about it.
+- Click “Add AWS”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “aws” to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).
+"""
 note = """## Triage and analysis
 ### Investigating Unusual AWS Command for a User
@@ -78,10 +99,6 @@ Detection alerts from this rule indicate an AWS API command or method call that
 - Take the actions needed to return affected systems, data, or services to their normal operational levels.
 - Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-## Setup
-
-The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
new file mode 100644
index 00000000000..4daf2866a7f
--- /dev/null
+++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
@@ -0,0 +1,138 @@ +[metadata] +creation_date = "2024/06/13" +integration = ["aws"] +maturity = "production" +updated_date = "2024/06/22" +min_stack_comments = "ES|QL rule type in technical preview as of 8.13" +min_stack_version = "8.13.0" + +[rule] +author = ["Elastic"] +description = """ +An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by +creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation +to create new programatic access keys for another IAM user. +""" +false_positives = [ + """ + While this can be normal behavior, it should be investigated to ensure validity. + Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user. + """, +] +from = "now-10m" +language = "esql" +license = "Elastic License v2" +name = "AWS IAM User Created Access Keys For Another User" +note = """## Triage and analysis + +### Investigating AWS IAM User Created Access Keys For Another User + +AWS access keys created for IAM users or root user are long-term credentials that provide programatic access to AWS. +With access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new +set of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule) +to look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name. + + +#### Possible investigation steps + +- Identify both related accounts and their role in the environment. +- Review IAM permission policies for the user identities. +- Identify the applications or users that should use these accounts. +- Investigate other alerts associated with the accounts during the past 48 hours. 
+- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc. +- Contact the account owners and confirm whether they are aware of this activity. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the calling user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance? +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours. + - Determine what other API calls were made by the user. + - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users. + +### False positive analysis + +- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. + - Rotate user credentials + - Remove the newly created credentials from the affected user(s) +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. 
+ - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. + - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. + - Work with your IT teams to minimize the impact on business operations during these actions. +- Remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+""" +references = [ + "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/#iamcreateaccesskey", + "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence", + "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html", +] +risk_score = 47 +rule_id = "696015ef-718e-40ff-ac4a-cc2ba88dbeeb" +severity = "medium" +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "esql" + +query = ''' +from logs-aws.cloudtrail-* +| where event.provider == "iam.amazonaws.com" and event.action == "CreateAccessKey" and event.outcome == "success" and user.name != user.target.name +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + 
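Review bot: "programatic" is misspelled in both the description (`+to create new programatic access keys for another IAM user.`) and the note (`+AWS access keys created for IAM users or root user are long-term credentials that provide programatic access to AWS.`); both should read "programmatic". In the ES|QL query, `user.name != user.target.name` evaluates to null when `user.target.name` is absent, and the `WHERE` then drops the row; if the integration maps the optional `UserName` request parameter to `user.target.name` (worth confirming), that means a user creating a key for themselves is excluded by design rather than by an explicit check, which deserves a sentence in the note so it is not later mistaken for a detection gap. The `tags` list orders `Tactic: Privilege Escalation` before `Tactic: Persistence` while the `[[rule.threat]]` blocks are in the opposite order; harmless, but a consistent order makes review easier.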
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
new file mode 100644
index 00000000000..f7cca9246a5
--- /dev/null
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
@@ -0,0 +1,125 @@ +[metadata] +creation_date = "2024/06/17" +integration = ["okta"] +maturity = "production" +min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview." +min_stack_version = "8.13.0" +updated_date = "2024/06/20" + +[rule] +author = ["Elastic"] +description = """ +Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. +""" +false_positives = [ + "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", + "Shared systems such as Kiosks and conference room computers may be used by multiple users.", +] +from = "now-9m" +language = "esql" +license = "Elastic License v2" +name = "Multiple Okta User Authentication Events with Client Address" +note = """## Triage and analysis + +### Investigating Multiple Okta User Authentication Events with Client Address + +This rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack. + +#### Possible investigation steps: +Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity. 
+- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields. +- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields. +- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy. + - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying. +- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful. + - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context. +- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field. + - Historical analysis should indicate if this device token hash is commonly associated with the user. +- Review the `okta.event_type` field to determine the type of authentication event that occurred. + - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons. + - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying. + - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API. +- Examine the `okta.outcome.result` field to determine if the authentication was successful. +- Review the past activities of the actor(s) involved in this action by checking their previous actions. +- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity. 
+ - This may help determine the authentication and authorization actions that occurred between the user, Okta and application. + +### False positive analysis: +- A user may have legitimately started a session via a proxy for security or privacy reasons. +- Users may share an endpoint related to work or personal use in which separate Okta accounts are used. + - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons. + - Shared systems such as Kiosks and conference room computers may be used by multiple users. + - Shared working spaces may have a single endpoint that is used by multiple users. + +### Response and remediation: +- Review the profile of the users involved in this action to determine if proxy usage may be expected. +- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required. +- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA). + - If MFA is already enabled, consider resetting MFA for the users. +- If any of the users are not legitimate, consider deactivating the user's account. +- Conduct a review of Okta policies and ensure they are in accordance with security best practices. +- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user. + - If so, confirm with the user this was a legitimate request. + - If so and this was not a legitimate request, consider deactivating the user's account temporarily. + - Reset passwords and reset MFA for the user. +- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule. + - This will prevent future occurrences of this event for this device from triggering the rule. 
+ - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule. + - This should be done with caution as it may prevent legitimate alerts from being generated. +""" +references = [ + "https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/" +] +risk_score = 21 +rule_id = "94e734c0-2cda-11ef-84e1-f661ea17fbce" +setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule." +severity = "low" +tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"] +timestamp_override = "event.ingested" +type = "esql" + +query = ''' +FROM logs-okta* +| WHERE + event.dataset == "okta.system" + AND (event.action == "user.session.start" OR event.action RLIKE "user\\.authentication(.*)") + AND okta.outcome.reason == "INVALID_CREDENTIALS" +| STATS + source_auth_count = COUNT_DISTINCT(okta.actor.id) + BY okta.client.ip, okta.actor.alternate_id +| WHERE + source_auth_count > 5 +| SORT + source_auth_count DESC +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + + [[rule.threat.technique.subtechnique]] + id = "T1110.003" + name = "Password Spraying" + reference = "https://attack.mitre.org/techniques/T1110/003/" + +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + + [[rule.threat.technique.subtechnique]] + id = "T1110.004" + name = 
"Credential Stuffing" + reference = "https://attack.mitre.org/techniques/T1110/004/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml new file mode 100644 index 00000000000..e1ee710f552 --- /dev/null +++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml 
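Review bot: The `STATS` clause groups by `okta.actor.alternate_id` as well as `okta.client.ip`, so `COUNT_DISTINCT(okta.actor.id)` is computed per user and, as far as I can tell from ES|QL grouping semantics, can hardly exceed one unless several actor ids share one alternate id; `source_auth_count > 5` is therefore unlikely to ever fire, and the "multiple users from the same client address" intent is not what the query measures. Grouping by the source alone, `BY okta.client.ip`, makes the count what the rule name and description promise; the pivot advice in the note that relies on `okta.actor.alternate_id` being present in the alert would then need rewording. The same pattern is in the next hunk (`credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml`, `BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id` with `target_auth_count > 20`), where dropping `okta.actor.alternate_id` from the BY clause has the same effect.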
@@ -0,0 +1,124 @@ +[metadata] +creation_date = "2024/06/17" +integration = ["okta"] +maturity = "production" +min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview." +min_stack_version = "8.13.0" +updated_date = "2024/06/20" + +[rule] +author = ["Elastic"] +description = """ +Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. +""" +false_positives = [ + "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", + "Shared systems such as Kiosks and conference room computers may be used by multiple users.", +] +from = "now-9m" +language = "esql" +license = "Elastic License v2" +name = "Multiple Okta User Authentication Events with Same Device Token Hash" +note = """## Triage and analysis + +### Investigating Multiple Okta User Authentication Events with Same Device Token Hash + +This rule detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack. + +#### Possible investigation steps: +- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity. 
+- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields. +- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields. +- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy. + - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying. +- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful. + - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context. +- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field. + - Historical analysis should indicate if this device token hash is commonly associated with the user. +- Review the `okta.event_type` field to determine the type of authentication event that occurred. + - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons. + - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying. +- Examine the `okta.outcome.result` field to determine if the authentication was successful. +- Review the past activities of the actor(s) involved in this action by checking their previous actions. +- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity. + - This may help determine the authentication and authorization actions that occurred between the user, Okta and application. 
+ +### False positive analysis: +- A user may have legitimately started a session via a proxy for security or privacy reasons. +- Users may share an endpoint related to work or personal use in which separate Okta accounts are used. + - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons. + - Shared systems such as Kiosks and conference room computers may be used by multiple users. + - Shared working spaces may have a single endpoint that is used by multiple users. + +### Response and remediation: +- Review the profile of the users involved in this action to determine if proxy usage may be expected. +- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required. +- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA). + - If MFA is already enabled, consider resetting MFA for the users. +- If any of the users are not legitimate, consider deactivating the user's account. +- Conduct a review of Okta policies and ensure they are in accordance with security best practices. +- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user. + - If so, confirm with the user this was a legitimate request. + - If so and this was not a legitimate request, consider deactivating the user's account temporarily. + - Reset passwords and reset MFA for the user. +- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule. + - This will prevent future occurrences of this event for this device from triggering the rule. 
+""" +references = [ + "https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/" +] +risk_score = 21 +rule_id = "95b99adc-2cda-11ef-84e1-f661ea17fbce" +setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule." +severity = "low" +tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"] +timestamp_override = "event.ingested" +type = "esql" + +query = ''' +FROM logs-okta* +| WHERE + event.dataset == "okta.system" + AND (event.action RLIKE "user\\.authentication(.*)" OR event.action == "user.session.start") + AND okta.debug_context.debug_data.dt_hash != "-" + AND okta.outcome.reason == "INVALID_CREDENTIALS" +| STATS + target_auth_count = COUNT_DISTINCT(okta.actor.id) + BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id +| WHERE + target_auth_count > 20 +| SORT + target_auth_count DESC +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + + [[rule.threat.technique.subtechnique]] + id = "T1110.003" + name = "Password Spraying" + reference = "https://attack.mitre.org/techniques/T1110/003/" + +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + + [[rule.threat.technique.subtechnique]] + id = "T1110.004" + name = "Credential Stuffing" + reference = "https://attack.mitre.org/techniques/T1110/004/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = 
"https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml b/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml new file mode 100644 index 00000000000..f9f9898d733 --- /dev/null +++ b/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml 
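Review bot: `setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."` promises that Filebeat-module data works, but the query reads only `FROM logs-okta*`; the KQL rule converted in the later geolocation hunk (L292) had to list `filebeat-*` separately, which suggests Filebeat-module data would not be picked up by this ES|QL rule. Either widen the source (`FROM logs-okta*, filebeat-*`, relying on the existing `event.dataset == "okta.system"` filter) or narrow the setup text to the Fleet integration. The identical setup string and FROM clause appear in the previous and next Okta hunks (`..._from_single_source.toml` and `..._multiple_device_token_hashes_for_single_user.toml`). The rule name says "Same Device Token Hash" but the description never mentions the device token hash; adding `sharing the same device token hash` to the description would make alerts self-explanatory.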
@@ -0,0 +1,127 @@ +[metadata] +creation_date = "2024/06/17" +integration = ["okta"] +maturity = "production" +min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview." +min_stack_version = "8.13.0" +updated_date = "2024/06/20" + +[rule] +author = ["Elastic"] +description = """ +Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. +""" +false_positives = [ + "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", + "Shared systems such as Kiosks and conference room computers may be used by multiple users.", +] +from = "now-9m" +language = "esql" +license = "Elastic License v2" +name = "High Number of Okta Device Token Cookies Generated for Authentication" +note = """## Triage and analysis + +### Investigating High Number of Okta Device Token Cookies Generated for Authentication + +This rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack. + +#### Possible investigation steps: +- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity. 
+- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields. +- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields. +- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy. + - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying. +- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful. + - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context. +- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field. + - Historical analysis should indicate if this device token hash is commonly associated with the user. +- Review the `okta.event_type` field to determine the type of authentication event that occurred. + - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons. + - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying. + - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API. +- Examine the `okta.outcome.result` field to determine if the authentication was successful. +- Review the past activities of the actor(s) involved in this action by checking their previous actions. +- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity. 
+ - This may help determine the authentication and authorization actions that occurred between the user, Okta and application. + +### False positive analysis: +- A user may have legitimately started a session via a proxy for security or privacy reasons. +- Users may share an endpoint related to work or personal use in which separate Okta accounts are used. + - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons. + - Shared systems such as Kiosks and conference room computers may be used by multiple users. + - Shared working spaces may have a single endpoint that is used by multiple users. + +### Response and remediation: +- Review the profile of the users involved in this action to determine if proxy usage may be expected. +- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required. +- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA). + - If MFA is already enabled, consider resetting MFA for the users. +- If any of the users are not legitimate, consider deactivating the user's account. +- Conduct a review of Okta policies and ensure they are in accordance with security best practices. +- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user. + - If so, confirm with the user this was a legitimate request. + - If so and this was not a legitimate request, consider deactivating the user's account temporarily. + - Reset passwords and reset MFA for the user. +- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule. + - This will prevent future occurrences of this event for this device from triggering the rule. 
+ - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule. + - This should be done with caution as it may prevent legitimate alerts from being generated. +""" +references = [ + "https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/" +] +risk_score = 21 +rule_id = "23f18264-2d6d-11ef-9413-f661ea17fbce" +setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule." +severity = "low" +tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"] +timestamp_override = "event.ingested" +type = "esql" + +query = ''' +FROM logs-okta* +| WHERE + event.dataset == "okta.system" + AND (event.action RLIKE "user\\.authentication(.*)" OR event.action == "user.session.start") + AND okta.debug_context.debug_data.request_uri == "/api/v1/authn" + AND okta.outcome.reason == "INVALID_CREDENTIALS" +| STATS + source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) + BY okta.client.ip, okta.actor.alternate_id +| WHERE + source_auth_count >= 30 +| SORT + source_auth_count DESC +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + + [[rule.threat.technique.subtechnique]] + id = "T1110.003" + name = "Password Spraying" + reference = "https://attack.mitre.org/techniques/T1110/003/" + +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = 
"https://attack.mitre.org/techniques/T1110/" + + [[rule.threat.technique.subtechnique]] + id = "T1110.004" + name = "Credential Stuffing" + reference = "https://attack.mitre.org/techniques/T1110/004/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml index 66d93c49bf5..d141880ba59 100644 --- a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml +++ b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml 
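Review bot: The "Investigating" paragraph of the note (`+This rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address.`) was carried over from the single-source rule and does not describe this one, whose query counts distinct `okta.debug_context.debug_data.dt_hash` values per `okta.client.ip` and `okta.actor.alternate_id`; it should say that the rule fires when one client address produces many device token hashes while failing authentication as a single user. The two `false_positives` entries and the "False positive analysis" bullets about shared endpoints are likewise copied and do not explain a high device-token-hash count for one user, so they need rewriting for this rule. The threshold is `source_auth_count >= 30` while the sibling Okta rules use a strict `>`; aligning the comparison style, or noting why this one is inclusive, would avoid confusion when tuning.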
@@ -2,51 +2,99 @@ creation_date = "2023/11/18" integration = ["okta"] maturity = "production" -min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" -min_stack_version = "8.10.0" -updated_date = "2023/11/18" - +min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview." +min_stack_version = "8.13.0" +updated_date = "2024/06/20" [rule] author = ["Elastic"] description = """ -Detects when a specific Okta actor has multiple sessions started from different geolocations. +Detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to +launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from +different locations. """ from = "now-30m" interval = "15m" -index = ["filebeat-*", "logs-okta*"] -language = "kuery" +language = "esql" license = "Elastic License v2" name = "Okta User Sessions Started from Different Geolocations" -note = """## Setup +note = """ + +## Triage and analysis + +### Investigating Okta User Sessions Started from Different Geolocations + +This rule detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations. -The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +#### Possible investigation steps: +- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.id` values can be used to pivot into the raw authentication events related to this alert. +- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields. 
+- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields. +- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field. + - Historical analysis should indicate if this device token hash is commonly associated with the user. +- Review the `okta.event_type` field to determine the type of authentication event that occurred. + - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons. + - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying. + - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API. +- Review the past activities of the actor(s) involved in this action by checking their previous actions. +- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity. + - This may help determine the authentication and authorization actions that occurred between the user, Okta and application. + +### False positive analysis: +- It is very rare that a legitimate user would have multiple sessions started from different geo-located countries in a short time frame. + +### Response and remediation: +- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required. +- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA). + - If MFA is already enabled, consider resetting MFA for the users. +- If any of the users are not legitimate, consider deactivating the user's account. 
+- Conduct a review of Okta policies and ensure they are in accordance with security best practices. +- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user. + - If so, confirm with the user this was a legitimate request. + - If so and this was not a legitimate request, consider deactivating the user's account temporarily. + - Reset passwords and reset MFA for the user. +- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule. + - This will prevent future occurrences of this event for this device from triggering the rule. + - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule. + - This should be done with caution as it may prevent legitimate alerts from being generated. +""" references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", - "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/" + "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/", ] risk_score = 47 rule_id = "2e56e1bc-867a-11ee-b13e-f661ea17fbcd" +setup = """ +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+""" severity = "medium" tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"] timestamp_override = "event.ingested" -type = "threshold" +type = "esql" + query = ''' -event.dataset:okta.system and okta.event_type:user.session.start and not okta.security_context.is_proxy:true - and okta.actor.id:* and client.geo.country_name:* +FROM logs-okta* +| WHERE + event.dataset == "okta.system" + AND (event.action RLIKE "user\\.authentication(.*)" OR event.action == "user.session.start") + AND okta.security_context.is_proxy != true and okta.actor.id != "unknown" + AND event.outcome == "success" +| STATS + geo_auth_counts = COUNT_DISTINCT(client.geo.country_name) + BY okta.actor.id, okta.actor.alternate_id +| WHERE + geo_auth_counts >= 2 ''' [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" @@ -56,11 +104,3 @@ reference = "https://attack.mitre.org/techniques/T1078/004/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - -[rule.threshold] -field = ["okta.actor.id"] -value = 1 - -[[rule.threshold.cardinality]] -field = "client.geo.country_name" -value = 2 diff --git a/rules/linux/discovery_yum_dnf_plugin_detection.toml b/rules/linux/discovery_yum_dnf_plugin_detection.toml new file mode 100644 index 00000000000..61a81cc9cfa --- /dev/null +++ b/rules/linux/discovery_yum_dnf_plugin_detection.toml 
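Review bot: The new ES|QL filter `okta.security_context.is_proxy != true` drops every event in which that field is absent, because (as I read ES|QL's null handling) a comparison with a null operand yields null and `WHERE` keeps only rows that evaluate to true; the KQL it replaces, `not okta.security_context.is_proxy:true`, kept those events, so coverage silently narrows for sources that do not populate the field. Preserving the old semantics is one line: `AND (okta.security_context.is_proxy IS NULL OR okta.security_context.is_proxy != true)`. The investigation step also says `okta.client.id` can be used to pivot into the raw events, but `STATS ... BY okta.actor.id, okta.actor.alternate_id` only carries the actor fields into the alert, so either add that field to the grouping or reword the step to name the fields that are actually present. The lower-case `and` on the `is_proxy` line reads as a typo against the upper-case keywords used elsewhere in the query, and the description's sentence about "a list of known usernames and passwords" is copied from the password-spraying rule and does not describe what this rule detects.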
@@ -0,0 +1,76 @@
+[metadata]
+creation_date = "2024/06/25"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2024/06/25"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is
+used to search for YUM/DNF configurations and/or plugins with an enabled state. This behavior may indicate an
+attacker is attempting to establish persistence in a YUM or DNF plugin.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Yum/DNF Plugin Status Discovery"
+references = [
+ "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb",
+ "https://pwnshift.github.io/2020/10/01/persistence.html"
+]
+risk_score = 21
+rule_id = "78390eb5-c838-4c1d-8240-69dd7397cfb7"
+setup = """## Setup
+This rule requires data coming in from Elastic Defend.
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
+process.name == "grep" and process.args : "plugins*" and process.args : (
+ "/etc/yum.conf", "/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*",
+ "/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/*", "/etc/dnf/dnf.conf"
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
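Review bot: The query only matches `process.name == "grep"`, so the same status check issued through `egrep` or `fgrep` (separate wrapper scripts or symlinks on most distributions) is not covered; `process.name in ("grep", "egrep", "fgrep")` would close that gap at no cost, and the description should state that other readers of these files are out of scope. The `setup` text links `fleet/8.10/agent-policy.html` while the ML rules in this same commit link `fleet/current/agent-policy.html`; the pinned version will go stale and should be changed to `current`, which also applies to the persistence rule added below. The `setup` block here also omits the blank lines between sections that the persistence rule's otherwise identical block has, so the two render differently in Kibana.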
diff --git a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
new file mode 100644
index 00000000000..6ca712181da
--- /dev/null
+++ b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
@@ -0,0 +1,108 @@
+[metadata]
+creation_date = "2024/06/25"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2024/06/25"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater,
+Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions
+for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can
+backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued
+unauthorized access or control each time Yum is used for package management.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.file*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Yum Package Manager Plugin File Creation"
+references = ["https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb"]
+risk_score = 21
+rule_id = "0b15bcad-aff1-4250-a5be-5d1b7eb56d07"
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+file where host.os.type == "linux" and event.action in ("rename", "creation") and
+file.path : ("/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*") and not (
+ process.executable in (
+ "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", "/usr/bin/microdnf", "/bin/rpm",
+ "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", "/bin/dnf", "/usr/bin/dnf",
+ "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", "/sbin/apk", "/usr/sbin/apk",
+ "/usr/local/sbin/apk", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet",
+ "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", "/bin/autossl_check",
+ "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd",
+ "/usr/libexec/netplan/generate"
+ ) or
+ process.name == "yumBackend.py" or
+ file.extension in ("swp", "swpx", "swx") or
+ process.executable : (
+ "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/*", "/usr/libexec/*",
+ "/etc/kernel/*"
+ ) or
+ process.executable == null or
+ (process.name == "sed" and file.name : "sed*") or
+ (process.name == "perl" and file.name : "e2scrub_all.tmp*")
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
index 11ced2586f4..debaac79b06 100644
--- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
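Review bot: The `process.executable in (...)` exclusion list repeats `"/bin/podman", "/usr/bin/podman"`, and its `"/dev/fd/*"` entry is a literal string under `in`, which is an exact comparison in EQL, so it can never match a real path; the wildcard form is already in the `process.executable : (...)` list below, so all three entries can simply be dropped. The `"/usr/lib/*"` wildcard exclusion is broad relative to the monitored `/usr/lib/yum-plugins/*` path and would be better narrowed to the helpers it is meant to cover (for example `"/usr/lib/snapd/*"`), with the reason recorded in the description. `process.executable == null` also exempts every event that lacks an executable, which is a deliberate trade-off that the description should state so that tuners do not re-add it by accident. The `persistence_yum_package_manager_plugin_file_creation.toml` hunk is where these apply; the dns_tunneling date bump sharing this line needs nothing.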
@@ -24,6 +24,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "packetbeat_dns_tunneling"
 name = "DNS Tunneling"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Network Packet Capture
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Network Packet Capture Integration Setup
+The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
+- Click “Add Network Packet Capture”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
+"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9"
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
index 7a933193649..57cef36eac2 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
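Review bot: The Network Packet Capture steps use typographic quotes (“Add integrations”, “Save and Continue”) while the Elastic Defend steps just above them use straight quotes; readers copy these labels into the Kibana search bar, so normalise the block to straight quotes, e.g. `- Go to the Kibana home page and click "Add integrations".`. The sentence `deploy the agent on your system from which network log files are desirable` reads awkwardly; `deploy the agent on the hosts whose network traffic you want to capture` says the same thing plainly. The identical `setup` block is added to the rare_dns_question, rare_urls and rare_user_agent rules in this commit, so the same fix applies to all four hunks.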
@@ -27,6 +27,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "packetbeat_rare_dns_question"
 name = "Unusual DNS Activity"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Network Packet Capture
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Network Packet Capture Integration Setup
+The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
+- Click “Add Network Packet Capture”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
+"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "746edc4c-c54c-49c6-97a1-651223819448"
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
index f5f645da58c..7e7f50eccfe 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
@@ -30,6 +30,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "packetbeat_rare_urls"
 name = "Unusual Web Request"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Network Packet Capture
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Network Packet Capture Integration Setup
+The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
+- Click “Add Network Packet Capture”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
+"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9"
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
index 80d1ea8c12a..92fe092fe32 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
@@ -28,6 +28,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "packetbeat_rare_user_agent"
 name = "Unusual Web User Agent"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Network Packet Capture
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Network Packet Capture Integration Setup
+The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
+- Click “Add Network Packet Capture”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
+"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0"
diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
index b1686ca28d2..254e2a72443 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 75
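Review bot: The Network Packet Capture steps heading says `add the Elastic Agent System integration "network_traffic"`, but this is not the System integration; the heading looks copied from the System template and should read `add the Elastic Agent integration "network_traffic"` (the Auditd Manager headings in the other setup hunks of this diff carry the same mislabel). Quoting is also mixed inside one string: the Elastic Defend section uses straight quotes (`"Add integrations"`) while the Network Packet Capture section uses typographic quotes (`“Add integrations”`); the text is rendered verbatim in the rule UI, so one form should be used throughout, again in every setup hunk of this diff. The closing bullet `deploy the agent on your system from which network log files are desirable` describes a packet-sniffing integration in terms of log files; `deploy the agent on the hosts whose network traffic should be captured` is more accurate. Finally, the job named in the context line, `packetbeat_rare_user_agent`, presumably needs decoded HTTP fields, so the `Review optional and advanced settings accordingly` bullet would be more useful if it named the protocol that must be enabled — worth confirming against the job's datafeed before adding it.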
@@ -23,6 +23,70 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "auth_high_count_logon_fails"
 name = "Spike in Failed Logon Events"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+- System
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+
+### System Integration Setup
+The System integration allows you to collect system logs and metrics from your servers with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “System” and select the integration to see more details about it.
+- Click “Add System”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).
+"""
 note = """## Triage and analysis
 
 ### Investigating Spike in Failed Logon Events
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
index 7bef2ab7db8..7c9569ca0b5 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
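Review bot: The Auditd Manager bullet `deploy the agent on a Linux system from which auditd log files are desirable` contradicts the section's own description that the integration `receives audit events from the Linux Audit Framework` and `subscribes to the kernel`; no log files are read, so `deploy the agent on the Linux hosts whose audit events should be collected` would match the rest of the section (the same wording recurs in the other auditd setup hunks of this diff). The intro also states `This rule requires the installation of associated Machine Learning jobs` without saying where the jobs come from or how to install them; the prebuilt ML jobs guide already listed under `references` in the sibling rule files of this diff is the natural link to add to the Anomaly Detection Setup paragraph. The enclosing `note` string continues outside the hunk.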
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 75
@@ -22,6 +22,70 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "auth_high_count_logon_events"
 name = "Spike in Logon Events"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+- System
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+
+### System Integration Setup
+The System integration allows you to collect system logs and metrics from your servers with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “System” and select the integration to see more details about it.
+- Click “Add System”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).
+"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9"
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
index a7db1669252..3305439fe96 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 75
@@ -22,6 +22,70 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "auth_high_count_logon_events_for_a_source_ip"
 name = "Spike in Successful Logon Events from a Source IP"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+- System
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+
+### System Integration Setup
+The System integration allows you to collect system logs and metrics from your servers with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “System” and select the integration to see more details about it.
+- Click “Add System”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).
+"""
 note = """## Triage and analysis
 
 ### Investigating Spike in Successful Logon Events from a Source IP
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
index 99b868e36b7..25165dddda5 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
@@ -22,6 +22,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_rare_metadata_process"]
 name = "Unusual Linux Process Calling the Metadata Service"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 risk_score = 21
 rule_id = "9d302377-d226-4e12-b54c-1906b5aec4f6"
 severity = "low"
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
index c9b15fd4751..1e960dc1f49 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 75
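Review bot: The `Rule Specific Setup Note` closes with `For this detection rule no additional audit rules are required`, yet the job named in the context line, `v3_linux_rare_metadata_process`, is about processes calling the metadata service, which presumably depends on outbound-connection or syscall records that a default auditd configuration may not emit; the same boilerplate note appears in the metadata-user setup hunk that follows. If the job is expected to be fed by Elastic Defend network events rather than by auditd, the note should say so, e.g. `For this detection rule no additional audit rules are required when the Elastic Defend integration supplies the network events.`; otherwise the audit rule the datafeed relies on should be listed. This is inferred from the rule name and job id, so confirm against the job's datafeed before changing the text.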
@@ -22,6 +22,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_rare_metadata_user"]
 name = "Unusual Linux User Calling the Metadata Service"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 risk_score = 21
 rule_id = "1faec04b-d902-4f89-8aff-92cd9043c16f"
 severity = "low"
diff --git a/rules/ml/credential_access_ml_suspicious_login_activity.toml b/rules/ml/credential_access_ml_suspicious_login_activity.toml
index ce9acc37043..ee7a91db756 100644
--- a/rules/ml/credential_access_ml_suspicious_login_activity.toml
+++ b/rules/ml/credential_access_ml_suspicious_login_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
@@ -19,6 +19,70 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "suspicious_login_activity"
 name = "Unusual Login Activity"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+- System
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+
+### System Integration Setup
+The System integration allows you to collect system logs and metrics from your servers with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “System” and select the integration to see more details about it.
+- Click “Add System”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).
+"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2"
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
index 708f48dd65d..89ccc71f723 100644
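Review bot: The Auditd Manager and System sub-headings in the new `setup` string both read `#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:` (and `... "system" ...`), so the Auditd Manager steps are labelled as the System integration; the same template heading is reused in the setup hunks of credential_access_ml_windows_anomalous_metadata_process.toml, credential_access_ml_windows_anomalous_metadata_user.toml (for `"windows"`), discovery_ml_linux_system_information_discovery.toml, discovery_ml_linux_system_network_configuration_discovery.toml and discovery_ml_linux_system_network_connection_discovery.toml. Suggested wording: `#### The following steps should be executed in order to add the Auditd Manager integration "auditd_manager" to your system:`, with the matching `Windows integration "windows"` and `System integration "system"` forms. The Elastic Defend section also uses straight quotes (`"Add integrations"`) while the Auditd Manager and System sections use curly quotes (`“Add integrations”`); one form throughout keeps the rendered setup guide consistent and greppable. The `setup` string is entirely within this hunk, so no further context is needed to apply the change.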
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
@@ -22,6 +22,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_rare_metadata_process"]
 name = "Unusual Windows Process Calling the Metadata Service"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Windows
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Windows Integration Setup
+The Windows integration allows you to monitor the Windows OS, services, applications, and more.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Windows” and select the integration to see more details about it.
+- Click “Add Windows”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
+"""
 risk_score = 21
 rule_id = "abae61a8-c560-4dbd-acca-1e1438bff36b"
 severity = "low"
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
index 783424170e7..e9dc2c50862 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 75
@@ -22,6 +22,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_rare_metadata_user"]
 name = "Unusual Windows User Calling the Metadata Service"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Windows
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Windows Integration Setup
+The Windows integration allows you to monitor the Windows OS, services, applications, and more.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Windows” and select the integration to see more details about it.
+- Click “Add Windows”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
+"""
 risk_score = 21
 rule_id = "df197323-72a8-46a9-a08e-3f5b04a4a97a"
 severity = "low"
diff --git a/rules/ml/discovery_ml_linux_system_information_discovery.toml b/rules/ml/discovery_ml_linux_system_information_discovery.toml
index c796520526c..2e06a27dba8 100644
--- a/rules/ml/discovery_ml_linux_system_information_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_information_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 75
@@ -24,6 +24,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_system_information_discovery"]
 name = "Unusual Linux System Information Discovery Activity"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 risk_score = 21
 rule_id = "d4af3a06-1e0a-48ec-b96a-faf2309fae46"
 severity = "low"
diff --git a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
index 016916bf3cc..eae2bbef640 100644
--- a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 25
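Review bot: The Rule Specific Setup Note closes with `+- For this detection rule no additional audit rules are required.`, and that claim deserves confirmation for a discovery job: the Linux audit subsystem only emits syscall records for rules that have been loaded, so if `v3_linux_system_information_discovery` is fed by process-execution events from `auditd_manager`, an agent with no execve rule would contribute nothing from that integration and the anomaly job would baseline on Elastic Defend data alone. If that is the case the line should instead direct the reader to the integration's "audit rules" box with an execve syscall rule, or state explicitly that the no-rules claim holds only when Elastic Defend is the data source. The same closing line appears in the setup hunks of discovery_ml_linux_system_network_configuration_discovery.toml and discovery_ml_linux_system_network_connection_discovery.toml, where the jobs named in `machine_learning_job_id` are likewise process-based by name.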
@@ -24,6 +24,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_network_configuration_discovery"]
 name = "Unusual Linux Network Configuration Discovery"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 risk_score = 21
 rule_id = "f9590f47-6bd5-4a49-bd49-a2f886476fb9"
 severity = "low"
diff --git a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
index 240ea84f8e6..83d47f0cbe2 100644
--- a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 25
@@ -24,6 +24,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_network_connection_discovery"]
 name = "Unusual Linux Network Connection Discovery"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 risk_score = 21
 rule_id = "c28c4d8c-f014-40ef-88b6-79a1d67cd499"
 severity = "low"
diff --git a/rules/ml/discovery_ml_linux_system_process_discovery.toml b/rules/ml/discovery_ml_linux_system_process_discovery.toml
index 236077e3190..9eadd5f1c4b 100644
--- a/rules/ml/discovery_ml_linux_system_process_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_process_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
@@ -24,6 +24,56 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_linux_system_process_discovery"] name = "Unusual Linux Process Discovery Activity" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. +""" risk_score = 21 rule_id = "5c983105-4681-46c3-9890-0c66d05e776b" severity = "low" diff --git a/rules/ml/discovery_ml_linux_system_user_discovery.toml b/rules/ml/discovery_ml_linux_system_user_discovery.toml index fedcc03086d..c7ce566570c 100644 --- a/rules/ml/discovery_ml_linux_system_user_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_user_discovery.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 75 
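Review bot: The Elastic Defend steps in this `setup` string use straight quotes (`"Add integrations"`, `"Save and Continue"`) while the Auditd Manager steps a few lines later use curly quotes (`“Add integrations”`, `“Save and Continue”`); pick one style, preferably straight quotes since the rest of the TOML string is ASCII. The Auditd Manager step heading is a copy-paste artifact from the System integration text: `#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:` should read `#### The following steps should be executed in order to add the Elastic Agent integration "auditd_manager" to your system:`. The preset bullet `as a configuration setting, that provides "All events; all preventions"` reads better as `as the configuration preset, which provides "All events; all preventions".`. The "Rule Specific Setup Note" states that no additional audit rules are required but does not say which auditd event type the `v3_linux_system_process_discovery` job consumes; if the job scores process execution records, it is worth confirming that the default `auditd_manager` configuration delivers them without an execve audit rule, and saying so in the note so operators can verify data is actually arriving. The identical text is added in the hunks for discovery_ml_linux_system_user_discovery.toml, initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml, initial_access_ml_auth_rare_source_ip_for_a_user.toml, initial_access_ml_auth_rare_user_logon.toml and initial_access_ml_linux_anomalous_user_name.toml, and the Elastic Defend part recurs in execution_ml_windows_anomalous_script.toml.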
@@ -24,6 +24,56 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_linux_system_user_discovery"] name = "Unusual Linux User Discovery Activity" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. +""" risk_score = 21 rule_id = "59756272-1998-4b8c-be14-e287035c4d10" severity = "low" diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml index 6818f720d45..9bdf470104c 100644 --- a/rules/ml/execution_ml_windows_anomalous_script.toml +++ b/rules/ml/execution_ml_windows_anomalous_script.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
@@ -22,6 +22,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_script"] name = "Suspicious Powershell Script" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", 
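Review bot: The Windows integration section gives only generic install steps and never says which event source the `v3_windows_anomalous_script` job reads, so an operator who enables the integration with its default data streams has no way to check that the job is being fed; if the job scores PowerShell script content, it presumably also needs PowerShell Script Block Logging enabled on the hosts and the PowerShell event log data stream enabled in the integration policy — confirm against the job's datafeed before documenting it. If confirmed, add after the section's first sentence: `This rule's job analyzes PowerShell script events; ensure PowerShell Script Block Logging is enabled on monitored hosts and the PowerShell event log data stream is enabled in the Windows integration policy.`. The step `deploy the agent on your system from which windows log files are desirable` is awkward; `deploy the agent on the hosts whose Windows event logs you want to collect` is clearer, and the same phrasing recurs in the System integration sections of the later hunks.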
diff --git a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
index 5c318758f9f..53e05ffe3fd 100644
--- a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 75
@@ -18,6 +18,70 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "auth_rare_hour_for_a_user" name = "Unusual Hour for a User to Logon" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager +- System + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. + +### System Integration Setup +The System integration allows you to collect system logs and metrics from your servers with Elastic Agent. + +#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “System” and select the integration to see more details about it. +- Click “Add System”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system). +""" note = """## Triage and analysis ### Investigating Unusual Hour for a User to Logon diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml index 5a1520d9f3b..f6b95127b55 100644 --- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml 
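Review bot: The System integration section says only that it lets you `collect system logs and metrics from your servers`, which leaves the operator unable to tell which data stream the `auth_rare_hour_for_a_user` job depends on; a policy with only metrics enabled would silently leave the job without data. Presumably the job needs the authentication log stream (`system.auth` on Linux, the Security event log on Windows) — confirm against the job's datafeed and then add after that sentence: `For this rule, make sure the authentication log data stream is enabled in the System integration policy; metrics alone do not feed the job.`. The same section is added unchanged in the hunks for initial_access_ml_auth_rare_source_ip_for_a_user.toml and initial_access_ml_auth_rare_user_logon.toml, so the same sentence belongs there.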
+++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 75
@@ -19,6 +19,70 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "auth_rare_source_ip_for_a_user" name = "Unusual Source IP for a User to Logon from" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager +- System + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. + +### System Integration Setup +The System integration allows you to collect system logs and metrics from your servers with Elastic Agent. + +#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “System” and select the integration to see more details about it. +- Click “Add System”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system). +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "d4b73fa0-9d43-465e-b8bf-50230da6718b" diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml index 18af4302fd7..47a768779c8 100644 
--- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 75
@@ -25,6 +25,70 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "auth_rare_user" name = "Rare User Logon" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager +- System + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. + +### System Integration Setup +The System integration allows you to collect system logs and metrics from your servers with Elastic Agent. + +#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “System” and select the integration to see more details about it. +- Click “Add System”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system). +""" note = """## Triage and analysis ### Investigating Rare User Logon diff --git a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml index bc5582d144b..f95faf19706 100644 --- a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml 
+++ b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
@@ -28,6 +28,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_anomalous_user_name"]
 name = "Unusual Linux Username"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 note = """## Triage and analysis
 
 ### Investigating an Unusual Linux User
diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
index 7bae0eb9882..23fd8dfc046 100644
--- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
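Review bot: The Elastic Defend section recommends the "Complete EDR (Endpoint Detection and Response)" preset, described in the same bullet as "All events; all preventions", for a rule that only consumes telemetry, so a reader following this setup turns on every prevention as a side effect of onboarding a data source. Enabling preventions changes host behaviour and is a separate policy decision from feeding an anomaly detection job, and if the preset list in the UI still offers a collection-only option that is the one to name here. Suggest rewording the bullet to `- Any preset that collects all events is sufficient for this job; "Complete EDR" additionally enables every prevention, which should be decided separately after the policy has been validated on a pilot group.` The same template bullet is repeated in every setup block this commit adds, so the fix belongs in the shared template rather than this file alone.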
@@ -28,6 +28,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_anomalous_user_name"]
 name = "Unusual Windows Username"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Windows
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Windows Integration Setup
+The Windows integration allows you to monitor the Windows OS, services, applications, and more.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Windows” and select the integration to see more details about it.
+- Click “Add Windows”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
+"""
 note = """## Triage and analysis
 
 ### Investigating an Unusual Windows User
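Review bot: The heading `#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:` calls the Windows integration the "System integration", which is a separate package in the Elastic Agent catalog (the Rare User Logon setup earlier in this diff documents it under its own "System Integration Setup" heading), so a reader can reasonably conclude they are being sent to the wrong integration. Suggest `#### The following steps should be executed in order to add the Elastic Agent Windows integration to your system:`. The same "Elastic Agent System integration" template wording is reused for the auditd_manager and network_traffic sections in the other files of this commit and should be corrected there too.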
diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
index 66e6ed0a0d2..5fdd2d4a623 100644
--- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
@@ -23,6 +23,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_rare_user_type10_remote_login"]
 name = "Unusual Windows Remote User"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Windows
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Windows Integration Setup
+The Windows integration allows you to monitor the Windows OS, services, applications, and more.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Windows” and select the integration to see more details about it.
+- Click “Add Windows”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
+"""
 note = """## Triage and analysis
 
 ### Investigating an Unusual Windows User
diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml
index e953addcff0..c0f5fc17b56 100644
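Review bot: The setup presents Elastic Defend or the Windows integration as sufficient data sources, but the job id `v3_windows_rare_user_type10_remote_login` suggests it models Security-channel logon events (logon type 10), and with Elastic Agent that channel is typically shipped by the System integration's security data stream, which this setup neither lists nor documents; the Rare User Logon rule earlier in this diff does include a "System Integration Setup" section for exactly that reason. Please verify against the job's datafeed indices: if it reads the system security data stream, add `system` to the `integration` list and a System Integration Setup section mirroring that rule, otherwise state which Windows integration data stream must be enabled so the job is not started on an empty feed. The `integration` field lives in the `[metadata]` table, in the earlier hunk of this file.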
--- a/rules/ml/ml_high_count_network_denies.toml
+++ b/rules/ml/ml_high_count_network_denies.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/04/05"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 75
@@ -26,6 +26,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "high_count_network_denies"
 name = "Spike in Firewall Denies"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Network Packet Capture
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Network Packet Capture Integration Setup
+The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
+- Click “Add Network Packet Capture”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
+"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "eaa77d63-9679-4ce3-be25-3ba8b795e5fa"
diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml
index 1218c64e54e..edc03f65057 100644
--- a/rules/ml/ml_high_count_network_events.toml
+++ b/rules/ml/ml_high_count_network_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/04/05"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 75
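Review bot: The opening sentence states the job needs data "from one of the following integrations" and then lists only Elastic Defend and Network Packet Capture, but a firewall deny is a verdict recorded by the enforcing device, which a host EDR sensor or a packet sniffer does not normally observe as an explicit deny, so an operator who follows only these steps may start `high_count_network_denies` on a feed that contains no denies to model. Please check the job's datafeed: if it keys on deny/drop outcomes, the setup should name the firewall or ACL log integrations whose indices it reads, and the first sentence should read `as well as data coming in from a firewall or network ACL log source that is indexed by the job's datafeed` rather than presenting the two listed integrations as sufficient. An anomaly job started on an empty or unrepresentative feed does not fail, so this gap would be silent.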
@@ -25,6 +25,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "high_count_network_events"
 name = "Spike in Network Traffic"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Network Packet Capture
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Network Packet Capture Integration Setup
+The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
+- Click “Add Network Packet Capture”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
+"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "b240bfb8-26b7-4e5e-924e-218144a3fa71"
diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml
index 97ddd9a53ec..7fed0183b9e 100644
--- a/rules/ml/ml_linux_anomalous_network_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
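Review bot: The bullet `deploy the agent on your system from which network log files are desirable` is carried over from the log-shipping integrations and contradicts the section's own description, which says the Network Packet Capture integration sniffs packets on the host; it reads no log files, so the agent has to run on a host whose interfaces actually carry the traffic this job is meant to model, otherwise the job sees only that host's own chatter. Suggest `- Add the newly installed "network_traffic" to an existing or a new agent policy, and deploy the agent on a host whose network interfaces carry the traffic you want the job to model.` The same bullet appears in the Spike in Firewall Denies setup added by this commit.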
@@ -19,6 +19,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_anomalous_network_activity"]
 name = "Unusual Linux Network Activity"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 note = """## Triage and analysis
 
 ### Investigating Unusual Network Activity
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml
index 8b0838f66cb..140a8bc735f 100644
--- a/rules/ml/ml_linux_anomalous_network_port_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
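Review bot: The Rule Specific Setup Note ends with `- For this detection rule no additional audit rules are required.`, but the Linux audit subsystem only emits syscall records when a loaded rule asks for them, and a job named `v3_linux_anomalous_network_activity` presumably models socket/connect activity, so an Auditd Manager-only deployment configured exactly as written would feed this rule nothing while the job still starts cleanly. Unless the datafeed is confirmed to use a record type auditd produces unconditionally, the bullet should instead say that when Auditd Manager is the only data source a syscall rule such as `-a always,exit -F arch=b64 -S socket,connect,accept,bind -k network` (plus the arch=b32 equivalent on mixed hosts) must be entered in the "audit rules" box. The preceding sentence claiming Auditd Manager receives events "without any additional configuration" should be qualified the same way, since it is true only for records that are not syscall-driven.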
@@ -18,6 +18,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_anomalous_network_port_activity"]
 name = "Unusual Linux Network Port Activity"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0"
diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml
index f8623cc1f77..653e4cc3226 100644
--- a/rules/ml/ml_packetbeat_rare_server_domain.toml
+++ b/rules/ml/ml_packetbeat_rare_server_domain.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
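Review bot: `- For this detection rule no additional audit rules are required.` is unlikely to hold for a job keyed on network port activity: with no audit rules loaded, auditd does not report bind, listen or connect syscalls, so port usage is invisible to Auditd Manager and the job would in practice depend entirely on Elastic Defend data despite the setup listing either integration as sufficient. Either confirm that the datafeed for `v3_linux_anomalous_network_port_activity` reads data auditd emits without rules, or change the bullet to require a rule such as `-a always,exit -F arch=b64 -S bind,listen,connect -k network_ports` in the "audit rules" box when Auditd Manager is the only source. The sentence above it, which says Auditd Manager receives events without any additional configuration, should carry the same caveat so the two statements do not contradict each other.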
@@ -27,6 +27,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "packetbeat_rare_server_domain"
 name = "Unusual Network Destination Domain Name"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "17e68559-b274-4948-ad0b-f8415bb31126"
diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml
index b496dfbd435..3f293cd15f6 100644
--- a/rules/ml/ml_rare_destination_country.toml
+++ b/rules/ml/ml_rare_destination_country.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/04/05"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 75
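Review bot: The new Auditd Manager step heading, `#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:`, carries the word "System" from what looks like the System-integration template; it should read `…add the Elastic Agent integration "auditd_manager"…`. The section also switches from the straight quotes used in the Elastic Defend steps (`"Add integrations"`) to curly quotes (`“Add integrations”`), and the `- We suggest selecting "Complete EDR …"` bullet is the only one without a terminating period. Both points recur in every setup block in this change — ml_rare_destination_country.toml, ml_spike_in_traffic_to_a_country.toml, ml_windows_anomalous_network_activity.toml, persistence_ml_linux_anomalous_process_all_hosts.toml, persistence_ml_rare_process_by_host_linux.toml, persistence_ml_rare_process_by_host_windows.toml and persistence_ml_windows_anomalous_path_activity.toml — so fixing the shared template once before it is pasted into each rule would cover all of them. It is also not obvious how Auditd Manager supplies the destination-domain data a job named `packetbeat_rare_server_domain` consumes; if its datafeed only reads network or DNS events, the Auditd section documents an integration that cannot feed this rule, which is worth confirming before it ships.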
@@ -29,6 +29,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_destination_country"
 name = "Network Traffic to Rare Destination Country"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Network Packet Capture
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Network Packet Capture Integration Setup
+The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
+- Click “Add Network Packet Capture”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
+"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "35f86980-1fb1-4dff-b311-3be941549c8d"
diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml
index 9066dda2475..9ca8cdd35e3 100644
--- a/rules/ml/ml_spike_in_traffic_to_a_country.toml
+++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/04/05"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 75
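Review bot: The Network Packet Capture section never says which of the integration's protocol data streams the `rare_destination_country` job's datafeed reads, so an operator can complete every step with a policy that captures the wrong protocols and end up with a job that runs on no data. Presumably the flow data stream is what supplies destination geo information here, but that should be checked against the job definition and then stated, e.g. `- Ensure the data stream(s) this job relies on (TODO: confirm against the datafeed) are enabled in the integration policy.` The second sentence of the description paragraph (`Monitoring the network traffic is critical … performance and security.`) is product copy rather than setup guidance and could be dropped. The same applies to the identical section in ml_spike_in_traffic_to_a_country.toml.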
@@ -27,6 +27,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "high_count_by_destination_country"
 name = "Spike in Network Traffic To a Country"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Network Packet Capture
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Network Packet Capture Integration Setup
+The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
+- Click “Add Network Packet Capture”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
+"""
 note = """## Triage and analysis
 ### Investigating Spike in Network Traffic To a Country
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index 56b7637a327..a17357a1673 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 50
@@ -20,6 +20,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_anomalous_network_activity"]
 name = "Unusual Windows Network Activity"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Windows
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Windows Integration Setup
+The Windows integration allows you to monitor the Windows OS, services, applications, and more.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Windows” and select the integration to see more details about it.
+- Click “Add Windows”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
+"""
 note = """## Triage and analysis
 ### Investigating Unusual Network Activity
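Review bot: The Windows section stops at `The Windows integration allows you to monitor the Windows OS, services, applications, and more.` and never names the event source the `v3_windows_anomalous_network_activity` job needs, so a reader can follow every step and still feed the job nothing. Elastic Defend presumably covers this on its own, but through the Windows integration the network-connection events would, as far as I recall its data streams, come from the Sysmon operational log, which may not be enabled by default; that should be confirmed and then stated, e.g. `- Enable the data stream that carries network connection events (TODO: confirm, likely Sysmon operational) in the integration policy.` The same gap is in the Windows sections of persistence_ml_rare_process_by_host_windows.toml and persistence_ml_windows_anomalous_path_activity.toml, whose jobs need process events rather than network events.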
diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
index 8de5f286491..3df45d5fb94 100644
--- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
+++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 50
@@ -23,6 +23,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_anomalous_process_all_hosts"]
 name = "Anomalous Process For a Linux Population"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 note = """## Triage and analysis
 ### Investigating Anomalous Process For a Linux Population
diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml
index 224077d6f73..0361a75d0d9 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 50
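Review bot: `- For this detection rule no additional audit rules are required.` is a strong claim for a process-based job (`v3_linux_anomalous_process_all_hosts`): process executions generally reach auditd only through an execve syscall rule, so an operator who follows this section without Elastic Defend may end up with a job that runs but never sees a process event. Either confirm against the job's datafeed that the integration's default event set is enough and say so, or replace the bullet with the audit rule the job needs and point at the "audit rules" box mentioned two lines above. The identical bullet is in persistence_ml_rare_process_by_host_linux.toml (job `v3_rare_process_by_host_linux`) and should get the same treatment.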
@@ -23,6 +23,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_rare_process_by_host_linux"]
 name = "Unusual Process For a Linux Host"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 note = """## Triage and analysis
 ### Investigating Unusual Process For a Linux Host
diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
index 280215b6f2f..ecc0bb7c736 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [transform]
 [[transform.osquery]]
@@ -49,6 +49,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_rare_process_by_host_windows"]
 name = "Unusual Process For a Windows Host"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Windows
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Windows Integration Setup
+The Windows integration allows you to monitor the Windows OS, services, applications, and more.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Windows” and select the integration to see more details about it.
+- Click “Add Windows”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
+"""
 note = """## Triage and analysis
 ### Investigating Unusual Process For a Windows Host
diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
index dbcb5d48cfd..39a9d623f10 100644
--- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 50
@@ -25,6 +25,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_path_activity"] name = "Unusual Windows Path Activity" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5" 
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
index b3a28a2b751..b80a807ed66 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [transform]
 [[transform.osquery]]
@@ -49,6 +49,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_process_all_hosts"] name = "Anomalous Process For a Windows Population" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" note = """## Triage and analysis ### Investigating Anomalous Process For a Windows Population 
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
index e7d43de5ed1..1e1a7b527f0 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [transform]
 [[transform.osquery]]
@@ -52,6 +52,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_process_creation"] name = "Anomalous Windows Process Creation" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" note = """## Triage and analysis ### Investigating Anomalous Windows Process Creation 
diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml
index ebd2420f362..ac98225fd35 100644
--- a/rules/ml/persistence_ml_windows_anomalous_service.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
@@ -23,6 +23,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_service"] name = "Unusual Windows Service" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7" 
diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
index adc9dacabe5..6d718fc767f 100644
--- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
+++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 75
@@ -22,6 +22,56 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_linux_rare_sudo_user"] name = "Unusual Sudo Activity" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. +""" risk_score = 21 rule_id = "1e9fc667-9ff1-4b33-9f40-fefca8537eb0" severity = "low" diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml index 62175943783..a4a9a6cebe6 100644 --- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml +++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
@@ -23,6 +23,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_rare_user_runas_event"] name = "Unusual Windows User Privilege Elevation Activity" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8" 
diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
index ca7bed0a274..e3878144a51 100644
--- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
+++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
@@ -23,6 +23,56 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_linux_rare_user_compiler"] name = "Anomalous Linux Compiler Activity" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. +""" risk_score = 21 rule_id = "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530" severity = "low" diff --git a/rules/threat_intel/threat_intel_rapid7_threat_command.toml b/rules/threat_intel/threat_intel_rapid7_threat_command.toml index 85a6d0d45ed..fffdad302cf 100644 --- a/rules/threat_intel/threat_intel_rapid7_threat_command.toml +++ b/rules/threat_intel/threat_intel_rapid7_threat_command.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/29" integration = ["ti_rapid7_threat_command"] maturity = "production" -updated_date = "2024/06/12" +updated_date = "2024/06/20" [rule] author = ["Elastic"] @@ -76,7 +76,7 @@ tags = [ "Use Case: Asset Visibility", "Use Case: Continuous Monitoring", ] -threat_index = ["logs-ti_rapid7_threat_command_latest.ioc"] +threat_index = ["logs-ti_rapid7_threat_command_latest.vulnerability"] threat_indicator_path = "rapid7.tc.vulnerability" threat_language = "kuery" threat_query = """ 
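Review bot: The closing "Rule Specific Setup Note" asserts that no additional audit rules are required, yet this job (`v3_linux_rare_user_compiler`) is about process execution, and Auditd Manager only reports execve activity when a syscall rule is loaded — unlike Elastic Defend, which emits process events on its own. If that is right, the sentence makes an auditd-only deployment look healthy while the job receives nothing from those hosts. Consider replacing it with `- When Auditd Manager is the only data source, add an execve syscall rule (for example, -a always,exit -F arch=b64 -S execve,execveat -k exec) so process executions are reported; Elastic Defend needs no extra configuration.` I cannot see the job's datafeed or the `[rule]` table header from this hunk, so confirm which event categories the job consumes before changing the text.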
@@ -90,16 +90,16 @@ vulnerability.id : *
 '''
-[[rule.threat_filters]]
+[[rule.filters]]
-[rule.threat_filters."$state"]
+[rule.filters."$state"]
 store = "appState"
-[rule.threat_filters.meta]
+[rule.filters.meta]
 disabled = false
 key = "rapid7.tc.vulnerability.id"
 negate = true
 type = "exists"
-[rule.threat_filters.query.exists]
+[rule.filters.query.exists]
 field = "rapid7.tc.vulnerability.id"
 [[rule.threat_mapping]]
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 1ea0ba036ef..c08a1dd2422 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/15"
-integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ mailbox or archive to a .pst file. Adversaries may target user email to collect
 """
 false_positives = ["Legitimate exchange system administration activity."]
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Exporting Exchange Mailbox via PowerShell"
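Review bot: The hunk renames `[[rule.threat_filters]]` to `[[rule.filters]]` but nothing records why the negated `exists` filter on `rapid7.tc.vulnerability.id` now applies to the rule's source query instead of the threat index, so a later maintainer could move it back. If the intent is to keep documents that already carry the indicator field (the indicator documents themselves) out of the event side, a one-line comment above the table would settle it: `# Applied to the source query: drop events that already carry rapid7.tc.vulnerability.id so indicator documents cannot match themselves`. The `threat_index` change in the preceding `@@ -76,7 +76,7 @@` hunk, pointing at `logs-ti_rapid7_threat_command_latest.vulnerability`, agrees with `threat_indicator_path = "rapid7.tc.vulnerability"`, so the two changes look consistent with each other.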
@@ -74,7 +74,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index bec3e54b63b..19f06141311 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/10/14"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 [rule]
 author = ["Elastic"]
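Review bot: The setup text kept as context in this hunk still describes only the custom ingest pipeline requirement (its opening lines, and which integration they name, are outside the hunk), while the new `logs-m365_defender.event-*` index entry and the `Data Source: Microsoft Defender for Endpoint` tag arrive with no setup guidance at all. If the m365_defender event stream needs the same field normalization as SentinelOne for this query, the setup text should say so; if it does not, a line such as `Microsoft Defender for Endpoint events are consumed as shipped by the m365_defender integration and need no custom pipeline.` removes the guesswork. `min_stack_comments` likewise names only the SentinelOne breaking change, so a reader cannot tell whether 8.13.0 is also the floor for the Defender mapping. The same gap exists in the matching hunks of `credential_access_domain_backup_dpapi_private_keys.toml` and `execution_command_shell_started_by_unusual_process.toml` on this page.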
@@ -13,7 +13,7 @@ Identifies potential use of an SSH utility to establish RDP over a reverse SSH T
 enable routing of network packets that would otherwise not reach their intended destination.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Tunneling Detected"
@@ -72,7 +72,8 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: SentinelOne"
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml
index 0251401edf1..28afb617b92 100644
--- a/rules/windows/command_and_control_screenconnect_childproc.toml
+++ b/rules/windows/command_and_control_screenconnect_childproc.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/03/27"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies suspicious processes being spawned by the ScreenConnect client proces
 abusing unauthorized access to the ScreenConnect remote access software.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious ScreenConnect Client Child Process"
@@ -30,7 +30,8 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: SentinelOne"
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_adidns_wpad_record.toml b/rules/windows/credential_access_adidns_wpad_record.toml
new file mode 100644
index 00000000000..ab0782ec66c
--- /dev/null
+++ b/rules/windows/credential_access_adidns_wpad_record.toml
@@ -0,0 +1,77 @@
+[metadata]
+creation_date = "2024/06/03"
+integration = ["system", "windows"]
+maturity = "production"
+updated_date = "2024/06/03"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the
+Global Query Block List (GQBL) and create a "wpad" record to exploit hosts running WPAD with default settings for
+privilege escalation and lateral movement.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential WPAD Spoofing via DNS Record Creation"
+references = [
+ "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing#through-adidns-spoofing",
+ "https://cube0x0.github.io/Pocing-Beyond-DA/",
+]
+risk_score = 47
+rule_id = "894326d2-56c0-4342-b553-4abfaf421b5b"
+setup = """## Setup
+
+The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+Audit Directory Service Changes (Success,Failure)
+```
+
+The above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.
+
+```
+Set-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success
+```
+"""
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Active Directory",
+ "Use Case: Active Directory Monitoring",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where host.os.type == "windows" and event.action == "Directory Service Changes" and
+ event.code == "5137" and winlog.event_data.ObjectDN : "DC=wpad,*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 2517a7c0dbd..dae11b84426 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/13"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 [rule]
 author = ["Elastic"]
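Review bot: The `Set-AuditRule` example in `setup` places the SACL only on `CN=MicrosoftDNS,DC=DomainDNSZones,...`, so zone data stored in the ForestDnsZones partition or in the domain partition itself will not emit the 5137 events this query depends on, and a record created there is never seen; the setup text should tell users to repeat the audit rule for every partition that hosts DNS zones. Secondly, `winlog.event_data.ObjectDN : "DC=wpad,*"` covers only the wpad name, while the GQBL the description refers to also blocks `isatap` by default; if that case is in scope, `winlog.event_data.ObjectDN : ("DC=wpad,*", "DC=isatap,*")` covers both. The rule also ships without a `note`, so a short triage guide (which account created the record, whether it was a DNS administrator acting deliberately) would help analysts, as the sibling rules on this page carry one.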
@@ -13,7 +13,7 @@ Identifies the creation or modification of Domain Backup private keys. Adversari
 (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation or Modification of Domain Backup DPAPI private key"
@@ -36,7 +36,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml
index ad29d6bc414..c98f6321bb0 100644
--- a/rules/windows/credential_access_kirbi_file.toml
+++ b/rules/windows/credential_access_kirbi_file.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/08/23"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 [rule]
 author = ["Elastic"]
@@ -14,14 +14,14 @@ Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as P
 attacker to impersonate users using Kerberos tickets.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kirbi File Creation"
 risk_score = 47
 rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml
index 7a3135c6e28..195ea51492b 100644
--- a/rules/windows/credential_access_lsass_openprocess_api.toml
+++ b/rules/windows/credential_access_lsass_openprocess_api.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/03/02"
-integration = ["endpoint"]
+integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 [transform]
 [[transform.osquery]]
@@ -34,7 +34,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\n"
 from = "now-9m"
-index = ["logs-endpoint.events.api-*"]
+index = ["logs-endpoint.events.api-*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "LSASS Process Access via Windows API"
@@ -112,6 +112,7 @@ tags = [
 "Tactic: Credential Access",
 "Tactic: Execution",
 "Data Source: Elastic Defend",
+ "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -119,9 +120,7 @@ type = "eql"
 query = '''
 api where host.os.type == "windows" and process.Ext.api.name in ("OpenProcess", "OpenThread") and
 Target.process.name : "lsass.exe" and
- not
- (
- process.executable : (
+ not process.executable : (
 "?:\\ProgramData\\GetSupportService*\\Updates\\Update_*.exe",
 "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
 "?:\\Program Files (x86)\\Asiainfo Security\\OfficeScan Client\\NTRTScan.exe",
@@ -158,7 +157,6 @@ api where host.os.type == "windows" and
 "?:\\Windows\\System32\\RtkAudUService64.exe",
 "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
 "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe"
- ) and process.code_signature.trusted == true
 )
 '''
diff --git a/rules/windows/credential_access_wbadmin_ntds.toml b/rules/windows/credential_access_wbadmin_ntds.toml
new file mode 100644
index 00000000000..2c6b29f0e10
--- /dev/null
+++ b/rules/windows/credential_access_wbadmin_ntds.toml
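Review bot: Dropping `process.code_signature.trusted == true` from the exclusion (the `@@ -119,9 +120,7 @@` and `@@ -158,7 +157,6 @@` hunks together) means any binary sitting at one of the listed paths is now ignored regardless of its signature, and several of those paths are under `?:\ProgramData\` or vendor update directories where non-admin users can often place files, so an unsigned tool dropped there no longer alerts even on Elastic Defend data that carries signature fields. If the check was removed because the new m365_defender events lack code-signature fields, keep it for the sources that have them, e.g. `not (process.executable : (...) and (process.code_signature.trusted == true or ?process.code_signature.trusted == null))`. Separately, the query keys on `process.Ext.api.name`, which looks like an Elastic Defend-specific field; whether `logs-m365_defender.event-*` populates it is not visible here, and if it does not, the new index entry adds no coverage while the `Data Source: Microsoft Defender for Endpoint` tag claims otherwise. The remainder of the exclusion list lies between the two hunks, outside what is shown.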
@@ -0,0 +1,84 @@
+[metadata]
+creation_date = "2024/06/05"
+integration = ["windows", "endpoint", "system"]
+maturity = "production"
+updated_date = "2024/06/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from
+groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.
+"""
+from = "now-9m"
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "NTDS Dump via Wbadmin"
+references = [
+ "https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960"
+]
+risk_score = 47
+rule_id = "d93e61db-82d6-4095-99aa-714988118064"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ (process.name : "wbadmin.exe" or ?process.pe.original_file_name : "wbadmin.exe") and
+ process.args : "recovery" and process.command_line : "*ntds.dit*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.002"
+name = "Security Account Manager"
+reference = "https://attack.mitre.org/techniques/T1003/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.003"
+name = "NTDS"
+reference = "https://attack.mitre.org/techniques/T1003/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1006"
+name = "Direct Volume Access"
+reference = "https://attack.mitre.org/techniques/T1006/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
index f119f947ba2..9572cd0247f 100644
--- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/01/17"
-integration = ["windows", "endpoint", "sentinel_one_cloud_funnel"]
+integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 [transform]
 [[transform.osquery]]
@@ -39,7 +39,7 @@ Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusu
 attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Antimalware Scan Interface DLL"
@@ -104,7 +104,8 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: SentinelOne"
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
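Review bot: The query only matches the `recovery` subcommand (`process.args : "recovery" and process.command_line : "*ntds.dit*"`), but in the referenced technique that restore is preceded by a `backup` run whose include list names `ntds.dit`, and this rule never sees that earlier step; `process.args : ("backup", "recovery")` would cover both with the existing `command_line` check. The ATT&CK mapping lists T1003.002 (Security Account Manager) next to T1003.003 (NTDS), yet the rule targets only NTDS.dit, so the SAM subtechnique looks carried over from a sibling rule and should be dropped. Since `logs-system.security*` is in `index` and the query needs `process.command_line`, a `setup` line noting that 4688 events only carry the command line when 'Include command line in process creation events' is enabled would save users a silent miss.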
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index e93afa811f8..116a0f69944 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ when the name or location of a file is manipulated as a means of tricking a user
 benign file type but is actually executable code.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Executable File Creation with Multiple Extensions"
@@ -35,6 +35,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -43,8 +44,7 @@ query = '''
 file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and
 file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and
 not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and
- file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") and
- not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl")
+ file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe")
 '''
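Review bot: The `file.name regex~` alternation kept as context in the `@@ -43,8 +44,7 @@` hunk still lists `txt` twice (`...|pptx?|txt|rtf|...|hta|txt|img|iso`); the second occurrence is dead and should be removed while the query is being touched. Removing the `/bin/sh`, `/usr/sbin/MailScanner`, `/usr/bin/perl` exclusion is sound, since the query is already scoped to `host.os.type == "windows"` and those paths could never match there.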
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 53359cc1b12..584d337ab42 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
 "logs-windows.*",
 "endgame-*",
 "logs-system.security*",
+ "logs-m365_defender.event-*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -40,6 +41,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
+ "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
index c00d4a008ab..85763af68a2 100644
--- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
+++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/11/01"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ default) and is set to 1, then remote connections from all local members of Admi
 high-integrity tokens during negotiation.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Local Account TokenFilter Policy Disabled"
@@ -35,7 +35,8 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: SentinelOne"
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
new file mode 100644
index 00000000000..e3ee0189440
--- /dev/null
+++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
@@ -0,0 +1,79 @@
+[metadata]
+creation_date = "2024/05/31"
+integration = ["endpoint", "windows"]
+maturity = "production"
+updated_date = "2024/05/31"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain
+DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can
+modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation
+and lateral movement.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "DNS Global Query Block List Modified or Disabled"
+references = [
+ "https://cube0x0.github.io/Pocing-Beyond-DA/",
+ "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing",
+ "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/"
+]
+risk_score = 47
+rule_id = "57bfa0a9-37c0-44d6-b724-54bf16787492"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type : "change" and
+(
+ (registry.value : "EnableGlobalQueryBlockList" and registry.data.strings : ("0", "0x00000000")) or
+ (registry.value : "GlobalQueryBlockList" and not registry.data.strings : "wpad")
+)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index 018f735ad8b..5e81dc0203b 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/03"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 [transform]
 [[transform.osquery]]
@@ -39,7 +39,7 @@ A suspicious Zoom child process was detected, which may indicate an attempt to r
 such as command line, network connections, file writes and associated file signature details as well.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Zoom Child Process"
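Review bot: The query matches on `registry.value` alone with no `registry.path` anchor, so a value named `EnableGlobalQueryBlockList` or `GlobalQueryBlockList` written anywhere in the registry fires it; these values belong to the DNS service's Parameters key, and adding `registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\DNS\\Parameters\\*"` to the outer `and` keeps the rule on DNS servers and away from lookalike values elsewhere. The rule also ships without a `setup` field: the change happens on domain controllers carrying the DNS role, and for the Sysmon source listed in `index` it needs a configuration that reports registry value writes under that key, which most default Sysmon configs do not include, so a sentence saying so would prevent a rule that never fires. `not registry.data.strings : "wpad"` is fine for the documented case of wpad being dropped from the list, but it is worth stating in `description` that an administrator removing wpad deliberately will also trigger it, so analysts know the expected benign source.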
@@ -97,7 +97,7 @@ This rule identifies a potential malicious process masquerading as `Zoom.exe` or
 risk_score = 47
 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 4369e04cdf3..13d80ec7f19 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 [transform]
 [[transform.osquery]]
@@ -43,6 +43,7 @@ index = [
 "logs-windows.*",
 "endgame-*",
 "logs-system.security*",
+ "logs-m365_defender.event-*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -110,6 +111,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
+ "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 0df4a75f2b6..d70f49a5412 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "system", "windows"]
+integration = ["endpoint", "system", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Whoami Process Activity"
@@ -72,6 +72,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
+ "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 5bead44db39..b8923fc73b7 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -1,16 +1,16 @@ [metadata] creation_date = "2020/08/21" -integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2024/06/11" +updated_date = "2024/06/25" [rule] author = ["Elastic"] description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "Unusual Parent Process for cmd.exe" @@ -25,7 +25,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml new file mode 100644 index 00000000000..932370090b5 --- /dev/null 
+++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml 
@@ -0,0 +1,85 @@ +[metadata] +creation_date = "2024/06/19" +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/06/19" + +[rule] +author = ["Elastic"] +description = """ +Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use +MSC files for initial access and execution. +""" +from = "now-9m" +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +language = "eql" +license = "Elastic License v2" +name = "Microsoft Management Console File from Unusual Path" +references = ["https://www.elastic.co/security-labs/grimresource"] +risk_score = 73 +rule_id = "7e23dfef-da2c-4d64-b11d-5f285b638853" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint" +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.executable : "?:\\Windows\\System32\\mmc.exe" and process.args : "*.msc" and + not process.args : ("?:\\Windows\\System32\\*.msc", "?:\\Windows\\SysWOW64\\*.msc", "?:\\Program files\\*.msc", "?:\\Program Files (x86)\\*.msc") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + +[[rule.threat.technique.subtechnique]] 
+id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.014" +name = "MMC" +reference = "https://attack.mitre.org/techniques/T1218/014/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml index 60d4797b805..7a6bf1ec0ad 100644 --- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml +++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2024/03/24" -integration = ["endpoint", "windows", "system"] +integration = ["endpoint", "windows", "system", "m365_defender"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/25" [rule] author = ["Elastic"] @@ -23,6 +23,7 @@ index = [ "logs-windows.*", "endgame-*", "logs-system.security*", + "logs-m365_defender.event-*" ] language = "eql" license = "Elastic License v2" @@ -41,6 +42,7 @@ tags = [ "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index f6a39710485..adc4d1cafb8 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml 
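Review bot: The new rule lists `sentinel_one_cloud_funnel` in `integration` and `logs-sentinel_one_cloud_funnel.*` in `index` but pins `min_stack_version = "8.3.0"`, while every other SentinelOne-enabled rule touched in this diff carries `min_stack_version = "8.13.0"` together with `min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."`; the new file should carry the same 8.13.0 pin or drop the SentinelOne index pattern. The accompanying `min_stack_comments = "New fields added: required_fields, related_integrations, setup"` appears to be carried over from an older template and does not describe this rule's actual constraint. Those sibling rules also state in their `note` that SentinelOne data needs a custom ingest pipeline for the rule to work effectively; if that requirement applies here as well, it should be documented the same way in this file.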
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2024/06/11" +updated_date = "2024/06/25" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies suspicious child processes of Microsoft Outlook. These child processe phishing activity. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "Suspicious MS Outlook Child Process" @@ -75,7 +75,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index 3b79b147137..e2dd298af15 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2024/06/11" +updated_date = "2024/06/25" [transform] [[transform.osquery]] @@ -36,7 +36,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu author = ["Elastic"] description = "Detects writing executable files that will be automatically launched by Adobe on launch." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "Adobe Hijack Persistence" 
@@ -101,7 +101,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml index d34fdd03120..2a5836043bf 100644 --- a/rules/windows/persistence_appcertdlls_registry.toml +++ b/rules/windows/persistence_appcertdlls_registry.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/18" -integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2024/06/11" +updated_date = "2024/06/25" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ Detects attempts to maintain persistence by creating registry keys using AppCert process using the common API functions to create processes. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "Registry Persistence via AppCert DLL" @@ -28,7 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml new file mode 100644 index 00000000000..ee242c6f639 --- /dev/null +++ b/rules/windows/persistence_group_modification_by_system.toml 
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2024/06/26"
+integration = ["system", "windows"]
+maturity = "production"
+updated_date = "2024/06/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate
+that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting
+vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Active Directory Group Modification by SYSTEM"
+risk_score = 47
+rule_id = "6f024bde-7085-489b-8250-5957efdf1caf"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Active Directory",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+iam where winlog.api == "wineventlog" and event.code == "4728" and
+winlog.event_data.SubjectUserSid : "S-1-5-18" and
+
+/* DOMAIN_USERS and local groups */
+not group.id : "S-1-5-21-*-513"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
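Review bot: The `tags` list of the new rule carries only `"Tactic: Persistence"` although the file declares two `[[rule.threat]]` entries (TA0003 Persistence and TA0004 Privilege Escalation); the other rules in this diff tag every declared tactic (the AppCert DLL rule has both `"Tactic: Persistence"` and `"Tactic: Privilege Escalation"`), so `"Tactic: Privilege Escalation",` should be added after `"Tactic: Persistence",`. The query comment `/* DOMAIN_USERS and local groups */` also does not describe what the exclusion does: `not group.id : "S-1-5-21-*-513"` removes only the Domain Users RID, and with `event.code == "4728"` (member added to a security-enabled global group) local-group (4732) and universal-group (4756) additions are simply outside the rule's scope rather than excluded by it. Either narrow the comment to `/* exclude DOMAIN_USERS (RID 513) */`, or if SYSTEM-driven additions to local and universal groups are meant to be covered, extend `event.code` accordingly and say so in the description.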
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 4f551805628..5ccd1e2b17f 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2024/06/11" +updated_date = "2024/06/25" [transform] [[transform.osquery]] @@ -34,7 +34,7 @@ Windows services typically run as SYSTEM and can be used as a privilege escalati testers may run a shell as a service to gain SYSTEM permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "System Shells via Services" 
@@ -81,7 +81,7 @@ This rule looks for system shells being spawned by `services.exe`, which is comp risk_score = 47 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml new file mode 100644 index 00000000000..71f91b04127 --- /dev/null +++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml 
@@ -0,0 +1,136 @@ +[metadata] +creation_date = "2024/06/05" +integration = ["endpoint", "windows"] +maturity = "production" +updated_date = "2024/06/05" + +[rule] +author = ["Elastic"] +description = """ +Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with +privileges from groups like Server Operators may change the ImagePath of services to executables under their control or +to execute commands. +""" +from = "now-9m" +index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Privilege Escalation via Service ImagePath Modification" +references = [ + "https://cube0x0.github.io/Pocing-Beyond-DA/" +] +risk_score = 47 +rule_id = "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Sysmon" +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and process.executable != null and + event.action == "modification" and registry.value == "ImagePath" and + registry.key : ( + "*\\ADWS", "*\\AppHostSvc", "*\\AppReadiness", "*\\AudioEndpointBuilder", "*\\AxInstSV", "*\\camsvc", "*\\CertSvc", + "*\\COMSysApp", "*\\CscService", "*\\defragsvc", "*\\DeviceAssociationService", "*\\DeviceInstall", "*\\DevQueryBroker", + "*\\Dfs", "*\\DFSR", "*\\diagnosticshub.standardcollector.service", "*\\DiagTrack", "*\\DmEnrollmentSvc", "*\\DNS", + "*\\dot3svc", "*\\Eaphost", "*\\GraphicsPerfSvc", "*\\hidserv", "*\\HvHost", "*\\IISADMIN", "*\\IKEEXT", + "*\\InstallService", "*\\iphlpsvc", "*\\IsmServ", "*\\LanmanServer", "*\\MSiSCSI", "*\\NcbService", "*\\Netlogon", + "*\\Netman", "*\\NtFrs", "*\\PlugPlay", "*\\Power", "*\\PrintNotify", "*\\ProfSvc", 
"*\\PushToInstall", "*\\RSoPProv", + "*\\sacsvr", "*\\SENS", "*\\SensorDataService", "*\\SgrmBroker", "*\\ShellHWDetection", "*\\shpamsvc", "*\\StorSvc", + "*\\svsvc", "*\\swprv", "*\\SysMain", "*\\Themes", "*\\TieringEngineService", "*\\TokenBroker", "*\\TrkWks", + "*\\UALSVC", "*\\UserManager", "*\\vm3dservice", "*\\vmicguestinterface", "*\\vmicheartbeat", "*\\vmickvpexchange", + "*\\vmicrdv", "*\\vmicshutdown", "*\\vmicvmsession", "*\\vmicvss", "*\\vmvss", "*\\VSS", "*\\w3logsvc", "*\\W3SVC", + "*\\WalletService", "*\\WAS", "*\\wercplsupport", "*\\WerSvc", "*\\Winmgmt", "*\\wisvc", "*\\wmiApSrv", + "*\\WPDBusEnum", "*\\WSearch" + ) and + not ( + registry.data.strings : ( + "?:\\Windows\\system32\\*.exe", + "%systemroot%\\system32\\*.exe", + "%windir%\\system32\\*.exe", + "%SystemRoot%\\system32\\svchost.exe -k *", + "%windir%\\system32\\svchost.exe -k *" + ) and + not registry.data.strings : ( + "*\\cmd.exe", + "*\\cscript.exe", + "*\\ieexec.exe", + "*\\iexpress.exe", + "*\\installutil.exe", + "*\\Microsoft.Workflow.Compiler.exe", + "*\\msbuild.exe", + "*\\mshta.exe", + "*\\msiexec.exe", + "*\\msxsl.exe", + "*\\net.exe", + "*\\powershell.exe", + "*\\pwsh.exe", + "*\\reg.exe", + "*\\RegAsm.exe", + "*\\RegSvcs.exe", + "*\\regsvr32.exe", + "*\\rundll32.exe", + "*\\vssadmin.exe", + "*\\wbadmin.exe", + "*\\wmic.exe", + "*\\wscript.exe" + ) + ) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.011" +name = "Services Registry Permissions Weakness" +reference = 
"https://attack.mitre.org/techniques/T1574/011/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index d0c4a672662..801b6587329 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/03/17" -integration = ["endpoint", "windows", "system"] +integration = ["endpoint", "windows", "system", "m365_defender"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/25" [transform] [[transform.osquery]] @@ -43,6 +43,7 @@ index = [ "logs-windows.*", "endgame-*", "logs-system.security*", + "logs-m365_defender.event-*" ] language = "eql" license = "Elastic License v2" @@ -121,6 +122,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint" ] timestamp_override = "event.ingested" type = "eql" diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 85994f02ebf..67e86481998 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py 
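Review bot: The allowlist in the new query accepts the `svchost.exe -k *` form only when spelled with `%SystemRoot%` or `%windir%`, while the drive-letter entry `"?:\\Windows\\system32\\*.exe"` requires the value to end in `.exe`, so a benign `ImagePath` rewrite to an expanded `C:\Windows\system32\svchost.exe -k <group>` would alert. That may well be intended, since default services are registered with the variable form, but nothing in the file says so and a later maintainer is likely to "fix" it; a comment above the `not (` block such as `/* svchost -k is only allowlisted via %SystemRoot%/%windir%; an expanded drive-letter form is left alerting — confirm intended */` would preserve the decision. It would also help to state in the description that `process.executable != null` deliberately drops events without a writer process, since that silently excludes some registry telemetry.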
@@ -311,7 +311,8 @@ def test_required_tags(self): 'logs-windows.sysmon_operational-*': {'all': ['Data Source: Sysmon']}, 'logs-windows.powershell*': {'all': ['Data Source: PowerShell Logs']}, 'logs-sentinel_one_cloud_funnel.*': {'all': ['Data Source: SentinelOne']}, - 'logs-fim.event-*': {'all': ['Data Source: File Integrity Monitoring']} + 'logs-fim.event-*': {'all': ['Data Source: File Integrity Monitoring']}, + 'logs-m365_defender.event-*': {'all': ['Data Source: Microsoft Defender for Endpoint']} } for rule in self.all_rules: @@ -679,15 +680,19 @@ def test_integration_tag(self): failures.append(err_msg) # checks if an index pattern exists if the package integration tag exists + # and is of pattern logs-{integration}* integration_string = "|".join(indices) - if not re.search(rule_integration, integration_string): + if not re.search(f"logs-{rule_integration}*", integration_string): if rule_integration == "windows" and re.search("winlog", integration_string) or \ any(ri in [*map(str.lower, definitions.MACHINE_LEARNING_PACKAGES)] for ri in rule_integrations): continue + elif rule_integration == "apm" and \ + re.search("apm-*-transaction*|traces-apm*", integration_string): + continue elif rule.contents.data.type == 'threat_match': continue - err_msg = f'{self.rule_str(rule)} {rule_integration} tag, index pattern missing.' + err_msg = f'{self.rule_str(rule)} {rule_integration} tag, index pattern missing or incorrect.' failures.append(err_msg) # checks if event.dataset exists in query object and a tag exists in metadata diff --git a/tests/test_hunt_data.py b/tests/test_hunt_data.py index e1ba3ed8ad7..2c39fccb486 100644 --- a/tests/test_hunt_data.py +++ b/tests/test_hunt_data.py 
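Review bot: The new check `re.search(f"logs-{rule_integration}*", integration_string)` hands a glob-style string to the regex engine, where the trailing `*` only makes the last character of the integration name optional (`logs-windows*` also matches `logs-window`) and an unescaped name is interpreted as a pattern; `if not re.search(rf"logs-{re.escape(rule_integration)}", integration_string):` expresses the intended "index starts with logs-<integration>" test. The added `apm` branch has the same problem in a form that actually changes the result: as a regex `apm-*-transaction*` means `apm`, optional hyphens, `-transactio`, optional `n`s, so it does not match the literal index string `apm-*-transaction*`, and the branch presumably only passes when `traces-apm*` is present. Escaping the globs, `re.search(r"apm-\*-transaction\*|traces-apm\*", integration_string)`, or matching with `fnmatch` against `indices`, would make the code check what the comment `and is of pattern logs-{integration}*` promises. test_integration_tag continues outside the hunk.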
@@ -17,12 +17,13 @@ def test_toml_loading(self): example_toml = """ [hunt] author = "Elastic" + description = "Detects denial of service or resource exhaustion attacks." integration = "aws_bedrock.invocation" uuid = "dc181967-c32c-46c9-b84b-ec4c8811c6a0" name = "Denial of Service or Resource Exhaustion Attacks Detection" language = "ES|QL" license = "Elastic License v2" - query = 'SELECT * FROM logs' + query = ['SELECT * FROM logs'] notes = ["High token usage can strain system resources."] mitre = ["AML.T0034"] references = ["https://www.elastic.co"] @@ -43,6 +44,7 @@ def test_load_toml_files(self): toml_contents = toml_file.read_text() hunt = load_toml(toml_contents) self.assertTrue(hunt.author) + self.assertTrue(hunt.description) self.assertTrue(hunt.integration) self.assertTrue(hunt.uuid) self.assertTrue(hunt.name)