Skip to content

Commit

Permalink
[Detection Rules] Add 7.15 rules (#110345)
Browse files Browse the repository at this point in the history
  • Loading branch information
rw-access authored Aug 26, 2021
1 parent cf24e6c commit e64a036
Show file tree
Hide file tree
Showing 73 changed files with 440 additions and 175 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed",
"description": "A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.",
"false_positives": [
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
],
Expand All @@ -26,5 +26,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 7
"version": 8
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource",
"description": "A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource.",
"false_positives": [
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
],
Expand All @@ -26,5 +26,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 7
"version": 8
}
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Application Added to Google Workspace Domain",
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
"query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n",
"references": [
"https://support.google.com/a/answer/6328701?hl=en#"
Expand All @@ -33,5 +33,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 4
"version": 5
}
Original file line number Diff line number Diff line change
Expand Up @@ -43,11 +43,16 @@
"id": "T1114",
"name": "Email Collection",
"reference": "https://attack.mitre.org/techniques/T1114/"
},
{
"id": "T1005",
"name": "Data from Local System",
"reference": "https://attack.mitre.org/techniques/T1005/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -43,11 +43,16 @@
"id": "T1114",
"name": "Email Collection",
"reference": "https://attack.mitre.org/techniques/T1114/"
},
{
"id": "T1005",
"name": "Data from Local System",
"reference": "https://attack.mitre.org/techniques/T1005/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1) - see the Reference section for additional information on module configuration.",
"description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.",
"from": "now-9m",
"index": [
"auditbeat-*",
Expand All @@ -13,7 +13,7 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Default Cobalt Strike Team Server Certificate",
"note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, alerts should be investigated rapidly.",
"note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.",
"query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or\n tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or\n tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n",
"references": [
"https://attack.mitre.org/software/S0154/",
Expand Down Expand Up @@ -59,5 +59,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 5
"version": 6
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications.",
"description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS and it opens your network to a variety of abuses and malicious communications.",
"false_positives": [
"Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
],
Expand Down Expand Up @@ -45,5 +45,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 10
"version": 11
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs. This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
"description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs (tactics, techniques, and procedures). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
"false_positives": [
"Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."
],
Expand Down Expand Up @@ -52,5 +52,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 6
"version": 7
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
"description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
"false_positives": [
"Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
],
Expand Down Expand Up @@ -74,5 +74,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 10
"version": 11
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embed ed systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.",
"description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.",
"false_positives": [
"IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
],
Expand Down Expand Up @@ -71,5 +71,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 8
"version": 9
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
"description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
"false_positives": [
"VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
],
Expand Down Expand Up @@ -65,5 +65,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 10
"version": 11
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
"description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
"false_positives": [
"VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
],
Expand Down Expand Up @@ -50,5 +50,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 10
"version": 11
}
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
{
"author": [
"Elastic"
"Elastic",
"Austin Songer"
],
"description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.",
"from": "now-9m",
Expand All @@ -13,9 +14,10 @@
"license": "Elastic License v2",
"max_signals": 33,
"name": "NTDS or SAM Database File Copied",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\") and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\")\n",
"query": "process where event.type in (\"start\", \"process_started\") and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n",
"references": [
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/"
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy"
],
"risk_score": 73,
"rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f",
Expand Down Expand Up @@ -46,5 +48,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"Elastic",
"Austin Songer"
],
"description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or single sign-on token.",
"description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.",
"false_positives": [
"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
],
Expand Down Expand Up @@ -52,5 +52,5 @@
"value": 5
},
"type": "threshold",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "Jscript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the Jscript process. An adversary can modify this key to disable AMSI protections.",
"description": "JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the JScript process. An adversary can modify this key to disable AMSI protections.",
"from": "now-9m",
"index": [
"winlogbeat-*",
Expand Down Expand Up @@ -53,5 +53,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
"version": 2
}
Loading

0 comments on commit e64a036

Please sign in to comment.