[Detection Engine] Adds 8.0 rules (#123786)

* [Detection Rules] Add 8.0 rules
* rollback changes for python tty rule elastic/detection-rules#1731

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/application_added_to_google_workspace_domain.json

@@ -15,8 +15,8 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "Application Added to Google Workspace Domain",
-  "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
-  "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n",
+  "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+  "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n",
   "references": [
     "https://support.google.com/a/answer/6328701?hl=en#"
   ],
@@ -33,5 +33,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 5
+  "version": 6
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_audio_capture.json

@@ -11,6 +11,7 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "PowerShell Suspicious Script with Audio Capture Capabilities",
+  "note": "## Triage and analysis.\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can use PowerShell to interact with the Windows API and capture audio from input devices connected to the\ncomputer.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree)\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
   "query": "event.category:process and \n  powershell.file.script_block_text : (\n    Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA)\n  )\n",
   "references": [
     "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"
@@ -66,5 +67,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_keylogger.json

@@ -11,6 +11,7 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "PowerShell Keylogging Script",
+  "note": "## Triage and analysis.\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can abuse PowerShell capabilities to capture user Keystrokes with the goal of stealing credentials and other\nvaluable information as Credit Card data and confidential conversations.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree)\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
   "query": "event.category:process and \n  ( \n   powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or Get-Keystrokes) or \n   powershell.file.script_block_text : ((SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and (GetForegroundWindow or GetWindowTextA or GetWindowTextW or WM_KEYBOARD_LL))\n   )\n",
   "references": [
     "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1",
@@ -74,5 +75,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_screen_grabber.json

@@ -0,0 +1,70 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Detects PowerShell Scripts that can take screenshots, which is a common feature in post-exploitation kits and RATs (Remote Access Tools).",
+  "from": "now-9m",
+  "index": [
+    "winlogbeat-*",
+    "logs-windows.*"
+  ],
+  "language": "kuery",
+  "license": "Elastic License v2",
+  "name": "PowerShell Suspicious Script with Screenshot Capabilities",
+  "query": "event.category:process and \n  powershell.file.script_block_text : (\n    CopyFromScreen and\n    (System.Drawing.Bitmap or Drawing.Bitmap)\n  )\n",
+  "references": [
+    "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"
+  ],
+  "risk_score": 47,
+  "rule_id": "959a7353-1129-4aa7-9084-30746b256a70",
+  "severity": "medium",
+  "tags": [
+    "Elastic",
+    "Host",
+    "Windows",
+    "Threat Detection",
+    "Collection"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0009",
+        "name": "Collection",
+        "reference": "https://attack.mitre.org/tactics/TA0009/"
+      },
+      "technique": [
+        {
+          "id": "T1113",
+          "name": "Screen Capture",
+          "reference": "https://attack.mitre.org/techniques/T1113/"
+        }
+      ]
+    },
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0002",
+        "name": "Execution",
+        "reference": "https://attack.mitre.org/tactics/TA0002/"
+      },
+      "technique": [
+        {
+          "id": "T1059",
+          "name": "Command and Scripting Interpreter",
+          "reference": "https://attack.mitre.org/techniques/T1059/",
+          "subtechnique": [
+            {
+              "id": "T1059.001",
+              "name": "PowerShell",
+              "reference": "https://attack.mitre.org/techniques/T1059/001/"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "timestamp_override": "event.ingested",
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json

@@ -12,7 +12,7 @@
   "language": "eql",
   "license": "Elastic License v2",
   "name": "Connection to Commonly Abused Web Services",
-  "query": "network where network.protocol == \"dns\" and\n    process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n    /* Add new WebSvc domains here */\n    dns.question.name :\n    (\n        \"raw.githubusercontent.*\",\n        \"*.pastebin.*\",\n        \"*drive.google.*\",\n        \"*docs.live.*\",\n        \"*api.dropboxapi.*\",\n        \"*dropboxusercontent.*\",\n        \"*onedrive.*\",\n        \"*4shared.*\",\n        \"*.file.io\",\n        \"*filebin.net\",\n        \"*slack-files.com\",\n        \"*ghostbin.*\",\n        \"*ngrok.*\",\n        \"*portmap.*\",\n        \"*serveo.net\",\n        \"*localtunnel.me\",\n        \"*pagekite.me\",\n        \"*localxpose.io\",\n        \"*notabug.org\",\n        \"rawcdn.githack.*\",\n        \"paste.nrecom.net\",\n        \"zerobin.net\",\n        \"controlc.com\",\n        \"requestbin.net\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.executable :\n    (\n      \"?:\\\\Program Files\\\\*.exe\",\n      \"?:\\\\Program Files (x86)\\\\*.exe\",\n      \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n      \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n      \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n      \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n      \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n      \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n    )\n",
+  "query": "network where network.protocol == \"dns\" and\n    process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n    /* Add new WebSvc domains here */\n    dns.question.name :\n    (\n        \"raw.githubusercontent.*\",\n        \"*.pastebin.*\",\n        \"*drive.google.*\",\n        \"*docs.live.*\",\n        \"*api.dropboxapi.*\",\n        \"*dropboxusercontent.*\",\n        \"*onedrive.*\",\n        \"*4shared.*\",\n        \"*.file.io\",\n        \"*filebin.net\",\n        \"*slack-files.com\",\n        \"*ghostbin.*\",\n        \"*ngrok.*\",\n        \"*portmap.*\",\n        \"*serveo.net\",\n        \"*localtunnel.me\",\n        \"*pagekite.me\",\n        \"*localxpose.io\",\n        \"*notabug.org\",\n        \"rawcdn.githack.*\",\n        \"paste.nrecom.net\",\n        \"zerobin.net\",\n        \"controlc.com\",\n        \"requestbin.net\",\n        \"cdn.discordapp.com\",\n        \"discordapp.com\",\n        \"discord.com\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.executable :\n    (\n      \"?:\\\\Program Files\\\\*.exe\",\n      \"?:\\\\Program Files (x86)\\\\*.exe\",\n      \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n      \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n      \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n      \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n      \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n      \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Discord\\\\-*\\\\Discord.exe\"\n    )\n",
   "risk_score": 21,
   "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32",
   "severity": "low",
@@ -69,5 +69,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 5
+  "version": 6
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_posh_minidump.json

@@ -14,10 +14,12 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "PowerShell MiniDump Script",
+  "note": "## Triage and analysis.\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nProcess Memory Dump capabilities can be abused by attackers to extract credentials from LSASS or to obtain other privileged\ninformation stored in the process memory.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree)\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
   "query": "event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)\n",
   "references": [
     "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1",
-    "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1"
+    "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1",
+    "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
   ],
   "risk_score": 73,
   "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77",
@@ -77,5 +79,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.json

@@ -0,0 +1,53 @@
+{
+  "author": [
+    "Austin Songer"
+  ],
+  "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic Links can be used to access files in the shadow copy, including sensitive files that may contain credential information.",
+  "false_positives": [
+    "Legitimate administrative activity related to shadow copies"
+  ],
+  "from": "now-9m",
+  "index": [
+    "winlogbeat-*",
+    "logs-endpoint.events.*",
+    "logs-windows.*"
+  ],
+  "language": "eql",
+  "license": "Elastic License v2",
+  "name": "Symbolic Link to Shadow Copy Created",
+  "query": "process where event.type in (\"start\", \"process_started\") and\nprocess.pe.original_file_name == \"Cmd.Exe\" and\nprocess.args : \"*mklink*\" and\nprocess.args : \"*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\"\n",
+  "references": [
+    "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink",
+    "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"
+  ],
+  "risk_score": 47,
+  "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0",
+  "severity": "medium",
+  "tags": [
+    "Elastic",
+    "Host",
+    "Windows",
+    "Threat Detection",
+    "Credential Access"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0006",
+        "name": "Credential Access",
+        "reference": "https://attack.mitre.org/tactics/TA0006/"
+      },
+      "technique": [
+        {
+          "id": "T1003",
+          "name": "OS Credential Dumping",
+          "reference": "https://attack.mitre.org/techniques/T1003/"
+        }
+      ]
+    }
+  ],
+  "timestamp_override": "event.ingested",
+  "type": "eql",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_user_excessive_sso_logon_errors.json

@@ -16,7 +16,7 @@
   "license": "Elastic License v2",
   "name": "O365 Excessive Single Sign-On Logon Errors",
   "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:web and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n",
+  "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n",
   "risk_score": 73,
   "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0",
   "severity": "high",
@@ -52,5 +52,5 @@
     "value": 5
   },
   "type": "threshold",
-  "version": 2
+  "version": 3
 }