From 4323357ef8c28a7b64e7183744d296811f279ab5 Mon Sep 17 00:00:00 2001 
From: Justin Ibarra Date: Wed, 4 Nov 2020 00:33:39 +0100 Subject: [PATCH] [Detection Rules] Add 7.10 rules - v3 (#82214) --- ...d_control_certutil_network_connection.json | 6 +- .../defense_evasion_installutil_beacon.json | 2 +- ...isc_lolbin_connecting_to_the_internet.json | 6 +- ...fense_evasion_msbuild_beacon_sequence.json | 44 -- .../defense_evasion_msxsl_beacon.json | 44 -- ...etwork_connection_from_windows_binary.json | 2 +- .../defense_evasion_reg_beacon.json | 44 -- ...defense_evasion_rundll32_no_arguments.json | 2 +- .../defense_evasion_rundll32_sequence.json | 44 -- ...and_prompt_connecting_to_the_internet.json | 6 +- ...le_program_connecting_to_the_internet.json | 6 +- ...on_msbuild_making_network_connections.json | 6 +- ...tion_mshta_making_network_connections.json | 47 -- .../execution_msxsl_network.json | 6 +- ...ution_psexec_lateral_movement_command.json | 6 +- ...er_program_connecting_to_the_internet.json | 6 +- ...ution_unusual_dns_service_file_writes.json | 2 +- ...usual_network_connection_via_rundll32.json | 6 +- ...on_unusual_process_network_connection.json | 6 +- .../execution_wpad_exploitation.json | 43 -- .../rules/prepackaged_rules/index.ts | 530 +++++++++--------- ..._access_zoom_meeting_with_no_passcode.json | 49 ++ .../lateral_movement_cmd_service.json | 2 +- ...vement_direct_outbound_smb_connection.json | 6 +- ...ment_telnet_network_activity_external.json | 6 +- ...ment_telnet_network_activity_internal.json | 6 +- .../linux_netcat_network_connection.json | 6 +- .../ml_linux_anomalous_network_activity.json | 2 +- .../ml_rare_process_by_host_windows.json | 2 +- ...ml_windows_anomalous_network_activity.json | 2 +- ...windows_rare_user_type10_remote_login.json | 2 +- .../privilege_escalation_uac_sdclt.json | 44 -- .../tests/create_exceptions.ts | 12 +- 33 files changed, 365 insertions(+), 638 deletions(-) delete mode 100644 
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msbuild_beacon_sequence.json
delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msxsl_beacon.json
delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_reg_beacon.json
delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_sequence.json
delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_mshta_making_network_connections.json
delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_wpad_exploitation.json
create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_zoom_meeting_with_no_passcode.json
delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_sdclt.json
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_certutil_network_connection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_certutil_network_connection.json
index e88297aa2c813..8f81d675a4325 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_certutil_network_connection.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_certutil_network_connection.json
@@ -8,10 +8,10 @@
 "winlogbeat-*",
 "logs-endpoint.events.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License",
 "name": "Network Connection via Certutil",
- "query": "event.category:network and event.type:connection and process.name:certutil.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+ "query": "sequence by process.entity_id\n [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
 "risk_score": 21,
 "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8",
 "severity": "low",
@@ -39,6 +39,6 @@
 ]
 }
 ],
- "type": "query",
+ "type": "eql",
 "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_installutil_beacon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_installutil_beacon.json
index 231ed1b36dc0f..5f2cd894fae0f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_installutil_beacon.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_installutil_beacon.json
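Review bot: The first sequence stage on the `+ "query"` line matches only `event.type == "start"`, while the installutil and Windows-system-binary hunks in this same patch accept `event.type in ("start", "process_started")`; with `winlogbeat-*` in the rule's index list, a source that reports the other value would never satisfy stage one, and the rule would go silent rather than alert. Consider `[process where process.name : "certutil.exe" and event.type in ("start", "process_started")]` here, and the same adjustment for the signed-binary, command-prompt, compiled-HTML, MsBuild, MsXsl, PsExec, registration-utility and RunDLL32 network-connection hunks, which use the identical `event.type == "start"` form. Separately, the second hunk changes `type` from `query` to `eql` but leaves `"version": 4` as an unchanged context line; if the prepackaged-rule updater keys on the version field, already-installed copies will keep the old KQL query, and none of the sibling hunks above bump their version either. The surrounding JSON object extends beyond both hunks.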
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License",
 "name": "InstallUtil Process Making Network Connections",
- "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n [network where event.type == \"connection\" and process.name : \"installutil.exe\" and network.direction == \"outgoing\"]\n",
+ "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n [network where process.name : \"installutil.exe\" and network.direction == \"outgoing\"]\n",
 "risk_score": 21,
 "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf",
 "severity": "medium",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json
index 3d87720818ff5..e60f5ccebe2f9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json
@@ -8,10 +8,10 @@
 "winlogbeat-*",
 "logs-endpoint.events.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License",
 "name": "Network Connection via Signed Binary",
- "query": "event.category:network and event.type:connection and process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+ "query": "sequence by process.entity_id\n [process where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
 "risk_score": 21,
 "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
 "severity": "low",
@@ -54,6 +54,6 @@
 ]
 }
 ],
- "type": "query",
+ "type": "eql",
 "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msbuild_beacon_sequence.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msbuild_beacon_sequence.json
deleted file mode 100644
index 0740e26d3bba6..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msbuild_beacon_sequence.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.",
- "from": "now-9m",
- "index": [
- "logs-endpoint.events.*",
- "winlogbeat-*"
- ],
- "language": "eql",
- "license": "Elastic License",
- "name": "MsBuild Network Connection Sequence",
- "query": "sequence by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.name : \"MSBuild.exe\"]\n [network where process.name : \"MSBuild.exe\" and\n not (destination.ip == \"127.0.0.1\" and source.ip == \"127.0.0.1\")]\n",
- "risk_score": 21,
- "rule_id": "9dc6ed5d-62a9-4feb-a903-fafa1d33b8e9",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1127",
- "name": "Trusted Developer Utilities Proxy Execution",
- "reference": "https://attack.mitre.org/techniques/T1127/"
- }
- ]
- }
- ],
- "type": "eql",
- "version": 1
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msxsl_beacon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msxsl_beacon.json
deleted file mode 100644
index c188387304214..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msxsl_beacon.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Identifies MsXsl.exe making outbound network connections. This may indicate adversarial activity as MsXsl is often leveraged by adversaries to execute malicious scripts and evade detection.",
- "from": "now-9m",
- "index": [
- "logs-endpoint.events.*",
- "winlogbeat-*"
- ],
- "language": "eql",
- "license": "Elastic License",
- "name": "MsXsl Making Network Connections",
- "query": "sequence by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.name : \"msxsl.exe\"]\n [network where event.type == \"connection\" and process.name : \"msxsl.exe\" and network.direction == \"outgoing\"]\n",
- "risk_score": 21,
- "rule_id": "870d1753-1078-403e-92d4-735f142edcca",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1220",
- "name": "XSL Script Processing",
- "reference": "https://attack.mitre.org/techniques/T1220/"
- }
- ]
- }
- ],
- "type": "eql",
- "version": 1
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_connection_from_windows_binary.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_connection_from_windows_binary.json
index 4e1d0cad0b5da..88fd8a2054ee8 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_connection_from_windows_binary.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_connection_from_windows_binary.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License", "name": "Unusual Network Activity from a Windows System Binary", - "query": "sequence by process.entity_id with maxspan=5m\n [process where event.type in (\"start\", \"process_started\") and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where event.type == \"connection\" and\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", + "query": "sequence by process.entity_id with maxspan=5m\n [process where event.type in (\"start\", \"process_started\") and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : 
\"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "risk_score": 21, "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", "severity": "medium", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_reg_beacon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_reg_beacon.json deleted file mode 100644 index aa4f9985f6e2c..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_reg_beacon.json +++ /dev/null 
@@ -1,44 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Identifies registration utilities making outbound network connections. This includes regsvcs, regasm, and regsvr32. This may indicate adversarial activity as these tools are often leveraged by adversaries to execute code and evade detection.",
- "from": "now-9m",
- "index": [
- "logs-endpoint.events.*",
- "winlogbeat-*"
- ],
- "language": "eql",
- "license": "Elastic License",
- "name": "Registration Tool Making Network Connections",
- "query": "sequence by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and\n (process.name : \"RegAsm.exe\" or process.name : \"regsvcs.exe\" or process.name : \"regsvr32.exe\")]\n [network where event.type == \"connection\" and\n (process.name : \"RegAsm.exe\" or process.name : \"regsvcs.exe\" or process.name : \"regsvr32.exe\")]\nuntil\n [process where event.type == \"end\" and\n (process.name : \"RegAsm.exe\" or process.name : \"regsvcs.exe\" or process.name : \"regsvr32.exe\")]\n",
- "risk_score": 21,
- "rule_id": "6d3456a5-4a42-49d1-aaf2-7b1fd475b2c6",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1121",
- "name": "Regsvcs/Regasm",
- "reference": "https://attack.mitre.org/techniques/T1121/"
- }
- ]
- }
- ],
- "type": "eql",
- "version": 1
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_no_arguments.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_no_arguments.json
index 2950b792219b6..c2712f1574a7c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_no_arguments.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_no_arguments.json
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License",
 "name": "Unusual Child Processes of RunDLL32",
- "query": "sequence with maxspan=1h\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n (process.name : \"rundll32.exe\" /* or process.pe.original_file_name == \"RUNDLL32.EXE\" */ ) and\n process.args_count < 2\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n (process.name : \"rundll32.exe\" /* or process.pe.original_file_name == \"RUNDLL32.EXE\" */ )\n ] by process.parent.entity_id\n",
+ "query": "sequence with maxspan=1h\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n (process.name : \"rundll32.exe\" /* or process.pe.original_file_name == \"RUNDLL32.EXE\" */ ) and\n process.args_count < 2\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n",
 "risk_score": 21,
 "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5",
 "severity": "high",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_sequence.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_sequence.json
deleted file mode 100644
index c022d0a603858..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_sequence.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Identifies unusual instances of Rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.",
- "from": "now-9m",
- "index": [
- "logs-endpoint.events.*",
- "winlogbeat-*"
- ],
- "language": "eql",
- "license": "Elastic License",
- "name": "Unusual Network Connection Sequence via RunDLL32",
- "query": "sequence by process.entity_id with maxspan=2h\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n (process.name : \"rundll32.exe\" /* or process.pe.original_file_name == \"RUNDLL32.EXE\" */ ) and\n process.args_count < 2]\n [network where event.type == \"connection\" and\n /* uncomment once in winlogbeat */\n (process.name : \"rundll32.exe\" /* or process.pe.original_file_name == \"RUNDLL32.EXE\" */ )]\n",
- "risk_score": 21,
- "rule_id": "2b347f66-6739-4ae3-bd94-195036dde8b3",
- "severity": "low",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1085",
- "name": "Rundll32",
- "reference": "https://attack.mitre.org/techniques/T1085/"
- }
- ]
- }
- ],
- "type": "eql",
- "version": 1
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_prompt_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_prompt_connecting_to_the_internet.json
index d73b1a4cab008..12d2a94afc823 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_prompt_connecting_to_the_internet.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_prompt_connecting_to_the_internet.json
@@ -11,10 +11,10 @@
 "winlogbeat-*",
 "logs-endpoint.events.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License",
 "name": "Command Prompt Network Connection",
- "query": "event.category:network and event.type:connection and process.name:cmd.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+ "query": "sequence by process.entity_id\n [process where process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
 "risk_score": 21,
 "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
 "severity": "low",
@@ -57,6 +57,6 @@
 ]
 }
 ],
- "type": "query",
+ "type": "eql",
 "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_html_help_executable_program_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_html_help_executable_program_connecting_to_the_internet.json
index d33f2287c7d8b..a950b7280bb73 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_html_help_executable_program_connecting_to_the_internet.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_html_help_executable_program_connecting_to_the_internet.json
@@ -8,10 +8,10 @@
 "winlogbeat-*",
 "logs-endpoint.events.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License",
 "name": "Network Connection via Compiled HTML File",
- "query": "event.category:network and event.type:connection and process.name:hh.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+ "query": "sequence by process.entity_id\n [process where process.name : \"hh.exe\" and event.type == \"start\"]\n [network where process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
 "risk_score": 21,
 "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
 "severity": "low",
@@ -54,6 +54,6 @@
 ]
 }
 ],
- "type": "query",
+ "type": "eql",
 "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_msbuild_making_network_connections.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_msbuild_making_network_connections.json
index 7fd2933fe46f1..758e96b8c71f9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_msbuild_making_network_connections.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_msbuild_making_network_connections.json
@@ -8,10 +8,10 @@
 "winlogbeat-*",
 "logs-endpoint.events.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License",
 "name": "MsBuild Making Network Connections",
- "query": "event.category:network and event.type:connection and process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or \"::1\")",
+ "query": "sequence by process.entity_id\n [process where process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
 "risk_score": 47,
 "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
 "severity": "medium",
@@ -39,6 +39,6 @@
 ]
 }
 ],
- "type": "query",
+ "type": "eql",
 "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_mshta_making_network_connections.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_mshta_making_network_connections.json
deleted file mode 100644
index 9b863c2ed5ee4..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_mshta_making_network_connections.json
+++ /dev/null
@@ -1,47 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Identifies mshta.exe making a network connection. This may indicate adversarial activity as mshta.exe is often leveraged by adversaries to execute malicious scripts and evade detection.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License",
- "name": "Network Connection via Mshta",
- "query": "event.category:network and event.type:connection and process.name:mshta.exe",
- "references": [
- "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
- ],
- "risk_score": 47,
- "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Execution"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0002",
- "name": "Execution",
- "reference": "https://attack.mitre.org/tactics/TA0002/"
- },
- "technique": [
- {
- "id": "T1170",
- "name": "Mshta",
- "reference": "https://attack.mitre.org/techniques/T1170/"
- }
- ]
- }
- ],
- "type": "query",
- "version": 5
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_msxsl_network.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_msxsl_network.json
index 17987218af0ae..be0a7a7ec0a1b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_msxsl_network.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_msxsl_network.json
@@ -8,10 +8,10 @@
 "winlogbeat-*",
 "logs-endpoint.events.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License",
 "name": "Network Connection via MsXsl",
- "query": "event.category:network and event.type:connection and process.name:msxsl.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+ "query": "sequence by process.entity_id\n [process where process.name : \"msxsl.exe\" and event.type == \"start\"]\n [network where process.name : \"msxsl.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
 "risk_score": 21,
 "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5",
 "severity": "low",
@@ -39,6 +39,6 @@
 ]
 }
 ],
- "type": "query",
+ "type": "eql",
 "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_psexec_lateral_movement_command.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_psexec_lateral_movement_command.json
index 8505a837ad591..e587444c86296 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_psexec_lateral_movement_command.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_psexec_lateral_movement_command.json
@@ -11,10 +11,10 @@
 "winlogbeat-*",
 "logs-endpoint.events.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License",
 "name": "PsExec Network Connection",
- "query": "event.category:network and event.type:connection and process.name:PsExec.exe",
+ "query": "sequence by process.entity_id\n [process where process.name : \"PsExec.exe\" and event.type == \"start\"]\n [network where process.name : \"PsExec.exe\"]\n",
 "risk_score": 21,
 "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
 "severity": "low",
@@ -57,6 +57,6 @@
 ]
 }
 ],
- "type": "query",
+ "type": "eql",
 "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json
index bf1a30f11137e..579e8b549fd02 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json
@@ -11,10 +11,10 @@
 "winlogbeat-*",
 "logs-endpoint.events.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License",
 "name": "Network Connection via Registration Utility",
- "query": "event.category:network and event.type:connection and process.name:(regsvr32.exe or regsvr64.exe or RegAsm.exe or RegSvcs.exe) and not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)",
+ "query": "sequence by process.entity_id\n [process where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n event.type == \"start\"]\n [network where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"169.254.169.254\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
 "risk_score": 21,
 "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
 "severity": "low",
@@ -57,6 +57,6 @@
 ]
 }
 ],
- "type": "query",
+ "type": "eql",
 "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_unusual_dns_service_file_writes.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_unusual_dns_service_file_writes.json
index 229fc28beee9c..fb77c4c78240c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_unusual_dns_service_file_writes.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_unusual_dns_service_file_writes.json
@@ -10,7 +10,7 @@ "language": "kuery", "license": "Elastic License", "name": "Unusual File Modification by dns.exe", - "note": "### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms. \n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.", + "note": "### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.", "query": "event.category:file and process.name:dns.exe and not file.name:dns.log", "references": [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_unusual_network_connection_via_rundll32.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_unusual_network_connection_via_rundll32.json index 2763f69e1f8e8..7a7aec00cc887 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_unusual_network_connection_via_rundll32.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_unusual_network_connection_via_rundll32.json @@ -8,10 +8,10 @@ "winlogbeat-*", "logs-endpoint.events.*" ], - "language": "kuery", + "language": "eql", "license": "Elastic License", "name": "Unusual Network Connection via RunDLL32", - "query": "event.category:network and event.type:connection and process.name:rundll32.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)", + "query": "sequence by process.entity_id\n [process where process.name : \"rundll32.exe\" and event.type == \"start\"]\n [network where process.name : \"rundll32.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"127.0.0.0/8\")]\n", "risk_score": 21, "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", "severity": "low", @@ -39,6 +39,6 @@ ] } ], - "type": "query", + "type": "eql", "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_unusual_process_network_connection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_unusual_process_network_connection.json index 877c489b0d187..337cf3145fe39 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_unusual_process_network_connection.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_unusual_process_network_connection.json 
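Review bot: The `cidrmatch` list in the new rundll32 query excludes `127.0.0.0/8`, while the registration-utility rule rewritten in the same patch excludes `169.254.169.254` but not loopback, so a connection through a local proxy on the same host completes one sequence and not the other; the two exclusion lists were already different in the KQL versions, but since both queries are being rewritten now it is the moment to settle on one private/loopback/metadata set and document it. If the difference is deliberate, a one-line `"note"` entry in each rule stating why its exclusion list differs would stop the next maintainer from "fixing" it.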
@@ -8,10 +8,10 @@
 "winlogbeat-*",
 "logs-endpoint.events.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License",
 "name": "Unusual Process Network Connection",
- "query": "event.category:network and event.type:connection and process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
+ "query": "sequence by process.entity_id\n [process where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\") and\n event.type == \"start\"]\n [network where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\")]\n",
 "risk_score": 21,
 "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
 "severity": "low",
@@ -39,6 +39,6 @@
 ]
 }
 ],
- "type": "query",
+ "type": "eql",
 "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_wpad_exploitation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_wpad_exploitation.json
deleted file mode 100644
index a09bce5119ecf..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_wpad_exploitation.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. Attackers who have access to the local network or upstream DNS traffic can inject malicious JavaScript to the WPAD service which can lead to a full system compromise.",
- "from": "now-9m",
- "index": [
- "logs-endpoint.events.*"
- ],
- "language": "eql",
- "license": "Elastic License",
- "name": "WPAD Service Exploit",
- "query": "/* preference would be to use user.sid rather than domain+name, once it is available in ECS + datasources */\n\nsequence with maxspan=5s\n [process where event.type in (\"start\", \"process_started\") and process.name : \"svchost.exe\" and\n user.domain == \"NT AUTHORITY\" and user.name == \"LOCAL SERVICE\"] by process.entity_id\n [network where network.protocol == \"dns\" and process.name : \"svchost.exe\" and\n dns.question.name : \"wpad\" and process.name : \"svchost.exe\"] by process.entity_id\n [network where event.type == \"connection\" and process.name : \"svchost.exe\"\n and network.direction == \"outgoing\" and destination.port == 80] by process.entity_id\n [library where event.type == \"start\" and process.name : \"svchost.exe\" and\n file.name : \"jscript.dll\" and process.name : \"svchost.exe\"] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"svchost.exe\"] by process.parent.entity_id\n",
- "risk_score": 21,
- "rule_id": "ec328da1-d5df-482b-866c-4a435692b1f3",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Execution"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0002",
- "name": "Execution",
- "reference": "https://attack.mitre.org/tactics/TA0002/"
- },
- "technique": [
- {
- "id": "T1068",
- "name": "Exploitation for Privilege Escalation",
- "reference": "https://attack.mitre.org/techniques/T1068/"
- }
- ]
- }
- ],
- "type": "eql",
- "version": 1
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts
index 5fec97e83bad4..935cf52d986ff 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts
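Review bot: The twelve `process.name : "..."` disjuncts in the new query are spelled out twice, once in the `process` stage and again in the `network` stage, so the next edit to the watch-list has to be made in two places and a typo in one half silently breaks the sequence without failing validation. If the EQL parser in this release accepts a list operand for the case-insensitive `:` operator, each stage collapses to one line, e.g. `process.name : ("Microsoft.Workflow.Compiler.exe", "bginfo.exe", "cdb.exe", ...)`, which keeps the case-insensitive matching the chain currently relies on; if it does not, a short `"note"` remark that the two lists must be kept identical would at least flag the coupling. Unlike the two sibling rules rewritten in this patch, this network stage has no `cidrmatch` exclusion, which is consistent with the old KQL query but worth a sentence in the description so the broader scope reads as intentional.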
@@ -66,271 +66,265 @@
 import rule54 from './execution_command_shell_started_by_svchost.json';
 import rule55 from './execution_html_help_executable_program_connecting_to_the_internet.json';
 import rule56 from './execution_local_service_commands.json';
 import rule57 from './execution_msbuild_making_network_connections.json';
-import rule58 from './execution_mshta_making_network_connections.json';
-import rule59 from './execution_psexec_lateral_movement_command.json';
-import rule60 from './execution_register_server_program_connecting_to_the_internet.json';
-import rule61 from './execution_script_executing_powershell.json';
-import rule62 from './execution_suspicious_ms_office_child_process.json';
-import rule63 from './execution_suspicious_ms_outlook_child_process.json';
-import rule64 from './execution_unusual_network_connection_via_rundll32.json';
-import rule65 from './execution_unusual_process_network_connection.json';
-import rule66 from './execution_via_compiled_html_file.json';
-import rule67 from './initial_access_rdp_remote_desktop_protocol_to_the_internet.json';
-import rule68 from './initial_access_rpc_remote_procedure_call_from_the_internet.json';
-import rule69 from './initial_access_rpc_remote_procedure_call_to_the_internet.json';
-import rule70 from './initial_access_smb_windows_file_sharing_activity_to_the_internet.json';
-import rule71 from './lateral_movement_direct_outbound_smb_connection.json';
-import rule72 from './linux_hping_activity.json';
-import rule73 from './linux_iodine_activity.json';
-import rule74 from './linux_mknod_activity.json';
-import rule75 from './linux_netcat_network_connection.json';
-import rule76 from './linux_nmap_activity.json';
-import rule77 from './linux_nping_activity.json';
-import rule78 from './linux_process_started_in_temp_directory.json';
-import rule79 from './linux_socat_activity.json';
-import rule80 from './linux_strace_activity.json';
-import rule81 from './persistence_adobe_hijack_persistence.json';
-import rule82 from './persistence_kernel_module_activity.json';
-import rule83 from './persistence_local_scheduled_task_commands.json';
-import rule84 from './persistence_priv_escalation_via_accessibility_features.json';
-import rule85 from './persistence_shell_activity_by_web_server.json';
-import rule86 from './persistence_system_shells_via_services.json';
-import rule87 from './persistence_user_account_creation.json';
-import rule88 from './persistence_via_application_shimming.json';
-import rule89 from './privilege_escalation_unusual_parentchild_relationship.json';
-import rule90 from './defense_evasion_modification_of_boot_config.json';
-import rule91 from './privilege_escalation_uac_bypass_event_viewer.json';
-import rule92 from './discovery_net_command_system_account.json';
-import rule93 from './execution_msxsl_network.json';
-import rule94 from './command_and_control_certutil_network_connection.json';
-import rule95 from './defense_evasion_cve_2020_0601.json';
-import rule96 from './credential_access_credential_dumping_msbuild.json';
-import rule97 from './defense_evasion_execution_msbuild_started_by_office_app.json';
-import rule98 from './defense_evasion_execution_msbuild_started_by_script.json';
-import rule99 from './defense_evasion_execution_msbuild_started_by_system_process.json';
-import rule100 from './defense_evasion_execution_msbuild_started_renamed.json';
-import rule101 from './defense_evasion_execution_msbuild_started_unusal_process.json';
-import rule102 from './defense_evasion_injection_msbuild.json';
-import rule103 from './execution_via_net_com_assemblies.json';
-import rule104 from './ml_linux_anomalous_network_activity.json';
-import rule105 from './ml_linux_anomalous_network_port_activity.json';
-import rule106 from './ml_linux_anomalous_network_service.json';
-import rule107 from './ml_linux_anomalous_network_url_activity.json';
-import rule108 from './ml_linux_anomalous_process_all_hosts.json';
-import rule109 from './ml_linux_anomalous_user_name.json';
-import rule110 from './ml_packetbeat_dns_tunneling.json';
-import rule111 from './ml_packetbeat_rare_dns_question.json';
-import rule112 from './ml_packetbeat_rare_server_domain.json';
-import rule113 from './ml_packetbeat_rare_urls.json';
-import rule114 from './ml_packetbeat_rare_user_agent.json';
-import rule115 from './ml_rare_process_by_host_linux.json';
-import rule116 from './ml_rare_process_by_host_windows.json';
-import rule117 from './ml_suspicious_login_activity.json';
-import rule118 from './ml_windows_anomalous_network_activity.json';
-import rule119 from './ml_windows_anomalous_path_activity.json';
-import rule120 from './ml_windows_anomalous_process_all_hosts.json';
-import rule121 from './ml_windows_anomalous_process_creation.json';
-import rule122 from './ml_windows_anomalous_script.json';
-import rule123 from './ml_windows_anomalous_service.json';
-import rule124 from './ml_windows_anomalous_user_name.json';
-import rule125 from './ml_windows_rare_user_runas_event.json';
-import rule126 from './ml_windows_rare_user_type10_remote_login.json';
-import rule127 from './execution_suspicious_pdf_reader.json';
-import rule128 from './privilege_escalation_sudoers_file_mod.json';
-import rule129 from './defense_evasion_iis_httplogging_disabled.json';
-import rule130 from './execution_python_tty_shell.json';
-import rule131 from './execution_perl_tty_shell.json';
-import rule132 from './defense_evasion_base16_or_base32_encoding_or_decoding_activity.json';
-import rule133 from './defense_evasion_base64_encoding_or_decoding_activity.json';
-import rule134 from './defense_evasion_hex_encoding_or_decoding_activity.json';
-import rule135 from './defense_evasion_file_mod_writable_dir.json';
-import rule136 from './defense_evasion_disable_selinux_attempt.json';
-import rule137 from './discovery_kernel_module_enumeration.json';
-import rule138 from './lateral_movement_telnet_network_activity_external.json';
-import rule139 from './lateral_movement_telnet_network_activity_internal.json';
-import rule140 from './privilege_escalation_setgid_bit_set_via_chmod.json';
-import rule141 from './privilege_escalation_setuid_bit_set_via_chmod.json';
-import rule142 from './defense_evasion_attempt_to_disable_iptables_or_firewall.json';
-import rule143 from './defense_evasion_kernel_module_removal.json';
-import rule144 from './defense_evasion_attempt_to_disable_syslog_service.json';
-import rule145 from './defense_evasion_file_deletion_via_shred.json';
-import rule146 from './discovery_virtual_machine_fingerprinting.json';
-import rule147 from './defense_evasion_hidden_file_dir_tmp.json';
-import rule148 from './defense_evasion_deletion_of_bash_command_line_history.json';
-import rule149 from './impact_cloudwatch_log_group_deletion.json';
-import rule150 from './impact_cloudwatch_log_stream_deletion.json';
-import rule151 from './impact_rds_instance_cluster_stoppage.json';
-import rule152 from './persistence_attempt_to_deactivate_mfa_for_okta_user_account.json';
-import rule153 from './persistence_rds_cluster_creation.json';
-import rule154 from './credential_access_attempted_bypass_of_okta_mfa.json';
-import rule155 from './defense_evasion_waf_acl_deletion.json';
-import rule156 from './impact_attempt_to_revoke_okta_api_token.json';
-import rule157 from './impact_iam_group_deletion.json';
-import rule158 from './impact_possible_okta_dos_attack.json';
-import rule159 from './impact_rds_cluster_deletion.json';
-import rule160 from './initial_access_suspicious_activity_reported_by_okta_user.json';
-import rule161 from './okta_attempt_to_deactivate_okta_mfa_rule.json';
-import rule162 from './okta_attempt_to_modify_okta_mfa_rule.json';
-import rule163 from './okta_attempt_to_modify_okta_network_zone.json';
-import rule164 from './okta_attempt_to_modify_okta_policy.json';
-import rule165 from './okta_threat_detected_by_okta_threatinsight.json';
-import rule166 from './persistence_administrator_privileges_assigned_to_okta_group.json';
-import rule167 from './persistence_attempt_to_create_okta_api_token.json';
-import rule168 from './persistence_attempt_to_deactivate_okta_policy.json';
-import rule169 from './persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json';
-import rule170 from './defense_evasion_cloudtrail_logging_deleted.json';
-import rule171 from './defense_evasion_ec2_network_acl_deletion.json';
-import rule172 from './impact_iam_deactivate_mfa_device.json';
-import rule173 from './defense_evasion_s3_bucket_configuration_deletion.json';
-import rule174 from './defense_evasion_guardduty_detector_deletion.json';
-import rule175 from './okta_attempt_to_delete_okta_policy.json';
-import rule176 from './credential_access_iam_user_addition_to_group.json';
-import rule177 from './persistence_ec2_network_acl_creation.json';
-import rule178 from './impact_ec2_disable_ebs_encryption.json';
-import rule179 from './persistence_iam_group_creation.json';
-import rule180 from './defense_evasion_waf_rule_or_rule_group_deletion.json';
-import rule181 from './collection_cloudtrail_logging_created.json';
-import rule182 from './defense_evasion_cloudtrail_logging_suspended.json';
-import rule183 from './impact_cloudtrail_logging_updated.json';
-import rule184 from './initial_access_console_login_root.json';
-import rule185 from './defense_evasion_cloudwatch_alarm_deletion.json';
-import rule186 from './defense_evasion_ec2_flow_log_deletion.json';
-import rule187 from './defense_evasion_configuration_recorder_stopped.json';
-import rule188 from './exfiltration_ec2_snapshot_change_activity.json';
-import rule189 from './defense_evasion_config_service_rule_deletion.json';
-import rule190 from './okta_attempt_to_modify_or_delete_application_sign_on_policy.json';
-import rule191 from './command_and_control_download_rar_powershell_from_internet.json';
-import rule192 from './initial_access_password_recovery.json';
-import rule193 from './command_and_control_cobalt_strike_beacon.json';
-import rule194 from './command_and_control_fin7_c2_behavior.json';
-import rule195 from './command_and_control_halfbaked_beacon.json';
-import rule196 from './credential_access_secretsmanager_getsecretvalue.json';
-import rule197 from './execution_via_system_manager.json';
-import rule198 from './privilege_escalation_root_login_without_mfa.json';
-import rule199 from './privilege_escalation_updateassumerolepolicy.json';
-import rule200 from './impact_hosts_file_modified.json';
-import rule201 from './elastic_endpoint.json';
-import rule202 from './external_alerts.json';
-import rule203 from './ml_cloudtrail_error_message_spike.json';
-import rule204 from './ml_cloudtrail_rare_error_code.json';
-import rule205 from './ml_cloudtrail_rare_method_by_city.json';
-import rule206 from './ml_cloudtrail_rare_method_by_country.json';
-import rule207 from './ml_cloudtrail_rare_method_by_user.json';
-import rule208 from './credential_access_aws_iam_assume_role_brute_force.json';
-import rule209 from './credential_access_okta_brute_force_or_password_spraying.json';
-import rule210 from './execution_unusual_dns_service_children.json';
-import rule211 from './execution_unusual_dns_service_file_writes.json';
-import rule212 from './lateral_movement_dns_server_overflow.json';
-import rule213 from './credential_access_root_console_failure_brute_force.json';
-import rule214 from './initial_access_unsecure_elasticsearch_node.json';
-import rule215 from './credential_access_domain_backup_dpapi_private_keys.json';
-import rule216 from './persistence_gpo_schtask_service_creation.json';
-import rule217 from './credential_access_compress_credentials_keychains.json';
-import rule218 from './credential_access_kerberosdump_kcc.json';
-import rule219 from './execution_suspicious_psexesvc.json';
-import rule220 from './execution_via_xp_cmdshell_mssql_stored_procedure.json';
-import rule221 from './privilege_escalation_printspooler_service_suspicious_file.json';
-import rule222 from './privilege_escalation_printspooler_suspicious_spl_file.json';
-import rule223 from './defense_evasion_azure_diagnostic_settings_deletion.json';
-import rule224 from './execution_command_virtual_machine.json';
-import rule225 from './execution_via_hidden_shell_conhost.json';
-import rule226 from './impact_resource_group_deletion.json';
-import rule227 from './persistence_via_telemetrycontroller_scheduledtask_hijack.json';
-import rule228 from './persistence_via_update_orchestrator_service_hijack.json';
-import rule229 from './collection_update_event_hub_auth_rule.json';
-import rule230 from './credential_access_iis_apppoolsa_pwd_appcmd.json';
-import rule231 from './credential_access_iis_connectionstrings_dumping.json';
-import rule232 from './defense_evasion_event_hub_deletion.json';
-import rule233 from './defense_evasion_firewall_policy_deletion.json';
-import rule234 from './defense_evasion_sdelete_like_filename_rename.json';
-import rule235 from './lateral_movement_remote_ssh_login_enabled.json';
-import rule236 from './persistence_azure_automation_account_created.json';
-import rule237 from './persistence_azure_automation_runbook_created_or_modified.json';
-import rule238 from './persistence_azure_automation_webhook_created.json';
-import rule239 from './privilege_escalation_uac_bypass_diskcleanup_hijack.json';
-import rule240 from './credential_access_attempts_to_brute_force_okta_user_account.json';
-import rule241 from './credential_access_storage_account_key_regenerated.json';
-import rule242 from './defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json';
-import rule243 from './defense_evasion_system_critical_proc_abnormal_file_activity.json';
-import rule244 from './defense_evasion_unusual_system_vp_child_program.json';
-import rule245 from './discovery_blob_container_access_mod.json';
-import rule246 from './persistence_mfa_disabled_for_azure_user.json';
-import rule247 from './persistence_user_added_as_owner_for_azure_application.json';
-import rule248 from './persistence_user_added_as_owner_for_azure_service_principal.json';
-import rule249 from './defense_evasion_dotnet_compiler_parent_process.json';
-import rule250 from './defense_evasion_suspicious_managedcode_host_process.json';
-import rule251 from './execution_command_shell_started_by_unusual_process.json';
-import rule252 from './defense_evasion_masquerading_as_elastic_endpoint_process.json';
-import rule253 from './defense_evasion_masquerading_suspicious_werfault_childproc.json';
-import rule254 from './defense_evasion_masquerading_werfault.json';
-import rule255 from './credential_access_key_vault_modified.json';
-import rule256 from './credential_access_mimikatz_memssp_default_logs.json';
-import rule257 from './defense_evasion_code_injection_conhost.json';
-import rule258 from './defense_evasion_network_watcher_deletion.json';
-import rule259 from './initial_access_external_guest_user_invite.json';
-import rule260 from './defense_evasion_masquerading_renamed_autoit.json';
-import rule261 from './impact_azure_automation_runbook_deleted.json';
-import rule262 from './initial_access_consent_grant_attack_via_azure_registered_application.json';
-import rule263 from './persistence_azure_conditional_access_policy_modified.json';
-import rule264 from './persistence_azure_privileged_identity_management_role_modified.json';
-import rule265 from './command_and_control_teamviewer_remote_file_copy.json';
-import rule266 from './defense_evasion_installutil_beacon.json';
-import rule267 from './defense_evasion_msbuild_beacon_sequence.json';
-import rule268 from './defense_evasion_mshta_beacon.json';
-import rule269 from './defense_evasion_msxsl_beacon.json';
-import rule270 from './defense_evasion_network_connection_from_windows_binary.json';
-import rule271 from './defense_evasion_reg_beacon.json';
-import rule272 from './defense_evasion_rundll32_no_arguments.json';
-import rule273 from './defense_evasion_rundll32_sequence.json';
-import rule274 from './defense_evasion_suspicious_scrobj_load.json';
-import rule275 from './defense_evasion_suspicious_wmi_script.json';
-import rule276 from './execution_ms_office_written_file.json';
-import rule277 from './execution_pdf_written_file.json';
-import rule278 from './execution_wpad_exploitation.json';
-import rule279 from './lateral_movement_cmd_service.json';
-import rule280 from './persistence_app_compat_shim.json';
-import rule281 from './privilege_escalation_uac_sdclt.json';
-import rule282 from './command_and_control_remote_file_copy_desktopimgdownldr.json';
-import rule283 from './command_and_control_remote_file_copy_mpcmdrun.json';
-import rule284 from './defense_evasion_execution_suspicious_explorer_winword.json';
-import rule285 from './defense_evasion_suspicious_zoom_child_process.json';
-import rule286 from './ml_linux_anomalous_compiler_activity.json';
-import rule287 from './ml_linux_anomalous_kernel_module_arguments.json';
-import rule288 from './ml_linux_anomalous_sudo_activity.json';
-import rule289 from './ml_linux_system_information_discovery.json';
-import rule290 from './ml_linux_system_network_configuration_discovery.json';
-import rule291 from './ml_linux_system_network_connection_discovery.json';
-import rule292 from './ml_linux_system_process_discovery.json';
-import rule293 from './ml_linux_system_user_discovery.json';
-import rule294 from './discovery_post_exploitation_public_ip_reconnaissance.json';
-import rule295 from './defense_evasion_gcp_logging_sink_deletion.json';
-import rule296 from './defense_evasion_gcp_pub_sub_topic_deletion.json';
-import rule297 from './credential_access_gcp_iam_service_account_key_deletion.json';
-import rule298 from './credential_access_gcp_key_created_for_service_account.json';
-import rule299 from './defense_evasion_gcp_firewall_rule_created.json';
-import rule300 from './defense_evasion_gcp_firewall_rule_deleted.json';
-import rule301 from './defense_evasion_gcp_firewall_rule_modified.json';
-import rule302 from './defense_evasion_gcp_logging_bucket_deletion.json';
-import rule303 from './defense_evasion_gcp_storage_bucket_permissions_modified.json';
-import rule304 from './impact_gcp_storage_bucket_deleted.json';
-import rule305 from './initial_access_gcp_iam_custom_role_creation.json';
-import rule306 from './defense_evasion_gcp_storage_bucket_configuration_modified.json';
-import rule307 from './exfiltration_gcp_logging_sink_modification.json';
-import rule308 from './impact_gcp_iam_role_deletion.json';
-import rule309 from './impact_gcp_service_account_deleted.json';
-import rule310 from './impact_gcp_service_account_disabled.json';
-import rule311 from './impact_gcp_virtual_private_cloud_network_deleted.json';
-import rule312 from './impact_gcp_virtual_private_cloud_route_created.json';
-import rule313 from './impact_gcp_virtual_private_cloud_route_deleted.json';
-import rule314 from './ml_linux_anomalous_metadata_process.json';
-import rule315 from './ml_linux_anomalous_metadata_user.json';
-import rule316 from './ml_windows_anomalous_metadata_process.json';
-import rule317 from './ml_windows_anomalous_metadata_user.json';
-import rule318 from './persistence_gcp_service_account_created.json';
-import rule319 from './collection_gcp_pub_sub_subscription_creation.json';
-import rule320 from './collection_gcp_pub_sub_topic_creation.json';
-import rule321 from './defense_evasion_gcp_pub_sub_subscription_deletion.json';
-import rule322 from './persistence_azure_pim_user_added_global_admin.json';
+import rule58 from './execution_psexec_lateral_movement_command.json';
+import rule59 from './execution_register_server_program_connecting_to_the_internet.json';
+import rule60 from './execution_script_executing_powershell.json';
+import rule61 from './execution_suspicious_ms_office_child_process.json';
+import rule62 from './execution_suspicious_ms_outlook_child_process.json';
+import rule63 from './execution_unusual_network_connection_via_rundll32.json';
+import rule64 from './execution_unusual_process_network_connection.json';
+import rule65 from './execution_via_compiled_html_file.json';
+import rule66 from './initial_access_rdp_remote_desktop_protocol_to_the_internet.json';
+import rule67 from './initial_access_rpc_remote_procedure_call_from_the_internet.json';
+import rule68 from './initial_access_rpc_remote_procedure_call_to_the_internet.json';
+import rule69 from './initial_access_smb_windows_file_sharing_activity_to_the_internet.json';
+import rule70 from './lateral_movement_direct_outbound_smb_connection.json';
+import rule71 from './linux_hping_activity.json';
+import rule72 from './linux_iodine_activity.json';
+import rule73 from './linux_mknod_activity.json';
+import rule74 from './linux_netcat_network_connection.json';
+import rule75 from './linux_nmap_activity.json';
+import rule76 from './linux_nping_activity.json';
+import rule77 from './linux_process_started_in_temp_directory.json';
+import rule78 from './linux_socat_activity.json';
+import rule79 from './linux_strace_activity.json';
+import rule80 from './persistence_adobe_hijack_persistence.json';
+import rule81 from './persistence_kernel_module_activity.json';
+import rule82 from './persistence_local_scheduled_task_commands.json';
+import rule83 from './persistence_priv_escalation_via_accessibility_features.json';
+import rule84 from './persistence_shell_activity_by_web_server.json';
+import rule85 from './persistence_system_shells_via_services.json';
+import rule86 from './persistence_user_account_creation.json';
+import rule87 from './persistence_via_application_shimming.json';
+import rule88 from './privilege_escalation_unusual_parentchild_relationship.json';
+import rule89 from './defense_evasion_modification_of_boot_config.json';
+import rule90 from './privilege_escalation_uac_bypass_event_viewer.json';
+import rule91 from './discovery_net_command_system_account.json';
+import rule92 from './execution_msxsl_network.json';
+import rule93 from './command_and_control_certutil_network_connection.json';
+import rule94 from './defense_evasion_cve_2020_0601.json';
+import rule95 from './credential_access_credential_dumping_msbuild.json';
+import rule96 from './defense_evasion_execution_msbuild_started_by_office_app.json';
+import rule97 from './defense_evasion_execution_msbuild_started_by_script.json';
+import rule98 from './defense_evasion_execution_msbuild_started_by_system_process.json';
+import rule99 from './defense_evasion_execution_msbuild_started_renamed.json';
+import rule100 from './defense_evasion_execution_msbuild_started_unusal_process.json';
+import rule101 from './defense_evasion_injection_msbuild.json';
+import rule102 from './execution_via_net_com_assemblies.json';
+import rule103 from './ml_linux_anomalous_network_activity.json';
+import rule104 from './ml_linux_anomalous_network_port_activity.json';
+import rule105 from './ml_linux_anomalous_network_service.json';
+import rule106 from './ml_linux_anomalous_network_url_activity.json';
+import rule107 from './ml_linux_anomalous_process_all_hosts.json';
+import rule108 from './ml_linux_anomalous_user_name.json';
+import rule109 from './ml_packetbeat_dns_tunneling.json';
+import rule110 from './ml_packetbeat_rare_dns_question.json';
+import rule111 from './ml_packetbeat_rare_server_domain.json';
+import rule112 from './ml_packetbeat_rare_urls.json';
+import rule113 from './ml_packetbeat_rare_user_agent.json';
+import rule114 from './ml_rare_process_by_host_linux.json';
+import rule115 from './ml_rare_process_by_host_windows.json';
+import rule116 from './ml_suspicious_login_activity.json';
+import rule117 from './ml_windows_anomalous_network_activity.json';
+import rule118 from './ml_windows_anomalous_path_activity.json';
+import rule119 from './ml_windows_anomalous_process_all_hosts.json';
+import rule120 from './ml_windows_anomalous_process_creation.json';
+import rule121 from './ml_windows_anomalous_script.json';
+import rule122 from './ml_windows_anomalous_service.json';
+import rule123 from './ml_windows_anomalous_user_name.json';
+import rule124 from './ml_windows_rare_user_runas_event.json';
+import rule125 from './ml_windows_rare_user_type10_remote_login.json';
+import rule126 from './execution_suspicious_pdf_reader.json';
+import rule127 from './privilege_escalation_sudoers_file_mod.json';
+import rule128 from './defense_evasion_iis_httplogging_disabled.json';
+import rule129 from './execution_python_tty_shell.json';
+import rule130 from './execution_perl_tty_shell.json';
+import rule131 from './defense_evasion_base16_or_base32_encoding_or_decoding_activity.json';
+import rule132 from './defense_evasion_base64_encoding_or_decoding_activity.json';
+import rule133 from './defense_evasion_hex_encoding_or_decoding_activity.json';
+import rule134 from './defense_evasion_file_mod_writable_dir.json';
+import rule135 from './defense_evasion_disable_selinux_attempt.json';
+import rule136 from './discovery_kernel_module_enumeration.json';
+import rule137 from './lateral_movement_telnet_network_activity_external.json';
+import rule138 from './lateral_movement_telnet_network_activity_internal.json';
+import rule139 from './privilege_escalation_setgid_bit_set_via_chmod.json';
+import rule140 from './privilege_escalation_setuid_bit_set_via_chmod.json';
+import rule141 from './defense_evasion_attempt_to_disable_iptables_or_firewall.json';
+import rule142 from './defense_evasion_kernel_module_removal.json';
+import rule143 from './defense_evasion_attempt_to_disable_syslog_service.json';
+import rule144 from './defense_evasion_file_deletion_via_shred.json';
+import rule145 from './discovery_virtual_machine_fingerprinting.json';
+import rule146 from './defense_evasion_hidden_file_dir_tmp.json';
+import rule147 from './defense_evasion_deletion_of_bash_command_line_history.json';
+import rule148 from './impact_cloudwatch_log_group_deletion.json';
+import rule149 from './impact_cloudwatch_log_stream_deletion.json';
+import rule150 from './impact_rds_instance_cluster_stoppage.json';
+import rule151 from './persistence_attempt_to_deactivate_mfa_for_okta_user_account.json';
+import rule152 from './persistence_rds_cluster_creation.json';
+import rule153 from './credential_access_attempted_bypass_of_okta_mfa.json';
+import rule154 from './defense_evasion_waf_acl_deletion.json';
+import rule155 from './impact_attempt_to_revoke_okta_api_token.json';
+import rule156 from './impact_iam_group_deletion.json';
+import rule157 from './impact_possible_okta_dos_attack.json';
+import rule158 from './impact_rds_cluster_deletion.json';
+import rule159 from './initial_access_suspicious_activity_reported_by_okta_user.json';
+import rule160 from './okta_attempt_to_deactivate_okta_mfa_rule.json';
+import rule161 from './okta_attempt_to_modify_okta_mfa_rule.json';
+import rule162 from './okta_attempt_to_modify_okta_network_zone.json';
+import rule163 from './okta_attempt_to_modify_okta_policy.json';
+import rule164 from './okta_threat_detected_by_okta_threatinsight.json';
+import rule165 from './persistence_administrator_privileges_assigned_to_okta_group.json';
+import rule166 from './persistence_attempt_to_create_okta_api_token.json';
+import rule167 from './persistence_attempt_to_deactivate_okta_policy.json';
+import rule168 from './persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json';
+import rule169 from './defense_evasion_cloudtrail_logging_deleted.json';
+import rule170 from './defense_evasion_ec2_network_acl_deletion.json';
+import rule171 from './impact_iam_deactivate_mfa_device.json';
+import rule172 from './defense_evasion_s3_bucket_configuration_deletion.json';
+import rule173 from './defense_evasion_guardduty_detector_deletion.json';
+import rule174 from
'./okta_attempt_to_delete_okta_policy.json'; +import rule175 from './credential_access_iam_user_addition_to_group.json'; +import rule176 from './persistence_ec2_network_acl_creation.json'; +import rule177 from './impact_ec2_disable_ebs_encryption.json'; +import rule178 from './persistence_iam_group_creation.json'; +import rule179 from './defense_evasion_waf_rule_or_rule_group_deletion.json'; +import rule180 from './collection_cloudtrail_logging_created.json'; +import rule181 from './defense_evasion_cloudtrail_logging_suspended.json'; +import rule182 from './impact_cloudtrail_logging_updated.json'; +import rule183 from './initial_access_console_login_root.json'; +import rule184 from './defense_evasion_cloudwatch_alarm_deletion.json'; +import rule185 from './defense_evasion_ec2_flow_log_deletion.json'; +import rule186 from './defense_evasion_configuration_recorder_stopped.json'; +import rule187 from './exfiltration_ec2_snapshot_change_activity.json'; +import rule188 from './defense_evasion_config_service_rule_deletion.json'; +import rule189 from './okta_attempt_to_modify_or_delete_application_sign_on_policy.json'; +import rule190 from './command_and_control_download_rar_powershell_from_internet.json'; +import rule191 from './initial_access_password_recovery.json'; +import rule192 from './command_and_control_cobalt_strike_beacon.json'; +import rule193 from './command_and_control_fin7_c2_behavior.json'; +import rule194 from './command_and_control_halfbaked_beacon.json'; +import rule195 from './credential_access_secretsmanager_getsecretvalue.json'; +import rule196 from './execution_via_system_manager.json'; +import rule197 from './privilege_escalation_root_login_without_mfa.json'; +import rule198 from './privilege_escalation_updateassumerolepolicy.json'; +import rule199 from './impact_hosts_file_modified.json'; +import rule200 from './elastic_endpoint.json'; +import rule201 from './external_alerts.json'; +import rule202 from './ml_cloudtrail_error_message_spike.json'; 
+import rule203 from './ml_cloudtrail_rare_error_code.json'; +import rule204 from './ml_cloudtrail_rare_method_by_city.json'; +import rule205 from './ml_cloudtrail_rare_method_by_country.json'; +import rule206 from './ml_cloudtrail_rare_method_by_user.json'; +import rule207 from './credential_access_aws_iam_assume_role_brute_force.json'; +import rule208 from './credential_access_okta_brute_force_or_password_spraying.json'; +import rule209 from './execution_unusual_dns_service_children.json'; +import rule210 from './execution_unusual_dns_service_file_writes.json'; +import rule211 from './lateral_movement_dns_server_overflow.json'; +import rule212 from './credential_access_root_console_failure_brute_force.json'; +import rule213 from './initial_access_unsecure_elasticsearch_node.json'; +import rule214 from './credential_access_domain_backup_dpapi_private_keys.json'; +import rule215 from './persistence_gpo_schtask_service_creation.json'; +import rule216 from './credential_access_compress_credentials_keychains.json'; +import rule217 from './credential_access_kerberosdump_kcc.json'; +import rule218 from './execution_suspicious_psexesvc.json'; +import rule219 from './execution_via_xp_cmdshell_mssql_stored_procedure.json'; +import rule220 from './privilege_escalation_printspooler_service_suspicious_file.json'; +import rule221 from './privilege_escalation_printspooler_suspicious_spl_file.json'; +import rule222 from './defense_evasion_azure_diagnostic_settings_deletion.json'; +import rule223 from './execution_command_virtual_machine.json'; +import rule224 from './execution_via_hidden_shell_conhost.json'; +import rule225 from './impact_resource_group_deletion.json'; +import rule226 from './persistence_via_telemetrycontroller_scheduledtask_hijack.json'; +import rule227 from './persistence_via_update_orchestrator_service_hijack.json'; +import rule228 from './collection_update_event_hub_auth_rule.json'; +import rule229 from './credential_access_iis_apppoolsa_pwd_appcmd.json'; 
+import rule230 from './credential_access_iis_connectionstrings_dumping.json'; +import rule231 from './defense_evasion_event_hub_deletion.json'; +import rule232 from './defense_evasion_firewall_policy_deletion.json'; +import rule233 from './defense_evasion_sdelete_like_filename_rename.json'; +import rule234 from './lateral_movement_remote_ssh_login_enabled.json'; +import rule235 from './persistence_azure_automation_account_created.json'; +import rule236 from './persistence_azure_automation_runbook_created_or_modified.json'; +import rule237 from './persistence_azure_automation_webhook_created.json'; +import rule238 from './privilege_escalation_uac_bypass_diskcleanup_hijack.json'; +import rule239 from './credential_access_attempts_to_brute_force_okta_user_account.json'; +import rule240 from './credential_access_storage_account_key_regenerated.json'; +import rule241 from './defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json'; +import rule242 from './defense_evasion_system_critical_proc_abnormal_file_activity.json'; +import rule243 from './defense_evasion_unusual_system_vp_child_program.json'; +import rule244 from './discovery_blob_container_access_mod.json'; +import rule245 from './persistence_mfa_disabled_for_azure_user.json'; +import rule246 from './persistence_user_added_as_owner_for_azure_application.json'; +import rule247 from './persistence_user_added_as_owner_for_azure_service_principal.json'; +import rule248 from './defense_evasion_dotnet_compiler_parent_process.json'; +import rule249 from './defense_evasion_suspicious_managedcode_host_process.json'; +import rule250 from './execution_command_shell_started_by_unusual_process.json'; +import rule251 from './defense_evasion_masquerading_as_elastic_endpoint_process.json'; +import rule252 from './defense_evasion_masquerading_suspicious_werfault_childproc.json'; +import rule253 from './defense_evasion_masquerading_werfault.json'; +import rule254 from 
'./credential_access_key_vault_modified.json'; +import rule255 from './credential_access_mimikatz_memssp_default_logs.json'; +import rule256 from './defense_evasion_code_injection_conhost.json'; +import rule257 from './defense_evasion_network_watcher_deletion.json'; +import rule258 from './initial_access_external_guest_user_invite.json'; +import rule259 from './defense_evasion_masquerading_renamed_autoit.json'; +import rule260 from './impact_azure_automation_runbook_deleted.json'; +import rule261 from './initial_access_consent_grant_attack_via_azure_registered_application.json'; +import rule262 from './persistence_azure_conditional_access_policy_modified.json'; +import rule263 from './persistence_azure_privileged_identity_management_role_modified.json'; +import rule264 from './command_and_control_teamviewer_remote_file_copy.json'; +import rule265 from './defense_evasion_installutil_beacon.json'; +import rule266 from './defense_evasion_mshta_beacon.json'; +import rule267 from './defense_evasion_network_connection_from_windows_binary.json'; +import rule268 from './defense_evasion_rundll32_no_arguments.json'; +import rule269 from './defense_evasion_suspicious_scrobj_load.json'; +import rule270 from './defense_evasion_suspicious_wmi_script.json'; +import rule271 from './execution_ms_office_written_file.json'; +import rule272 from './execution_pdf_written_file.json'; +import rule273 from './lateral_movement_cmd_service.json'; +import rule274 from './persistence_app_compat_shim.json'; +import rule275 from './command_and_control_remote_file_copy_desktopimgdownldr.json'; +import rule276 from './command_and_control_remote_file_copy_mpcmdrun.json'; +import rule277 from './defense_evasion_execution_suspicious_explorer_winword.json'; +import rule278 from './defense_evasion_suspicious_zoom_child_process.json'; +import rule279 from './ml_linux_anomalous_compiler_activity.json'; +import rule280 from './ml_linux_anomalous_kernel_module_arguments.json'; +import rule281 from 
'./ml_linux_anomalous_sudo_activity.json'; +import rule282 from './ml_linux_system_information_discovery.json'; +import rule283 from './ml_linux_system_network_configuration_discovery.json'; +import rule284 from './ml_linux_system_network_connection_discovery.json'; +import rule285 from './ml_linux_system_process_discovery.json'; +import rule286 from './ml_linux_system_user_discovery.json'; +import rule287 from './discovery_post_exploitation_public_ip_reconnaissance.json'; +import rule288 from './initial_access_zoom_meeting_with_no_passcode.json'; +import rule289 from './defense_evasion_gcp_logging_sink_deletion.json'; +import rule290 from './defense_evasion_gcp_pub_sub_topic_deletion.json'; +import rule291 from './credential_access_gcp_iam_service_account_key_deletion.json'; +import rule292 from './credential_access_gcp_key_created_for_service_account.json'; +import rule293 from './defense_evasion_gcp_firewall_rule_created.json'; +import rule294 from './defense_evasion_gcp_firewall_rule_deleted.json'; +import rule295 from './defense_evasion_gcp_firewall_rule_modified.json'; +import rule296 from './defense_evasion_gcp_logging_bucket_deletion.json'; +import rule297 from './defense_evasion_gcp_storage_bucket_permissions_modified.json'; +import rule298 from './impact_gcp_storage_bucket_deleted.json'; +import rule299 from './initial_access_gcp_iam_custom_role_creation.json'; +import rule300 from './defense_evasion_gcp_storage_bucket_configuration_modified.json'; +import rule301 from './exfiltration_gcp_logging_sink_modification.json'; +import rule302 from './impact_gcp_iam_role_deletion.json'; +import rule303 from './impact_gcp_service_account_deleted.json'; +import rule304 from './impact_gcp_service_account_disabled.json'; +import rule305 from './impact_gcp_virtual_private_cloud_network_deleted.json'; +import rule306 from './impact_gcp_virtual_private_cloud_route_created.json'; +import rule307 from './impact_gcp_virtual_private_cloud_route_deleted.json'; +import 
rule308 from './ml_linux_anomalous_metadata_process.json'; +import rule309 from './ml_linux_anomalous_metadata_user.json'; +import rule310 from './ml_windows_anomalous_metadata_process.json'; +import rule311 from './ml_windows_anomalous_metadata_user.json'; +import rule312 from './persistence_gcp_service_account_created.json'; +import rule313 from './collection_gcp_pub_sub_subscription_creation.json'; +import rule314 from './collection_gcp_pub_sub_topic_creation.json'; +import rule315 from './defense_evasion_gcp_pub_sub_subscription_deletion.json'; +import rule316 from './persistence_azure_pim_user_added_global_admin.json'; export const rawRules = [ rule1, @@ -649,10 +643,4 @@ export const rawRules = [ rule314, rule315, rule316, - rule317, - rule318, - rule319, - rule320, - rule321, - rule322, ]; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_zoom_meeting_with_no_passcode.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_zoom_meeting_with_no_passcode.json new file mode 100644 index 0000000000000..8ce2400e3e2c8 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_zoom_meeting_with_no_passcode.json 
@@ -0,0 +1,49 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.",
+ "index": [
+ "filebeat-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License",
+ "name": "Zoom Meeting with no Passcode",
+ "note": "This rule requires the Zoom Filebeat module.",
+ "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and event.action:meeting.created and not zoom.meeting.password:*",
+ "references": [
+ "https://blog.zoom.us/a-message-to-our-users/",
+ "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic"
+ ],
+ "risk_score": 47,
+ "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Application",
+ "Communication",
+ "Zoom",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1190",
+ "name": "Exploit Public-Facing Application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
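Review bot: The `"query"` only inspects `event.action:meeting.created`, so a meeting whose passcode is removed after creation is never seen by this rule; if the Zoom webhook's `meeting.updated` payload also carries `zoom.meeting.password` (not verifiable from this file), widening to `event.action:(meeting.created or meeting.updated)` would close that gap. The `not zoom.meeting.password:*` clause also matches when the field is simply absent from the document, so a mapping or module-version gap silently looks like a missing passcode, which is worth one sentence in `"note"` next to the Filebeat-module requirement. The `"description"` has a typo: `typically resulting of the shutdown` should read `typically resulting in the shutdown`.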
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_cmd_service.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_cmd_service.json
index f4e137663762a..148bd72f7c4be 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_cmd_service.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_cmd_service.json
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License",
 "name": "Service Command Lateral Movement",
- "query": "sequence by process.entity_id with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n (process.name == \"sc.exe\" /* or process.pe.original_file_name == \"sc.exe\" */ ) and\n /* case insensitive */\n wildcard(process.args, \"\\\\\\\\*\") and wildcard(process.args, \"binPath=*\", \"binpath=*\") and \n (process.args : \"create\" or\n process.args : \"config\" or\n process.args : \"failure\" or\n process.args : \"start\")]\n [network where event.type == \"connection\" and process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n",
+ "query": "sequence by process.entity_id with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n (process.name == \"sc.exe\" /* or process.pe.original_file_name == \"sc.exe\" */ ) and\n /* case insensitive */\n wildcard(process.args, \"\\\\\\\\*\") and wildcard(process.args, \"binPath=*\", \"binpath=*\") and\n (process.args : \"create\" or\n process.args : \"config\" or\n process.args : \"failure\" or\n process.args : \"start\")]\n [network where process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n",
 "risk_score": 21,
 "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc",
 "severity": "low",
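Review bot: The network stage of the new `"query"` still excludes only IPv4 loopback (`destination.ip != "127.0.0.1"`), so an `sc.exe` invocation against `\\::1` or any other IPv6-loopback target would complete the sequence as if it were lateral movement; the SMB rule in this same patch uses `not cidrmatch(destination.ip, "127.0.0.1", "::1")`, and the same form fits here. Dropping `event.type == "connection"` from that stage means any network-category event from sc.exe now completes the sequence; if the intent is to accept endpoint `connection_attempted`-style events, a short `/* any network event type: endpoint and winlogbeat differ here */` comment in the query would spare the next maintainer from re-adding the filter. The `/* uncomment once in winlogbeat */` placeholder also survives this edit, presumably still waiting on `process.pe.original_file_name`.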
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_direct_outbound_smb_connection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_direct_outbound_smb_connection.json
index 39f45a736383a..bb461cc8321e1 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_direct_outbound_smb_connection.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_direct_outbound_smb_connection.json
@@ -8,10 +8,10 @@
 "winlogbeat-*",
 "logs-endpoint.events.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License",
 "name": "Direct Outbound SMB Connection",
- "query": "event.category:network and event.type:connection and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or \"::1\")",
+ "query": "sequence by process.entity_id\n [process where event.type == \"start\" and process.pid != 4]\n [network where destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
 "risk_score": 47,
 "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
 "severity": "medium",
@@ -39,6 +39,6 @@
 ]
 }
 ],
- "type": "query",
+ "type": "eql",
 "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_external.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_external.json
index ff62251a465f7..70d4665ee02f0 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_external.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_external.json
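Review bot: Turning this rule into a `sequence by process.entity_id` narrows what it can see: the new `"query"` only fires if the sensor observed the process `start`, so a process that was already running when the agent came up, or whose start event was dropped, can open port-445 connections without ever alerting, whereas the old single-event KQL caught every such connection. The sequence also has no `with maxspan=...`, so the first stage is held open indefinitely for every non-System process on the host, which is costly and unlike the `maxspan=1m` the sc.exe rule in this same patch uses. The process stage matches only `event.type == "start"` while that sibling rule accepts `event.type in ("start", "process_started")`; unless the difference is deliberate, the two should agree. `"version": 5` is left as context even though `"language"`, `"query"` and `"type"` all changed, so unless it was already bumped earlier in this release cycle an installed copy of the rule would not pick up the new query.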
@@ -11,10 +11,10 @@
 "auditbeat-*",
 "logs-endpoint.events.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License",
 "name": "Connection to External Network via Telnet",
- "query": "event.category:network and event.type:(connection or start) and process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\" or \"::1/128\")",
+ "query": "sequence by process.entity_id\n [process where process.name == \"telnet\" and event.type == \"start\"]\n [network where process.name == \"telnet\" and\n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"10.0.0.0/8\", \"172.16.0.0/12\",\n \"192.168.0.0/16\", \"FE80::/10\", \"::1/128\")]\n",
 "risk_score": 47,
 "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362",
 "severity": "medium",
@@ -42,6 +42,6 @@
 ]
 }
 ],
- "type": "query",
+ "type": "eql",
 "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_internal.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_internal.json
index bb6c03e9410e5..8db2a058c3e9e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_internal.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_internal.json
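Review bot: The `cidrmatch` exclusion in the network stage treats everything outside RFC1918, loopback and `FE80::/10` as "external", so telnet to an IPv6 unique-local address (`fc00::/7`), to IPv4 link-local (`169.254.0.0/16`) or to a CGNAT range (`100.64.0.0/10`) is reported as an external connection; adding at least `"fc00::/7"` to the list mirrors what the rule already does for private IPv4 space. As with the other sequence conversions in this patch, the rule now requires the telnet `start` event to have been observed and keeps that stage open with no `maxspan`; since an interactive telnet normally connects within moments of starting, a bound such as `sequence by process.entity_id with maxspan=1m` limits the state without losing the case the rule is after. `"version": 4` is unchanged context despite the query and type rewrite, so an already-installed copy may not receive this update unless the version was bumped elsewhere.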
@@ -11,10 +11,10 @@
 "auditbeat-*",
 "logs-endpoint.events.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License",
 "name": "Connection to Internal Network via Telnet",
- "query": "event.category:network and event.type:(connection or start) and process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\") and not (127.0.0.0/8 or \"::1/128\"))",
+ "query": "sequence by process.entity_id\n [process where process.name == \"telnet\" and event.type == \"start\"]\n [network where process.name == \"telnet\" and\n cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"FE80::/10\") and\n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"::1/128\")]\n",
 "risk_score": 47,
 "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973",
 "severity": "medium",
@@ -42,6 +42,6 @@
 ]
 }
 ],
- "type": "query",
+ "type": "eql",
 "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json
index ebe884debc9a0..505acd0982d87 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json
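Review bot: The "internal" range list in the network stage covers RFC1918 and `FE80::/10` only, so a telnet session to an IPv6 unique-local address (`fc00::/7`) does not match here and, given the exclusion list of the external-telnet rule in this same patch, is classified as external instead; adding `"fc00::/7"` to this `cidrmatch` (and to the sibling rule's exclusion list) keeps the two rules complementary. The second `cidrmatch` on `127.0.0.0/8` and `::1/128` can never subtract anything from the first, since neither loopback range overlaps the private ranges listed, so it is dead weight carried over from the KQL form and could be dropped. The sequence also has no `with maxspan=...`, leaving every telnet `start` pending indefinitely; `sequence by process.entity_id with maxspan=1m` would be the bound the sc.exe rule in this patch already uses.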
@@ -11,10 +11,10 @@
 "auditbeat-*",
 "logs-endpoint.events.*"
 ],
- "language": "kuery",
+ "language": "eql",
 "license": "Elastic License",
 "name": "Netcat Network Activity",
- "query": "event.category:network and event.type:(access or connection or start) and process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional)",
+ "query": "sequence by process.entity_id\n [process where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\") and\n event.type == \"start\"]\n [network where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n",
 "references": [
 "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf",
@@ -29,6 +29,6 @@
 "Linux",
 "Threat Detection"
 ],
- "type": "query",
+ "type": "eql",
 "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_network_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_network_activity.json
index 04df4adab8525..bc65058fbe6e9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_network_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_network_activity.json
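Review bot: The five `process.name ==` comparisons are spelled out twice in the new `"query"`, once per stage, and read better as `process.name in ("nc", "ncat", "netcat", "netcat.openbsd", "netcat.traditional")`, the list form the sc.exe rule in this patch already uses for `event.type`; assuming `in` keeps the exact-match semantics of `==` in this EQL version, behaviour is unchanged and the rule is far easier to extend. The old KQL also matched `event.type:(access or connection or start)` on any network event, so a listener (`nc -l`) that only ever produces a non-connection socket event may have alerted before and not after this change; that is worth confirming against the auditbeat and endpoint network datasets before shipping. Like the other sequence conversions here, this one has no `with maxspan=...`, so every netcat start stays pending until a network event arrives.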
@@ -9,7 +9,7 @@
 "license": "Elastic License",
 "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
 "name": "Unusual Linux Network Activity",
- "note": "### Investigating Unusual Network Activity ###\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+ "note": "### Investigating Unusual Network Activity ###\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
 "references": [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
 ],
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_windows.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_windows.json
index e86bc96fddae5..5c9aa5a2c45a7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_windows.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_windows.json
@@ -12,7 +12,7 @@
 "license": "Elastic License",
 "machine_learning_job_id": "rare_process_by_host_windows_ecs",
 "name": "Unusual Process For a Windows Host",
- "note": "### Investigating an Unusual Windows Process ###\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. \n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
+ "note": "### Investigating an Unusual Windows Process ###\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
 "references": [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
 ],
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_network_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_network_activity.json
index 937fcbc079eb8..cc880c104516f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_network_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_network_activity.json
@@ -12,7 +12,7 @@ "license": "Elastic License", "machine_learning_job_id": "windows_anomalous_network_activity_ecs", "name": "Unusual Windows Network Activity", - "note": "### Investigating Unusual Network Activity ###\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.", + "note": "### Investigating Unusual Network Activity ###\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_rare_user_type10_remote_login.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_rare_user_type10_remote_login.json index dda4e0bbad88d..eac4a4afb57fe 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_rare_user_type10_remote_login.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_rare_user_type10_remote_login.json 
@@ -12,7 +12,7 @@
 "license": "Elastic License",
 "machine_learning_job_id": "windows_rare_user_type10_remote_login",
 "name": "Unusual Windows Remote User",
- "note": "### Investigating an Unusual Windows User ###\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? \n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?",
+ "note": "### Investigating an Unusual Windows User ###\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?",
 "references": [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
 ],
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_sdclt.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_sdclt.json
deleted file mode 100644
index ce82db3a96e11..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_sdclt.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.",
- "from": "now-9m",
- "index": [
- "logs-endpoint.events.*",
- "winlogbeat-*"
- ],
- "language": "eql",
- "license": "Elastic License",
- "name": "Bypass UAC via Sdclt",
- "query": "/* add winlogbeat-* when process.code_signature.* fields are populated */\n\nsequence with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and process.name : \"sdclt.exe\" and\n /* uncomment once in winlogbeat */\n /* process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true and */\n process.args : \"/kickoffelev\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"sdclt.exe\" and\n not (process.executable : \"C:\\\\Windows\\\\System32\\\\sdclt.exe\" or\n process.executable : \"C:\\\\Windows\\\\System32\\\\control.exe\" or\n process.executable : \"C:\\\\Windows\\\\SysWOW64\\\\sdclt.exe\" or\n process.executable : \"C:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n ] by process.parent.entity_id\n",
- "risk_score": 21,
- "rule_id": "9b54e002-034a-47ac-9307-ad12c03fa900",
- "severity": "high",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Privilege Escalation"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0004",
- "name": "Privilege Escalation",
- "reference": "https://attack.mitre.org/tactics/TA0004/"
- },
- "technique": [
- {
- "id": "T1088",
- "name": "Bypass User Account Control",
- "reference": "https://attack.mitre.org/techniques/T1088/"
- }
- ]
- }
- ],
- "type": "eql",
- "version": 1
-}
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_exceptions.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_exceptions.ts
index ae4ff41c509ea..238768e1feb8f 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_exceptions.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_exceptions.ts
@@ -349,10 +349,10 @@ export default ({ getService }: FtrProviderContext) => {
 getCreateExceptionListMinimalSchemaMock()
 );
- // Rule id of "6d3456a5-4a42-49d1-aaf2-7b1fd475b2c6" is from the file:
- // x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/c2_reg_beacon.json
+ // Rule id of "eb079c62-4481-4d6e-9643-3ca499df7aaa" is from the file:
+ // x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/external_alerts.json
 // since this rule does not have existing exceptions_list that we are going to use for tests
- const immutableRule = await getRule(supertest, '6d3456a5-4a42-49d1-aaf2-7b1fd475b2c6');
+ const immutableRule = await getRule(supertest, 'eb079c62-4481-4d6e-9643-3ca499df7aaa');
 expect(immutableRule.exceptions_list.length).eql(0); // make sure we have no exceptions_list
 // add a second exceptions list as a user is allowed to add a second list to an immutable rule
@@ -360,7 +360,7 @@ export default ({ getService }: FtrProviderContext) => {
 .patch(DETECTION_ENGINE_RULES_URL)
 .set('kbn-xsrf', 'true')
 .send({
- rule_id: '6d3456a5-4a42-49d1-aaf2-7b1fd475b2c6',
+ rule_id: 'eb079c62-4481-4d6e-9643-3ca499df7aaa',
 exceptions_list: [
 {
 id,
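Review bot: The replacement rule id `eb079c62-4481-4d6e-9643-3ca499df7aaa` is pinned as a bare literal four times in this test (the `getRule` call and the `rule_id` patch here, plus `downgradeImmutableRule` and a second `getRule` in the `@@ -372` hunk), and this very change exists because the previously pinned id stopped resolving once the prepackaged rule it came from was removed, so the next rule deletion will break the test the same way. At minimum hoist it once, `const IMMUTABLE_RULE_ID_WITHOUT_EXCEPTIONS = 'eb079c62-4481-4d6e-9643-3ca499df7aaa'; // external_alerts.json: immutable, ships with no exceptions_list`, and reference that constant at all four call sites so a future swap is a one-line edit. Since the test's only real precondition is the one asserted on the next line, `expect(immutableRule.exceptions_list.length).eql(0)`, selecting any installed immutable rule whose `exceptions_list` is empty at runtime would remove the dependency on a specific prepackaged file altogether. The comment pointing at `external_alerts.json` is presumably accurate but that file is not part of this diff, so it is worth a quick check. The enclosing `it` callback and the exported test function both begin before this hunk.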
@@ -372,11 +372,11 @@ export default ({ getService }: FtrProviderContext) => {
 })
 .expect(200);
- await downgradeImmutableRule(es, '6d3456a5-4a42-49d1-aaf2-7b1fd475b2c6');
+ await downgradeImmutableRule(es, 'eb079c62-4481-4d6e-9643-3ca499df7aaa');
 await installPrePackagedRules(supertest);
 const immutableRuleSecondTime = await getRule(
 supertest,
- '6d3456a5-4a42-49d1-aaf2-7b1fd475b2c6'
+ 'eb079c62-4481-4d6e-9643-3ca499df7aaa'
 );
 expect(immutableRuleSecondTime.exceptions_list).to.eql([