

[Detection Rules] Add 7.12 rules (#91082) (#91891)
## Summary

Pull updates to detection rules from https://github.com/elastic/detection-rules/tree/7.12

This should not merge until after #91553 is merged and backported

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)

Co-authored-by: Justin Ibarra <[email protected]>
spong and brokensound77 authored Feb 18, 2021
1 parent fbe6778 commit 758bc96
Showing 301 changed files with 6,039 additions and 1,003 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,11 @@
"false_positives": [
"Legitimate exchange system administration activity."
],
"from": "now-9m",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
"winlogbeat-*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License",
Expand Down Expand Up @@ -47,5 +49,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
"version": 3
}
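Review bot: The `"logs-windows.*"` pattern added after `"winlogbeat-*",` matches every Windows-integration data stream, not only the one whose events carry the `process.*` fields an EQL process rule keys on (this rule's query sits outside the shown lines). If only Sysmon or Security-channel events are meant, a stream-specific pattern such as `"logs-windows.sysmon_operational-*"` keeps the scope and query cost explicit — confirm against the rule's actual field usage before narrowing. The added `"from": "now-9m"` pairs correctly with `"timestamp_override": "event.ingested"` only when the rule interval (not shown here) is shorter than nine minutes; otherwise late-ingested events can fall into a gap between runs.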
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,11 @@
"false_positives": [
"Legitimate exchange system administration activity."
],
"from": "now-9m",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
"winlogbeat-*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License",
Expand Down Expand Up @@ -47,5 +49,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,11 @@
"Elastic"
],
"description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.",
"from": "now-9m",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
"winlogbeat-*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License",
Expand Down Expand Up @@ -43,5 +45,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License",
Expand Down Expand Up @@ -40,5 +41,5 @@
}
],
"type": "eql",
"version": 4
"version": 5
}
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
"https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
"https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html"
],
"risk_score": 100,
"risk_score": 99,
"rule_id": "e7075e8d-a966-458e-a183-85cd331af255",
"severity": "critical",
"tags": [
Expand Down Expand Up @@ -55,5 +55,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,13 @@
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Connection to Commonly Abused Web Services",
"query": "network where network.protocol == \"dns\" and\n /* Add new WebSvc domains here */\n wildcard(dns.question.name, \"*.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\"\n ) and\n /* Insert noisy false positives here */\n not process.name in (\"MicrosoftEdgeCP.exe\",\n \"MicrosoftEdge.exe\",\n \"iexplore.exe\",\n \"chrome.exe\",\n \"msedge.exe\",\n \"opera.exe\",\n \"firefox.exe\",\n \"Dropbox.exe\",\n \"slack.exe\",\n \"svchost.exe\",\n \"thunderbird.exe\",\n \"outlook.exe\",\n \"OneDrive.exe\")\n",
"query": "network where network.protocol == \"dns\" and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"*.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\"\n ) and\n /* Insert noisy false positives here */\n not process.name :\n (\n \"MicrosoftEdgeCP.exe\",\n \"MicrosoftEdge.exe\",\n \"iexplore.exe\",\n \"chrome.exe\",\n \"msedge.exe\",\n \"opera.exe\",\n \"firefox.exe\",\n \"Dropbox.exe\",\n \"slack.exe\",\n \"svchost.exe\",\n \"thunderbird.exe\",\n \"outlook.exe\",\n \"OneDrive.exe\"\n )\n",
"risk_score": 21,
"rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32",
"severity": "low",
Expand Down Expand Up @@ -41,5 +42,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
"version": 3
}
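Review bot: The rewritten `not process.name : (...)` exemption at the end of the query still keys only on the process file name, so a payload renamed to `chrome.exe`, or code injected into `svchost.exe`, inherits the exclusion — `svchost.exe` is a frequent host for injected code and is the broadest entry in that list. Where the source populates it, tying each exemption to the binary's signature rather than its name, e.g. `not (process.name : "chrome.exe" and process.code_signature.trusted == true)`, makes the allowlist more than a rename away from bypass; whether `process.code_signature.*` is present for the `logs-windows.*` streams added above is something to confirm. The move from `wildcard()` to `:` also makes the domain and name matches case-insensitive under EQL's `:` operator, which is what Windows process names need but is worth a line in the rule note if the old helper was case-sensitive.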
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "kuery",
"license": "Elastic License",
Expand Down Expand Up @@ -47,5 +48,5 @@
"value": 15
},
"type": "threshold",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License",
Expand Down Expand Up @@ -41,5 +42,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious."
],
"from": "now-9m",
"index": [
"filebeat-*",
"packetbeat-*",
Expand Down Expand Up @@ -53,5 +54,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 7
"version": 8
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,14 @@
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Potential Command and Control via Internet Explorer",
"query": "sequence by host.id, process.entity_id with maxspan = 1s\n [process where event.type:\"start\" and process.parent.name:\"iexplore.exe\" and process.parent.args:\"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where network.protocol : \"dns\" and process.name:\"iexplore.exe\" and\n not wildcard(dns.question.name, \"*.microsoft.com\", \n \"*.digicert.com\", \n \"*.msocsp.com\", \n \"*.windowsupdate.com\", \n \"*.bing.com\",\n \"*.identrust.com\")\n ]\n",
"risk_score": 43,
"query": "sequence by host.id, process.entity_id with maxspan = 1s\n [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\"\n )\n ]\n",
"risk_score": 47,
"rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d",
"severity": "medium",
"tags": [
Expand Down Expand Up @@ -40,5 +41,5 @@
}
],
"type": "eql",
"version": 1
"version": 2
}
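Review bot: `maxspan = 1s` on the `sequence` line means the embedded `iexplore.exe` child must issue its first non-exempt DNS query within one second of starting; an implant that sleeps before its first resolve, or a host under load, falls outside the window, and the commit leaves this untouched while widening the index list. A longer span such as `with maxspan = 10s` keeps the join tight enough for the COM-launch pattern while tolerating start-up latency — verify against the volume of hits from the `not dns.question.name : (...)` exemption list before changing it. The switch to `==` for `event.type` and `network.protocol` while keeping `:` for process names is a sensible case-sensitivity split; a short comment in the query saying so would stop a later edit from "normalising" them back.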
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions."
],
"from": "now-9m",
"index": [
"filebeat-*",
"packetbeat-*",
Expand Down Expand Up @@ -53,5 +54,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 7
"version": 8
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."
],
"from": "now-9m",
"index": [
"filebeat-*",
"packetbeat-*",
Expand Down Expand Up @@ -38,5 +39,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 6
"version": 7
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."
],
"from": "now-9m",
"index": [
"filebeat-*",
"packetbeat-*",
Expand Down Expand Up @@ -57,5 +58,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 6
"version": 7
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet."
],
"from": "now-9m",
"index": [
"filebeat-*",
"packetbeat-*",
Expand Down Expand Up @@ -38,5 +39,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 7
"version": 8
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded."
],
"from": "now-9m",
"index": [
"filebeat-*",
"packetbeat-*",
Expand Down Expand Up @@ -38,5 +39,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 6
"version": 7
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired."
],
"from": "now-9m",
"index": [
"filebeat-*",
"packetbeat-*",
Expand Down Expand Up @@ -38,5 +39,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 7
"version": 8
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
],
"from": "now-9m",
"index": [
"filebeat-*",
"packetbeat-*",
Expand Down Expand Up @@ -68,5 +69,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 7
"version": 8
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "kuery",
"license": "Elastic License",
Expand Down Expand Up @@ -44,5 +45,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "kuery",
"license": "Elastic License",
Expand Down Expand Up @@ -46,5 +47,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License",
Expand Down Expand Up @@ -62,5 +63,5 @@
}
],
"type": "eql",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,14 @@
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
"logs-endpoint.events.*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Remote File Download via Script Interpreter",
"query": "sequence by host.id, process.entity_id\n [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction == \"outgoing\" and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n",
"risk_score": 43,
"risk_score": 47,
"rule_id": "1d276579-3380-4095-ad38-e596a01bc64f",
"severity": "medium",
"tags": [
Expand Down Expand Up @@ -40,5 +41,5 @@
}
],
"type": "eql",
"version": 1
"version": 2
}
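Review bot: The `sequence by host.id, process.entity_id` on the `query` line has no `maxspan`, so one outgoing IPv4 connection by `wscript.exe`/`cscript.exe` links to any later `.exe`/`.dll` creation by that process for its whole lifetime, and the only destination filter is `destination.ip != "127.0.0.1"`; the commit raises `risk_score` to 47 without tightening either. Adding `with maxspan = 5m` after the `sequence by` clause narrows the download-then-drop linkage, and if internal file servers are an expected source for scripts, `not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")` replaces the single-address exclusion — whether to exempt RFC 1918 space is an environment decision, not a defect.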
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior."
],
"from": "now-9m",
"index": [
"filebeat-*",
"packetbeat-*",
Expand Down Expand Up @@ -53,5 +54,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 7
"version": 8
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet."
],
"from": "now-9m",
"index": [
"filebeat-*",
"packetbeat-*",
Expand Down Expand Up @@ -38,5 +39,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 7
"version": 8
}
