-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Detection Rules] Add 7.11 rules (#87422)
* [Detection Rules] Add 7.11 rules * add empty array for missing technique
- Loading branch information
1 parent
03ef089
commit f12228e
Showing
226 changed files
with
2,382 additions
and
1,023 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
50 changes: 50 additions & 0 deletions
50
...etection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
{ | ||
"author": [ | ||
"Elastic" | ||
], | ||
"description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", | ||
"false_positives": [ | ||
"Legitimate exchange system administration activity." | ||
], | ||
"index": [ | ||
"logs-endpoint.events.*", | ||
"winlogbeat-*" | ||
], | ||
"language": "eql", | ||
"license": "Elastic License", | ||
"name": "Exporting Exchange Mailbox via PowerShell", | ||
"query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"New-MailboxExportRequest*\"\n", | ||
"references": [ | ||
"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", | ||
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps" | ||
], | ||
"risk_score": 47, | ||
"rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", | ||
"severity": "medium", | ||
"tags": [ | ||
"Elastic", | ||
"Host", | ||
"Windows", | ||
"Threat Detection", | ||
"Collection" | ||
], | ||
"threat": [ | ||
{ | ||
"framework": "MITRE ATT&CK", | ||
"tactic": { | ||
"id": "TA0009", | ||
"name": "Collection", | ||
"reference": "https://attack.mitre.org/tactics/TA0009/" | ||
}, | ||
"technique": [ | ||
{ | ||
"id": "T1114", | ||
"name": "Email Collection", | ||
"reference": "https://attack.mitre.org/techniques/T1114/" | ||
} | ||
] | ||
} | ||
], | ||
"type": "eql", | ||
"version": 1 | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
50 changes: 50 additions & 0 deletions
50
...epackaged_rules/collection_persistence_powershell_exch_mailbox_activesync_add_device.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
{ | ||
"author": [ | ||
"Elastic" | ||
], | ||
"description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", | ||
"false_positives": [ | ||
"Legitimate exchange system administration activity." | ||
], | ||
"index": [ | ||
"logs-endpoint.events.*", | ||
"winlogbeat-*" | ||
], | ||
"language": "eql", | ||
"license": "Elastic License", | ||
"name": "New ActiveSyncAllowedDeviceID Added via PowerShell", | ||
"query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", | ||
"references": [ | ||
"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", | ||
"https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps" | ||
], | ||
"risk_score": 47, | ||
"rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", | ||
"severity": "medium", | ||
"tags": [ | ||
"Elastic", | ||
"Host", | ||
"Windows", | ||
"Threat Detection", | ||
"Collection" | ||
], | ||
"threat": [ | ||
{ | ||
"framework": "MITRE ATT&CK", | ||
"tactic": { | ||
"id": "TA0009", | ||
"name": "Collection", | ||
"reference": "https://attack.mitre.org/tactics/TA0009/" | ||
}, | ||
"technique": [ | ||
{ | ||
"id": "T1114", | ||
"name": "Email Collection", | ||
"reference": "https://attack.mitre.org/techniques/T1114/" | ||
} | ||
] | ||
} | ||
], | ||
"type": "eql", | ||
"version": 1 | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.