[Detection Rules] Add 7.11 rules (#87422)
* [Detection Rules] Add 7.11 rules
* add empty array for missing technique
brokensound77 authored Jan 11, 2021
1 parent 03ef089 commit f12228e
Showing 226 changed files with 2,382 additions and 1,023 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -8,14 +8,15 @@
],
"from": "now-130m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-google_workspace*"
],
"interval": "10m",
"language": "kuery",
"license": "Elastic License",
"name": "Application Added to Google Workspace Domain",
"note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
"query": "event.dataset:gsuite.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION",
"query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION",
"references": [
"https://support.google.com/a/answer/6328701?hl=en#"
],
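Review bot: The `note` field is stale for the new data source: it still describes only the Filebeat module (`var.interval` and the filebeat-module-gsuite link), while this hunk adds `logs-google_workspace*` to `index` and `google_workspace.admin` to the query. Anyone ingesting through the new data stream gets no guidance on how its polling interval relates to the 130-minute lookback. Suggest extending the note to cover both sources, and confirming that `version` is bumped in the part of the file not shown in this hunk.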
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
{
"author": [
"Elastic"
],
"description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.",
"false_positives": [
"Legitimate exchange system administration activity."
],
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "Exporting Exchange Mailbox via PowerShell",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"New-MailboxExportRequest*\"\n",
"references": [
"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"
],
"risk_score": 47,
"rule_id": "6aace640-e631-4870-ba8e-5fdda09325db",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Collection"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0009",
"name": "Collection",
"reference": "https://attack.mitre.org/tactics/TA0009/"
},
"technique": [
{
"id": "T1114",
"name": "Email Collection",
"reference": "https://attack.mitre.org/techniques/T1114/"
}
]
}
],
"type": "eql",
"version": 1
}
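Review bot: In `query`, the pattern `"New-MailboxExportRequest*"` has only a trailing wildcard, so it matches a `process.args` element only when that element begins with the cmdlet name. When the cmdlet sits inside a longer argument (for example a `-Command` string that starts with other text), no element matches and the rule stays silent. Suggest `"*New-MailboxExportRequest*"`, or matching on the full command line as well. Minor: the description spells the cmdlet `New-MailBoxExportRequest` while the query and the Microsoft reference use `New-MailboxExportRequest`; worth making them consistent. The mapping also stops at T1114 with no `subtechnique`, although other rules in this commit move to sub-technique mappings.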
Original file line number Diff line number Diff line change
Expand Up @@ -7,13 +7,14 @@
"Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"index": [
"filebeat-*"
"filebeat-*",
"logs-gcp*"
],
"language": "kuery",
"license": "Elastic License",
"name": "GCP Pub/Sub Subscription Creation",
"note": "The GCP Filebeat module must be enabled to use this rule.",
"query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
"query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
"references": [
"https://cloud.google.com/pubsub/docs/overview"
],
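Review bot: The unchanged `note` line ("The GCP Filebeat module must be enabled to use this rule.") no longer matches what this hunk does: `logs-gcp*` and `gcp.audit` are added so the rule also runs on data that does not come from the Filebeat module. Suggest rewording the note to name both supported sources, otherwise users on the new data stream may assume the rule does not apply to them.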
Expand Down Expand Up @@ -46,5 +47,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,13 +7,14 @@
"Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"index": [
"filebeat-*"
"filebeat-*",
"logs-gcp*"
],
"language": "kuery",
"license": "Elastic License",
"name": "GCP Pub/Sub Topic Creation",
"note": "The GCP Filebeat module must be enabled to use this rule.",
"query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
"query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
"references": [
"https://cloud.google.com/pubsub/docs/admin"
],
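Review bot: Same documentation gap as the subscription rule: `note` still says the GCP Filebeat module must be enabled, while `index` and `query` now also accept `logs-gcp*` and `gcp.audit`. Update the note in the same change so the two Pub/Sub rules stay consistent.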
Expand Down Expand Up @@ -46,5 +47,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
{
"author": [
"Elastic"
],
"description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.",
"false_positives": [
"Legitimate exchange system administration activity."
],
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n",
"references": [
"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
"https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"
],
"risk_score": 47,
"rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Collection"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0009",
"name": "Collection",
"reference": "https://attack.mitre.org/tactics/TA0009/"
},
"technique": [
{
"id": "T1114",
"name": "Email Collection",
"reference": "https://attack.mitre.org/techniques/T1114/"
}
]
}
],
"type": "eql",
"version": 1
}
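Review bot: The `query` pattern `"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"` requires the cmdlet name and the parameter name to appear in the same `process.args` element, with the cmdlet at the start of it. If the command line is tokenized so that `Set-CASMailbox` and `-ActiveSyncAllowedDeviceIDs` land in separate elements, no single element matches and the rule does not fire. Suggest matching the same pattern with a leading wildcard against `process.command_line`, or testing the rule against both tokenizations before release. The `false_positives` entry could also say which admin workflows legitimately add allowed device IDs, since that is the triage question an analyst will have.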
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,14 @@
],
"from": "now-25m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-azure*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Azure Event Hub Authorization Rule Created or Updated",
"note": "The Azure Filebeat module must be enabled to use this rule.",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:Success",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:(Success or success)",
"references": [
"https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
],
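Review bot: In `query`, `event.outcome:(Success or success)` handles two casings of one value, but nothing in the rule says which source produces which. ECS defines `event.outcome` values in lowercase, so the capitalized form is a compatibility case that deserves a short mention in `note`, so it is not dropped later as redundant. The `note` itself still says the Azure Filebeat module must be enabled even though `logs-azure*` is added to `index` here; suggest updating it in the same change.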
Expand Down Expand Up @@ -62,5 +63,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -28,9 +28,9 @@
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0010",
"name": "Exfiltration",
"reference": "https://attack.mitre.org/tactics/TA0010/"
"id": "TA0009",
"name": "Collection",
"reference": "https://attack.mitre.org/tactics/TA0009/"
},
"technique": [
{
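Review bot: The tactic changes from TA0010 (Exfiltration) to TA0009 (Collection), but the hunk ends at the opening of `technique`, so it is not visible whether the technique listed under it belongs to Collection. Please confirm the technique entry is valid under the new tactic. Also, no `version` change appears in this file's diff, while other mapping changes in this commit do bump `version`; a bump here would let deployed copies of the rule pick up the corrected tactic.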
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,13 +42,20 @@
"reference": "https://attack.mitre.org/techniques/T1071/"
},
{
"id": "T1483",
"name": "Domain Generation Algorithms",
"reference": "https://attack.mitre.org/techniques/T1483/"
"id": "T1568",
"name": "Dynamic Resolution",
"reference": "https://attack.mitre.org/techniques/T1568/",
"subtechnique": [
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"reference": "https://attack.mitre.org/techniques/T1568/002/"
}
]
}
]
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -35,13 +35,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
}
],
"type": "query",
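Review bot: Replacing the T1043 entry with `"technique": []` leaves this rule mapped to the Command and Control tactic only, so it drops out of any technique-level coverage view. If a current technique fits the rule's logic, map it here rather than leaving the array empty; if none does, a line in the rule's note explaining the tactic-only mapping would help. The hunk also reaches `"type": "query",` without touching `version`, whereas the same T1043 removal in other rules in this commit bumps `version` from 4 to 5; suggest bumping it here too.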
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -35,19 +35,26 @@
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1483",
"name": "Domain Generation Algorithms",
"reference": "https://attack.mitre.org/techniques/T1483/"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"reference": "https://attack.mitre.org/techniques/T1071/"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"reference": "https://attack.mitre.org/techniques/T1568/",
"subtechnique": [
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"reference": "https://attack.mitre.org/techniques/T1568/002/"
}
]
}
]
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -33,13 +33,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
},
{
"framework": "MITRE ATT&CK",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,13 +42,20 @@
"reference": "https://attack.mitre.org/techniques/T1071/"
},
{
"id": "T1483",
"name": "Domain Generation Algorithms",
"reference": "https://attack.mitre.org/techniques/T1483/"
"id": "T1568",
"name": "Dynamic Resolution",
"reference": "https://attack.mitre.org/techniques/T1568/",
"subtechnique": [
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"reference": "https://attack.mitre.org/techniques/T1568/002/"
}
]
}
]
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -33,13 +33,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
},
{
"framework": "MITRE ATT&CK",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -33,15 +33,9 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
}
],
"type": "query",
"version": 4
"version": 5
}
Original file line number Diff line number Diff line change
Expand Up @@ -37,13 +37,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
},
{
"framework": "MITRE ATT&CK",
Expand All @@ -62,5 +56,5 @@
}
],
"type": "query",
"version": 4
"version": 5
}
Original file line number Diff line number Diff line change
Expand Up @@ -33,13 +33,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
}
],
"type": "query",
Expand Down

0 comments on commit f12228e
