[Detection Engine] Adds 8.2 rules

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/application_added_to_google_workspace_domain.json

@@ -33,5 +33,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 8
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json

@@ -15,6 +15,7 @@
   "language": "eql",
   "license": "Elastic License v2",
   "name": "Exporting Exchange Mailbox via PowerShell",
+  "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
   "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"New-MailboxExportRequest*\"\n",
   "references": [
     "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
@@ -39,6 +40,11 @@
         "reference": "https://attack.mitre.org/tactics/TA0009/"
       },
       "technique": [
+        {
+          "id": "T1005",
+          "name": "Data from Local System",
+          "reference": "https://attack.mitre.org/techniques/T1005/"
+        },
         {
           "id": "T1114",
           "name": "Email Collection",
@@ -50,16 +56,11 @@
               "reference": "https://attack.mitre.org/techniques/T1114/002/"
             }
           ]
-        },
-        {
-          "id": "T1005",
-          "name": "Data from Local System",
-          "reference": "https://attack.mitre.org/techniques/T1005/"
         }
       ]
     }
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 6
+  "version": 7
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json

@@ -4,7 +4,7 @@
     "Gary Blackwell",
     "Austin Songer"
   ],
-  "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data while not requiring organization-wide configuration changes nor privileges to set those.",
+  "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.",
   "false_positives": [
     "Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior."
   ],
@@ -61,5 +61,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_audio_capture.json

@@ -11,8 +11,8 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "PowerShell Suspicious Script with Audio Capture Capabilities",
-  "note": "## Triage and analysis.\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can use PowerShell to interact with the Windows API and capture audio from input devices connected to the\ncomputer.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree).\n- Inspect any file or network events from the suspicious PowerShell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
-  "query": "event.category:process and \n  powershell.file.script_block_text : (\n    Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA)\n  )\n",
+  "note": "## Triage and analysis.\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices\nconnected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine script content that triggered the detection. \n- Investigate the script execution chain (parent process tree).\n- Inspect any file or network events from the suspicious PowerShell host process instance.\n- Investigate other alerts related to the user/host in the last 48 hours.\n- Consider whether the user needs PowerShell to complete its tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n- Determine if the user credentials were compromised and if the attacker used them to perform unauthorized access to the\nlinked email account.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of\nauthorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage.\n- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.\n- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users.\n- Review GPOs to add additional restrictions for PowerShell usage by users.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+  "query": "event.category:process and \n  powershell.file.script_block_text : (\n    \"Get-MicrophoneAudio\" or (waveInGetNumDevs and mciSendStringA)\n  )\n",
   "references": [
     "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"
   ],
@@ -67,5 +67,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 5
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_keylogger.json

@@ -11,8 +11,8 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "PowerShell Keylogging Script",
-  "note": "## Triage and analysis.\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other\nvaluable information as credit card data and confidential conversations.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree).\n- Inspect any file or network events from the suspicious PowerShell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
-  "query": "event.category:process and \n  ( \n   powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or Get-Keystrokes) or \n   powershell.file.script_block_text : ((SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and (GetForegroundWindow or GetWindowTextA or GetWindowTextW or WM_KEYBOARD_LL))\n   )\n",
+  "note": "## Triage and analysis.\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other\nvaluable information as credit card data and confidential conversations.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate the script execution chain (parent process tree).\n- Inspect any file or network events from the suspicious PowerShell host process instance.\n- Investigate other alerts related to the user/host in the last 48 hours.\n- Consider whether the user needs PowerShell to complete its tasks.\n- Investigate if the script stores the captured data locally.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making\nfalse positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage.\n- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.\n- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users.\n- Reset the password for the user account and other potentially compromised accounts (email, services, CRMs, etc.).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+  "query": "event.category:process and \n  ( \n   powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or \n   powershell.file.script_block_text : (\n        (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n        (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\")\n   )\n   )\n",
   "references": [
     "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1",
     "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"
@@ -75,5 +75,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 3
+  "version": 4
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_screen_grabber.json

@@ -11,7 +11,8 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "PowerShell Suspicious Script with Screenshot Capabilities",
-  "query": "event.category:process and \n  powershell.file.script_block_text : (\n    CopyFromScreen and\n    (System.Drawing.Bitmap or Drawing.Bitmap)\n  )\n",
+  "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes\nit available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course\nof an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection. \n- Investigate the script execution chain (parent process tree).\n- Inspect file or network events from the suspicious PowerShell host process instance.\n- Investigate other alerts associated with the user or host in the past 48 hours.\n- Consider whether the user needs PowerShell to complete its tasks.\n- Investigate if the script stores the captured data locally.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Examine network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false\npositives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.\n- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users.\n- Reset the password for the user account.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+  "query": "event.category:process and \n  powershell.file.script_block_text : (\n    CopyFromScreen and\n    (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n  )\n",
   "references": [
     "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"
   ],
@@ -66,5 +67,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_winrar_encryption.json

@@ -12,6 +12,7 @@
   "language": "eql",
   "license": "Elastic License v2",
   "name": "Encrypting Files with WinRar or 7z",
+  "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the\ncollected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is\nbeing exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree).\n- Retrieve the encrypted file.\n- Investigate other alerts related to the user/host in the last 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the\nfile names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. Check the `process.parent.executable` and\n`process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If personally identifiable information (PII) or other classified data is involved, investigations into this should be prioritized.\n- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.\n- Reset the passwords of the involved accounts.\n- Safeguard critical assets to prevent further harm or theft of data.\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
   "query": "process where event.type in (\"start\", \"process_started\") and\n  ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n      process.pe.original_file_name == \"Command line RAR\") and\n    process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n  or\n  (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n     process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n  /* uncomment if noisy for backup software related FPs */\n  /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n",
   "references": [
     "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"
@@ -52,5 +53,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 4
+  "version": 5
 }