[Detection Rules] Add 7.16 rules (elastic#114939)

kibanamachine · Oct 14, 2021 · 2de0e17 · 2de0e17
1 parent ec70ce6
commit 2de0e17
Show file tree

Hide file tree

Showing 117 changed files with 1,920 additions and 377 deletions.
diff --git a/...etection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json b/...etection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json
@@ -42,7 +42,14 @@
         {
           "id": "T1114",
           "name": "Email Collection",
-          "reference": "https://attack.mitre.org/techniques/T1114/"
+          "reference": "https://attack.mitre.org/techniques/T1114/",
+          "subtechnique": [
+            {
+              "id": "T1114.002",
+              "name": "Remote Email Collection",
+              "reference": "https://attack.mitre.org/techniques/T1114/002/"
+            }
+          ]
         },
         {
           "id": "T1005",
@@ -54,5 +61,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 4
+  "version": 5
 }
diff --git a/...ion/server/lib/detection_engine/rules/prepackaged_rules/collection_winrar_encryption.json b/...ion/server/lib/detection_engine/rules/prepackaged_rules/collection_winrar_encryption.json
@@ -38,12 +38,19 @@
         {
           "id": "T1560",
           "name": "Archive Collected Data",
-          "reference": "https://attack.mitre.org/techniques/T1560/"
+          "reference": "https://attack.mitre.org/techniques/T1560/",
+          "subtechnique": [
+            {
+              "id": "T1560.001",
+              "name": "Archive via Utility",
+              "reference": "https://attack.mitre.org/techniques/T1560/001/"
+            }
+          ]
         }
       ]
     }
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 3
+  "version": 4
 }
diff --git a/.../lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json b/.../lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json
@@ -38,9 +38,36 @@
           "reference": "https://attack.mitre.org/techniques/T1102/"
         }
       ]
+    },
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0010",
+        "name": "Exfiltration",
+        "reference": "https://attack.mitre.org/tactics/TA0010/"
+      },
+      "technique": [
+        {
+          "id": "T1567",
+          "name": "Exfiltration Over Web Service",
+          "reference": "https://attack.mitre.org/techniques/T1567/",
+          "subtechnique": [
+            {
+              "id": "T1567.001",
+              "name": "Exfiltration to Code Repository",
+              "reference": "https://attack.mitre.org/techniques/T1567/001/"
+            },
+            {
+              "id": "T1567.002",
+              "name": "Exfiltration to Cloud Storage",
+              "reference": "https://attack.mitre.org/techniques/T1567/002/"
+            }
+          ]
+        }
+      ]
     }
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 4
+  "version": 5
 }
diff --git a/...tion_engine/rules/prepackaged_rules/command_and_control_dns_directly_to_the_internet.json b/...tion_engine/rules/prepackaged_rules/command_and_control_dns_directly_to_the_internet.json
@@ -2,7 +2,7 @@
   "author": [
     "Elastic"
   ],
-  "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS and it opens your network to a variety of abuses and malicious communications.",
+  "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and it opens your network to a variety of abuses and malicious communications.",
   "false_positives": [
     "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
   ],
@@ -45,5 +45,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 11
+  "version": 12
 }
diff --git a/.../detection_engine/rules/prepackaged_rules/command_and_control_dns_tunneling_nslookup.json b/.../detection_engine/rules/prepackaged_rules/command_and_control_dns_tunneling_nslookup.json
@@ -38,7 +38,14 @@
         {
           "id": "T1071",
           "name": "Application Layer Protocol",
-          "reference": "https://attack.mitre.org/techniques/T1071/"
+          "reference": "https://attack.mitre.org/techniques/T1071/",
+          "subtechnique": [
+            {
+              "id": "T1071.004",
+              "name": "DNS",
+              "reference": "https://attack.mitre.org/techniques/T1071/004/"
+            }
+          ]
         }
       ]
     }
@@ -50,5 +57,5 @@
     "value": 15
   },
   "type": "threshold",
-  "version": 2
+  "version": 3
 }
diff --git a/...ne/rules/prepackaged_rules/command_and_control_download_rar_powershell_from_internet.json b/...ne/rules/prepackaged_rules/command_and_control_download_rar_powershell_from_internet.json
@@ -2,7 +2,7 @@
   "author": [
     "Elastic"
   ],
-  "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs (tactics, techniques, and procedures). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
+  "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
   "false_positives": [
     "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."
   ],
@@ -52,5 +52,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 7
+  "version": 8
 }
diff --git a/...er/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json b/...er/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json
@@ -41,8 +41,30 @@
           "reference": "https://attack.mitre.org/techniques/T1071/"
         }
       ]
+    },
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0002",
+        "name": "Execution",
+        "reference": "https://attack.mitre.org/tactics/TA0002/"
+      },
+      "technique": [
+        {
+          "id": "T1559",
+          "name": "Inter-Process Communication",
+          "reference": "https://attack.mitre.org/techniques/T1559/",
+          "subtechnique": [
+            {
+              "id": "T1559.001",
+              "name": "Component Object Model",
+              "reference": "https://attack.mitre.org/techniques/T1559/001/"
+            }
+          ]
+        }
+      ]
     }
   ],
   "type": "eql",
-  "version": 3
+  "version": 4
 }
diff --git a/...asion_port_forwarding_added_registry.json → ...ntrol_port_forwarding_added_registry.json b/...asion_port_forwarding_added_registry.json → ...ntrol_port_forwarding_added_registry.json
@@ -24,33 +24,26 @@
     "Host",
     "Windows",
     "Threat Detection",
-    "Defense Evasion"
+    "Command and Control"
   ],
   "threat": [
     {
       "framework": "MITRE ATT&CK",
       "tactic": {
-        "id": "TA0005",
-        "name": "Defense Evasion",
-        "reference": "https://attack.mitre.org/tactics/TA0005/"
+        "id": "TA0011",
+        "name": "Command and Control",
+        "reference": "https://attack.mitre.org/tactics/TA0011/"
       },
       "technique": [
         {
-          "id": "T1562",
-          "name": "Impair Defenses",
-          "reference": "https://attack.mitre.org/techniques/T1562/",
-          "subtechnique": [
-            {
-              "id": "T1562.001",
-              "name": "Disable or Modify Tools",
-              "reference": "https://attack.mitre.org/techniques/T1562/001/"
-            }
-          ]
+          "id": "T1572",
+          "name": "Protocol Tunneling",
+          "reference": "https://attack.mitre.org/techniques/T1572/"
         }
       ]
     }
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 3
+  "version": 4
 }
diff --git a/...es/lateral_movement_rdp_tunnel_plink.json → ...command_and_control_rdp_tunnel_plink.json b/...es/lateral_movement_rdp_tunnel_plink.json → ...command_and_control_rdp_tunnel_plink.json
@@ -2,7 +2,7 @@
   "author": [
     "Elastic"
   ],
-  "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This could be indicative of adversary lateral movement to interactively access restricted networks.",
+  "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.",
   "from": "now-9m",
   "index": [
     "logs-endpoint.events.*",
@@ -24,26 +24,26 @@
     "Host",
     "Windows",
     "Threat Detection",
-    "Lateral Movement"
+    "Command and Control"
   ],
   "threat": [
     {
       "framework": "MITRE ATT&CK",
       "tactic": {
-        "id": "TA0008",
-        "name": "Lateral Movement",
-        "reference": "https://attack.mitre.org/tactics/TA0008/"
+        "id": "TA0011",
+        "name": "Command and Control",
+        "reference": "https://attack.mitre.org/tactics/TA0011/"
       },
       "technique": [
         {
-          "id": "T1021",
-          "name": "Remote Services",
-          "reference": "https://attack.mitre.org/techniques/T1021/"
+          "id": "T1572",
+          "name": "Protocol Tunneling",
+          "reference": "https://attack.mitre.org/techniques/T1572/"
         }
       ]
     }
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 3
+  "version": 4
 }
diff --git a/...etection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_scripts.json b/...etection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_scripts.json
@@ -12,7 +12,7 @@
   "language": "eql",
   "license": "Elastic License v2",
   "name": "Remote File Download via Script Interpreter",
-  "query": "sequence by host.id, process.entity_id\n  [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n   network.direction == \"outgoing\" and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n  ]\n  [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n",
+  "query": "sequence by host.id, process.entity_id\n  [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n   network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n  ]\n  [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n",
   "risk_score": 47,
   "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f",
   "severity": "medium",
@@ -41,5 +41,5 @@
     }
   ],
   "type": "eql",
-  "version": 2
+  "version": 3
 }
diff --git a/...ction_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json b/...ction_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json
@@ -39,11 +39,16 @@
           "id": "T1105",
           "name": "Ingress Tool Transfer",
           "reference": "https://attack.mitre.org/techniques/T1105/"
+        },
+        {
+          "id": "T1219",
+          "name": "Remote Access Software",
+          "reference": "https://attack.mitre.org/techniques/T1219/"
         }
       ]
     }
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 4
+  "version": 5
 }
diff --git a/...ver/lib/detection_engine/rules/prepackaged_rules/credential_access_cmdline_dump_tool.json b/...ver/lib/detection_engine/rules/prepackaged_rules/credential_access_cmdline_dump_tool.json
@@ -38,12 +38,24 @@
         {
           "id": "T1003",
           "name": "OS Credential Dumping",
-          "reference": "https://attack.mitre.org/techniques/T1003/"
+          "reference": "https://attack.mitre.org/techniques/T1003/",
+          "subtechnique": [
+            {
+              "id": "T1003.001",
+              "name": "LSASS Memory",
+              "reference": "https://attack.mitre.org/techniques/T1003/001/"
+            },
+            {
+              "id": "T1003.003",
+              "name": "NTDS",
+              "reference": "https://attack.mitre.org/techniques/T1003/003/"
+            }
+          ]
         }
       ]
     }
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 4
+  "version": 5
 }
diff --git a/...n_engine/rules/prepackaged_rules/credential_access_copy_ntds_sam_volshadowcp_cmdline.json b/...n_engine/rules/prepackaged_rules/credential_access_copy_ntds_sam_volshadowcp_cmdline.json
@@ -41,12 +41,19 @@
         {
           "id": "T1003",
           "name": "OS Credential Dumping",
-          "reference": "https://attack.mitre.org/techniques/T1003/"
+          "reference": "https://attack.mitre.org/techniques/T1003/",
+          "subtechnique": [
+            {
+              "id": "T1003.002",
+              "name": "Security Account Manager",
+              "reference": "https://attack.mitre.org/techniques/T1003/002/"
+            }
+          ]
         }
       ]
     }
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 4
+  "version": 5
 }
diff --git a/...on_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json b/...on_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json
@@ -48,11 +48,16 @@
               "reference": "https://attack.mitre.org/techniques/T1552/004/"
             }
           ]
+        },
+        {
+          "id": "T1555",
+          "name": "Credentials from Password Stores",
+          "reference": "https://attack.mitre.org/techniques/T1555/"
         }
       ]
     }
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 5
+  "version": 6
 }
diff --git a/...r/lib/detection_engine/rules/prepackaged_rules/credential_access_dump_registry_hives.json b/...r/lib/detection_engine/rules/prepackaged_rules/credential_access_dump_registry_hives.json
@@ -38,12 +38,24 @@
         {
           "id": "T1003",
           "name": "OS Credential Dumping",
-          "reference": "https://attack.mitre.org/techniques/T1003/"
+          "reference": "https://attack.mitre.org/techniques/T1003/",
+          "subtechnique": [
+            {
+              "id": "T1003.002",
+              "name": "Security Account Manager",
+              "reference": "https://attack.mitre.org/techniques/T1003/002/"
+            },
+            {
+              "id": "T1003.004",
+              "name": "LSA Secrets",
+              "reference": "https://attack.mitre.org/techniques/T1003/004/"
+            }
+          ]
         }
       ]
     }
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 3
+  "version": 4
 }
diff --git a/...ction_engine/rules/prepackaged_rules/credential_access_kerberoasting_unusual_process.json b/...ction_engine/rules/prepackaged_rules/credential_access_kerberoasting_unusual_process.json
@@ -15,7 +15,7 @@
   "language": "eql",
   "license": "Elastic License v2",
   "name": "Kerberos Traffic from Unusual Process",
-  "query": "network where event.type == \"start\" and network.direction == \"outgoing\" and\n destination.port == 88 and source.port >= 49152 and\n process.executable != \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert False Positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n",
+  "query": "network where event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and\n process.executable != \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert False Positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n",
   "risk_score": 47,
   "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782",
   "severity": "medium",
@@ -45,5 +45,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 3
+  "version": 4
 }