forked from elastic/kibana
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Detection Engine] Adds 8.0 rules (elastic#123786)
* [Detection Rules] Add 8.0 rules * rollback changes for python tty rule elastic/detection-rules#1731 (cherry picked from commit 36722fa)
- Loading branch information
1 parent
1cbe4ff
commit f698ae5
Showing
58 changed files
with
878 additions
and
349 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
70 changes: 70 additions & 0 deletions
70
...n/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_screen_grabber.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
{ | ||
"author": [ | ||
"Elastic" | ||
], | ||
"description": "Detects PowerShell Scripts that can take screenshots, which is a common feature in post-exploitation kits and RATs (Remote Access Tools).", | ||
"from": "now-9m", | ||
"index": [ | ||
"winlogbeat-*", | ||
"logs-windows.*" | ||
], | ||
"language": "kuery", | ||
"license": "Elastic License v2", | ||
"name": "PowerShell Suspicious Script with Screenshot Capabilities", | ||
"query": "event.category:process and \n powershell.file.script_block_text : (\n CopyFromScreen and\n (System.Drawing.Bitmap or Drawing.Bitmap)\n )\n", | ||
"references": [ | ||
"https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen" | ||
], | ||
"risk_score": 47, | ||
"rule_id": "959a7353-1129-4aa7-9084-30746b256a70", | ||
"severity": "medium", | ||
"tags": [ | ||
"Elastic", | ||
"Host", | ||
"Windows", | ||
"Threat Detection", | ||
"Collection" | ||
], | ||
"threat": [ | ||
{ | ||
"framework": "MITRE ATT&CK", | ||
"tactic": { | ||
"id": "TA0009", | ||
"name": "Collection", | ||
"reference": "https://attack.mitre.org/tactics/TA0009/" | ||
}, | ||
"technique": [ | ||
{ | ||
"id": "T1113", | ||
"name": "Screen Capture", | ||
"reference": "https://attack.mitre.org/techniques/T1113/" | ||
} | ||
] | ||
}, | ||
{ | ||
"framework": "MITRE ATT&CK", | ||
"tactic": { | ||
"id": "TA0002", | ||
"name": "Execution", | ||
"reference": "https://attack.mitre.org/tactics/TA0002/" | ||
}, | ||
"technique": [ | ||
{ | ||
"id": "T1059", | ||
"name": "Command and Scripting Interpreter", | ||
"reference": "https://attack.mitre.org/techniques/T1059/", | ||
"subtechnique": [ | ||
{ | ||
"id": "T1059.001", | ||
"name": "PowerShell", | ||
"reference": "https://attack.mitre.org/techniques/T1059/001/" | ||
} | ||
] | ||
} | ||
] | ||
} | ||
], | ||
"timestamp_override": "event.ingested", | ||
"type": "query", | ||
"version": 1 | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
53 changes: 53 additions & 0 deletions
53
...ic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
{ | ||
"author": [ | ||
"Austin Songer" | ||
], | ||
"description": "Identifies the creation of symbolic links to a shadow copy. Symbolic Links can be used to access files in the shadow copy, including sensitive files that may contain credential information.", | ||
"false_positives": [ | ||
"Legitimate administrative activity related to shadow copies" | ||
], | ||
"from": "now-9m", | ||
"index": [ | ||
"winlogbeat-*", | ||
"logs-endpoint.events.*", | ||
"logs-windows.*" | ||
], | ||
"language": "eql", | ||
"license": "Elastic License v2", | ||
"name": "Symbolic Link to Shadow Copy Created", | ||
"query": "process where event.type in (\"start\", \"process_started\") and\nprocess.pe.original_file_name == \"Cmd.Exe\" and\nprocess.args : \"*mklink*\" and\nprocess.args : \"*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\"\n", | ||
"references": [ | ||
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", | ||
"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf" | ||
], | ||
"risk_score": 47, | ||
"rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", | ||
"severity": "medium", | ||
"tags": [ | ||
"Elastic", | ||
"Host", | ||
"Windows", | ||
"Threat Detection", | ||
"Credential Access" | ||
], | ||
"threat": [ | ||
{ | ||
"framework": "MITRE ATT&CK", | ||
"tactic": { | ||
"id": "TA0006", | ||
"name": "Credential Access", | ||
"reference": "https://attack.mitre.org/tactics/TA0006/" | ||
}, | ||
"technique": [ | ||
{ | ||
"id": "T1003", | ||
"name": "OS Credential Dumping", | ||
"reference": "https://attack.mitre.org/techniques/T1003/" | ||
} | ||
] | ||
} | ||
], | ||
"timestamp_override": "event.ingested", | ||
"type": "eql", | ||
"version": 1 | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.