From b127b42e0d74f977cec29f1073a1c9e4500c42df Mon Sep 17 00:00:00 2001 From: Aegrah Date: Thu, 14 Sep 2023 10:33:26 +0200 Subject: [PATCH 01/44] [Tuning] Win DR Tuning for UEBA --- .../discovery_generic_account_groups.toml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml index 640a15c10e8..c52ca3ed688 100644 --- a/rules_building_block/discovery_generic_account_groups.toml +++ b/rules_building_block/discovery_generic_account_groups.toml @@ -4,7 +4,8 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/29" +updated_date = "2023/09/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -12,8 +13,7 @@ description = """ This rule identifies the execution of commands that enumerates account or group information. Adversaries may use built-in applications to get a listing of local system or domain accounts and groups. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" @@ -21,7 +21,14 @@ name = "Windows Account or Group Discovery" risk_score = 21 rule_id = "089db1af-740d-4d84-9a5b-babd6de143b0" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "UEBA: Discovery" + ] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" 
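Review bot: Nothing in the file records why this building block leaves the hourly BBR cadence: the second hunk drops `interval = "60m"` and moves `from` to `now-9m`, which puts the rule on Kibana's default schedule, and the `bypass_bbr_timing = true` added in the first hunk presumably exists only so the repo's BBR timing check accepts that. A one-line comment above the flag, e.g. `# UEBA tuning: runs on the default schedule instead of the hourly BBR cadence`, would preserve the rationale for the next editor, since the flag name says what is bypassed but not why. The same applies to the process-discovery, registry-query, internet-capabilities, network-connections and system-information hunks later in this series, which make the identical change.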
@@ -52,7 +59,8 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "set" ) ) -) and not user.id : "S-1-5-18" +) and not process.parent.args: "C:\Program Files (x86)\Microsoft Intune Management Extension\Content\DetectionScripts\*.ps1" +and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18" ''' From 92ebe05c4fcbb597fe55073825933664f815d2a7 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Thu, 14 Sep 2023 10:45:05 +0200 Subject: [PATCH 02/44] Need to get used to Windows formatting --- rules_building_block/discovery_generic_account_groups.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml index c52ca3ed688..e66489742e4 100644 --- a/rules_building_block/discovery_generic_account_groups.toml +++ b/rules_building_block/discovery_generic_account_groups.toml @@ -59,7 +59,7 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "set" ) ) -) and not process.parent.args: "C:\Program Files (x86)\Microsoft Intune Management Extension\Content\DetectionScripts\*.ps1" +) and not process.parent.args: "C:\\Program Files (x86)\\Microsoft Intune Management Extension\\Content\\DetectionScripts\\*.ps1" and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18" ''' From 5df753feb1efd1c22753e9fd3e0eed2471b95ed7 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Thu, 14 Sep 2023 11:03:25 +0200 Subject: [PATCH 03/44] Added additional content --- .../discovery_generic_account_groups.toml | 10 ++-- .../discovery_generic_process_discovery.toml | 17 ++++--- .../discovery_generic_registry_query.toml | 47 ++++++++++++------- 3 files changed, 46 insertions(+), 28 deletions(-) diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml index e66489742e4..c6fbeb318c7 100644 
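Review bot: The new exclusion `and not process.parent.name : "LTSVC.exe"` suppresses the rule on the parent image name alone, which is the one attribute the launching side fully controls, so any parent that happens to carry that name inherits the exemption; the Intune exclusion next to it is at least pinned to an argument path. Prefer anchoring on `process.parent.executable` with the agent's installed location (`"?:\\<INSTALL_DIR>\\LTSVC.exe"`, path to be confirmed) and, where Elastic Defend populates it, `process.parent.code_signature.trusted == true` together with the vendor's `process.parent.code_signature.subject_name`. The `not process.parent.name : "PDQInventoryScanner.exe"` exclusion added to the nltest rule in PATCH 11 has the same shape. The `query = '''` block these lines close begins outside the hunk.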
--- a/rules_building_block/discovery_generic_account_groups.toml +++ b/rules_building_block/discovery_generic_account_groups.toml @@ -26,8 +26,7 @@ tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", - "Data Source: Elastic Defend", - "UEBA: Discovery" + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" building_block_type = "default" @@ -63,17 +62,19 @@ process where host.os.type == "windows" and event.type == "start" and and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" + [[rule.threat.technique.subtechnique]] id = "T1069.002" name = "Domain Groups" @@ -88,16 +89,17 @@ reference = "https://attack.mitre.org/techniques/T1201/" id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" + [[rule.threat.technique.subtechnique]] id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules_building_block/discovery_generic_process_discovery.toml b/rules_building_block/discovery_generic_process_discovery.toml index fc1b1cb2819..79021f38ebe 100644 --- a/rules_building_block/discovery_generic_process_discovery.toml +++ b/rules_building_block/discovery_generic_process_discovery.toml 
@@ -4,7 +4,8 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/16" +updated_date = "2023/09/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -12,8 +13,7 @@ description = """ This rule identifies the execution of commands that can be used to enumerate running processes. Adversaries may enumerate processes to identify installed applications and security solutions. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" @@ -21,7 +21,13 @@ name = "Process Discovery Using Built-in Tools" risk_score = 21 rule_id = "4982ac3e-d0ee-4818-b95d-d9522d689259" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" @@ -37,15 +43,14 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml index 8eb94c19d9d..8d9bb62daaf 100644 --- a/rules_building_block/discovery_generic_registry_query.toml +++ b/rules_building_block/discovery_generic_registry_query.toml 
@@ -4,7 +4,8 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/13" +updated_date = "2023/09/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] 
@@ -12,45 +13,55 @@ description = """ This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Query Registry using Built-in Tools" risk_score = 21 rule_id = "ded09d02-0137-4ccc-8005-c45e617e8d4c" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" building_block_type = "default" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and -( +host.os.type:windows and event.type:start and ( + (process.name:reg.exe and process.args:query) or ( - process.name == "reg.exe" and process.args : "query" and - not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") - ) or - ( - process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and - (process.args: ("*Get-ChildItem*", "*Get-Item*", "*Get-ItemProperty*") and - process.args : ("*HKLM*", "*HKCU*", "*HKEY_LOCAL_MACHINE*", "*HKEY_CURRENT_USER*", "*Registry::*")) + process.name:(powershell.exe or pwsh.exe or powershell_ise.exe) and + ( + process.args: (*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and + process.args: (*HKLM* or *HKCU* or *HKEY_LOCAL_MACHINE* or *HKEY_CURRENT_USER* or *Registry\:\:*) + ) ) -) and not user.id : "S-1-5-18" +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1012" name = "Query Registry" reference = 
"https://attack.mitre.org/techniques/T1012/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["user.name", "process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" From 1cb38b2e3b24901406dd614808ade8e2ab676c84 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Thu, 14 Sep 2023 11:05:04 +0200 Subject: [PATCH 04/44] Updated min stack --- rules_building_block/discovery_generic_registry_query.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml index 8d9bb62daaf..063e45783b7 100644 --- a/rules_building_block/discovery_generic_registry_query.toml +++ b/rules_building_block/discovery_generic_registry_query.toml @@ -2,8 +2,8 @@ creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" updated_date = "2023/09/14" bypass_bbr_timing = true From 7750c9fe77f80e19e5c199aab2c8a64973d8bba6 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Thu, 14 Sep 2023 11:15:54 +0200 Subject: [PATCH 05/44] Added additional tuning --- .../discovery_generic_registry_query.toml | 2 +- .../discovery_internet_capabilities.toml | 39 +++++++++++++------ 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml index 063e45783b7..48e55385deb 100644 --- a/rules_building_block/discovery_generic_registry_query.toml +++ b/rules_building_block/discovery_generic_registry_query.toml 
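Review bot: The rewritten query in the `@@ -12,45 +13,55 @@` hunk drops both `not user.id : "S-1-5-18"` and the `not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")` guard without a replacement, so SYSTEM-context `reg.exe query` runs from installers and management agents now feed the new-terms baseline. Because `process.command_line` is one of the term fields, any argument variation makes an already-seen tool "new" again, so the 14-day `history_window_start` will not absorb that noise on its own; if the intent is to rely on the new-terms logic alone, that deserves a sentence in the description, otherwise `and not user.id:"S-1-5-18"` can be carried into the KQL. The internet-capabilities, network-connections and system-information conversions below drop the same exclusions and share the same term fields, so both points apply there too.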
@@ -39,7 +39,7 @@ host.os.type:windows and event.type:start and ( process.name:(powershell.exe or pwsh.exe or powershell_ise.exe) and ( process.args: (*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and - process.args: (*HKLM* or *HKCU* or *HKEY_LOCAL_MACHINE* or *HKEY_CURRENT_USER* or *Registry\:\:*) + process.args: (*HKLM* or *HKCU* or *HKEY_LOCAL_MACHINE* or *HKEY_CURRENT_USER* or *Registry*) ) ) ) diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml index 9bc90cdf6b5..29fcbbb99e3 100644 --- a/rules_building_block/discovery_internet_capabilities.toml +++ b/rules_building_block/discovery_internet_capabilities.toml @@ -2,9 +2,10 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/12" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] 
@@ -13,39 +14,53 @@ Identifies the use of built-in tools attackers can use to check for Internet con results may be used to determine communication capabilities with C2 servers, or to identify routes, redirectors, and proxy servers. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Discovery of Internet Capabilities via Built-in Tools" risk_score = 21 rule_id = "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" building_block_type = "default" query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.name : ("ping.exe", "tracert.exe", "pathping.exe") and - not process.args : ("127.0.0.1", "::1", "0.0.0.0", "192.168.*") +host.os.type:windows and event.type:start and process.name:(ping.exe or tracert.exe or pathping.exe) and +not process.args:(127.0.0.1 or 0.0.0.0 or localhost or 1.1.1.1 or 1.2.3.4) ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["user.name", "process.command_line"] + 
+[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" From 7cd575026f4d8581c48d0c9825cced60368127a0 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Thu, 14 Sep 2023 11:26:38 +0200 Subject: [PATCH 06/44] Fixed unit testing for KQL optimization --- .../discovery_generic_registry_query.toml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml index 48e55385deb..d3a6f65a9f6 100644 --- a/rules_building_block/discovery_generic_registry_query.toml +++ b/rules_building_block/discovery_generic_registry_query.toml @@ -34,13 +34,10 @@ type = "new_terms" query = ''' host.os.type:windows and event.type:start and ( - (process.name:reg.exe and process.args:query) or - ( - process.name:(powershell.exe or pwsh.exe or powershell_ise.exe) and - ( - process.args: (*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and - process.args: (*HKLM* or *HKCU* or *HKEY_LOCAL_MACHINE* or *HKEY_CURRENT_USER* or *Registry*) - ) + process.name:reg.exe and process.args:query or + process.name:(powershell.exe or powershell_ise.exe or pwsh.exe) and process.args:( + (*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and (*HKCU* or *HKEY_CURRENT_USER* or *HKEY_LOCAL_MACHINE* or + *HKLM* or *Registry*) ) ) ''' From 4778cb7d79f3eec4e9ed859e92a4351898939243 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Thu, 14 Sep 2023 11:33:31 +0200 Subject: [PATCH 07/44] Update rules_building_block/discovery_internet_capabilities.toml --- rules_building_block/discovery_internet_capabilities.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml index 29fcbbb99e3..b642272bbaa 100644 --- a/rules_building_block/discovery_internet_capabilities.toml 
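Review bot: The replacement exclusion `not process.args:(127.0.0.1 or 0.0.0.0 or localhost or 1.1.1.1 or 1.2.3.4)` removes `192.168.*` and adds `1.1.1.1`, a public resolver that is the textbook target of the connectivity probe this rule is named for, so a `ping 1.1.1.1` reachability check no longer produces a term at all. If the two public addresses are being excluded as known health-check noise, that trade-off should be stated in the rule description or in a TOML comment above `query = '''` (KQL itself has no comment syntax), and it is worth confirming that letting RFC1918 pings into the baseline is intended rather than a side effect of the rewrite. `::1` is restored in PATCH 07, so only the `192.168.*` removal remains unexplained.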
+++ b/rules_building_block/discovery_internet_capabilities.toml @@ -36,7 +36,7 @@ building_block_type = "default" query = ''' host.os.type:windows and event.type:start and process.name:(ping.exe or tracert.exe or pathping.exe) and -not process.args:(127.0.0.1 or 0.0.0.0 or localhost or 1.1.1.1 or 1.2.3.4) +not process.args:(127.0.0.1 or 0.0.0.0 or localhost or 1.1.1.1 or 1.2.3.4 or "::1") ''' [[rule.threat]] From 802a06b63c1edae63d77fe161c032a458e78514a Mon Sep 17 00:00:00 2001 From: Aegrah Date: Thu, 14 Sep 2023 11:59:43 +0200 Subject: [PATCH 08/44] Additional tuning --- .../discovery_generic_registry_query.toml | 2 +- .../discovery_win_network_connections.toml | 49 ++++++++++------- ..._windows_system_information_discovery.toml | 53 ++++++++++--------- 3 files changed, 60 insertions(+), 44 deletions(-) diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml index d3a6f65a9f6..56f8682e892 100644 --- a/rules_building_block/discovery_generic_registry_query.toml +++ b/rules_building_block/discovery_generic_registry_query.toml @@ -37,7 +37,7 @@ host.os.type:windows and event.type:start and ( process.name:reg.exe and process.args:query or process.name:(powershell.exe or powershell_ise.exe or pwsh.exe) and process.args:( (*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and (*HKCU* or *HKEY_CURRENT_USER* or *HKEY_LOCAL_MACHINE* or - *HKLM* or *Registry*) + *HKLM* or "*Registry::*") ) ) ''' diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml index 071b80bc83e..ca9ffeb14b9 100644 --- a/rules_building_block/discovery_win_network_connections.toml +++ b/rules_building_block/discovery_win_network_connections.toml 
@@ -2,9 +2,10 @@ creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/14" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] 
@@ -12,51 +13,63 @@ description = """ This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may attempt to get a listing of network connections to or from a compromised system to identify targets within an environment. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Windows System Network Connections Discovery" risk_score = 21 rule_id = "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" building_block_type = "default" -type = "eql" +type = "new_terms" query = ''' -process where event.type == "start" and +host.os.type:windows and event.type:start and ( - process.name : "netstat.exe" or + process.name:netstat.exe or ( ( - (process.name : "net.exe" or process.pe.original_file_name == "net.exe") or + (process.name:net.exe or process.pe.original_file_name:net.exe) or ( - (process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and - not process.parent.name : "net.exe" + (process.name:net1.exe or process.pe.original_file_name:net1.exe) and not process.parent.name:net.exe ) - ) and process.args : ("use", "user", "session", "config") and not process.args: ("/persistent:*", "/delete", "\\\\*") + ) and process.args:(use or session or config) ) or - (process.name : "nbtstat.exe" and process.args : "-s*") -) and not user.id : "S-1-5-18" + (process.name:nbtstat.exe and process.args:-s*) +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" reference = 
"https://attack.mitre.org/techniques/T1049/" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["user.name", "process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index d5c4eb011e3..4fb8c1baa22 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -2,9 +2,10 @@ creation_date = "2023/07/06" integration = ["windows", "endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/26" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] 
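Review bot: The KQL rewrite keeps `use` in `process.args:(use or session or config)` but drops the `not process.args: ("/persistent:*", "/delete", "\\\\*")` guard, so ordinary drive mapping (`net use` with a UNC path or `/persistent`) now matches a rule described as connection enumeration, and with `process.command_line` as a term field every newly mapped share becomes an alert. Either restore those three argument exclusions in KQL form or, if the intent is to capture `net use` broadly, widen the description to say so. `user` was also removed from the args list; if that is a deliberate hand-off to the account/group rule, a sentence in the commit message would make it reviewable rather than look like an accidental drop.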
@@ -12,42 +13,36 @@ description = """ Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness. """ -from = "now-119m" -interval = "60m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] -language = "eql" +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +language = "kuery" license = "Elastic License v2" name = "Windows System Information Discovery" risk_score = 21 rule_id = "51176ed2-2d90-49f2-9f3d-17196428b169" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend"] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" building_block_type = "default" query = ''' -process where host.os.type == "windows" and event.type == "start" and +host.os.type:windows and event.type:start and ( - ( - process.name : "cmd.exe" and process.args : "ver*" and not - process.parent.executable : ( - "?:\\Users\\*\\AppData\\Local\\Keybase\\upd.exe", - "?:\\Users\\*\\python*.exe" - ) - ) or - process.name : ("systeminfo.exe", "hostname.exe") or - (process.name : "wmic.exe" and process.args : "os" and process.args : "get") -) and not -process.parent.executable : ( - "?:\\Program Files\\*", - "?:\\Program Files (x86)\\*", - "?:\\ProgramData\\*" -) and not user.id : "S-1-5-18" + (process.name:cmd.exe and process.args:ver*) or + process.name:(systeminfo.exe or hostname.exe) or + (process.name:wmic.exe and process.args:os and process.args:get) +) ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" 
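Review bot: The rewritten `tags` array closes on the last element's line (`"Data Source: Elastic Defend"]`) whereas every other rule converted in this series puts the closing bracket on its own line; one form should be used throughout, and the repo's TOML style elsewhere on this page favours the separate `]` line. Removing `endgame-*` from `index` together with the `Data Source: Elastic Endgame` tag is consistent and needs no change.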
@@ -57,3 +52,11 @@ reference = "https://attack.mitre.org/techniques/T1082/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["user.name", "process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" From 2c18c5d4a9ccbc7aac037f822ac76b5c4f8afcdf Mon Sep 17 00:00:00 2001 From: Aegrah Date: Thu, 14 Sep 2023 12:55:05 +0200 Subject: [PATCH 09/44] Kuery optimization --- .../discovery_win_network_connections.toml | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml index ca9ffeb14b9..c6b5f68d94c 100644 --- a/rules_building_block/discovery_win_network_connections.toml +++ b/rules_building_block/discovery_win_network_connections.toml @@ -33,18 +33,11 @@ building_block_type = "default" type = "new_terms" query = ''' -host.os.type:windows and event.type:start and -( - process.name:netstat.exe or - ( - ( - (process.name:net.exe or process.pe.original_file_name:net.exe) or - ( - (process.name:net1.exe or process.pe.original_file_name:net1.exe) and not process.parent.name:net.exe - ) - ) and process.args:(use or session or config) - ) or - (process.name:nbtstat.exe and process.args:-s*) +host.os.type:windows and event.type:start and ( + process.name:netstat.exe or ( + process.name:net.exe or process.pe.original_file_name:net.exe or + (process.name:net1.exe or process.pe.original_file_name:net1.exe) and not process.parent.name:net.exe + ) and process.args:(config or session or use) or process.name:nbtstat.exe and process.args:-s* ) ''' From 8e682a3737e65ee0fef1ab30ccd359ac43bc4aca Mon Sep 17 00:00:00 2001 
From: Aegrah Date: Thu, 14 Sep 2023 13:08:25 +0200 Subject: [PATCH 10/44] Additional tuning --- rules/windows/discovery_admin_recon.toml | 22 +++++++++++++------ ..._windows_system_information_discovery.toml | 9 ++++---- 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml index 309acb7d0c6..6a9ef6d4aa4 100644 --- a/rules/windows/discovery_admin_recon.toml +++ b/rules/windows/discovery_admin_recon.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/14" [rule] author = ["Elastic"] @@ -56,7 +56,14 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "871ea072-1b71-4def-b016-6278b505138d" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -74,42 +81,43 @@ process where host.os.type == "windows" and event.type == "start" and ((process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and process.args : ("group", "useraccount")) -) +) and not process.parent.name : ("gc_worker.exe", "wazuh-agent.exe", "evolve-xdr-agent.exe") and not user.id:S-1-5-18 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" + [[rule.threat.technique.subtechnique]] id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" - [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" + [[rule.threat.technique.subtechnique]] id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index 4fb8c1baa22..de863b3bef1 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml 
@@ -32,11 +32,10 @@ type = "new_terms" building_block_type = "default" query = ''' -host.os.type:windows and event.type:start and -( - (process.name:cmd.exe and process.args:ver*) or - process.name:(systeminfo.exe or hostname.exe) or - (process.name:wmic.exe and process.args:os and process.args:get) +host.os.type:windows and event.type:start and ( + process.name:cmd.exe and process.args:ver* or + process.name:(hostname.exe or systeminfo.exe) or + process.name:wmic.exe and process.args:(get and os) ) ''' From f6e93152e8a23c8f187bf7658f91ff1158393e62 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Thu, 14 Sep 2023 13:18:26 +0200 Subject: [PATCH 11/44] Additional tuning --- rules/windows/discovery_admin_recon.toml | 2 +- ..._enumerating_domain_trusts_via_nltest.toml | 19 ++++++++++++++----- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml index 6a9ef6d4aa4..807d28de5f1 100644 --- a/rules/windows/discovery_admin_recon.toml +++ b/rules/windows/discovery_admin_recon.toml @@ -81,7 +81,7 @@ process where host.os.type == "windows" and event.type == "start" and ((process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and process.args : ("group", "useraccount")) -) and not process.parent.name : ("gc_worker.exe", "wazuh-agent.exe", "evolve-xdr-agent.exe") and not user.id:S-1-5-18 +) and not user.id : "S-1-5-18" ''' [[rule.threat]] diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml index 7b337ff6535..f1010716457 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/27" +updated_date = "2023/09/14" [rule] author = ["Elastic"] @@ -62,7 +62,14 @@ references = [ risk_score = 21 rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -71,16 +78,19 @@ process where host.os.type == "windows" and event.type == "start" and process.name : "nltest.exe" and process.args : ( "/DCLIST:*", "/DCNAME:*", "/DSGET*", "/LSAQUERYFTI:*", "/PARENTDOMAIN", - "/DOMAIN_TRUSTS", "/BDC_QUERY:*") + "/DOMAIN_TRUSTS", "/BDC_QUERY:*" + ) and +not process.parent.name : "PDQInventoryScanner.exe" and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1482" name = "Domain Trust Discovery" reference = "https://attack.mitre.org/techniques/T1482/" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" @@ -90,4 +100,3 @@ reference = "https://attack.mitre.org/techniques/T1018/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - From ef1779a3d70220a75ab30fb06de42dbd80839633 Mon Sep 17 00:00:00 2001 
From: Aegrah Date: Thu, 14 Sep 2023 13:59:36 +0200 Subject: [PATCH 12/44] Additional tuning --- ...iscovery_files_dir_systeminfo_via_cmd.toml | 42 ++++++---- rules/windows/discovery_net_view.toml | 47 +++++------ ..._post_exploitation_external_ip_lookup.toml | 77 +++++++------------ .../discovery_generic_registry_query.toml | 2 +- .../discovery_internet_capabilities.toml | 3 +- .../discovery_win_network_connections.toml | 2 +- ..._windows_system_information_discovery.toml | 2 +- 7 files changed, 86 insertions(+), 89 deletions(-) diff --git a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml index 680fcfcf0b2..c3cc87ea5f8 100644 --- a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml +++ b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml @@ -2,18 +2,19 @@ creation_date = "2022/11/01" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/14" [rule] author = ["Elastic"] description = """ -Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell. +Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows +Command Shell. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "System Information Discovery via Windows Command Shell" note = """## Triage and analysis 
@@ -50,19 +51,25 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "d68e95ad-1c82-4074-a12a-125fe10ac8ba" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.name : "cmd.exe" and process.args : "/c" and process.args : ("set", "dir") and - not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\PROGRA~1\\*") +host.os.type:windows and event.category:process and event.type:start and +process.name:cmd.exe and process.args:/c and process.args:(set or dir) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" 
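Review bot: `+type = "new_terms"` changes the rule type, but the `note` section still opens its setup text with `If enabling an EQL rule on a non-elastic-agent index (such as beats) for version...` (the hunk-header context above `risk_score`), which now describes a rule type this file no longer uses; the net_view, privileged local groups and remote system discovery rules converted later on this page keep the same stale paragraph. Drop it, or reword it to the New Terms requirement the new `min_stack_comments` line already states (8.6 minimum for multiple fields). The rewrite also removes the `process.parent.executable` Program Files exclusion without saying why; a line such as `# parent-path exclusions dropped in favour of New Terms on user.name/process.command_line` above `query` would stop the next tuner re-adding it. The `note` string itself begins outside this hunk.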
@@ -73,26 +80,33 @@ id = "T1083" name = "File and Directory Discovery" reference = "https://attack.mitre.org/techniques/T1083/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[rule.new_terms] +field = "new_terms_fields" +value = ["user.name", "process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml index f79ecd709d8..c403b5871d9 100644 --- a/rules/windows/discovery_net_view.toml +++ b/rules/windows/discovery_net_view.toml @@ -2,16 +2,16 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/14" [rule] author = ["Elastic"] description = "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool." from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Windows Network Enumeration" note = """## Triage and analysis 
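Review bot: The new `[rule.new_terms]` block keys on `process.command_line`, and for this rule that value is `cmd.exe /c dir <path>`-shaped input that changes with every directory listed, so each distinct path per `user.name` is a fresh term and likely fires once within the `now-14d` window — probably noisier than the parent-path exclusions the query rewrite removed. If the signal wanted is "a user not previously seen running cmd discovery" rather than "a command line not previously seen", `value = ["user.name", "process.name"]` bounds the cardinality; if the command-line key is intended, a comment above `value` stating the expected volume would help reviewers. The same `user.name`/`process.command_line` pairing is used for net_view, remote system discovery, service discovery and system time discovery later on this page, where the arguments are more fixed and the concern is smaller.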
@@ -49,30 +49,27 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "7b8bfc26-81d2-435e-965c-d722ee397ef1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and - ((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or - ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and - not process.parent.name : "net.exe")) and - (process.args : "view" or (process.args : "time" and process.args : "\\\\*")) - - - /* expand when ancestry is available - and not descendant of [process where event.type == "start" and process.name : "cmd.exe" and - ((process.parent.name : "userinit.exe") or - (process.parent.name : "gpscript.exe") or - (process.parent.name : "explorer.exe" and - process.args : "C:\\*\\Start Menu\\Programs\\Startup\\*.bat*"))] - */ +host.os.type:windows and event.category:process and event.type:start and + ((process.name:net.exe or process.pe.original_file_name:net.exe) or + ((process.name:net1.exe or process.pe.original_file_name:net1.exe) and not process.parent.name:net.exe)) and + (process.args:view or (process.args:time and process.args:\\\\*)) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" 
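Review bot: `process.args:\\\\*` on the last line of the new query is an unquoted KQL value, and since KQL reads backslash as an escape the four backslashes in the TOML literal string should reduce to two literal backslashes plus a wildcard — the same UNC prefix the removed EQL string `"\\\\*"` matched; this is worth confirming with a `net time \\host` fixture, because if the escaping collapses differently the `time` branch silently widens to every `net time` invocation (quoting the value is not an option, as KQL treats `*` inside quotes literally). The rewrite also drops the `/* expand when ancestry is available ... */` block; if that exclusion is still planned, a TOML `# TODO: ...` comment above `query` is the place for it now that the query language has no comment syntax.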
@@ -83,9 +80,15 @@ id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[rule.new_terms] +field = "new_terms_fields" +value = ["user.name", "process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml index d3d963d15e7..3fe8110a195 100644 --- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml +++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml @@ -2,9 +2,9 @@ creation_date = "2020/09/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/14" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ false_positives = [ ] from = "now-9m" index = ["logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "External IP Lookup from Non-Browser Process" note = """## Triage and analysis 
@@ -62,74 +62,53 @@ references = [ risk_score = 21 rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -network where host.os.type == "windows" and network.protocol == "dns" and - process.name != null and user.id not in ("S-1-5-19", "S-1-5-20") and - event.action == "lookup_requested" and - /* Add new external IP lookup services here */ - dns.question.name : - ( - "*api.ipify.org", - "*freegeoip.app", - "*checkip.amazonaws.com", - "*checkip.dyndns.org", - "*freegeoip.app", - "*icanhazip.com", - "*ifconfig.*", - "*ipecho.net", - "*ipgeoapi.com", - "*ipinfo.io", - "*ip.anysrc.net", - "*myexternalip.com", - "*myipaddress.com", - "*showipaddress.com", - "*whatismyipaddress.com", - "*wtfismyip.com", - "*ipapi.co", - "*ip-lookup.net", - "*ipstack.com" - ) and - /* Insert noisy false positives here */ - not process.executable : - ( - "?:\\Program Files\\*.exe", - "?:\\Program Files (x86)\\*.exe", - "?:\\Windows\\System32\\WWAHost.exe", - "?:\\Windows\\System32\\smartscreen.exe", - "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", - "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", - "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", - "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe", - "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", - "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" - ) +host.os.type:windows and event.category:network and network.protocol:dns and process.name:* and +event.action:lookup_requested and dns.question.name:( + *api.ipify.org or 
*freegeoip.app or *checkip.amazonaws.com or *checkip.dyndns.org or *freegeoip.app or + *icanhazip.com or *ifconfig.* or *ipecho.net or *ipgeoapi.com or *ipinfo.io or *ip.anysrc.net or *myexternalip.com or + *myipaddress.com or *showipaddress.com or *whatismyipaddress.com or *wtfismyip.com or *ipapi.co or *ip-lookup.net or + *ipstack.com + ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" - [[rule.threat.technique]] id = "T1614" name = "System Location Discovery" reference = "https://attack.mitre.org/techniques/T1614/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.name", "process.executable"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml index 56f8682e892..3a018e15f6d 100644 --- a/rules_building_block/discovery_generic_registry_query.toml +++ b/rules_building_block/discovery_generic_registry_query.toml @@ -33,7 +33,7 @@ building_block_type = "default" type = "new_terms" query = ''' -host.os.type:windows and event.type:start and ( +host.os.type:windows and event.category:process and event.type:start and ( process.name:reg.exe and process.args:query or process.name:(powershell.exe or powershell_ise.exe or pwsh.exe) and process.args:( (*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and (*HKCU* or *HKEY_CURRENT_USER* or *HKEY_LOCAL_MACHINE* or 
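Review bot: `*freegeoip.app` appears twice on the line beginning `*freegeoip.app or *checkip.amazonaws.com`, a duplicate carried over from the EQL version; since the list is being rewritten anyway, one copy should go. The rewrite also drops `user.id not in ("S-1-5-19", "S-1-5-20")` and the whole executable allow-list, leaving the `[rule.new_terms]` pair `host.name`/`process.executable` (switched to `user.name`/`process.executable` in a later patch on this page) as the only noise control, so every first-seen browser or updater path will likely alert once per window; if that is the intent, say so above `query`, e.g. `# no process allow-list: New Terms on process.executable suppresses repeats after first sight`. The EQL `/* Add new external IP lookup services here */` marker has no KQL equivalent; moving it to a TOML comment keeps the maintenance hint.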
diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml index b642272bbaa..91e8e08b2db 100644 --- a/rules_building_block/discovery_internet_capabilities.toml +++ b/rules_building_block/discovery_internet_capabilities.toml @@ -35,7 +35,8 @@ type = "new_terms" building_block_type = "default" query = ''' -host.os.type:windows and event.type:start and process.name:(ping.exe or tracert.exe or pathping.exe) and +host.os.type:windows and event.category:process and event.type:start and +process.name:(ping.exe or tracert.exe or pathping.exe) and not process.args:(127.0.0.1 or 0.0.0.0 or localhost or 1.1.1.1 or 1.2.3.4 or "::1") ''' diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml index c6b5f68d94c..48292df2a0d 100644 --- a/rules_building_block/discovery_win_network_connections.toml +++ b/rules_building_block/discovery_win_network_connections.toml @@ -33,7 +33,7 @@ building_block_type = "default" type = "new_terms" query = ''' -host.os.type:windows and event.type:start and ( +host.os.type:windows and event.category:process and event.type:start and ( process.name:netstat.exe or ( process.name:net.exe or process.pe.original_file_name:net.exe or (process.name:net1.exe or process.pe.original_file_name:net1.exe) and not process.parent.name:net.exe diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index de863b3bef1..1ff4ae96793 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml 
@@ -32,7 +32,7 @@ type = "new_terms" building_block_type = "default" query = ''' -host.os.type:windows and event.type:start and ( +host.os.type:windows and event.category:process and event.type:start and ( process.name:cmd.exe and process.args:ver* or process.name:(hostname.exe or systeminfo.exe) or process.name:wmic.exe and process.args:(get and os) From 83f63b545588cd50d0880375e63dddcb28335ac4 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Thu, 14 Sep 2023 15:16:57 +0200 Subject: [PATCH 13/44] Additional tuning --- ..._post_exploitation_external_ip_lookup.toml | 2 +- ...very_privileged_localgroup_membership.toml | 80 ++++++------------- ...ote_system_discovery_commands_windows.toml | 50 +++++++----- .../discovery_security_software_wmic.toml | 23 ++++-- .../discovery_system_service_discovery.toml | 42 ++++++---- .../discovery_system_time_discovery.toml | 35 +++++--- 6 files changed, 124 insertions(+), 108 deletions(-) diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml index 3fe8110a195..990e4c4fb25 100644 --- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml +++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml @@ -107,7 +107,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["host.name", "process.executable"] +value = ["user.name", "process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml index 17764a8ba55..1b476e1f8cd 100644 --- a/rules/windows/discovery_privileged_localgroup_membership.toml +++ b/rules/windows/discovery_privileged_localgroup_membership.toml 
@@ -2,9 +2,9 @@ creation_date = "2020/10/15" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/14" [transform] [[transform.osquery]] @@ -31,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -40,7 +39,7 @@ Administrators or Remote Desktop users. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Enumeration of Privileged Local Groups Membership" note = """## Triage and analysis 
@@ -112,75 +111,44 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "291a0de9-937a-4189-94c0-3e847c8b13e4" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -iam where event.action == "user-member-enumerated" and - - /* excluding machine account */ - not winlog.event_data.SubjectUserName: ("*$", "LOCAL SERVICE", "NETWORK SERVICE") and - - /* noisy and usual legit processes excluded */ - not winlog.event_data.CallerProcessName: - ("-", - "?:\\Windows\\System32\\VSSVC.exe", - "?:\\Windows\\System32\\SearchIndexer.exe", - "?:\\Windows\\System32\\CompatTelRunner.exe", - "?:\\Windows\\System32\\oobe\\msoobe.exe", - "?:\\Windows\\System32\\net1.exe", - "?:\\Windows\\System32\\svchost.exe", - "?:\\Windows\\System32\\Netplwiz.exe", - "?:\\Windows\\System32\\msiexec.exe", - "?:\\Windows\\SysWOW64\\msiexec.exe", - "?:\\Windows\\System32\\CloudExperienceHostBroker.exe", - "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "?:\\Windows\\System32\\SrTasks.exe", - "?:\\Windows\\System32\\lsass.exe", - "?:\\Windows\\System32\\diskshadow.exe", - "?:\\Windows\\System32\\dfsrs.exe", - "?:\\Program Files\\*.exe", - "?:\\Program Files (x86)\\*.exe", - "?:\\WindowsAzure\\*\\WaAppAgent.exe", - "?:\\Windows\\System32\\vssadmin.exe", - "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe", - "?:\\Windows\\System32\\dllhost.exe", - "?:\\Windows\\System32\\mmc.exe", - "?:\\Windows\\System32\\SettingSyncHost.exe", - "?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", - "?:\\Windows\\System32\\SystemSettingsAdminFlows.exe", - "?:\\Windows\\Temp\\rubrik_vmware???\\snaptool.exe", - 
"?:\\Windows\\System32\\inetsrv\\w3wp.exe", - "?:\\$WINDOWS.~BT\\Sources\\*.exe", - "?:\\Windows\\System32\\wsmprovhost.exe", - "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\x3jobt3?.exe", - "?:\\Windows\\System32\\mstsc.exe", - "?:\\Windows\\System32\\esentutl.exe", - "?:\\Windows\\System32\\RecoveryDrive.exe", - "?:\\Windows\\System32\\SystemPropertiesComputerName.exe") and - - /* privileged local groups */ - (group.name:("*admin*","RemoteDesktopUsers") or - winlog.event_data.TargetSid:("S-1-5-32-544","S-1-5-32-555")) +host.os.type:windows and event.category:iam and event.action:user-member-enumerated and ( + group.name:(*admin* or RemoteDesktopUsers) or + winlog.event_data.TargetSid:(S-1-5-32-544 or S-1-5-32-555) +) and not winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[rule.new_terms] +field = "new_terms_fields" +value = ["user.name", "winlog.event_data.SubjectUserName"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml index 90c6d2c9930..d5b6f3dc97d 100644 --- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml +++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml 
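Review bot: The `[rule.new_terms]` fields `user.name` and `winlog.event_data.SubjectUserName` appear to be two spellings of the same subject, so the pair probably adds no discrimination over `user.name` alone, while the query rewrite removes the whole `winlog.event_data.CallerProcessName` allow-list (VSSVC.exe, SearchIndexer.exe, svchost.exe, ...) that previously separated routine enumerators from suspicious ones. Pairing the subject with the caller, `value = ["user.name", "winlog.event_data.CallerProcessName"]`, makes "this user has not enumerated privileged groups from this process before" the new term; confirm the field is populated in the `user-member-enumerated` events under `logs-system.*` before relying on it. `*$` in `not winlog.event_data.SubjectUserName: (*$ or ...)` is an unquoted KQL value ending in `$`; it should parse, but a fixture with a machine account (`HOST$`) would verify the exclusion still works.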
@@ -2,16 +2,16 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/14"
 
 [rule]
 author = ["Elastic"]
 description = "Discovery of remote system information using built-in commands, which may be used to move laterally."
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
-language = "eql"
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+language = "kuery"
 license = "Elastic License v2"
 name = "Remote System Discovery Commands"
 note = """## Triage and analysis
@@ -49,26 +49,32 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "0635c542-1b96-4335-9b47-126582d2c19a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and - ((process.name : "nbtstat.exe" and process.args : ("-n", "-s")) or - (process.name : "arp.exe" and process.args : "-a") or - (process.name : "nltest.exe" and process.args : ("/dclist", "/dsgetdc")) or - (process.name : "nslookup.exe" and process.args : "*_ldap._tcp.dc.*") or - (process.name: ("dsquery.exe", "dsget.exe") and process.args: "subnet") or - ((((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or - ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and not - process.parent.name : "net.exe")) and - process.args : "group" and process.args : "/domain" and not process.args : "/add"))) +host.os.type:windows and event.category:process and event.type:start and + ((process.name:nbtstat.exe and process.args:(-n or -s)) or + (process.name:ARP.EXE and process.args:-a) or + (process.name:nltest.exe and process.args:(/dclist or /dsgetdc)) or + (process.name:nslookup.exe and process.args:*_ldap._tcp.dc.*) or + (process.name:(dsquery.exe or dsget.exe) and process.args: subnet) or + ((((process.name:net.exe or process.pe.original_file_name:net.exe) or + ((process.name:net1.exe or process.pe.original_file_name:net1.exe) and not + process.parent.name:net.exe)) and + process.args:group and process.args:/domain and not 
process.args:/add))) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" @@ -79,9 +85,15 @@ id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[rule.new_terms] +field = "new_terms_fields" +value = ["user.name", "process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml index 8e3377602b7..14f13b804da 100644 --- a/rules/windows/discovery_security_software_wmic.toml +++ b/rules/windows/discovery_security_software_wmic.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/14" [rule] author = ["Elastic"] 
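Review bot: `process.name:ARP.EXE` in the rewritten query changes the case of the removed `process.name : "arp.exe"`, and KQL term matches on a keyword field such as `process.name` are case-sensitive unless the field has a normaliser, whereas the EQL `:` operator was not; with `winlogbeat-*` and `logs-windows.*` still in `index`, events from a source that records the lowercase name would stop matching. `process.name:(ARP.EXE or arp.exe)` keeps both spellings, and the same check applies to every `process.name:` and `process.args:` term converted from EQL in these patches. Minor style: `process.args: subnet` carries a space after the colon that the rest of the query does not.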
@@ -52,32 +52,39 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "6ea55c81-e2ba-42f2-a134-bccf857ba922" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.name:"wmic.exe" or process.pe.original_file_name:"wmic.exe") and - process.args:"/namespace:\\\\root\\SecurityCenter2" and process.args:"Get" +(process.name : "wmic.exe" or process.pe.original_file_name : "wmic.exe") and +process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" and +not process.parent.executable : "?:*\\JetBrains*" and not process.parent.name : ("jp2launcher.exe", "Remote Access.exe", +"idea64.exe", "pycharm64.exe") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_system_service_discovery.toml b/rules/windows/discovery_system_service_discovery.toml index 1e9af9b7815..c5f9a9793ff 100644 --- a/rules/windows/discovery_system_service_discovery.toml +++ b/rules/windows/discovery_system_service_discovery.toml 
@@ -2,9 +2,9 @@
 creation_date = "2023/01/24"
 integration = ["windows", "endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/07/12"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/14"
 
 [rule]
 author = ["Elastic"]
@@ -13,29 +13,35 @@ Detects the usage of commonly used system service discovery techniques, which at after compromising a system in order to gain a better understanding of the environment and/or escalate privileges. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] -language = "eql" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +language = "kuery" license = "Elastic License v2" name = "System Service Discovery through built-in Windows Utilities" risk_score = 21 rule_id = "e0881d20-54ac-457f-8733-fe0bc5d44c55" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and +host.os.type:windows and event.category:process and event.type:start and ( - ((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2) or - ((process.name: "sc.exe" or process.pe.original_file_name == "sc.exe") and process.args: ("query", "q*")) or - ((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc") or - (process.name : "psservice.exe" or process.pe.original_file_name == "psservice.exe") - ) and not user.id : "S-1-5-18" + ((process.name:net.exe or process.pe.original_file_name:net.exe or (process.name:net1.exe and not process.parent.name:net.exe)) and process.args:(start or use) and process.args_count:2) or + ((process.name: sc.exe or process.pe.original_file_name:sc.exe) and process.args: (query or q*)) or + 
((process.name: tasklist.exe or process.pe.original_file_name:tasklist.exe) and process.args: /svc) or + (process.name:psservice.exe or process.pe.original_file_name:psservice.exe) + ) ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" @@ -44,4 +50,12 @@ reference = "https://attack.mitre.org/techniques/T1007/" [rule.threat.tactic] id = "TA0007" name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0007/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["user.name", "process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/windows/discovery_system_time_discovery.toml b/rules/windows/discovery_system_time_discovery.toml index a340cb45f48..e2abfd127cf 100644 --- a/rules/windows/discovery_system_time_discovery.toml +++ b/rules/windows/discovery_system_time_discovery.toml @@ -2,9 +2,9 @@ creation_date = "2023/01/17" integration = ["windows", "endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/14" [rule] author = ["Elastic"] 
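Review bot: The rewritten query now ends at `)` and no longer carries the `and not user.id : "S-1-5-18"` exclusion the EQL version had, while the system time discovery rule converted in the same patch keeps it; unless dropping SYSTEM is deliberate here, New Terms keyed on `user.name`/`process.command_line` will surface each new service-query command line run by SYSTEM (scheduled tasks, management agents) once per window. Either restore `) and not user.id : "S-1-5-18"` or record the reason in a comment above `query`. Also `process.name: sc.exe`, `process.args: (query or q*)` and `process.args: /svc` carry a space after the colon that the neighbouring terms do not.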
@@ -13,27 +13,34 @@ Detects the usage of commonly used system time discovery techniques, which attac """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "System Time Discovery" risk_score = 21 rule_id = "06568a02-af29-4f20-929c-f3af281e41aa" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and +host.os.type:windows and event.category:process and event.type:start and ( - ((process.name: "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : "time") or - (process.name: "w32tm.exe" and process.args: "/tz") or - (process.name: "tzutil.exe" and process.args: "/g") + ((process.name:net.exe or (process.name:net1.exe and not process.parent.name:net.exe)) and process.args:time) or + (process.name:w32tm.exe and process.args:/tz) or + (process.name:tzutil.exe and process.args:/g) ) and not user.id : "S-1-5-18" ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1124" name = "System Time Discovery" @@ -43,3 +50,11 @@ reference = "https://attack.mitre.org/techniques/T1124/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["user.name", "process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" From 16d20fd0f47a7571601d323c43ed7c96fbbb5989 Mon Sep 17 00:00:00 2001 
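Review bot: `index` keeps `endgame-*` and `tags` keeps `"Data Source: Elastic Endgame"` although the service-discovery conversion in this same commit removes both, and the new KQL form depends on `process.args` being populated for those documents, which is not visible here; either align the two files or confirm the Endgame mapping before shipping. The hunk also retains `and not user.id : "S-1-5-18"` while the sibling conversion dropped it, so the two discovery rules disagree on whether SYSTEM activity is baselined.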
From: Aegrah Date: Thu, 14 Sep 2023 15:29:46 +0200 Subject: [PATCH 14/44] Unit testing optimization fix --- rules/windows/discovery_files_dir_systeminfo_via_cmd.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml index c3cc87ea5f8..2e6ac1d4a68 100644 --- a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml +++ b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml @@ -63,8 +63,8 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -host.os.type:windows and event.category:process and event.type:start and -process.name:cmd.exe and process.args:/c and process.args:(set or dir) +host.os.type:windows and event.category:process and event.type:start and process.name:cmd.exe and +process.args:(/c and (dir or set)) ''' [[rule.threat]] From 8fcae0ecada8e473ccc89240e5f48c49d3cb0296 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Thu, 14 Sep 2023 15:43:59 +0200 Subject: [PATCH 15/44] optimization --- rules/windows/discovery_net_view.toml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml index c403b5871d9..849216f4a2e 100644 --- a/rules/windows/discovery_net_view.toml +++ b/rules/windows/discovery_net_view.toml 
@@ -61,10 +61,10 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -host.os.type:windows and event.category:process and event.type:start and - ((process.name:net.exe or process.pe.original_file_name:net.exe) or - ((process.name:net1.exe or process.pe.original_file_name:net1.exe) and not process.parent.name:net.exe)) and - (process.args:view or (process.args:time and process.args:\\\\*)) +host.os.type:windows and event.category:process and event.type:start and +(process.name:net.exe or process.pe.original_file_name:net.exe or +(process.name:net1.exe or process.pe.original_file_name:net1.exe) and not process.parent.name:net.exe) and +process.args:(view or time and \\\\\\\\*) ''' [[rule.threat]] From 120024a2d27274fe0879c8c0dfcfe5a063d71314 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Thu, 14 Sep 2023 15:52:38 +0200 Subject: [PATCH 16/44] tuning --- ...mote_system_discovery_commands_windows.toml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml index d5b6f3dc97d..ec029ed0bee 100644 --- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml +++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml 
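Review bot: The UNC literal changes from `\\\\*` to `\\\\\\\\*` in the same edit that regroups the arguments, and nothing in the commit says why; because the TOML `'''` string is raw, the KQL layer now receives eight backslashes, which presumably is needed because the value ends up in a wildcard query where `\` is an escape character a second time. A one-line comment above `query` such as `# UNC paths: backslashes are escaped once for KQL and once for the wildcard query` would keep the next editor from "fixing" it. The regrouped `process.args:(view or time and \\\\\\\\*)` also relies on `and` binding tighter than `or`; `process.args:(view or (time and \\\\\\\\*))` makes the intent explicit at no cost.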
@@ -60,16 +60,14 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -host.os.type:windows and event.category:process and event.type:start and - ((process.name:nbtstat.exe and process.args:(-n or -s)) or - (process.name:ARP.EXE and process.args:-a) or - (process.name:nltest.exe and process.args:(/dclist or /dsgetdc)) or - (process.name:nslookup.exe and process.args:*_ldap._tcp.dc.*) or - (process.name:(dsquery.exe or dsget.exe) and process.args: subnet) or - ((((process.name:net.exe or process.pe.original_file_name:net.exe) or - ((process.name:net1.exe or process.pe.original_file_name:net1.exe) and not - process.parent.name:net.exe)) and - process.args:group and process.args:/domain and not process.args:/add))) +host.os.type:windows and event.category:process and event.type:start and ( +process.name:nbtstat.exe and process.args:(-n or -s) or +process.name:ARP.EXE and process.args:-a or process.name:nltest.exe and process.args:(/dclist or /dsgetdc) or +process.name:nslookup.exe and process.args:*_ldap._tcp.dc.* or +process.name:(dsget.exe or dsquery.exe) and process.args:subnet or +(process.name:net.exe or process.pe.original_file_name:net.exe or +(process.name:net1.exe or process.pe.original_file_name:net1.exe) and +not process.parent.name:net.exe) and process.args:(/domain and group and not /add)) ''' [[rule.threat]] From 2276ebaf25b010af6f561932e762d8191a51b088 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Thu, 14 Sep 2023 16:05:09 +0200 Subject: [PATCH 17/44] Optimization --- .../windows/discovery_system_service_discovery.toml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/rules/windows/discovery_system_service_discovery.toml b/rules/windows/discovery_system_service_discovery.toml index c5f9a9793ff..9c56dff4458 100644 --- a/rules/windows/discovery_system_service_discovery.toml +++ b/rules/windows/discovery_system_service_discovery.toml 
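Review bot: The flattened query drops the per-utility parentheses and now relies on `and` binding tighter than `or` across six branches, e.g. `process.name:ARP.EXE and process.args:-a or process.name:nltest.exe and process.args:(/dclist or /dsgetdc)`; the grouping is still correct, but a reader can no longer verify it line by line, and a later edit that inserts a branch without `and` would silently widen the match. Keeping one parenthesised group per utility, as the removed lines had, costs nothing in the generated query. The service-discovery hunk of the next commit (`@@ -30,13 +30,12 @@`) applies the same flattening, where `process.name:net1.exe and not process.parent.name:net.exe` is appended to an `or` chain and is correct only by precedence.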
@@ -30,13 +30,12 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -host.os.type:windows and event.category:process and event.type:start and - ( - ((process.name:net.exe or process.pe.original_file_name:net.exe or (process.name:net1.exe and not process.parent.name:net.exe)) and process.args:(start or use) and process.args_count:2) or - ((process.name: sc.exe or process.pe.original_file_name:sc.exe) and process.args: (query or q*)) or - ((process.name: tasklist.exe or process.pe.original_file_name:tasklist.exe) and process.args: /svc) or - (process.name:psservice.exe or process.pe.original_file_name:psservice.exe) - ) +host.os.type:windows and event.category:process and event.type:start and +((process.name:net.exe or process.pe.original_file_name:net.exe or process.name:net1.exe and + not process.parent.name:net.exe) and process.args:(start or use) and process.args_count:2 or +(process.name:sc.exe or process.pe.original_file_name:sc.exe) and process.args:(query or q*) or +(process.name:tasklist.exe or process.pe.original_file_name:tasklist.exe) and process.args:/svc or +process.name:psservice.exe or process.pe.original_file_name:psservice.exe) ''' [[rule.threat]] From c50714a7429dfc80550a692fd0a7c2cd70f2958c Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Tue, 19 Sep 2023 13:31:45 +0200 Subject: [PATCH 18/44] Update rules/windows/discovery_privileged_localgroup_membership.toml --- rules/windows/discovery_privileged_localgroup_membership.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml index 1b476e1f8cd..ff21b4014db 100644 --- a/rules/windows/discovery_privileged_localgroup_membership.toml +++ b/rules/windows/discovery_privileged_localgroup_membership.toml 
@@ -122,7 +122,7 @@ type = "new_terms" query = ''' host.os.type:windows and event.category:iam and event.action:user-member-enumerated and ( - group.name:(*admin* or RemoteDesktopUsers) or + group.name:(*Admin* or RemoteDesktopUsers) or winlog.event_data.TargetSid:(S-1-5-32-544 or S-1-5-32-555) ) and not winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE") ''' From fec72d4d069ee3acf77cc76e6df76b6bd2c26ffa Mon Sep 17 00:00:00 2001 From: Aegrah Date: Wed, 20 Sep 2023 09:59:44 +0200 Subject: [PATCH 19/44] Added feedback --- ...iscovery_files_dir_systeminfo_via_cmd.toml | 8 ++++---- rules/windows/discovery_net_view.toml | 10 +++++----- ...very_privileged_localgroup_membership.toml | 8 ++++---- ...ote_system_discovery_commands_windows.toml | 19 ++++++++++--------- .../discovery_system_service_discovery.toml | 14 +++++++------- .../discovery_system_time_discovery.toml | 16 +++++++++------- .../discovery_generic_registry_query.toml | 10 +++++----- .../discovery_internet_capabilities.toml | 9 ++++----- .../discovery_win_network_connections.toml | 12 ++++++------ ..._windows_system_information_discovery.toml | 10 +++++----- 10 files changed, 59 insertions(+), 57 deletions(-) diff --git a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml index 2e6ac1d4a68..b904c25e0a1 100644 --- a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml +++ b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/14" +updated_date = "2023/09/20" [rule] author = ["Elastic"] 
@@ -63,8 +63,8 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -host.os.type:windows and event.category:process and event.type:start and process.name:cmd.exe and -process.args:(/c and (dir or set)) +host.os.type:windows and event.category:process and event.type:start and process.name.caseless:"cmd.exe" and +process.args:("/c" and ("dir" or "set")) ''' [[rule.threat]] @@ -105,7 +105,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" -value = ["user.name", "process.command_line"] +value = ["user.id", "process.command_line"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml index 849216f4a2e..53baa048a71 100644 --- a/rules/windows/discovery_net_view.toml +++ b/rules/windows/discovery_net_view.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/14" +updated_date = "2023/09/20" [rule] author = ["Elastic"] @@ -62,9 +62,9 @@ type = "new_terms" query = ''' host.os.type:windows and event.category:process and event.type:start and -(process.name:net.exe or process.pe.original_file_name:net.exe or -(process.name:net1.exe or process.pe.original_file_name:net1.exe) and not process.parent.name:net.exe) and -process.args:(view or time and \\\\\\\\*) +(process.name.caseless:"net.exe" or process.pe.original_file_name:"net.exe" or +(process.name.caseless:"net1.exe" or process.pe.original_file_name:"net1.exe") and not process.parent.name:"net.exe") and +process.args:("view" or "time" and \\\\\\\\*) ''' [[rule.threat]] 
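Review bot: In the net-view hunk the positive match moves to `process.name.caseless:"net.exe"` / `"net1.exe"` but the exclusion `not process.parent.name:"net.exe"` stays on the case-sensitive keyword, so a parent recorded as `NET.EXE` is no longer excluded and the `net1.exe` child matches a second time next to its parent. Either use `not process.parent.name.caseless:"net.exe"`, assuming that multi-field exists alongside `process.name.caseless` in the endpoint and windows integrations, or keep both sides on the same field. The same mismatch appears in the remote-system (`@@ -61,13 +61,14 @@`), service-discovery (`@@ -31,11 +31,11 @@`), time-discovery (`@@ -32,9 +31,12 @@`) and network-connections (`@@ -34,10 +34,10 @@`) hunks of this commit.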
@@ -87,7 +87,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["user.name", "process.command_line"] +value = ["user.id", "process.command_line"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml index ff21b4014db..f468a36f53c 100644 --- a/rules/windows/discovery_privileged_localgroup_membership.toml +++ b/rules/windows/discovery_privileged_localgroup_membership.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/14" +updated_date = "2023/09/20" [transform] [[transform.osquery]] @@ -122,8 +122,8 @@ type = "new_terms" query = ''' host.os.type:windows and event.category:iam and event.action:user-member-enumerated and ( - group.name:(*Admin* or RemoteDesktopUsers) or - winlog.event_data.TargetSid:(S-1-5-32-544 or S-1-5-32-555) + group.name:(*Admin* or "RemoteDesktopUsers") or + winlog.event_data.TargetSid:("S-1-5-32-544" or "S-1-5-32-555") ) and not winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE") ''' @@ -147,7 +147,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["user.name", "winlog.event_data.SubjectUserName"] +value = ["user.id", "winlog.event_data.SubjectUserName"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml index ec029ed0bee..42ef65eb308 100644 --- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml +++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/14" +updated_date = "2023/09/20" [rule] author = ["Elastic"] @@ -61,13 +61,14 @@ type = "new_terms" query = ''' host.os.type:windows and event.category:process and event.type:start and ( -process.name:nbtstat.exe and process.args:(-n or -s) or -process.name:ARP.EXE and process.args:-a or process.name:nltest.exe and process.args:(/dclist or /dsgetdc) or -process.name:nslookup.exe and process.args:*_ldap._tcp.dc.* or -process.name:(dsget.exe or dsquery.exe) and process.args:subnet or -(process.name:net.exe or process.pe.original_file_name:net.exe or -(process.name:net1.exe or process.pe.original_file_name:net1.exe) and -not process.parent.name:net.exe) and process.args:(/domain and group and not /add)) +process.name.caseless:"nbtstat.exe" and process.args:("-n" or "-s") or +process.name.caseless:"ARP.EXE" and process.args:"-a" or +process.name.caseless:"nltest.exe" and process.args:("/dclist" or "/dsgetdc") or +process.name.caseless:"nslookup.exe" and process.args:*_ldap._tcp.dc.* or +process.name.caseless:("dsget.exe" or "dsquery.exe") and process.args:"subnet" or +(process.name.caseless:"net.exe" or process.pe.original_file_name:"net.exe" or +(process.name.caseless:"net1.exe" or process.pe.original_file_name:"net1.exe") and +not process.parent.name:"net.exe") and process.args:("/domain" and "group" and not "/add")) ''' [[rule.threat]] @@ -90,7 +91,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["user.name", "process.command_line"] +value = ["user.id", "process.command_line"] [[rule.new_terms.history_window_start]] field = "history_window_start" 
diff --git a/rules/windows/discovery_system_service_discovery.toml b/rules/windows/discovery_system_service_discovery.toml index 9c56dff4458..339cbac156d 100644 --- a/rules/windows/discovery_system_service_discovery.toml +++ b/rules/windows/discovery_system_service_discovery.toml @@ -4,7 +4,7 @@ integration = ["windows", "endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/14" +updated_date = "2023/09/20" [rule] author = ["Elastic"] @@ -31,11 +31,11 @@ type = "new_terms" query = ''' host.os.type:windows and event.category:process and event.type:start and -((process.name:net.exe or process.pe.original_file_name:net.exe or process.name:net1.exe and - not process.parent.name:net.exe) and process.args:(start or use) and process.args_count:2 or -(process.name:sc.exe or process.pe.original_file_name:sc.exe) and process.args:(query or q*) or -(process.name:tasklist.exe or process.pe.original_file_name:tasklist.exe) and process.args:/svc or -process.name:psservice.exe or process.pe.original_file_name:psservice.exe) +((process.name.caseless:"net.exe" or process.pe.original_file_name:"net.exe" or process.name.caseless:"net1.exe" and + not process.parent.name:"net.exe") and process.args:("start" or "use") and process.args_count:2 or +(process.name.caseless:"sc.exe" or process.pe.original_file_name:"sc.exe") and process.args:("query" or q*) or +(process.name.caseless:"tasklist.exe" or process.pe.original_file_name:"tasklist.exe") and process.args:"/svc" or +process.name.caseless:"psservice.exe" or process.pe.original_file_name:"psservice.exe") ''' [[rule.threat]] @@ -53,7 +53,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["user.name", "process.command_line"] +value = ["user.id", "process.command_line"] [[rule.new_terms.history_window_start]] field = "history_window_start" 
diff --git a/rules/windows/discovery_system_time_discovery.toml b/rules/windows/discovery_system_time_discovery.toml index e2abfd127cf..46e4229d9ca 100644 --- a/rules/windows/discovery_system_time_discovery.toml +++ b/rules/windows/discovery_system_time_discovery.toml @@ -4,7 +4,7 @@ integration = ["windows", "endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/14" +updated_date = "2023/09/20" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ description = """ Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "System Time Discovery" @@ -23,7 +23,6 @@ tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", - "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" @@ -32,9 +31,12 @@ type = "new_terms" query = ''' host.os.type:windows and event.category:process and event.type:start and ( - ((process.name:net.exe or (process.name:net1.exe and not process.parent.name:net.exe)) and process.args:time) or - (process.name:w32tm.exe and process.args:/tz) or - (process.name:tzutil.exe and process.args:/g) + ( + (process.name.caseless:"net.exe" or (process.name.caseless:"net1.exe" and not process.parent.name:"net.exe")) and + process.args:"time" + ) or + (process.name.caseless:"w32tm.exe" and process.args:"/tz") or + (process.name.caseless:"tzutil.exe" and process.args:"/g") ) and not user.id : "S-1-5-18" ''' 
@@ -53,7 +55,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["user.name", "process.command_line"] +value = ["user.id", "process.command_line"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml index 3a018e15f6d..6d63b71641f 100644 --- a/rules_building_block/discovery_generic_registry_query.toml +++ b/rules_building_block/discovery_generic_registry_query.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/14" +updated_date = "2023/09/20" bypass_bbr_timing = true [rule] @@ -34,10 +34,10 @@ type = "new_terms" query = ''' host.os.type:windows and event.category:process and event.type:start and ( - process.name:reg.exe and process.args:query or - process.name:(powershell.exe or powershell_ise.exe or pwsh.exe) and process.args:( + process.name.caseless:"reg.exe" and process.args:"query" or + process.name.caseless:("powershell.exe" or "powershell_ise.exe" or "pwsh.exe") and process.args:( (*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and (*HKCU* or *HKEY_CURRENT_USER* or *HKEY_LOCAL_MACHINE* or - *HKLM* or "*Registry::*") + *HKLM* or *Registry\:\:*) ) ) ''' @@ -57,7 +57,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["user.name", "process.command_line"] +value = ["user.id", "process.command_line"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml index 91e8e08b2db..28635476939 100644 --- a/rules_building_block/discovery_internet_capabilities.toml 
+++ b/rules_building_block/discovery_internet_capabilities.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/14" +updated_date = "2023/09/20" bypass_bbr_timing = true [rule] @@ -26,7 +26,6 @@ tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", - "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend" ] @@ -36,8 +35,8 @@ building_block_type = "default" query = ''' host.os.type:windows and event.category:process and event.type:start and -process.name:(ping.exe or tracert.exe or pathping.exe) and -not process.args:(127.0.0.1 or 0.0.0.0 or localhost or 1.1.1.1 or 1.2.3.4 or "::1") +process.name.caseless:("ping.exe" or "tracert.exe" or "pathping.exe") and +not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "1.1.1.1" or "1.2.3.4" or "::1") ''' [[rule.threat]] @@ -60,7 +59,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["user.name", "process.command_line"] +value = ["user.id", "process.command_line"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml index 48292df2a0d..6fc19eb0379 100644 --- a/rules_building_block/discovery_win_network_connections.toml +++ b/rules_building_block/discovery_win_network_connections.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/14" +updated_date = "2023/09/20" bypass_bbr_timing = true [rule] 
@@ -34,10 +34,10 @@ type = "new_terms" query = ''' host.os.type:windows and event.category:process and event.type:start and ( - process.name:netstat.exe or ( - process.name:net.exe or process.pe.original_file_name:net.exe or - (process.name:net1.exe or process.pe.original_file_name:net1.exe) and not process.parent.name:net.exe - ) and process.args:(config or session or use) or process.name:nbtstat.exe and process.args:-s* + process.name.caseless:"netstat.exe" or ( + process.name.caseless:"net.exe" or process.pe.original_file_name:"net.exe" or + (process.name.caseless:"net1.exe" or process.pe.original_file_name:"net1.exe") and not process.parent.name:"net.exe" + ) and process.args:("config" or "session" or "use") or process.name.caseless:"nbtstat.exe" and process.args:-s* ) ''' @@ -61,7 +61,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["user.name", "process.command_line"] +value = ["user.id", "process.command_line"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index 1ff4ae96793..4c77f104964 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -4,7 +4,7 @@ integration = ["windows", "endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/14" +updated_date = "2023/09/20" bypass_bbr_timing = true [rule] 
@@ -33,9 +33,9 @@ building_block_type = "default" query = ''' host.os.type:windows and event.category:process and event.type:start and ( - process.name:cmd.exe and process.args:ver* or - process.name:(hostname.exe or systeminfo.exe) or - process.name:wmic.exe and process.args:(get and os) + process.name.caseless:"cmd.exe" and process.args:ver* or + process.name.caseless:("hostname.exe" or "systeminfo.exe") or + process.name.caseless:"wmic.exe" and process.args:("get" and "os") ) ''' @@ -54,7 +54,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["user.name", "process.command_line"] +value = ["user.id", "process.command_line"] [[rule.new_terms.history_window_start]] field = "history_window_start" From 0b733e30d73225ec2ed03c0c0c8aac58051cb1b2 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Thu, 21 Sep 2023 10:48:21 +0200 Subject: [PATCH 20/44] Update rules/windows/discovery_privileged_localgroup_membership.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --- .../discovery_privileged_localgroup_membership.toml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml index f468a36f53c..cce17a8117b 100644 --- a/rules/windows/discovery_privileged_localgroup_membership.toml +++ b/rules/windows/discovery_privileged_localgroup_membership.toml 
@@ -121,10 +121,12 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -host.os.type:windows and event.category:iam and event.action:user-member-enumerated and ( - group.name:(*Admin* or "RemoteDesktopUsers") or - winlog.event_data.TargetSid:("S-1-5-32-544" or "S-1-5-32-555") -) and not winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE") +host.os.type:windows and event.category:iam and event.action:user-member-enumerated and + ( + group.name:(*Admin* or "RemoteDesktopUsers") or + winlog.event_data.TargetSid:("S-1-5-32-544" or "S-1-5-32-555") + ) and + not winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE") ''' [[rule.threat]] From 27d5f9bba14d5f597a831e4996f7a7d5a6434cf8 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Thu, 21 Sep 2023 10:48:40 +0200 Subject: [PATCH 21/44] Update rules/windows/discovery_remote_system_discovery_commands_windows.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --- ...ote_system_discovery_commands_windows.toml | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml index 42ef65eb308..939e6c789b0 100644 --- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml +++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml 
@@ -60,15 +60,18 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-host.os.type:windows and event.category:process and event.type:start and (
-process.name.caseless:"nbtstat.exe" and process.args:("-n" or "-s") or
-process.name.caseless:"ARP.EXE" and process.args:"-a" or
-process.name.caseless:"nltest.exe" and process.args:("/dclist" or "/dsgetdc") or
-process.name.caseless:"nslookup.exe" and process.args:*_ldap._tcp.dc.* or
-process.name.caseless:("dsget.exe" or "dsquery.exe") and process.args:"subnet" or
-(process.name.caseless:"net.exe" or process.pe.original_file_name:"net.exe" or
-(process.name.caseless:"net1.exe" or process.pe.original_file_name:"net1.exe") and
-not process.parent.name:"net.exe") and process.args:("/domain" and "group" and not "/add"))
+host.os.type:windows and event.category:process and event.type:start and
+ (
+ process.name.caseless:"nbtstat.exe" and process.args:("-n" or "-s") or
+ process.name.caseless:"ARP.EXE" and process.args:"-a" or
+ process.name.caseless:"nltest.exe" and process.args:("/dclist" or "/dsgetdc") or
+ process.name.caseless:"nslookup.exe" and process.args:*_ldap._tcp.dc.* or
+ process.name.caseless:("dsget.exe" or "dsquery.exe") and process.args:"subnet" or
+ (process.name.caseless:"net.exe" or process.pe.original_file_name:"net.exe" or
+ (process.name.caseless:"net1.exe" or process.pe.original_file_name:"net1.exe") and
+ not process.parent.name:"net.exe") and
+ process.args:("/domain" and "group" and not "/add")
+ )
 '''
 
 [[rule.threat]]
From f5367aefe64438af0c047d6ac7b125c8b965db1d Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Thu, 21 Sep 2023 10:51:04 +0200
Subject: [PATCH 22/44] Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
---
 rules/windows/discovery_system_service_discovery.toml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/discovery_system_service_discovery.toml b/rules/windows/discovery_system_service_discovery.toml
index 339cbac156d..19b698faecf 100644
--- a/rules/windows/discovery_system_service_discovery.toml
+++ b/rules/windows/discovery_system_service_discovery.toml
@@ -31,11 +31,11 @@ type = "new_terms"
 
 query = '''
 host.os.type:windows and event.category:process and event.type:start and
-((process.name.caseless:"net.exe" or process.pe.original_file_name:"net.exe" or process.name.caseless:"net1.exe" and
- not process.parent.name:"net.exe") and process.args:("start" or "use") and process.args_count:2 or
-(process.name.caseless:"sc.exe" or process.pe.original_file_name:"sc.exe") and process.args:("query" or q*) or
-(process.name.caseless:"tasklist.exe" or process.pe.original_file_name:"tasklist.exe") and process.args:"/svc" or
-process.name.caseless:"psservice.exe" or process.pe.original_file_name:"psservice.exe")
+ ((process.name.caseless:"net.exe" or process.pe.original_file_name:"net.exe" or process.name.caseless:"net1.exe" and
+ not process.parent.name:"net.exe") and process.args:("start" or "use") and process.args_count:2 or
+ (process.name.caseless:"sc.exe" or process.pe.original_file_name:"sc.exe") and process.args:("query" or q*) or
+ (process.name.caseless:"tasklist.exe" or process.pe.original_file_name:"tasklist.exe") and process.args:"/svc" or
+ process.name.caseless:"psservice.exe" or process.pe.original_file_name:"psservice.exe")
 '''
 
 [[rule.threat]]
From 4647b5dc7943a0c59fc34bd6eea15a72c43595a2 Mon Sep 17 00:00:00 2001
From: Aegrah Date: Thu, 21 Sep 2023 11:08:25 +0200 Subject: [PATCH 23/44] added host.id as additional new_terms field --- rules/windows/discovery_files_dir_systeminfo_via_cmd.toml | 2 +- rules/windows/discovery_net_view.toml | 2 +- rules/windows/discovery_privileged_localgroup_membership.toml | 2 +- .../discovery_remote_system_discovery_commands_windows.toml | 2 +- rules/windows/discovery_system_service_discovery.toml | 2 +- rules/windows/discovery_system_time_discovery.toml | 2 +- rules_building_block/discovery_generic_registry_query.toml | 2 +- rules_building_block/discovery_internet_capabilities.toml | 2 +- rules_building_block/discovery_win_network_connections.toml | 2 +- .../discovery_windows_system_information_discovery.toml | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml index b904c25e0a1..89873e31479 100644 --- a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml +++ b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml @@ -105,7 +105,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" -value = ["user.id", "process.command_line"] +value = ["host.id", "user.id", "process.command_line"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml index 53baa048a71..274d201f171 100644 --- a/rules/windows/discovery_net_view.toml +++ b/rules/windows/discovery_net_view.toml @@ -87,7 +87,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["user.id", "process.command_line"] +value = ["host.id", "user.id", "process.command_line"] [[rule.new_terms.history_window_start]] field = "history_window_start" 
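Review bot: Adding `host.id` to `new_terms_fields` changes what counts as "new": a user and command line already baselined on one host become a fresh tuple on every other host they first appear on, and a host whose `host.id` changes (after re-imaging or agent re-enrollment, if that is how the integration derives it) restarts its own baseline; the same edit is made in the other nine hunks of this commit. Nothing in these hunks documents that, so alert volume in large fleets is likely to be the first thing operators ask about. A one-line addition to each rule's `note` along the lines of `Alerts fire once per host, user and command line tuple; expect a burst after enrolling new hosts.` would document the behaviour. The `note` blocks themselves are outside these hunks.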
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index cce17a8117b..1527154a433 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -149,7 +149,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["user.id", "winlog.event_data.SubjectUserName"]
+value = ["host.id", "user.id", "winlog.event_data.SubjectUserName"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
index 939e6c789b0..8416c52725b 100644
--- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
@@ -94,7 +94,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["user.id", "process.command_line"]
+value = ["host.id", "user.id", "process.command_line"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules/windows/discovery_system_service_discovery.toml b/rules/windows/discovery_system_service_discovery.toml
index 19b698faecf..b45cc7305ae 100644
--- a/rules/windows/discovery_system_service_discovery.toml
+++ b/rules/windows/discovery_system_service_discovery.toml
@@ -53,7 +53,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["user.id", "process.command_line"]
+value = ["host.id", "user.id", "process.command_line"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules/windows/discovery_system_time_discovery.toml b/rules/windows/discovery_system_time_discovery.toml
index 46e4229d9ca..1dcb5f54a27 100644
--- a/rules/windows/discovery_system_time_discovery.toml
+++ b/rules/windows/discovery_system_time_discovery.toml
@@ -55,7 +55,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["user.id", "process.command_line"]
+value = ["host.id", "user.id", "process.command_line"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml
index 6d63b71641f..e809f985499 100644
--- a/rules_building_block/discovery_generic_registry_query.toml
+++ b/rules_building_block/discovery_generic_registry_query.toml
@@ -57,7 +57,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["user.id", "process.command_line"]
+value = ["host.id", "user.id", "process.command_line"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml
index 28635476939..03185f9a182 100644
--- a/rules_building_block/discovery_internet_capabilities.toml
+++ b/rules_building_block/discovery_internet_capabilities.toml
@@ -59,7 +59,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["user.id", "process.command_line"]
+value = ["host.id", "user.id", "process.command_line"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml
index 6fc19eb0379..3f0428d4629 100644
--- a/rules_building_block/discovery_win_network_connections.toml
+++ b/rules_building_block/discovery_win_network_connections.toml
@@ -61,7 +61,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["user.id", "process.command_line"]
+value = ["host.id", "user.id", "process.command_line"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml
index 4c77f104964..242c024623a 100644
--- a/rules_building_block/discovery_windows_system_information_discovery.toml
+++ b/rules_building_block/discovery_windows_system_information_discovery.toml
@@ -54,7 +54,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["user.id", "process.command_line"]
+value = ["host.id", "user.id", "process.command_line"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
From c0dd57699bf48bb2dc149dedcaac98d042595fab Mon Sep 17 00:00:00 2001
From: Aegrah Date: Thu, 21 Sep 2023 13:44:10 +0200 Subject: [PATCH 24/44] Reworked a lot. --- ...y_signal_files_dir_systeminfo_via_cmd.toml | 77 +++++++++++++++++++ rules/windows/discovery_signal_net_view.toml | 58 ++++++++++++++ ..._post_exploitation_external_ip_lookup.toml | 65 ++++++++++++++++ ...ote_system_discovery_commands_windows.toml | 58 ++++++++++++++ ...scovery_signal_security_software_wmic.toml | 54 +++++++++++++ ...overy_signal_system_service_discovery.toml | 55 +++++++++++++ ...scovery_signal_system_time_discovery.toml} | 30 +++----- ...covery_signal_win_network_connections.toml | 59 ++++++++++++++ ..._windows_system_information_discovery.toml | 54 +++++++++++++ ...iscovery_files_dir_systeminfo_via_cmd.toml | 30 ++++---- .../discovery_generic_registry_query.toml | 4 +- .../discovery_net_view.toml | 30 +++----- ..._post_exploitation_external_ip_lookup.toml | 70 ++++++++++++----- ...ote_system_discovery_commands_windows.toml | 45 +++++------ .../discovery_security_software_wmic.toml | 11 +-- .../discovery_system_service_discovery.toml | 37 ++++----- .../discovery_system_time_discovery.toml | 56 ++++++++++++++ .../discovery_win_network_connections.toml | 38 ++++----- ..._windows_system_information_discovery.toml | 45 ++++++----- 19 files changed, 710 insertions(+), 166 deletions(-) create mode 100644 rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml create mode 100644 rules/windows/discovery_signal_net_view.toml create mode 100644 rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml create mode 100644 rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml create mode 100644 rules/windows/discovery_signal_security_software_wmic.toml create mode 100644 rules/windows/discovery_signal_system_service_discovery.toml rename rules/windows/{discovery_system_time_discovery.toml => discovery_signal_system_time_discovery.toml} (52%) create mode 100644 rules/windows/discovery_signal_win_network_connections.toml 
create mode 100644 rules/windows/discovery_signal_windows_system_information_discovery.toml rename {rules/windows => rules_building_block}/discovery_files_dir_systeminfo_via_cmd.toml (86%) rename {rules/windows => rules_building_block}/discovery_net_view.toml (83%) rename {rules/windows => rules_building_block}/discovery_post_exploitation_external_ip_lookup.toml (72%) rename {rules/windows => rules_building_block}/discovery_remote_system_discovery_commands_windows.toml (75%) rename {rules/windows => rules_building_block}/discovery_security_software_wmic.toml (94%) rename {rules/windows => rules_building_block}/discovery_system_service_discovery.toml (52%) create mode 100644 rules_building_block/discovery_system_time_discovery.toml diff --git a/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml b/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml new file mode 100644 index 00000000000..520c554f477 --- /dev/null +++ b/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml 
@@ -0,0 +1,77 @@
+[metadata]
+creation_date = "2023/09/21"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages alert data from the building block rule "System Information Discovery via Windows Command Shell" to
+alert on signals with unusual unique host.id, user.id and process.command_line entries. The original underlying rule
+identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows
+Command Shell.
+"""
+from = "now-9m"
+index = [".alerts-security*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Signal Alert - System Information Discovery via Windows Command Shell"
+risk_score = 21
+rule_id = "ba85cd0a-a5c9-474e-94af-722037c30d76"
+severity = "low"
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.kind:signal and kibana.alert.rule.rule_id:"d68e95ad-1c82-4074-a12a-125fe10ac8ba"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.command_line"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules/windows/discovery_signal_net_view.toml b/rules/windows/discovery_signal_net_view.toml
new file mode 100644
index 00000000000..679dec0ee40
--- /dev/null
+++ b/rules/windows/discovery_signal_net_view.toml
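Review bot: `timestamp_override = "event.ingested"` combined with `from = "now-9m"` is fragile on an alert index: if the alert documents carry `event.ingested` copied from the source event rather than the time the alert itself was written, a source event that was already several minutes old when the building-block rule fired can fall outside this rule's window before it runs, and the signal is silently skipped; either drop the override so the alert's own `@timestamp` is used, or widen `from`, and record the reasoning in `note`. The same pattern is repeated in the other new signal rules of this commit (the net view, external IP lookup, remote system discovery, security software, system service, system time, network connections and system information files), so whichever way it is resolved should be applied to all of them. These rules also carry no rule-type tag while the building-block rules carry `"Rule Type: BBR"`; if the repository defines a `"Rule Type: Higher-Order Rule"` tag for rules reading `.alerts-security*`, adding it here would keep the two families filterable. As a style point, `tags` puts the first element on the bracket line and indents the closing bracket; one element per line with a trailing comma is the conventional TOML layout and is easier to diff.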
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2023/09/21"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages alert data from the building block rule "Windows Network Enumeration" to alert on signals with
+unusual unique host.id, user.id and process.command_line entries. The original underlying rule identifies attempts to
+enumerate hosts in a network using the built-in Windows net.exe tool.
+"""
+from = "now-9m"
+index = [".alerts-security*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Signal Alert - Windows Network Enumeration"
+risk_score = 21
+rule_id = "7b3d3a1a-8865-422b-900d-ee5e725f8c30"
+severity = "low"
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.kind:signal and kibana.alert.rule.rule_id:"7b8bfc26-81d2-435e-965c-d722ee397ef1"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
+
+[[rule.threat.technique]]
+id = "T1135"
+name = "Network Share Discovery"
+reference = "https://attack.mitre.org/techniques/T1135/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.command_line"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml
new file mode 100644
index 00000000000..3cbbbf548cd
--- /dev/null
+++ b/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml 
@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2023/09/21"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages alert data from the building block rule "External IP Lookup from Non-Browser Process" to alert on
+signals with unusual unique host.id, user.id and process.executable entries. The original underlying rule identifies
+domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for internet
+access and acquire their external IP address after they have gained access to a system. Among others, this has been
+observed in campaigns leveraging the information stealer, Trickbot.
+"""
+from = "now-9m"
+index = [".alerts-security*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Signal Alert - External IP Lookup from Non-Browser Process"
+risk_score = 21
+rule_id = "72ed9140-fe9d-4a34-a026-75b50e484b17"
+severity = "low"
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.kind:signal and kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1016.001"
+name = "Internet Connection Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/001/"
+
+[[rule.threat.technique]]
+id = "T1614"
+name = "System Location Discovery"
+reference = "https://attack.mitre.org/techniques/T1614/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.executable"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml
new file mode 100644
index 00000000000..a5ab292c74f
--- /dev/null
+++ b/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2023/09/21"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages alert data from the building block rule "Remote System Discovery Commands" to alert on signals with
+unusual unique host.id, user.id and process.command_line entries. The original underlying rule identifies the discovery
+of remote system information using built-in commands, which may be used to move laterally.
+"""
+from = "now-9m"
+index = [".alerts-security*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Signal Alert - Remote System Discovery Commands"
+risk_score = 21
+rule_id = "96073850-64df-46a3-8aab-75f675f273d3"
+severity = "low"
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.kind:signal and kibana.alert.rule.rule_id:"0635c542-1b96-4335-9b47-126582d2c19a"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
+[[rule.threat.technique]]
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.command_line"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules/windows/discovery_signal_security_software_wmic.toml b/rules/windows/discovery_signal_security_software_wmic.toml
new file mode 100644
index 00000000000..454613fe0f7
--- /dev/null
+++ b/rules/windows/discovery_signal_security_software_wmic.toml
@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2023/09/21"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages alert data from the building block rule "Security Software Discovery using WMIC" to alert on signals
+with unusual unique host.id, user.id and process.command_line entries. The original underlying rule identifies the use
+of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or
+Host Firewall details.
+"""
+from = "now-9m"
+index = [".alerts-security*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Signal Alert - Security Software Discovery using WMIC"
+risk_score = 21
+rule_id = "278afb27-4066-416c-a657-ddb317728ff7"
+severity = "low"
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.kind:signal and kibana.alert.rule.rule_id:"6ea55c81-e2ba-42f2-a134-bccf857ba922"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1007"
+name = "System Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1007/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.command_line"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules/windows/discovery_signal_system_service_discovery.toml b/rules/windows/discovery_signal_system_service_discovery.toml
new file mode 100644
index 00000000000..09352f4e151
--- /dev/null
+++ b/rules/windows/discovery_signal_system_service_discovery.toml
@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2023/09/21"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages alert data from the building block rule "System Service Discovery through built-in Windows Utilities"
+to alert on signals with unusual unique host.id, user.id and process.command_line entries. The original underlying rule
+identifies the usage of commonly used system service discovery techniques, which attackers may use during the
+reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or
+escalate privileges.
+"""
+from = "now-9m"
+index = [".alerts-security*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Signal Alert - System Service Discovery through built-in Windows Utilities"
+risk_score = 21
+rule_id = "2a492896-d0ed-4cb3-acf7-1157517da561"
+severity = "low"
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.kind:signal and kibana.alert.rule.rule_id:"e0881d20-54ac-457f-8733-fe0bc5d44c55"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1007"
+name = "System Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1007/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.command_line"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules/windows/discovery_system_time_discovery.toml b/rules/windows/discovery_signal_system_time_discovery.toml
similarity index 52%
rename from rules/windows/discovery_system_time_discovery.toml
rename to rules/windows/discovery_signal_system_time_discovery.toml
index 1dcb5f54a27..ed695f3c556 100644
--- a/rules/windows/discovery_system_time_discovery.toml
+++ b/rules/windows/discovery_signal_system_time_discovery.toml
@@ -1,43 +1,35 @@
 [metadata]
-creation_date = "2023/01/17"
-integration = ["windows", "endpoint"]
+creation_date = "2023/09/21"
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/09/20"
+updated_date = "2023/09/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.
+This rule leverages alert data from the building block rule "System Time Discovery" to alert on signals with unusual
+unique host.id, user.id and process.command_line entries. The original underlying rule identifies the usage of commonly
+used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a
+system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = [".alerts-security*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "System Time Discovery"
+name = "Unusual Signal Alert - System Time Discovery"
 risk_score = 21
-rule_id = "06568a02-af29-4f20-929c-f3af281e41aa"
+rule_id = "894b6996-31ba-44b7-8d70-a6c3b4d1723c"
 severity = "low"
 tags = ["Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Defend"
+ "Tactic: Discovery"
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
-host.os.type:windows and event.category:process and event.type:start and
-(
- (
- (process.name.caseless:"net.exe" or (process.name.caseless:"net1.exe" and not process.parent.name:"net.exe")) and
- process.args:"time"
- ) or
- (process.name.caseless:"w32tm.exe" and process.args:"/tz") or
- (process.name.caseless:"tzutil.exe" and process.args:"/g")
-) and not user.id : "S-1-5-18"
+event.kind:signal and kibana.alert.rule.rule_id:"06568a02-af29-4f20-929c-f3af281e41aa"
 '''
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_signal_win_network_connections.toml b/rules/windows/discovery_signal_win_network_connections.toml
new file mode 100644
index 00000000000..613d2988d91
--- /dev/null
+++ b/rules/windows/discovery_signal_win_network_connections.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2023/09/21"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages alert data from the building block rule "Windows System Network Connections Discovery" to alert on
+signals with unusual unique host.id, user.id and process.command_line entries. The original underlying rule identifies
+the execution of commands that can be used to enumerate network connections. Adversaries may attempt to get a listing of
+network connections to or from a compromised system to identify targets within an environment.
+"""
+from = "now-9m"
+index = [".alerts-security*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Signal Alert - Windows System Network Connections Discovery"
+risk_score = 21
+rule_id = "17c61b9e-3521-4be9-9155-b40c2be64875"
+severity = "low"
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.kind:signal and kibana.alert.rule.rule_id:"c4e9ed3e-55a2-4309-a012-bc3c78dad10a"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1049"
+name = "System Network Connections Discovery"
+reference = "https://attack.mitre.org/techniques/T1049/"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.command_line"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules/windows/discovery_signal_windows_system_information_discovery.toml b/rules/windows/discovery_signal_windows_system_information_discovery.toml
new file mode 100644
index 00000000000..9e9514bd8a9
--- /dev/null
+++ b/rules/windows/discovery_signal_windows_system_information_discovery.toml
@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2023/09/21"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages alert data from the building block rule "Windows System Information Discovery" to alert on signals
+with unusual unique host.id, user.id and process.command_line entries. The original underlying rule identifies the
+execution of commands used to discover information about the system, which attackers may use after compromising a system
+to gain situational awareness.
+"""
+from = "now-9m"
+index = [".alerts-security*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Signal Alert - Windows System Information Discovery"
+risk_score = 21
+rule_id = "5fbab7f5-c2e4-4186-9621-f2ab9deb6d6b"
+severity = "low"
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.kind:signal and kibana.alert.rule.rule_id:"51176ed2-2d90-49f2-9f3d-17196428b169"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.command_line"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
similarity index 86%
rename from rules/windows/discovery_files_dir_systeminfo_via_cmd.toml
rename to rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
index 89873e31479..eae4c239b80 100644
--- a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml
+++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
@@ -2,9 +2,10 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/09/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/21"
+bypass_bbr_timing = true
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +15,7 @@ Command Shell.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "System Information Discovery via Windows Command Shell"
 note = """## Triage and analysis
@@ -57,14 +58,19 @@ tags = ["Domain: Endpoint",
 "Tactic: Discovery",
 "Tactic: Execution",
 "Resources: Investigation Guide",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR"
 ]
 timestamp_override = "event.ingested"
-type = "new_terms"
+building_block_type = "default"
+type = "eql"
 query = '''
-host.os.type:windows and event.category:process and event.type:start and process.name.caseless:"cmd.exe" and
-process.args:("/c" and ("dir" or "set"))
+registry where host.os.type == "windows" and event.action != "deletion" and
+ registry.path :
+ ("HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
+ "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication" ) and
+ registry.data.strings : "0"
 '''
 
 [[rule.threat]]
@@ -102,11 +108,3 @@ reference = "https://attack.mitre.org/techniques/T1059/003/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["host.id", "user.id", "process.command_line"]
-
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-14d"
diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml
index e809f985499..f875db34ed6 100644
--- a/rules_building_block/discovery_generic_registry_query.toml
+++ b/rules_building_block/discovery_generic_registry_query.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/09/20"
+updated_date = "2023/09/21"
 bypass_bbr_timing = true
 
 [rule]
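Review bot: The replacement query on the new side of the `@@ -57,14 +58,19 @@` hunk is a registry rule (`registry where ... RDP-Tcp\\UserAuthentication ... registry.data.strings : "0"`), which matches neither this file's name "System Information Discovery via Windows Command Shell", its T1059.003 mapping, nor the `cmd.exe /c` `dir`/`set` logic the hunk removes; it reads as if the wrong query was pasted in. The `process.name : "cmd.exe" and process.args : "/c" and process.args : ("set", "dir")` EQL that belongs here appears instead in the `discovery_net_view.toml` hunk further down, whose own `net view` detection is lost in turn, so both files would ship with a query unrelated to their description, tags and ATT&CK mapping. Both query blocks should be checked against their rule names before merge. The `[rule]` table this hunk belongs to starts outside the hunk.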
@@ -35,7 +35,7 @@ type = "new_terms"
 query = '''
 host.os.type:windows and event.category:process and event.type:start and (
 process.name.caseless:"reg.exe" and process.args:"query" or
- process.name.caseless:("powershell.exe" or "powershell_ise.exe" or "pwsh.exe") and process.args:(
+ process.name.caseless:("powershell.exe" or "powershell_ise.exe" or "pwsh.exe") and process.command_line.caseless:(
 (*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and
 (*HKCU* or *HKEY_CURRENT_USER* or *HKEY_LOCAL_MACHINE* or *HKLM* or *Registry\:\:*)
 )
diff --git a/rules/windows/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml
similarity index 83%
rename from rules/windows/discovery_net_view.toml
rename to rules_building_block/discovery_net_view.toml
index 274d201f171..6b100bf2939 100644
--- a/rules/windows/discovery_net_view.toml
+++ b/rules_building_block/discovery_net_view.toml
@@ -2,16 +2,17 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/09/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/21"
+bypass_bbr_timing = true
 
 [rule]
 author = ["Elastic"]
 description = "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool."
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Windows Network Enumeration"
 note = """## Triage and analysis
@@ -55,16 +56,17 @@ tags = ["Domain: Endpoint",
 "Tactic: Discovery",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR"
 ]
 timestamp_override = "event.ingested"
-type = "new_terms"
+building_block_type = "default"
+type = "eql"
 query = '''
-host.os.type:windows and event.category:process and event.type:start and
-(process.name.caseless:"net.exe" or process.pe.original_file_name:"net.exe" or
-(process.name.caseless:"net1.exe" or process.pe.original_file_name:"net1.exe") and not process.parent.name:"net.exe") and
-process.args:("view" or "time" and \\\\\\\\*)
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : "cmd.exe" and process.args : "/c" and process.args : ("set", "dir") and
+ not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\PROGRA~1\\*")
 '''
 
 [[rule.threat]]
@@ -84,11 +86,3 @@ reference = "https://attack.mitre.org/techniques/T1135/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["host.id", "user.id", "process.command_line"]
-
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-14d"
diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml
similarity index 72%
rename from rules/windows/discovery_post_exploitation_external_ip_lookup.toml
rename to rules_building_block/discovery_post_exploitation_external_ip_lookup.toml
index 990e4c4fb25..b2e1e730e53 100644
--- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
+++ b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml
@@ -2,9 +2,10 @@
 creation_date = "2020/09/04"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/09/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/21"
+bypass_bbr_timing = true
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +22,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "External IP Lookup from Non-Browser Process"
 note = """## Triage and analysis
@@ -67,19 +68,54 @@ tags = ["Domain: Endpoint",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Resources: Investigation Guide",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR"
 ]
 timestamp_override = "event.ingested"
-type = "new_terms"
+building_block_type = "default"
+type = "eql"
 query = '''
-host.os.type:windows and event.category:network and network.protocol:dns and process.name:* and
-event.action:lookup_requested and dns.question.name:(
- *api.ipify.org or *freegeoip.app or *checkip.amazonaws.com or *checkip.dyndns.org or *freegeoip.app or
- *icanhazip.com or *ifconfig.* or *ipecho.net or *ipgeoapi.com or *ipinfo.io or *ip.anysrc.net or *myexternalip.com or
- *myipaddress.com or *showipaddress.com or *whatismyipaddress.com or *wtfismyip.com or *ipapi.co or *ip-lookup.net or
- *ipstack.com
- )
+network where host.os.type == "windows" and network.protocol == "dns" and
+ process.name != null and user.id not in ("S-1-5-19", "S-1-5-20") and
+ event.action == "lookup_requested" and
+ /* Add new external IP lookup services here */
+ dns.question.name :
+ (
+ "*api.ipify.org",
+ "*freegeoip.app",
+ "*checkip.amazonaws.com",
+ "*checkip.dyndns.org",
+ "*freegeoip.app",
+ "*icanhazip.com",
+ "*ifconfig.*",
+ "*ipecho.net",
+ "*ipgeoapi.com",
+ "*ipinfo.io",
+ "*ip.anysrc.net",
+ "*myexternalip.com",
+ "*myipaddress.com",
+ "*showipaddress.com",
+ "*whatismyipaddress.com",
+ "*wtfismyip.com",
+ "*ipapi.co",
+ "*ip-lookup.net",
+ "*ipstack.com"
+ ) and
+ /* Insert noisy false positives here */
+ not process.executable :
+ (
+ "?:\\Program Files\\*.exe",
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Windows\\System32\\WWAHost.exe",
+ "?:\\Windows\\System32\\smartscreen.exe",
+ "?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
+ "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
+ "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+ "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
+ "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
+ "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
+ )
 '''
 
 [[rule.threat]]
@@ -104,11 +140,3 @@ reference = "https://attack.mitre.org/techniques/T1614/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["user.name", "process.executable"]
-
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-14d"
diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
similarity index 75%
rename from rules/windows/discovery_remote_system_discovery_commands_windows.toml
rename to rules_building_block/discovery_remote_system_discovery_commands_windows.toml
index 8416c52725b..0955a1af2c4 100644
--- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
@@ -2,16 +2,17 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/09/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/21"
+bypass_bbr_timing = true
 
 [rule]
 author = ["Elastic"]
 description = "Discovery of remote system information using built-in commands, which may be used to move laterally."
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Remote System Discovery Commands"
 note = """## Triage and analysis
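Review bot: `"*freegeoip.app"` appears twice in the `dns.question.name` set of the external-IP query (once after `"*api.ipify.org"` and again after `"*checkip.dyndns.org"`), carried over from the KQL version; one copy should be dropped. The new `not process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe", ...)` exclusion silences every binary under either Program Files tree, which is far broader than the per-product entries that follow it and will also hide lookups from any software installed there that is later abused; narrowing it to the products that were actually noisy during tuning, and listing them under the existing `/* Insert noisy false positives here */` comment, keeps the exclusion reviewable. This hunk begins on the previous line and the `[rule]` table it belongs to starts outside it.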
@@ -54,24 +55,24 @@ tags = ["Domain: Endpoint",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Resources: Investigation Guide",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR"
 ]
 timestamp_override = "event.ingested"
-type = "new_terms"
+building_block_type = "default"
+type = "eql"
 query = '''
-host.os.type:windows and event.category:process and event.type:start and
- (
- process.name.caseless:"nbtstat.exe" and process.args:("-n" or "-s") or
- process.name.caseless:"ARP.EXE" and process.args:"-a" or
- process.name.caseless: "nltest.exe" and process.args:("/dclist" or "/dsgetdc") or
- process.name.caseless:"nslookup.exe" and process.args:*_ldap._tcp.dc.* or
- process.name.caseless:("dsget.exe" or "dsquery.exe") and process.args:"subnet" or
- (process.name.caseless:"net.exe" or process.pe.original_file_name:"net.exe" or
- (process.name.caseless:"net1.exe" or process.pe.original_file_name:"net1.exe") and
- not process.parent.name:"net.exe") and
- process.args:("/domain" and "group" and not "/add")
- )
+process where host.os.type == "windows" and event.type == "start" and
+ ((process.name : "nbtstat.exe" and process.args : ("-n", "-s")) or
+ (process.name : "arp.exe" and process.args : "-a") or
+ (process.name : "nltest.exe" and process.args : ("/dclist", "/dsgetdc")) or
+ (process.name : "nslookup.exe" and process.args : "*_ldap._tcp.dc.*") or
+ (process.name: ("dsquery.exe", "dsget.exe") and process.args: "subnet") or
+ ((((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
+ ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and not
+ process.parent.name : "net.exe")) and
+ process.args : "group" and process.args : "/domain" and not process.args : "/add")))
 '''
 
 [[rule.threat]]
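Review bot: This EQL conversion has no `and not user.id : "S-1-5-18"` clause, whereas the sibling conversions in this commit (`discovery_system_service_discovery.toml`, `discovery_system_time_discovery.toml`, `discovery_win_network_connections.toml`, `discovery_windows_system_information_discovery.toml`) all add it, so SYSTEM-context enumeration feeds this building block but is dropped from the others. If keeping SYSTEM here is deliberate, a one-line comment in the query such as `/* SYSTEM not excluded: remote discovery from service context is in scope */` would stop a later tuning pass from "aligning" it; if not, the same clause should be appended after the closing parenthesis. The `[rule]` table this hunk belongs to starts outside the hunk.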
@@ -91,11 +92,3 @@ reference = "https://attack.mitre.org/techniques/T1018/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["host.id", "user.id", "process.command_line"]
-
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-14d"
diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules_building_block/discovery_security_software_wmic.toml
similarity index 94%
rename from rules/windows/discovery_security_software_wmic.toml
rename to rules_building_block/discovery_security_software_wmic.toml
index 14f13b804da..12707e0d3ef 100644
--- a/rules/windows/discovery_security_software_wmic.toml
+++ b/rules_building_block/discovery_security_software_wmic.toml
@@ -4,7 +4,8 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/14"
+updated_date = "2023/09/21"
+bypass_bbr_timing = true
 
 [rule]
 author = ["Elastic"]
@@ -58,17 +59,17 @@ tags = ["Domain: Endpoint",
 "Tactic: Discovery",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR"
 ]
 timestamp_override = "event.ingested"
+building_block_type = "default"
 type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
 (process.name : "wmic.exe" or process.pe.original_file_name : "wmic.exe") and
-process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" and
-not process.parent.executable : "?:*\\JetBrains*" and not process.parent.name : ("jp2launcher.exe", "Remote Access.exe",
-"idea64.exe", "pycharm64.exe")
+process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get"
 '''
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml
similarity index 52%
rename from rules/windows/discovery_system_service_discovery.toml
rename to rules_building_block/discovery_system_service_discovery.toml
index b45cc7305ae..4ade73edb15 100644
--- a/rules/windows/discovery_system_service_discovery.toml
+++ b/rules_building_block/discovery_system_service_discovery.toml
@@ -2,9 +2,10 @@
 creation_date = "2023/01/24"
 integration = ["windows", "endpoint"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/09/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/21"
+bypass_bbr_timing = true
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +15,7 @@ after compromising a system in order to gain a better understanding of the envir
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "System Service Discovery through built-in Windows Utilities"
 risk_score = 21
@@ -24,18 +25,22 @@ tags = ["Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR"
 ]
 timestamp_override = "event.ingested"
-type = "new_terms"
+building_block_type = "default"
+type = "eql"
 query = '''
-host.os.type:windows and event.category:process and event.type:start and
- ((process.name.caseless:"net.exe" or process.pe.original_file_name:"net.exe" or process.name.caseless:"net1.exe" and
- not process.parent.name:"net.exe") and process.args:("start" or "use") and process.args_count:2 or
- (process.name.caseless:"sc.exe" or process.pe.original_file_name:"sc.exe") and process.args:("query" or q*) or
- (process.name.caseless:"tasklist.exe" or process.pe.original_file_name:"tasklist.exe") and process.args:"/svc" or
- process.name.caseless:"psservice.exe" or process.pe.original_file_name:"psservice.exe")
+process where host.os.type == "windows" and event.type == "start" and
+ (
+ ((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and
+ not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2) or
+ ((process.name: "sc.exe" or process.pe.original_file_name == "sc.exe") and process.args: ("query", "q*")) or
+ ((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc") or
+ (process.name : "psservice.exe" or process.pe.original_file_name == "psservice.exe")
+ ) and not user.id : "S-1-5-18"
 '''
 
 [[rule.threat]]
@@ -50,11 +55,3 @@ reference = "https://attack.mitre.org/techniques/T1007/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["host.id", "user.id", "process.command_line"]
-
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-14d"
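Review bot: The `net.exe` branch accepts `process.pe.original_file_name == "net.exe"` but the `net1.exe` branch checks only `process.name : "net1.exe"`, so a renamed net1.exe is not covered here, while the same construct in `discovery_remote_system_discovery_commands_windows.toml` and `discovery_win_network_connections.toml` in this commit also tests `process.pe.original_file_name == "net1.exe"`. For consistency across the series: `(process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and not process.parent.name : "net.exe"`. The `[rule]` table this hunk belongs to starts outside the hunk.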
diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml
new file mode 100644
index 00000000000..69cf8c63213
--- /dev/null
+++ b/rules_building_block/discovery_system_time_discovery.toml
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/01/24"
+integration = ["windows", "endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/21"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance
+phase after compromising a system.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "System Time Discovery"
+risk_score = 21
+rule_id = "06568a02-af29-4f20-929c-f3af281e41aa"
+severity = "low"
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR"
+ ]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+(
+ ((process.name: "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and
+ process.args : "time") or
+ (process.name: "w32tm.exe" and process.args: "/tz") or
+ (process.name: "tzutil.exe" and process.args: "/g")
+) and not user.id : "S-1-5-18"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1124"
+name = "System Time Discovery"
+reference = "https://attack.mitre.org/techniques/T1124/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
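Review bot: `creation_date = "2023/01/24"` on a file this commit adds (its `updated_date` is `2023/09/21`) looks copied from `discovery_system_service_discovery.toml`, which carries the same creation date; it should record when this rule was actually written, e.g. `creation_date = "2023/09/21"`. The blank line between `type = "eql"` and `query = '''` is also unlike every other rule in the series and can be dropped. Unlike the sibling rules, neither the `net.exe` nor the `net1.exe` branch checks `process.pe.original_file_name`, so a renamed binary running `net time` is not matched; if that is intentional for a building block, a short comment in the query would make it clear.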
diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml
index 3f0428d4629..fab06d6a452 100644
--- a/rules_building_block/discovery_win_network_connections.toml
+++ b/rules_building_block/discovery_win_network_connections.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/07/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/09/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/21"
 bypass_bbr_timing = true
 
 [rule]
@@ -15,7 +15,7 @@ attempt to get a listing of network connections to or from a compromised system
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Windows System Network Connections Discovery"
 risk_score = 21
@@ -30,15 +30,23 @@ tags = ["Domain: Endpoint",
 ]
 timestamp_override = "event.ingested"
 building_block_type = "default"
-type = "new_terms"
+type = "eql"
 query = '''
-host.os.type:windows and event.category:process and event.type:start and (
- process.name.caseless:"netstat.exe" or (
- process.name.caseless:"net.exe" or process.pe.original_file_name:"net.exe" or
- (process.name.caseless:"net1.exe" or process.pe.original_file_name:"net1.exe") and not process.parent.name:"net.exe"
- ) and process.args:("config" or "session" or "use") or process.name.caseless:"nbtstat.exe" and process.args:-s*
-)
+process where event.type == "start" and
+(
+ process.name : "netstat.exe" or
+ (
+ (
+ (process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
+ (
+ (process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
+ not process.parent.name : "net.exe"
+ )
+ ) and process.args : ("use", "user", "session", "config") and not process.args: ("/persistent:*", "/delete", "\\\\*")
+ ) or
+ (process.name : "nbtstat.exe" and process.args : "-s*")
+) and not user.id : "S-1-5-18"
 '''
 
 [[rule.threat]]
@@ -58,11 +66,3 @@ reference = "https://attack.mitre.org/techniques/T1082/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["host.id", "user.id", "process.command_line"]
-
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-14d"
diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml
index 242c024623a..3527fd1e9af 100644
--- a/rules_building_block/discovery_windows_system_information_discovery.toml
+++ b/rules_building_block/discovery_windows_system_information_discovery.toml
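Review bot: The new query opens with `process where event.type == "start" and` and never tests `host.os.type == "windows"`, unlike every other EQL conversion in this commit, so a rule named "Windows System Network Connections Discovery" now evaluates every process start in `logs-endpoint.events.*` regardless of platform; the `.exe` names make cross-OS matches unlikely, but the scope predicate should be restored: `process where host.os.type == "windows" and event.type == "start" and`. The `not process.args: ("/persistent:*", "/delete", "\\\\*")` exclusion is presumably meant to drop drive mapping and unmapping from the `net use` branch; a `/* ... */` comment stating that, as the external-IP rule does for its lists, would preserve the tuning intent. The `[rule]` table this hunk belongs to starts outside the hunk.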
@@ -2,9 +2,9 @@
 creation_date = "2023/07/06"
 integration = ["windows", "endpoint"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/09/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/21"
 bypass_bbr_timing = true
 
 [rule]
@@ -14,8 +14,8 @@ Detects the execution of commands used to discover information about the system,
 compromising a system to gain situational awareness.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
-language = "kuery"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+language = "eql"
 license = "Elastic License v2"
 name = "Windows System Information Discovery"
 risk_score = 21
@@ -26,17 +26,30 @@ tags = ["Domain: Endpoint",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Rule Type: BBR",
- "Data Source: Elastic Defend"]
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
-type = "new_terms"
+type = "eql"
 building_block_type = "default"
 query = '''
-host.os.type:windows and event.category:process and event.type:start and (
- process.name.caseless:"cmd.exe" and process.args:ver* or
- process.name.caseless:("hostname.exe" or "systeminfo.exe") or
- process.name.caseless:"wmic.exe" and process.args:("get" and "os")
-)
+process where host.os.type == "windows" and event.type == "start" and
+(
+ (
+ process.name : "cmd.exe" and process.args : "ver*" and not
+ process.parent.executable : (
+ "?:\\Users\\*\\AppData\\Local\\Keybase\\upd.exe",
+ "?:\\Users\\*\\python*.exe"
+ )
+ ) or
+ process.name : ("systeminfo.exe", "hostname.exe") or
+ (process.name : "wmic.exe" and process.args : "os" and process.args : "get")
+) and not
+process.parent.executable : (
+ "?:\\Program Files\\*",
+ "?:\\Program Files (x86)\\*",
+ "?:\\ProgramData\\*"
+) and not user.id : "S-1-5-18"
 '''
 
 [[rule.threat]]
@@ -51,11 +64,3 @@ reference = "https://attack.mitre.org/techniques/T1082/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["host.id", "user.id", "process.command_line"]
-
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-14d"
From 299ce9e172f74a048a370dc1aed92c28d111567c Mon Sep 17 00:00:00 2001
From: Aegrah
Date: Thu, 21 Sep 2023 14:02:47 +0200
Subject: [PATCH 25/44] kibana.alert.rule.rule_id to non-ecs-schema.json
---
 detection_rules/etc/non-ecs-schema.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index ba80df95a53..408ca42a9c5 100644
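Review bot: The trailing `not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\ProgramData\\*")` drops every event whose parent lives under Program Files or ProgramData, which covers office suites, browsers and other common initial-access parents, so the exact post-compromise `systeminfo`/`hostname`/`cmd /c ver` activity this rule describes is suppressed when it is launched from a document or browser child; restricting the exclusion to the products that were actually noisy in tuning, listed under a `/* ... */` comment as the external-IP rule does, keeps the gap explicit and reviewable. The `"?:\\Users\\*\\python*.exe"` parent exclusion on the `ver*` branch is a user-writable path with a wildcard name, which is a weak exclusion for a detection rule; anchoring it to the installer's actual path, or documenting why the profile wildcard is acceptable, would help. The new `endgame-*` index is added in the previous hunk while this query relies on `process.parent.executable` and `process.args`; whether Endgame events populate those fields the same way is not visible here and is worth confirming in the note. The `[rule]` table this hunk belongs to starts outside the hunk.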
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -114,7 +114,8 @@
 },
 ".alerts-security.*": {
 "signal.rule.name": "keyword",
- "kibana.alert.rule.threat.tactic.id": "keyword"
+ "kibana.alert.rule.threat.tactic.id": "keyword",
+ "kibana.alert.rule.rule_id": "keyword"
 },
 "logs-google_workspace*": {
 "gsuite.admin": "keyword",
From da33c09b1c8c24012f27f4a766f9529ef8330e2c Mon Sep 17 00:00:00 2001
From: Aegrah
Date: Thu, 21 Sep 2023 14:17:11 +0200
Subject: [PATCH 26/44] Fixed index by adding a dot
---
 ...y_signal_files_dir_systeminfo_via_cmd.toml | 2 +-
 rules/windows/discovery_signal_net_view.toml | 2 +-
 ..._post_exploitation_external_ip_lookup.toml | 2 +-
 ...ote_system_discovery_commands_windows.toml | 2 +-
 ...scovery_signal_security_software_wmic.toml | 2 +-
 ...overy_signal_system_service_discovery.toml | 31 ++++++++++++++++---
 ...iscovery_signal_system_time_discovery.toml | 2 +-
 ...covery_signal_win_network_connections.toml | 2 +-
 ..._windows_system_information_discovery.toml | 2 +-
 rules_building_block/discovery_net_view.toml | 15 +++++++--
 ...ote_system_discovery_commands_windows.toml | 3 +-
 .../discovery_system_service_discovery.toml | 3 +-
 .../discovery_system_time_discovery.toml | 3 +-
 13 files changed, 54 insertions(+), 17 deletions(-)
diff --git a/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml b/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml
index 520c554f477..214725b3e80 100644
--- a/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml
+++ b/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml
@@ -14,7 +14,7 @@ identifies the execution of discovery commands to enumerate system information,
 Command Shell.
 """
 from = "now-9m"
-index = [".alerts-security*"]
+index = [".alerts-security.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unusual Signal Alert - System Information Discovery via Windows Command Shell"
diff --git a/rules/windows/discovery_signal_net_view.toml b/rules/windows/discovery_signal_net_view.toml
index 679dec0ee40..b0960eb0c51 100644
--- a/rules/windows/discovery_signal_net_view.toml
+++ b/rules/windows/discovery_signal_net_view.toml
@@ -13,7 +13,7 @@ unusual unique host.id, user.id and process.command_line entries. The original u
 enumerate hosts in a network using the built-in Windows net.exe tool.
 """
 from = "now-9m"
-index = [".alerts-security*"]
+index = [".alerts-security.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unusual Signal Alert - Windows Network Enumeration"
diff --git a/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml
index 3cbbbf548cd..68dba5e08b3 100644
--- a/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml
+++ b/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml
@@ -15,7 +15,7 @@ access and acquire their external IP address after they have gained access to a
 observed in campaigns leveraging the information stealer, Trickbot.
 """
 from = "now-9m"
-index = [".alerts-security*"]
+index = [".alerts-security.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unusual Signal Alert - External IP Lookup from Non-Browser Process"
diff --git a/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml
index a5ab292c74f..6466ced1f9a 100644
--- a/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml
@@ -13,7 +13,7 @@ unusual unique host.id, user.id and process.command_line entries. The original u
 of remote system information using built-in commands, which may be used to move laterally.
 """
 from = "now-9m"
-index = [".alerts-security*"]
+index = [".alerts-securit.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unusual Signal Alert - Remote System Discovery Commands"
diff --git a/rules/windows/discovery_signal_security_software_wmic.toml b/rules/windows/discovery_signal_security_software_wmic.toml
index 454613fe0f7..6209f73b341 100644
--- a/rules/windows/discovery_signal_security_software_wmic.toml
+++ b/rules/windows/discovery_signal_security_software_wmic.toml
@@ -14,7 +14,7 @@ of Windows Management Instrumentation Command (WMIC) to discover certain System
 Host Firewall details.
 """
 from = "now-9m"
-index = [".alerts-security*"]
+index = [".alerts-security.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unusual Signal Alert - Security Software Discovery using WMIC"
diff --git a/rules/windows/discovery_signal_system_service_discovery.toml b/rules/windows/discovery_signal_system_service_discovery.toml
index 09352f4e151..729edcf61bc 100644
--- a/rules/windows/discovery_signal_system_service_discovery.toml
+++ b/rules/windows/discovery_signal_system_service_discovery.toml
@@ -15,7 +15,7 @@ reconnaissance phase after compromising a system in order to gain a better under
 escalate privileges.
 """
 from = "now-9m"
-index = [".alerts-security*"]
+index = [".alerts-security.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unusual Signal Alert - System Service Discovery through built-in Windows Utilities"
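Review bot: `index = [".alerts-securit.*"]` in `discovery_signal_remote_system_discovery_commands_windows.toml` drops the `y` from `security`; the pattern matches no alerts index, so this signal rule would load cleanly and then silently never fire. The other eight files in this commit get `.alerts-security.*`, which is also the key the schema change in PATCH 25 adds `kibana.alert.rule.rule_id` under; this one should read `index = [".alerts-security.*"]`. A validation step that checks each rule's `index` entries against the patterns declared in `detection_rules/etc/non-ecs-schema.json` would catch this class of typo before it reaches a release.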
@@ -37,15 +37,38 @@ event.kind:signal and kibana.alert.rule.rule_id:"e0881d20-54ac-457f-8733-fe0bc5d
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1007"
-name = "System Service Discovery"
-reference = "https://attack.mitre.org/techniques/T1007/"
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
 
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "user.id", "process.command_line"]
diff --git a/rules/windows/discovery_signal_system_time_discovery.toml b/rules/windows/discovery_signal_system_time_discovery.toml
index ed695f3c556..283edd19de3 100644
--- a/rules/windows/discovery_signal_system_time_discovery.toml
+++ b/rules/windows/discovery_signal_system_time_discovery.toml
@@ -14,7 +14,7 @@ used system time discovery techniques, which attackers may use during the reconn
 system.
 """
 from = "now-9m"
-index = [".alerts-security*"]
+index = [".alerts-security.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unusual Signal Alert - System Time Discovery"
diff --git a/rules/windows/discovery_signal_win_network_connections.toml b/rules/windows/discovery_signal_win_network_connections.toml
index 613d2988d91..31c289e79b7 100644
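Review bot: The discovery_signal_system_service_discovery.toml hunk replaces the T1007 "System Service Discovery" technique with T1082/T1083 and adds a T1059.003 Execution tactic, which no longer describes a rule named "Unusual Signal Alert - System Service Discovery through built-in Windows Utilities" and looks like the technique block of the System Information Discovery via Windows Command Shell signal rule pasted into the wrong file. Unless the underlying building block rule referenced by the query's rule_id was itself remapped, the removed `id = "T1007"`, `name = "System Service Discovery"`, `reference = "https://attack.mitre.org/techniques/T1007/"` block should stay. If the Execution mapping is intentional, the rule's tags (outside this hunk) should also gain `"Tactic: Execution"` as is done for the sibling rule later in this series, and the reason belongs in a comment above the second `[[rule.threat]]` so the next reader does not treat it as a paste error.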
--- a/rules/windows/discovery_signal_win_network_connections.toml
+++ b/rules/windows/discovery_signal_win_network_connections.toml
@@ -14,7 +14,7 @@ the execution of commands that can be used to enumerate network connections. Adv
 network connections to or from a compromised system to identify targets within an environment.
 """
 from = "now-9m"
-index = [".alerts-security*"]
+index = [".alerts-security.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unusual Signal Alert - Windows System Network Connections Discovery"
diff --git a/rules/windows/discovery_signal_windows_system_information_discovery.toml b/rules/windows/discovery_signal_windows_system_information_discovery.toml
index 9e9514bd8a9..69939c4c560 100644
--- a/rules/windows/discovery_signal_windows_system_information_discovery.toml
+++ b/rules/windows/discovery_signal_windows_system_information_discovery.toml
@@ -14,7 +14,7 @@ execution of commands used to discover information about the system, which attac
 to gain situational awareness.
 """
 from = "now-9m"
-index = [".alerts-security*"]
+index = [".alerts-security.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unusual Signal Alert - Windows System Information Discovery"
diff --git a/rules_building_block/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml
index 6b100bf2939..b13cfcf8d90 100644
--- a/rules_building_block/discovery_net_view.toml
+++ b/rules_building_block/discovery_net_view.toml
@@ -65,8 +65,19 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.name : "cmd.exe" and process.args : "/c" and process.args : ("set", "dir") and
- not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\PROGRA~1\\*")
+ ((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
+ ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
+ not process.parent.name : "net.exe")) and
+ (process.args : "view" or (process.args : "time" and process.args : "\\\\*"))
+
+
+ /* expand when ancestry is available
+ and not descendant of [process where event.type == "start" and process.name : "cmd.exe" and
+ ((process.parent.name : "userinit.exe") or
+ (process.parent.name : "gpscript.exe") or
+ (process.parent.name : "explorer.exe" and
+ process.args : "C:\\*\\Start Menu\\Programs\\Startup\\*.bat*"))]
+ */
 '''
 
 [[rule.threat]]
diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
index 0955a1af2c4..4208141134d 100644
--- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
@@ -11,7 +11,7 @@ bypass_bbr_timing = true
 author = ["Elastic"]
 description = "Discovery of remote system information using built-in commands, which may be used to move laterally."
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote System Discovery Commands"
@@ -56,6 +56,7 @@ tags = ["Domain: Endpoint",
 "Tactic: Discovery",
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
 "Rule Type: BBR"
 ]
 timestamp_override = "event.ingested"
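Review bot: The rewritten query in the discovery_net_view.toml hunk ships a commented-out `/* expand when ancestry is available ... */` block plus two blank lines inside the query literal, so dead logic becomes part of the deployed rule and its purpose (suppressing net.exe runs spawned from logon, GPO and Startup-folder scripts) has to be inferred by the next maintainer. A TOML comment above `query = '''` would hold that TODO without it living in the shipped EQL. The `not process.parent.name : "net.exe"` clause on the net1.exe branch also deserves a short explanation, e.g. `# net.exe hands most subcommands to a child net1.exe; skip the child so one invocation yields one event` — if that is the intent. The tags hunk in the same file section is fine as is.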
diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml
index 4ade73edb15..be5cd2c93b3 100644
--- a/rules_building_block/discovery_system_service_discovery.toml
+++ b/rules_building_block/discovery_system_service_discovery.toml
@@ -14,7 +14,7 @@ Detects the usage of commonly used system service discovery techniques, which at
 after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "System Service Discovery through built-in Windows Utilities"
@@ -26,6 +26,7 @@ tags = ["Domain: Endpoint",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
 "Rule Type: BBR"
 ]
 timestamp_override = "event.ingested"
diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml
index 69cf8c63213..4bfac601a5d 100644
--- a/rules_building_block/discovery_system_time_discovery.toml
+++ b/rules_building_block/discovery_system_time_discovery.toml
@@ -14,7 +14,7 @@ Detects the usage of commonly used system time discovery techniques, which attac
 phase after compromising a system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "System Time Discovery"
@@ -26,6 +26,7 @@ tags = ["Domain: Endpoint",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
 "Rule Type: BBR"
 ]
 timestamp_override = "event.ingested"
From aee101f8f15adc60d72df1a4fefea26f92e5248b Mon Sep 17 00:00:00 2001
From: Aegrah
Date: Thu, 21 Sep 2023 14:21:11 +0200
Subject: [PATCH 27/44] fixed typo
---
 ...scovery_signal_remote_system_discovery_commands_windows.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml
index 6466ced1f9a..0813ab6e90e 100644
--- a/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml
@@ -13,7 +13,7 @@ unusual unique host.id, user.id and process.command_line entries. The original u
 of remote system information using built-in commands, which may be used to move laterally.
 """
 from = "now-9m"
-index = [".alerts-securit.*"]
+index = [".alerts-security.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unusual Signal Alert - Remote System Discovery Commands"
From 2909d31a2f01b356f099e356d6f61b993a0322a6 Mon Sep 17 00:00:00 2001
From: Aegrah
Date: Thu, 21 Sep 2023 14:30:20 +0200
Subject: [PATCH 28/44] Added host.os.type:windows for signals
---
 .../windows/discovery_signal_files_dir_systeminfo_via_cmd.toml | 2 +-
 rules/windows/discovery_signal_net_view.toml | 2 +-
 .../discovery_signal_post_exploitation_external_ip_lookup.toml | 2 +-
 ...scovery_signal_remote_system_discovery_commands_windows.toml | 2 +-
 rules/windows/discovery_signal_security_software_wmic.toml | 2 +-
 rules/windows/discovery_signal_system_service_discovery.toml | 2 +-
 rules/windows/discovery_signal_system_time_discovery.toml | 2 +-
 rules/windows/discovery_signal_win_network_connections.toml | 2 +-
 .../discovery_signal_windows_system_information_discovery.toml | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml b/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml
index 214725b3e80..d2adfbac4f7 100644
--- a/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml
+++ b/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml
@@ -29,7 +29,7 @@ tags = ["Domain: Endpoint",
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.kind:signal and kibana.alert.rule.rule_id:"d68e95ad-1c82-4074-a12a-125fe10ac8ba"
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"d68e95ad-1c82-4074-a12a-125fe10ac8ba"
 '''
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_signal_net_view.toml b/rules/windows/discovery_signal_net_view.toml
index b0960eb0c51..61dcf3d9c02 100644
--- a/rules/windows/discovery_signal_net_view.toml
+++ b/rules/windows/discovery_signal_net_view.toml
@@ -28,7 +28,7 @@ tags = ["Domain: Endpoint",
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.kind:signal and kibana.alert.rule.rule_id:"7b8bfc26-81d2-435e-965c-d722ee397ef1"
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"7b8bfc26-81d2-435e-965c-d722ee397ef1"
 '''
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml
index 68dba5e08b3..93d5ad48a6c 100644
--- a/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml
+++ b/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml
@@ -30,7 +30,7 @@ tags = ["Domain: Endpoint",
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.kind:signal and kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511"
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511"
 '''
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml
index 0813ab6e90e..bbf565e30e3 100644
--- a/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml
@@ -28,7 +28,7 @@ tags = ["Domain: Endpoint",
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.kind:signal and kibana.alert.rule.rule_id:"0635c542-1b96-4335-9b47-126582d2c19a"
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"0635c542-1b96-4335-9b47-126582d2c19a"
 '''
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_signal_security_software_wmic.toml b/rules/windows/discovery_signal_security_software_wmic.toml
index 6209f73b341..459f7e9ffd5 100644
--- a/rules/windows/discovery_signal_security_software_wmic.toml
+++ b/rules/windows/discovery_signal_security_software_wmic.toml
@@ -29,7 +29,7 @@ tags = ["Domain: Endpoint",
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.kind:signal and kibana.alert.rule.rule_id:"6ea55c81-e2ba-42f2-a134-bccf857ba922"
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"6ea55c81-e2ba-42f2-a134-bccf857ba922"
 '''
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_signal_system_service_discovery.toml b/rules/windows/discovery_signal_system_service_discovery.toml
index 729edcf61bc..bb99b14c163 100644
--- a/rules/windows/discovery_signal_system_service_discovery.toml
+++ b/rules/windows/discovery_signal_system_service_discovery.toml
@@ -30,7 +30,7 @@ tags = ["Domain: Endpoint",
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.kind:signal and kibana.alert.rule.rule_id:"e0881d20-54ac-457f-8733-fe0bc5d44c55"
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"e0881d20-54ac-457f-8733-fe0bc5d44c55"
 '''
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_signal_system_time_discovery.toml b/rules/windows/discovery_signal_system_time_discovery.toml
index 283edd19de3..8d0d398957a 100644
--- a/rules/windows/discovery_signal_system_time_discovery.toml
+++ b/rules/windows/discovery_signal_system_time_discovery.toml
@@ -29,7 +29,7 @@ tags = ["Domain: Endpoint",
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.kind:signal and kibana.alert.rule.rule_id:"06568a02-af29-4f20-929c-f3af281e41aa"
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"06568a02-af29-4f20-929c-f3af281e41aa"
 '''
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_signal_win_network_connections.toml b/rules/windows/discovery_signal_win_network_connections.toml
index 31c289e79b7..a6c61106ecb 100644
--- a/rules/windows/discovery_signal_win_network_connections.toml
+++ b/rules/windows/discovery_signal_win_network_connections.toml
@@ -29,7 +29,7 @@ tags = ["Domain: Endpoint",
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.kind:signal and kibana.alert.rule.rule_id:"c4e9ed3e-55a2-4309-a012-bc3c78dad10a"
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"c4e9ed3e-55a2-4309-a012-bc3c78dad10a"
 '''
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_signal_windows_system_information_discovery.toml b/rules/windows/discovery_signal_windows_system_information_discovery.toml
index 69939c4c560..fcd8dda5917 100644
--- a/rules/windows/discovery_signal_windows_system_information_discovery.toml
+++ b/rules/windows/discovery_signal_windows_system_information_discovery.toml
@@ -29,7 +29,7 @@ tags = ["Domain: Endpoint",
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.kind:signal and kibana.alert.rule.rule_id:"51176ed2-2d90-49f2-9f3d-17196428b169"
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"51176ed2-2d90-49f2-9f3d-17196428b169"
 '''
 
 [[rule.threat]]
From 079c2c3a52ebd883ba22241fb75f3c1ea355bbbc Mon Sep 17 00:00:00 2001
From: Aegrah
Date: Thu, 21 Sep 2023 14:38:37 +0200
Subject: [PATCH 29/44] Added additional tag
---
 .../windows/discovery_signal_files_dir_systeminfo_via_cmd.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml b/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml
index d2adfbac4f7..f12c9c04d02 100644
--- a/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml
+++ b/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml
@@ -24,7 +24,8 @@ severity = "low"
 tags = ["Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
- "Tactic: Discovery"
+ "Tactic: Discovery",
+ "Tactic: Execution"
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
From 438f592616d4bbc3608ca068fcfee08faff880e1 Mon Sep 17 00:00:00 2001
From: Aegrah
Date: Thu, 21 Sep 2023 14:46:35 +0200
Subject: [PATCH 30/44] Added Higher-Order Rule tag
---
 .../windows/discovery_signal_files_dir_systeminfo_via_cmd.toml | 3 ++-
 rules/windows/discovery_signal_net_view.toml | 3 ++-
 .../discovery_signal_post_exploitation_external_ip_lookup.toml | 3 ++-
 ...covery_signal_remote_system_discovery_commands_windows.toml | 3 ++-
 rules/windows/discovery_signal_security_software_wmic.toml | 3 ++-
 rules/windows/discovery_signal_system_service_discovery.toml | 3 ++-
 rules/windows/discovery_signal_system_time_discovery.toml | 3 ++-
 rules/windows/discovery_signal_win_network_connections.toml | 3 ++-
 .../discovery_signal_windows_system_information_discovery.toml | 3 ++-
 9 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml b/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml
index f12c9c04d02..b06c5be51d4 100644
--- a/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml
+++ b/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml @@ -25,7 +25,8 @@ tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", - "Tactic: Execution" + "Tactic: Execution", + "Rule Type: Higher-Order Rule" ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/windows/discovery_signal_net_view.toml b/rules/windows/discovery_signal_net_view.toml index 61dcf3d9c02..eeb34bab291 100644 --- a/rules/windows/discovery_signal_net_view.toml +++ b/rules/windows/discovery_signal_net_view.toml @@ -23,7 +23,8 @@ severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", - "Tactic: Discovery" + "Tactic: Discovery", + "Rule Type: Higher-Order Rule" ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml index 93d5ad48a6c..e2040aa3f80 100644 --- a/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml +++ b/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml @@ -25,7 +25,8 @@ severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", - "Tactic: Discovery" + "Tactic: Discovery", + "Rule Type: Higher-Order Rule" ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml index bbf565e30e3..dbb6d851ca8 100644 --- a/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml +++ b/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml 
@@ -23,7 +23,8 @@ severity = "low"
 tags = ["Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
- "Tactic: Discovery"
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/windows/discovery_signal_security_software_wmic.toml b/rules/windows/discovery_signal_security_software_wmic.toml
index 459f7e9ffd5..cd9840e56f8 100644
--- a/rules/windows/discovery_signal_security_software_wmic.toml
+++ b/rules/windows/discovery_signal_security_software_wmic.toml
@@ -24,7 +24,8 @@ severity = "low"
 tags = ["Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
- "Tactic: Discovery"
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/windows/discovery_signal_system_service_discovery.toml b/rules/windows/discovery_signal_system_service_discovery.toml
index bb99b14c163..74a25669710 100644
--- a/rules/windows/discovery_signal_system_service_discovery.toml
+++ b/rules/windows/discovery_signal_system_service_discovery.toml
@@ -25,7 +25,8 @@ severity = "low"
 tags = ["Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
- "Tactic: Discovery"
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/windows/discovery_signal_system_time_discovery.toml b/rules/windows/discovery_signal_system_time_discovery.toml
index 8d0d398957a..04fd9edc75f 100644
--- a/rules/windows/discovery_signal_system_time_discovery.toml
+++ b/rules/windows/discovery_signal_system_time_discovery.toml
@@ -24,7 +24,8 @@ severity = "low"
 tags = ["Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
- "Tactic: Discovery"
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/windows/discovery_signal_win_network_connections.toml b/rules/windows/discovery_signal_win_network_connections.toml
index a6c61106ecb..9ab6a406f13 100644
--- a/rules/windows/discovery_signal_win_network_connections.toml
+++ b/rules/windows/discovery_signal_win_network_connections.toml
@@ -24,7 +24,8 @@ severity = "low"
 tags = ["Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
- "Tactic: Discovery"
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/windows/discovery_signal_windows_system_information_discovery.toml b/rules/windows/discovery_signal_windows_system_information_discovery.toml
index fcd8dda5917..a86f50ecc07 100644
--- a/rules/windows/discovery_signal_windows_system_information_discovery.toml
+++ b/rules/windows/discovery_signal_windows_system_information_discovery.toml
@@ -24,7 +24,8 @@ severity = "low"
 tags = ["Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
- "Tactic: Discovery"
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
From 347716b335a70ae996570f742b22db24a7101f77 Mon Sep 17 00:00:00 2001
From: Aegrah
Date: Fri, 22 Sep 2023 10:18:26 +0200
Subject: [PATCH 31/44] Stripped down signal rules down to two
---
 ...y_signal_files_dir_systeminfo_via_cmd.toml | 79 -------------------
 rules/windows/discovery_signal_net_view.toml | 59 --------------
 ..._post_exploitation_external_ip_lookup.toml | 66 ----------------
 ...ote_system_discovery_commands_windows.toml | 59 --------------
 ...overy_signal_system_service_discovery.toml | 79 -------------------
 ...nusual_discovery_signal_proc_cmdline.toml} | 26 +++---
 ...ual_discovery_signal_proc_executable.toml} | 23 ++----
 ...covery_signal_win_network_connections.toml | 60 --------------
 ..._windows_system_information_discovery.toml | 55 ------------
 9 files changed, 20 insertions(+), 486 deletions(-)
 delete mode 100644 rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml
 delete mode 100644 rules/windows/discovery_signal_net_view.toml
 delete mode 100644 rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml
 delete mode 100644 rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml
 delete mode 100644 rules/windows/discovery_signal_system_service_discovery.toml
 rename rules/windows/{discovery_signal_system_time_discovery.toml => discovery_signal_unusual_discovery_signal_proc_cmdline.toml} (58%)
 rename rules/windows/{discovery_signal_security_software_wmic.toml => discovery_signal_unusual_discovery_signal_proc_executable.toml} (54%)
 delete mode 100644 rules/windows/discovery_signal_win_network_connections.toml
 delete mode 100644 rules/windows/discovery_signal_windows_system_information_discovery.toml
diff --git a/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml b/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml
deleted file mode 100644
index b06c5be51d4..00000000000
--- a/rules/windows/discovery_signal_files_dir_systeminfo_via_cmd.toml
+++ /dev/null
@@ -1,79 +0,0 @@
-[metadata]
-creation_date = "2023/09/21"
-maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/09/21"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule leverages alert data from the building block rule "System Information Discovery via Windows Command Shell" to
-alert on signals with unusual unique host.id, user.id and process.command_line entries. The original underlying rule
-identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows
-Command Shell.
-"""
-from = "now-9m"
-index = [".alerts-security.*"]
-language = "kuery"
-license = "Elastic License v2"
-name = "Unusual Signal Alert - System Information Discovery via Windows Command Shell"
-risk_score = 21
-rule_id = "ba85cd0a-a5c9-474e-94af-722037c30d76"
-severity = "low"
-tags = ["Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Tactic: Execution",
- "Rule Type: Higher-Order Rule"
- ]
-timestamp_override = "event.ingested"
-type = "new_terms"
-query = '''
-host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"d68e95ad-1c82-4074-a12a-125fe10ac8ba"
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
-
-[[rule.threat.technique]]
-id = "T1083"
-name = "File and Directory Discovery"
-reference = "https://attack.mitre.org/techniques/T1083/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.003"
-name = "Windows Command Shell"
-reference = "https://attack.mitre.org/techniques/T1059/003/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["host.id", "user.id", "process.command_line"]
-
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-14d"
diff --git a/rules/windows/discovery_signal_net_view.toml b/rules/windows/discovery_signal_net_view.toml
deleted file mode 100644
index eeb34bab291..00000000000
--- a/rules/windows/discovery_signal_net_view.toml
+++ /dev/null
@@ -1,59 +0,0 @@
-[metadata]
-creation_date = "2023/09/21"
-maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/09/21"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule leverages alert data from the building block rule "Windows Network Enumeration" to alert on signals with
-unusual unique host.id, user.id and process.command_line entries. The original underlying rule identifies attempts to
-enumerate hosts in a network using the built-in Windows net.exe tool.
-"""
-from = "now-9m"
-index = [".alerts-security.*"]
-language = "kuery"
-license = "Elastic License v2"
-name = "Unusual Signal Alert - Windows Network Enumeration"
-risk_score = 21
-rule_id = "7b3d3a1a-8865-422b-900d-ee5e725f8c30"
-severity = "low"
-tags = ["Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: Higher-Order Rule"
- ]
-timestamp_override = "event.ingested"
-type = "new_terms"
-query = '''
-host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"7b8bfc26-81d2-435e-965c-d722ee397ef1"
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1018"
-name = "Remote System Discovery"
-reference = "https://attack.mitre.org/techniques/T1018/"
-
-[[rule.threat.technique]]
-id = "T1135"
-name = "Network Share Discovery"
-reference = "https://attack.mitre.org/techniques/T1135/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["host.id", "user.id", "process.command_line"]
-
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-14d"
diff --git a/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml
deleted file mode 100644
index e2040aa3f80..00000000000
--- a/rules/windows/discovery_signal_post_exploitation_external_ip_lookup.toml
+++ /dev/null
@@ -1,66 +0,0 @@
-[metadata]
-creation_date = "2023/09/21"
-maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/09/21"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule leverages alert data from the building block rule "External IP Lookup from Non-Browser Process" to alert on
-signals with unusual unique host.id, user.id and process.executable entries. The original underlying rule identifies
-domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for internet
-access and acquire their external IP address after they have gained access to a system. Among others, this has been
-observed in campaigns leveraging the information stealer, Trickbot.
-"""
-from = "now-9m"
-index = [".alerts-security.*"]
-language = "kuery"
-license = "Elastic License v2"
-name = "Unusual Signal Alert - External IP Lookup from Non-Browser Process"
-risk_score = 21
-rule_id = "72ed9140-fe9d-4a34-a026-75b50e484b17"
-severity = "low"
-tags = ["Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: Higher-Order Rule"
- ]
-timestamp_override = "event.ingested"
-type = "new_terms"
-query = '''
-host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511"
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1016"
-name = "System Network Configuration Discovery"
-reference = "https://attack.mitre.org/techniques/T1016/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1016.001"
-name = "Internet Connection Discovery"
-reference = "https://attack.mitre.org/techniques/T1016/001/"
-
-[[rule.threat.technique]]
-id = "T1614"
-name = "System Location Discovery"
-reference = "https://attack.mitre.org/techniques/T1614/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["host.id", "user.id", "process.executable"]
-
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-14d"
diff --git a/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml
deleted file mode 100644
index dbb6d851ca8..00000000000
--- a/rules/windows/discovery_signal_remote_system_discovery_commands_windows.toml
+++ /dev/null
@@ -1,59 +0,0 @@
-[metadata]
-creation_date = "2023/09/21"
-maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/09/21"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule leverages alert data from the building block rule "Remote System Discovery Commands" to alert on signals with
-unusual unique host.id, user.id and process.command_line entries. The original underlying rule identifies the discovery
-of remote system information using built-in commands, which may be used to move laterally.
-"""
-from = "now-9m"
-index = [".alerts-security.*"]
-language = "kuery"
-license = "Elastic License v2"
-name = "Unusual Signal Alert - Remote System Discovery Commands"
-risk_score = 21
-rule_id = "96073850-64df-46a3-8aab-75f675f273d3"
-severity = "low"
-tags = ["Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: Higher-Order Rule"
- ]
-timestamp_override = "event.ingested"
-type = "new_terms"
-query = '''
-host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"0635c542-1b96-4335-9b47-126582d2c19a"
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1016"
-name = "System Network Configuration Discovery"
-reference = "https://attack.mitre.org/techniques/T1016/"
-
-[[rule.threat.technique]]
-id = "T1018"
-name = "Remote System Discovery"
-reference = "https://attack.mitre.org/techniques/T1018/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["host.id", "user.id", "process.command_line"]
-
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-14d"
diff --git a/rules/windows/discovery_signal_system_service_discovery.toml b/rules/windows/discovery_signal_system_service_discovery.toml
deleted file mode 100644
index 74a25669710..00000000000
--- a/rules/windows/discovery_signal_system_service_discovery.toml
+++ /dev/null
@@ -1,79 +0,0 @@
-[metadata]
-creation_date = "2023/09/21"
-maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/09/21"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule leverages alert data from the building block rule "System Service Discovery through built-in Windows Utilities"
-to alert on signals with unusual unique host.id, user.id and process.command_line entries. The original underlying rule
-identifies the usage of commonly used system service discovery techniques, which attackers may use during the
-reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or
-escalate privileges.
-"""
-from = "now-9m"
-index = [".alerts-security.*"]
-language = "kuery"
-license = "Elastic License v2"
-name = "Unusual Signal Alert - System Service Discovery through built-in Windows Utilities"
-risk_score = 21
-rule_id = "2a492896-d0ed-4cb3-acf7-1157517da561"
-severity = "low"
-tags = ["Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: Higher-Order Rule"
- ]
-timestamp_override = "event.ingested"
-type = "new_terms"
-query = '''
-host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"e0881d20-54ac-457f-8733-fe0bc5d44c55"
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
-
-[[rule.threat.technique]]
-id = "T1083"
-name = "File and Directory Discovery"
-reference = "https://attack.mitre.org/techniques/T1083/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference =
"https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[rule.new_terms] -field = "new_terms_fields" -value = ["host.id", "user.id", "process.command_line"] - -[[rule.new_terms.history_window_start]] -field = "history_window_start" -value = "now-14d" diff --git a/rules/windows/discovery_signal_system_time_discovery.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml similarity index 58% rename from rules/windows/discovery_signal_system_time_discovery.toml rename to rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml index 04fd9edc75f..d36364dc97f 100644 --- a/rules/windows/discovery_signal_system_time_discovery.toml +++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml 
@@ -1,25 +1,23 @@
[metadata]
-creation_date = "2023/09/21"
+creation_date = "2023/09/22"
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
-updated_date = "2023/09/21"
+updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
description = """
-This rule leverages alert data from the building block rule "System Time Discovery" to alert on signals with unusual
-unique host.id, user.id and process.command_line entries. The original underlying rule identifies the usage of commonly
-used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a
-system.
+This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
+host.id, user.id and process.command_line entries.
"""
from = "now-9m"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
-name = "Unusual Signal Alert - System Time Discovery"
+name = "Unusual Discovery Signal Alert with Unusual Process Command-line"
risk_score = 21
-rule_id = "894b6996-31ba-44b7-8d70-a6c3b4d1723c"
+rule_id = "29ef5686-9b93-433e-91b5-683911094698"
severity = "low"
tags = ["Domain: Endpoint",
"OS: Windows",
@@ -30,17 +28,17 @@ tags = ["Domain: Endpoint",
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
-host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"06568a02-af29-4f20-929c-f3af281e41aa"
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
+ "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
+ "0635c542-1b96-4335-9b47-126582d2c19a" or "6ea55c81-e2ba-42f2-a134-bccf857ba922" or
+ "e0881d20-54ac-457f-8733-fe0bc5d44c55" or "06568a02-af29-4f20-929c-f3af281e41aa" or
+ "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" or "51176ed2-2d90-49f2-9f3d-17196428b169"
+)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1124"
-name = "System Time Discovery"
-reference = "https://attack.mitre.org/techniques/T1124/"
-
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
diff --git a/rules/windows/discovery_signal_security_software_wmic.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
similarity index 54%
rename from rules/windows/discovery_signal_security_software_wmic.toml
rename to rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
index cd9840e56f8..f4241868889 100644
--- a/rules/windows/discovery_signal_security_software_wmic.toml
+++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
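Review bot: The `kibana.alert.rule.rule_id:( … )` list added in the query hunk identifies the eight source building-block rules by UUID only, and KQL has no comment syntax, so nothing in the file says which Discovery rule each id is or lets a reader notice when one is missing. Put the id-to-rule mapping where TOML can hold it — a `note` field or a sentence in the `description` such as "Aggregates alerts from the Discovery building blocks: <rule name> (<rule_id>), …" — so the list can be audited and kept in step as building blocks are added or retired. The same applies to the near-duplicate nine-id list in the new rules_building_block/discovery_signal_unusual_user_host.toml (patch 39); the one id it has and this list lacks, `1d72d014-e2ab-4707-b056-9b96abe7b511`, is the single source of the process.executable rule in the next file section, so if the two lists are meant to differ, each description should say why.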
@@ -1,25 +1,23 @@
[metadata]
-creation_date = "2023/09/21"
+creation_date = "2023/09/22"
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
-updated_date = "2023/09/21"
+updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
description = """
-This rule leverages alert data from the building block rule "Security Software Discovery using WMIC" to alert on signals
-with unusual unique host.id, user.id and process.command_line entries. The original underlying rule identifies the use
-of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or
-Host Firewall details.
+This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
+host.id, user.id and process.executable entries.
"""
from = "now-9m"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
-name = "Unusual Signal Alert - Security Software Discovery using WMIC"
+name = "Unusual Discovery Signal Alert with Unusual Process Executable"
risk_score = 21
-rule_id = "278afb27-4066-416c-a657-ddb317728ff7"
+rule_id = "72ed9140-fe9d-4a34-a026-75b50e484b17"
severity = "low"
tags = ["Domain: Endpoint",
"OS: Windows",
@@ -30,17 +28,12 @@ tags = ["Domain: Endpoint",
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
-host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"6ea55c81-e2ba-42f2-a134-bccf857ba922"
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1007"
-name = "System Service Discovery"
-reference = "https://attack.mitre.org/techniques/T1007/"
-
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
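Review bot: The rewritten description in the first hunk says the rule uses alert data "from various Discovery building block rules", but the query in the second hunk matches a single `kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511"`, so the documentation overstates the rule's scope. Either name that one source in the description (it is the same id the deleted "Unusual Signal Alert - External IP Lookup from Non-Browser Process" rule consumed, and this file also inherits that rule's rule_id) or, if the plan is to extend this rule to more sources like its process.command_line counterpart, widen the list and say so. A sentence on why process.executable rather than process.command_line is the right new-terms field for this source would also help, since the otherwise parallel rule uses the latter.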
@@ -48,7 +41,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
-value = ["host.id", "user.id", "process.command_line"]
+value = ["host.id", "user.id", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
diff --git a/rules/windows/discovery_signal_win_network_connections.toml b/rules/windows/discovery_signal_win_network_connections.toml
deleted file mode 100644
index 9ab6a406f13..00000000000
--- a/rules/windows/discovery_signal_win_network_connections.toml
+++ /dev/null
@@ -1,60 +0,0 @@
-[metadata]
-creation_date = "2023/09/21"
-maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/09/21"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule leverages alert data from the building block rule "Windows System Network Connections Discovery" to alert on
-signals with unusual unique host.id, user.id and process.command_line entries. The original underlying rule identifies
-the execution of commands that can be used to enumerate network connections. Adversaries may attempt to get a listing of
-network connections to or from a compromised system to identify targets within an environment.
-"""
-from = "now-9m"
-index = [".alerts-security.*"]
-language = "kuery"
-license = "Elastic License v2"
-name = "Unusual Signal Alert - Windows System Network Connections Discovery"
-risk_score = 21
-rule_id = "17c61b9e-3521-4be9-9155-b40c2be64875"
-severity = "low"
-tags = ["Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: Higher-Order Rule"
- ]
-timestamp_override = "event.ingested"
-type = "new_terms"
-query = '''
-host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"c4e9ed3e-55a2-4309-a012-bc3c78dad10a"
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1049"
-name = "System Network Connections Discovery"
-reference = "https://attack.mitre.org/techniques/T1049/"
-
-[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["host.id", "user.id", "process.command_line"]
-
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-14d"
diff --git a/rules/windows/discovery_signal_windows_system_information_discovery.toml b/rules/windows/discovery_signal_windows_system_information_discovery.toml
deleted file mode 100644
index a86f50ecc07..00000000000
--- a/rules/windows/discovery_signal_windows_system_information_discovery.toml
+++ /dev/null
@@ -1,55 +0,0 @@
-[metadata]
-creation_date = "2023/09/21"
-maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/09/21"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule leverages alert data from the building block rule "Windows System Information Discovery" to alert on signals
-with unusual unique host.id, user.id and process.command_line entries. The original underlying rule identifies the
-execution of commands used to discover information about the system, which attackers may use after compromising a system
-to gain situational awareness.
-"""
-from = "now-9m"
-index = [".alerts-security.*"]
-language = "kuery"
-license = "Elastic License v2"
-name = "Unusual Signal Alert - Windows System Information Discovery"
-risk_score = 21
-rule_id = "5fbab7f5-c2e4-4186-9621-f2ab9deb6d6b"
-severity = "low"
-tags = ["Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: Higher-Order Rule"
- ]
-timestamp_override = "event.ingested"
-type = "new_terms"
-query = '''
-host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"51176ed2-2d90-49f2-9f3d-17196428b169"
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["host.id", "user.id", "process.command_line"]
-
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-14d"
From 9ec4b71bb33ad2957f850dab699edf64ee776f32 Mon Sep 17 00:00:00 2001
From: Aegrah
Date: Tue, 10 Oct 2023 09:16:51 +0200
Subject: [PATCH 32/44] revert
---
.../discovery_files_dir_systeminfo_via_cmd.toml | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
index eae4c239b80..ab41832230e 100644
--- a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
+++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/09/21"
+updated_date = "2023/10/10"
bypass_bbr_timing = true
[rule]
@@ -66,11 +66,9 @@ building_block_type = "default"
type = "eql"
query = '''
-registry where host.os.type == "windows" and event.action != "deletion" and
- registry.path :
- ("HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
- "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication" ) and
- registry.data.strings : "0"
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : "cmd.exe" and process.args : "/c" and process.args : ("set", "dir") and
+ not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\PROGRA~1\\*")
'''
[[rule.threat]]
From cc95dda791909a4e3242d62b66d2b85bc7e93131 Mon S 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 10 Oct 2023 11:40:45 +0200
Subject: [PATCH 33/44] Update rules/windows/discovery_admin_recon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
rules/windows/discovery_admin_recon.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
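Review bot: In the restored query of the second hunk, the parent exclusion `not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\PROGRA~1\\*")` lists the 8.3 short name for only one of the two long-name directories it excludes, so the same parent process is treated differently depending on which path form the event carries. `PROGRA~1` is normally the alias of `Program Files` and `PROGRA~2` of `Program Files (x86)` on a default installation, though 8.3 names are assigned per volume and this should be confirmed against the data. Decide deliberately whether short-name paths belong in the exclusion at all (they widen an already broad carve-out of every Program Files parent) or whether both aliases should be listed, and record the reasoning in the rule's `false_positives` or `note` field so the asymmetry is not silently "fixed" in either direction later.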
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 807d28de5f1..640e7c0902f 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -81,7 +81,7 @@ process where host.os.type == "windows" and event.type == "start" and
((process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and process.args : ("group", "useraccount"))
-) and not user.id : "S-1-5-18"
+) and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
'''
[[rule.threat]]
From 0428a4341102811389f4cb7ef4d650ea63e871f7 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 10 Oct 2023 11:40:59 +0200
Subject: [PATCH 34/44] Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
.../discovery_enumerating_domain_trusts_via_nltest.toml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index f1010716457..b730a152686 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -80,7 +80,8 @@ process where host.os.type == "windows" and event.type == "start" and
"/LSAQUERYFTI:*", "/PARENTDOMAIN", "/DOMAIN_TRUSTS", "/BDC_QUERY:*" ) and
-not process.parent.name : "PDQInventoryScanner.exe" and not user.id : "S-1-5-18"
+not process.parent.name : "PDQInventoryScanner.exe" and
+not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
'''
[[rule.threat]]
From ae154e3ac8588b0411ed7792fc3555882f66793e Mon Sep 17 00:00:00 2001
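Review bot: The new line `) and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")` in the discovery_admin_recon hunk, and the equivalent two-line form in the nltest hunk below it, use the `in` operator, while the identical three-SID exclusion added to rules_building_block/discovery_system_time_discovery.toml in patch 36 is written `user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")`. For these well-known SIDs the two forms match the same events, but mixing a case-sensitive exact-match operator with a case-insensitive wildcard-capable one across rules that are being tuned together invites a later "consistency" edit that changes semantics by accident; pick one — `in` is the natural fit for fixed tokens that never need wildcards or case folding — and use it in all three. The enclosing EQL query in both hunks starts above the hunk.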
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 10 Oct 2023 11:41:12 +0200
Subject: [PATCH 35/44] Update rules_building_block/discovery_generic_registry_query.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
rules_building_block/discovery_generic_registry_query.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml
index f875db34ed6..388c1d243e9 100644
--- a/rules_building_block/discovery_generic_registry_query.toml
+++ b/rules_building_block/discovery_generic_registry_query.toml
@@ -57,7 +57,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
-value = ["host.id", "user.id", "process.command_line"]
+value = ["host.id", "user.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
From 522cc3efe5f32975e12932c0ad0a99b105544b43 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 10 Oct 2023 11:41:30 +0200
Subject: [PATCH 36/44] Update rules_building_block/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
rules_building_block/discovery_system_time_discovery.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml
index 4bfac601a5d..c00474be0fd 100644
--- a/rules_building_block/discovery_system_time_discovery.toml
+++ b/rules_building_block/discovery_system_time_discovery.toml
@@ -40,7 +40,7 @@ process where host.os.type == "windows" and event.type == "start" and
process.args : "time") or (process.name: "w32tm.exe" and process.args: "/tz") or (process.name: "tzutil.exe" and process.args: "/g")
-) and not user.id : "S-1-5-18"
+) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
'''
[[rule.threat]]
From 85d11ed3cb03a37d0193f1b7bfa82a6c5bf52d83 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 10 Oct 2023 11:42:08 +0200
Subject: [PATCH 37/44] Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
rules/windows/discovery_privileged_localgroup_membership.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index 1527154a433..2bca3fff979 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -149,7 +149,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
-value = ["host.id", "user.id", "winlog.event_data.SubjectUserName"]
+value = ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
From 2507943790b6a939759737036730341e2945ae38 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 10 Oct 2023 11:43:36 +0200
Subject: [PATCH 38/44] Update discovery_generic_registry_query.toml
---
.../discovery_generic_registry_query.toml | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml
index 388c1d243e9..364340ba82d 100644
--- a/rules_building_block/discovery_generic_registry_query.toml
+++ b/rules_building_block/discovery_generic_registry_query.toml
@@ -34,12 +34,10 @@ type = "new_terms"
query = '''
host.os.type:windows and event.category:process and event.type:start and
(
- process.name.caseless:"reg.exe" and process.args:"query" or
- process.name.caseless:("powershell.exe" or "powershell_ise.exe" or "pwsh.exe") and process.command_line.caseless:(
- (*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and (*HKCU* or *HKEY_CURRENT_USER* or *HKEY_LOCAL_MACHINE* or
- *HKLM* or *Registry\:\:*)
- )
-)
+ (process.name.caseless:"reg.exe" and process.args:"query") or
+ (process.name.caseless:("powershell.exe" or "powershell_ise.exe" or "pwsh.exe") and
+ process.command_line.caseless:((*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and (*HKCU* or *HKEY_CURRENT_USER* or *HKEY_LOCAL_MACHINE* or
+ *HKLM* or *Registry\:\:*))))
'''
[[rule.threat]]
From 97b1536748aa461f0b64c301e97514fad21fb3ab Mon Sep 17 00:00:00 2001
From: Aegrah
Date: Tue, 10 Oct 2023 13:26:33 +0200
Subject: [PATCH 39/44] Readded exclusions
---
...very_privileged_localgroup_membership.toml | 39 ++++++++++++-
.../discovery_signal_unusual_user_host.toml | 56 +++++++++++++++++++
2 files changed, 93 insertions(+), 2 deletions(-)
create mode 100644 rules_building_block/discovery_signal_unusual_user_host.toml
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index 2bca3fff979..714376332dc 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
-updated_date = "2023/09/20"
+updated_date = "2023/10/10"
[transform]
[[transform.osquery]]
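Review bot: The rewritten PowerShell branch in the registry-query hunk ends with `*HKLM* or *Registry\:\:*))))`, a run of four closing parentheses that a reader must count to confirm the grouping this commit introduces (the `(reg.exe and query) or (powershell and command_line)` precedence fix). The grouping is balanced and correct, but a long alternation line that also closes the `process.command_line.caseless:(` group, the PowerShell branch and the outer group in one token is easy to break on the next edit; closing each group on its own indented line, or at least keeping the `HK*` alternatives inside the command-line group on one line and ending with a single `)` per level, would make the precedence visible at a glance.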
@@ -126,7 +126,42 @@ host.os.type:windows and event.category:iam and event.action:user-member-enumera
group.name:(*Admin* or "RemoteDesktopUsers") or winlog.event_data.TargetSid:("S-1-5-32-544" or "S-1-5-32-555") ) and
- not winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE")
+ not (winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE") or
+ winlog.event_data.CallerProcessName:("-" or
+ ?\:\\\\Windows\\\\System32\\\\VSSVC.exe or
+ ?\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or
+ ?\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or
+ ?\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe or
+ ?\:\\\\Windows\\\\System32\\\\net1.exe or
+ ?\:\\\\Windows\\\\System32\\\\svchost.exe or
+ ?\:\\\\Windows\\\\System32\\\\Netplwiz.exe or
+ ?\:\\\\Windows\\\\System32\\\\msiexec.exe or
+ ?\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or
+ ?\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or
+ ?\:\\\\Windows\\\\System32\\\\SrTasks.exe or
+ ?\:\\\\Windows\\\\System32\\\\diskshadow.exe or
+ ?\:\\\\Windows\\\\System32\\\\dfsrs.exe or
+ ?\:\\\\Windows\\\\System32\\\\vssadmin.exe or
+ ?\:\\\\Windows\\\\System32\\\\dllhost.exe* or
+ ?\:\\\\Windows\\\\System32\\\\mmc.exe or
+ ?\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe or
+ ?\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe or
+ ?\:\\\\Windows\\\\System32\\\\wsmprovhost.exe or
+ ?\:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe or
+ ?\:\\\\Windows\\\\System32\\\\mstsc.exe or
+ ?\:\\\\Windows\\\\System32\\\\esentutl.exe or
+ ?\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe or
+ ?\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe or
+ ?\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe or
+ ?\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe or
+ ?\:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe or
+ ?\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe* or
+ ?\:\\\\WindowsAzure\\\\*WaAppAgent.exe or
+
?\:\\\\Program?Files?\(x86\)\\\\*.exe or
+ ?\:\\\\Program?Files\\\\*.exe or
+ ?\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe
+ )
+ )
'''
[[rule.threat]]
diff --git a/rules_building_block/discovery_signal_unusual_user_host.toml b/rules_building_block/discovery_signal_unusual_user_host.toml
new file mode 100644
index 00000000000..696a5a64e59
--- /dev/null
+++ b/rules_building_block/discovery_signal_unusual_user_host.toml
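Review bot: The added `winlog.event_data.CallerProcessName` exclusion list mixes named system binaries with whole-directory patterns — `?\:\\\\Program?Files?\(x86\)\\\\*.exe`, `?\:\\\\Program?Files\\\\*.exe`, `?\:\\\\WindowsAzure\\\\*WaAppAgent.exe` and the `?\:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe` entry under a temp directory — which suppress the new-terms alert for any privileged-group enumeration performed from those locations, not only for the products that were observed. Nothing in the hunk says which vendor or product each entry exists for, and KQL cannot carry comments, so add a `false_positives` entry or a sentence in the `note` field naming the products behind the broad patterns and stating that the Program Files and Temp entries are deliberate coverage trade-offs, so future tuners can reassess them instead of inheriting them. A word on when the event carries `"-"` as the caller process would help for the same reason. The enclosing query starts above the hunk.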
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/10/10"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/10/10"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
+host.id and user.id entries.
+"""
+from = "now-9m"
+index = [".alerts-security.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Discovery Signal Alert with Unusual Host/User ID Combination"
+risk_score = 21
+rule_id = "cf575427-0839-4c69-a9e6-99fde02606f3"
+severity = "low"
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
+ ]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "new_terms"
+query = '''
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
+ "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
+ "0635c542-1b96-4335-9b47-126582d2c19a" or "6ea55c81-e2ba-42f2-a134-bccf857ba922" or
+ "e0881d20-54ac-457f-8733-fe0bc5d44c55" or "06568a02-af29-4f20-929c-f3af281e41aa" or
+ "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" or "51176ed2-2d90-49f2-9f3d-17196428b169" or
+ "1d72d014-e2ab-4707-b056-9b96abe7b511"
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
From d6a8c3aac567298b9710211577d3b8a441548a3d Mon Sep 17 00:00:00 2001
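Review bot: The new file sets `building_block_type = "default"` and `bypass_bbr_timing = true` alongside the `"Rule Type: Higher-Order Rule"` tag, whereas the two renamed higher-order rules earlier in this series (discovery_signal_unusual_discovery_signal_proc_cmdline.toml and _proc_executable.toml) carry neither key. Marking this rule as a building block presumably files its own alerts as building-block alerts as well — kept out of the default alerts view just like the Discovery signals it consumes — so if it is meant to be the analyst-facing aggregation of those signals this is a defect, and if it is intentionally a second-stage building block the `description` should say so and name what is expected to consume it, since the tag, the rules_building_block/ location and the "Higher-Order Rule" wording otherwise read as contradictory. Either way, a sentence explaining why this rule differs from its two siblings belongs in the file.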
From: Aegrah
Date: Tue, 10 Oct 2023 13:35:20 +0200
Subject: [PATCH 40/44] Added trailing wildcards for KQL
---
...very_privileged_localgroup_membership.toml | 66 +++++++++----------
1 file changed, 33 insertions(+), 33 deletions(-)
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index 714376332dc..3ae3f82dbcd 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -128,39 +128,39 @@ host.os.type:windows and event.category:iam and event.action:user-member-enumera
) and
not (winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE") or
winlog.event_data.CallerProcessName:("-" or
- ?\:\\\\Windows\\\\System32\\\\VSSVC.exe or
- ?\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or
- ?\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or
- ?\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe or
- ?\:\\\\Windows\\\\System32\\\\net1.exe or
- ?\:\\\\Windows\\\\System32\\\\svchost.exe or
- ?\:\\\\Windows\\\\System32\\\\Netplwiz.exe or
- ?\:\\\\Windows\\\\System32\\\\msiexec.exe or
- ?\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or
- ?\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or
- ?\:\\\\Windows\\\\System32\\\\SrTasks.exe or
- ?\:\\\\Windows\\\\System32\\\\diskshadow.exe or
- ?\:\\\\Windows\\\\System32\\\\dfsrs.exe or
- ?\:\\\\Windows\\\\System32\\\\vssadmin.exe or
- ?\:\\\\Windows\\\\System32\\\\dllhost.exe* or
- ?\:\\\\Windows\\\\System32\\\\mmc.exe or
- ?\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe or
- ?\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe or
- ?\:\\\\Windows\\\\System32\\\\wsmprovhost.exe or
- ?\:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe or
- ?\:\\\\Windows\\\\System32\\\\mstsc.exe or
- ?\:\\\\Windows\\\\System32\\\\esentutl.exe or
- ?\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe or
- ?\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe or
- ?\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe or
- ?\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe or
- ?\:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe or
- ?\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe* or
- ?\:\\\\WindowsAzure\\\\*WaAppAgent.exe or
- ?\:\\\\Program?Files?\(x86\)\\\\*.exe or
- ?\:\\\\Program?Files\\\\*.exe or
- ?\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe
- )
+ ?\:\\\\Windows\\\\System32\\\\VSSVC.exe* or
+ ?\:\\\\Windows\\\\System32\\\\SearchIndexer.exe*
or
+ ?\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe* or
+ ?\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe* or
+ ?\:\\\\Windows\\\\System32\\\\net1.exe* or
+ ?\:\\\\Windows\\\\System32\\\\svchost.exe* or
+ ?\:\\\\Windows\\\\System32\\\\Netplwiz.exe* or
+ ?\:\\\\Windows\\\\System32\\\\msiexec.exe* or
+ ?\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe* or
+ ?\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe* or
+ ?\:\\\\Windows\\\\System32\\\\SrTasks.exe* or
+ ?\:\\\\Windows\\\\System32\\\\diskshadow.exe* or
+ ?\:\\\\Windows\\\\System32\\\\dfsrs.exe* or
+ ?\:\\\\Windows\\\\System32\\\\vssadmin.exe* or
+ ?\:\\\\Windows\\\\System32\\\\dllhost.exe* or
+ ?\:\\\\Windows\\\\System32\\\\mmc.exe* or
+ ?\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe* or
+ ?\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe* or
+ ?\:\\\\Windows\\\\System32\\\\wsmprovhost.exe* or
+ ?\:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe* or
+ ?\:\\\\Windows\\\\System32\\\\mstsc.exe* or
+ ?\:\\\\Windows\\\\System32\\\\esentutl.exe* or
+ ?\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe* or
+ ?\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe* or
+ ?\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe* or
+ ?\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe* or
+ ?\:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe* or
+ ?\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe* or
+ ?\:\\\\WindowsAzure\\\\*WaAppAgent.exe* or
+ ?\:\\\\Program?Files?\(x86\)\\\\*.exe* or
+ ?\:\\\\Program?Files\\\\*.exe* or
+ ?\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe*
+ )
)
'''
From 5f3966008a5129b6fe5e66bbc520b57f2c890edf Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 10 Oct 2023 13:49:12 +0200
Subject: [PATCH 41/44] Update discovery_privileged_localgroup_membership.toml
---
...very_privileged_localgroup_membership.toml | 64 +++++++++---------
1 file changed, 32 insertions(+), 32 deletions(-)
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index 3ae3f82dbcd..744c5f3f9eb 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -128,38 +128,38 @@ host.os.type:windows and event.category:iam and event.action:user-member-enumera ) and not (winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE") or winlog.event_data.CallerProcessName:("-" or - ?\:\\\\Windows\\\\System32\\\\VSSVC.exe* or - ?\:\\\\Windows\\\\System32\\\\SearchIndexer.exe* or - ?\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe* or - ?\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe* or - ?\:\\\\Windows\\\\System32\\\\net1.exe* or - ?\:\\\\Windows\\\\System32\\\\svchost.exe* or - ?\:\\\\Windows\\\\System32\\\\Netplwiz.exe* or - ?\:\\\\Windows\\\\System32\\\\msiexec.exe* or - ?\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe* or - ?\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe* or - ?\:\\\\Windows\\\\System32\\\\SrTasks.exe* or - ?\:\\\\Windows\\\\System32\\\\diskshadow.exe* or - ?\:\\\\Windows\\\\System32\\\\dfsrs.exe* or - ?\:\\\\Windows\\\\System32\\\\vssadmin.exe* or - ?\:\\\\Windows\\\\System32\\\\dllhost.exe* or - ?\:\\\\Windows\\\\System32\\\\mmc.exe* or - ?\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe* or - ?\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe* or - ?\:\\\\Windows\\\\System32\\\\wsmprovhost.exe* or - ?\:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe* or - ?\:\\\\Windows\\\\System32\\\\mstsc.exe* or - ?\:\\\\Windows\\\\System32\\\\esentutl.exe* or - ?\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe* or - ?\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe* or - ?\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe* or - ?\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe* or - ?\:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe* or - ?\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe* or - ?\:\\\\WindowsAzure\\\\*WaAppAgent.exe* or - ?\:\\\\Program?Files?\(x86\)\\\\*.exe* or - ?\:\\\\Program?Files\\\\*.exe* or - ?\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe* + *\:\\\\Windows\\\\System32\\\\VSSVC.exe or + 
*\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or + *\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or + *\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe or + *\:\\\\Windows\\\\System32\\\\net1.exe or + *\:\\\\Windows\\\\System32\\\\svchost.exe or + *\:\\\\Windows\\\\System32\\\\Netplwiz.exe or + *\:\\\\Windows\\\\System32\\\\msiexec.exe or + *\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or + *\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or + *\:\\\\Windows\\\\System32\\\\SrTasks.exe or + *\:\\\\Windows\\\\System32\\\\diskshadow.exe or + *\:\\\\Windows\\\\System32\\\\dfsrs.exe or + *\:\\\\Windows\\\\System32\\\\vssadmin.exe or + *\:\\\\Windows\\\\System32\\\\dllhost.exe or + *\:\\\\Windows\\\\System32\\\\mmc.exe or + *\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe or + *\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe or + *\:\\\\Windows\\\\System32\\\\wsmprovhost.exe or + *\:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe or + *\:\\\\Windows\\\\System32\\\\mstsc.exe or + *\:\\\\Windows\\\\System32\\\\esentutl.exe or + *\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe or + *\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe or + *\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe or + *\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe or + *\:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe or + *\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe or + ?\:\\\\WindowsAzure\\\\*WaAppAgent.exe or + ?\:\\\\Program?Files?\(x86\)\\\\*.exe or + ?\:\\\\Program?Files\\\\*.exe or + ?\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe ) ) ''' From f1585f7b153f38d25e8bd3cf07c95dea5085f504 Mon Sep 17 00:00:00 2001 
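Review bot: The rewritten `winlog.event_data.CallerProcessName` exclusion list on the new side mixes two prefix styles — the first 28 entries were switched from `?\:\\\\...` to `*\:\\\\...`, while the last four (`WindowsAzure`, `Program?Files?\(x86\)`, `Program?Files`, `$WINDOWS.~BT`) keep `?\:`, and nothing in the commit says why. A leading `*` accepts any prefix that ends in `:\Windows\System32\<name>.exe`, which is strictly looser than the single drive-letter `?` it replaces and gains nothing for ordinary `X:\` paths, so the safer consistent form is to keep `?` throughout, e.g. `?\:\\\\Windows\\\\System32\\\\VSSVC.exe`. Dropping the trailing `*` is a real tightening (the old form also matched any name that merely began with `svchost.exe`); the remaining `?\:\\\\Program?Files\\\\*.exe` and `(x86)` entries still silence every executable under Program Files, a tree local administrators can typically write to, so if the intent is a handful of third-party agents, consider naming them instead. The `query` string begins above this hunk; only its tail is visible here.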
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Tue, 10 Oct 2023 17:59:25 +0200 Subject: [PATCH 42/44] Update rules_building_block/discovery_signal_unusual_user_host.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --- rules_building_block/discovery_signal_unusual_user_host.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules_building_block/discovery_signal_unusual_user_host.toml b/rules_building_block/discovery_signal_unusual_user_host.toml index 696a5a64e59..dbfa6ca3d80 100644 --- a/rules_building_block/discovery_signal_unusual_user_host.toml +++ b/rules_building_block/discovery_signal_unusual_user_host.toml @@ -16,7 +16,7 @@ from = "now-9m" index = [".alerts-security.*"] language = "kuery" license = "Elastic License v2" -name = "Unusual Discovery Signal Alert with Unusual Host/User ID Combination" +name = "Unusual Discovery Activity by User" risk_score = 21 rule_id = "cf575427-0839-4c69-a9e6-99fde02606f3" severity = "low" From eed00f947e621013e520d62847db5832ad28af1d Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Wed, 11 Oct 2023 09:19:43 +0200 Subject: [PATCH 43/44] Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --- .../discovery_signal_unusual_discovery_signal_proc_cmdline.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml index d36364dc97f..f6108af2a7c 100644 --- a/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml +++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml 
@@ -15,7 +15,7 @@ from = "now-9m" index = [".alerts-security.*"] language = "kuery" license = "Elastic License v2" -name = "Unusual Discovery Signal Alert with Unusual Process Command-line" +name = "Unusual Discovery Signal Alert with Unusual Process Command Line" risk_score = 21 rule_id = "29ef5686-9b93-433e-91b5-683911094698" severity = "low" From 1fbec65a6a53189019b81de567d1df80e9a1e5f5 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Wed, 11 Oct 2023 09:27:31 +0200 Subject: [PATCH 44/44] Formatting fix --- .../discovery_files_dir_systeminfo_via_cmd.toml | 2 +- rules_building_block/discovery_generic_account_groups.toml | 2 +- .../discovery_generic_process_discovery.toml | 2 +- rules_building_block/discovery_generic_registry_query.toml | 6 +++--- rules_building_block/discovery_internet_capabilities.toml | 2 +- rules_building_block/discovery_net_view.toml | 2 +- .../discovery_post_exploitation_external_ip_lookup.toml | 2 +- .../discovery_remote_system_discovery_commands_windows.toml | 2 +- .../discovery_signal_unusual_user_host.toml | 2 +- .../discovery_system_service_discovery.toml | 2 +- rules_building_block/discovery_system_time_discovery.toml | 2 +- rules_building_block/discovery_win_network_connections.toml | 2 +- .../discovery_windows_system_information_discovery.toml | 2 +- 13 files changed, 15 insertions(+), 15 deletions(-) diff --git a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml index ab41832230e..25178ed9ff3 100644 --- a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml +++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml @@ -9,6 +9,7 @@ bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell. 
@@ -62,7 +63,6 @@ tags = ["Domain: Endpoint", "Rule Type: BBR" ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml index c6fbeb318c7..06080aad74c 100644 --- a/rules_building_block/discovery_generic_account_groups.toml +++ b/rules_building_block/discovery_generic_account_groups.toml @@ -9,6 +9,7 @@ bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of commands that enumerates account or group information. Adversaries may use built-in applications to get a listing of local system or domain accounts and groups. @@ -29,7 +30,6 @@ tags = ["Domain: Endpoint", "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' diff --git a/rules_building_block/discovery_generic_process_discovery.toml b/rules_building_block/discovery_generic_process_discovery.toml index 79021f38ebe..69bef326de3 100644 --- a/rules_building_block/discovery_generic_process_discovery.toml +++ b/rules_building_block/discovery_generic_process_discovery.toml @@ -9,6 +9,7 @@ bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to enumerate running processes. Adversaries may enumerate processes to identify installed applications and security solutions. @@ -29,7 +30,6 @@ tags = ["Domain: Endpoint", "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml index 364340ba82d..75a97996080 100644 --- a/rules_building_block/discovery_generic_registry_query.toml 
+++ b/rules_building_block/discovery_generic_registry_query.toml @@ -9,6 +9,7 @@ bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings. @@ -29,15 +30,14 @@ tags = ["Domain: Endpoint", "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" -building_block_type = "default" type = "new_terms" query = ''' host.os.type:windows and event.category:process and event.type:start and ( (process.name.caseless:"reg.exe" and process.args:"query") or (process.name.caseless:("powershell.exe" or "powershell_ise.exe" or "pwsh.exe") and - process.command_line.caseless:((*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and (*HKCU* or *HKEY_CURRENT_USER* or *HKEY_LOCAL_MACHINE* or - *HKLM* or *Registry\:\:*)))) + process.command_line.caseless:((*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and + (*HKCU* or *HKEY_CURRENT_USER* or *HKEY_LOCAL_MACHINE* or *HKLM* or *Registry\:\:*)))) ''' [[rule.threat]] diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml index 03185f9a182..6fcf1b7cac2 100644 --- a/rules_building_block/discovery_internet_capabilities.toml +++ b/rules_building_block/discovery_internet_capabilities.toml @@ -9,6 +9,7 @@ bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of built-in tools attackers can use to check for Internet connectivity on compromised systems. These results may be used to determine communication capabilities with C2 servers, or to identify routes, redirectors, and 
@@ -31,7 +32,6 @@ tags = ["Domain: Endpoint", ] timestamp_override = "event.ingested" type = "new_terms" -building_block_type = "default" query = ''' host.os.type:windows and event.category:process and event.type:start and diff --git a/rules_building_block/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml index b13cfcf8d90..a4342f2661c 100644 --- a/rules_building_block/discovery_net_view.toml +++ b/rules_building_block/discovery_net_view.toml @@ -9,6 +9,7 @@ bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool." from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"] @@ -60,7 +61,6 @@ tags = ["Domain: Endpoint", "Rule Type: BBR" ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' diff --git a/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml index b2e1e730e53..40219c503ef 100644 --- a/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml +++ b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml @@ -9,6 +9,7 @@ bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this @@ -72,7 +73,6 @@ tags = ["Domain: Endpoint", "Rule Type: BBR" ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml index 4208141134d..0b70e684c97 100644 --- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml +++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml @@ -9,6 +9,7 @@ bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = "Discovery of remote system information using built-in commands, which may be used to move laterally." from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"] @@ -60,7 +61,6 @@ tags = ["Domain: Endpoint", "Rule Type: BBR" ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' diff --git a/rules_building_block/discovery_signal_unusual_user_host.toml b/rules_building_block/discovery_signal_unusual_user_host.toml index dbfa6ca3d80..5c46f340044 100644 --- a/rules_building_block/discovery_signal_unusual_user_host.toml +++ b/rules_building_block/discovery_signal_unusual_user_host.toml @@ -8,6 +8,7 @@ bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique host.id and user.id entries. @@ -27,7 +28,6 @@ tags = ["Domain: Endpoint", "Rule Type: Higher-Order Rule" ] timestamp_override = "event.ingested" -building_block_type = "default" type = "new_terms" query = ''' host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:( diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml index be5cd2c93b3..97efd276284 100644 --- a/rules_building_block/discovery_system_service_discovery.toml +++ b/rules_building_block/discovery_system_service_discovery.toml 
@@ -9,6 +9,7 @@ bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges. @@ -30,7 +31,6 @@ tags = ["Domain: Endpoint", "Rule Type: BBR" ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml index c00474be0fd..6ec48630391 100644 --- a/rules_building_block/discovery_system_time_discovery.toml +++ b/rules_building_block/discovery_system_time_discovery.toml @@ -9,6 +9,7 @@ bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system. @@ -30,7 +31,6 @@ tags = ["Domain: Endpoint", "Rule Type: BBR" ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml index fab06d6a452..16ce86012a4 100644 --- a/rules_building_block/discovery_win_network_connections.toml +++ b/rules_building_block/discovery_win_network_connections.toml @@ -9,6 +9,7 @@ bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may attempt to get a listing of network connections to or from a compromised system to identify targets within an environment. 
@@ -29,7 +30,6 @@ tags = ["Domain: Endpoint", "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index 3527fd1e9af..61bfa2d8ca9 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -9,6 +9,7 @@ bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness. @@ -30,7 +31,6 @@ tags = ["Domain: Endpoint", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and