[Detection Rules] Add 7.14 rules (elastic#104772)
rw-access authored and FrankHassanabad committed Jul 15, 2021
1 parent b03534c commit b1d29ab
Showing 9 changed files with 396 additions and 3 deletions.
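--- /dev/null
+++ b/defense_evasion_disabling_windows_defender_powershell.json
@@ -0,0 +1,59 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.",
+"false_positives": [
+"Planned Windows Defender configuration changes."
+],
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Disabling Windows Defender Security Settings via PowerShell",
+"query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n",
+"references": [
+"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"
+],
+"risk_score": 47,
+"rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Defense Evasion"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1562",
+"name": "Impair Defenses",
+"reference": "https://attack.mitre.org/techniques/T1562/",
+"subtechnique": [
+{
+"id": "T1562.001",
+"name": "Disable or Modify Tools",
+"reference": "https://attack.mitre.org/techniques/T1562/001/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}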
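Review bot: The argument match in the `query` (`process.args : "Set-MpPreference"` together with the `-Disable*` / `Disabled` / `NeverSend` / `-Exclusion*` switch list) only sees cmdlet switches that arrive as plain command-line arguments, so a Set-MpPreference call issued from inside a script file or a script block never appears in `process.args` and the rule stays silent; that coverage boundary belongs in the rule text rather than in reviewers' heads. The rule has no `note` field, while the AWS rule touched by this commit shows the repo's `## Config` note convention, so I would add one along the lines of `"note": "## Config\n\nThis rule matches Set-MpPreference switches visible in process arguments only; pair it with PowerShell script block logging (event 4104) to cover invocations made from scripts."`. The `false_positives` entry could also name the common benign source, since `-Exclusion*` covers routine exclusion management by endpoint-management tooling, not only disabling.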
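--- /dev/null
+++ b/defense_evasion_enable_network_discovery_with_netsh.json
@@ -0,0 +1,56 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.",
+"false_positives": [
+"Host Windows Firewall planned system administration changes."
+],
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Enable Host Network Discovery via Netsh",
+"query": "process where event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n",
+"risk_score": 47,
+"rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Defense Evasion"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1562",
+"name": "Impair Defenses",
+"reference": "https://attack.mitre.org/techniques/T1562/",
+"subtechnique": [
+{
+"id": "T1562.001",
+"name": "Disable or Modify Tools",
+"reference": "https://attack.mitre.org/techniques/T1562/001/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}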
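Review bot: The ATT&CK sub-technique in the `threat` block, T1562.001 "Disable or Modify Tools", is the wrong fit for what the `query` matches, which is a change to a Windows Firewall rule group via netsh; T1562.004 "Disable or Modify System Firewall" describes that directly, so the `subtechnique` entry should read `"id": "T1562.004"`, `"name": "Disable or Modify System Firewall"`, `"reference": "https://attack.mitre.org/techniques/T1562/004/"`. The first sentence of the `description` ("enable host discovery via the network") is also hard to read; since only the `query` reveals that the rule keys on the firewall rule group `Network Discovery` being enabled, the description should say that in plain words. Unlike its siblings in this commit, the rule has no `references` array; a link to the netsh advfirewall documentation would give analysts the legitimate usage to compare against.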
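--- /dev/null
+++ b/defense_evasion_execution_windefend_unusual_path.json
@@ -0,0 +1,59 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.",
+"false_positives": [
+"Microsoft Antimalware Service Executable installed on non default installation path."
+],
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
+"query": "process where event.type == \"start\" and\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\"))\n",
+"references": [
+"https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"
+],
+"risk_score": 73,
+"rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Defense Evasion"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1574",
+"name": "Hijack Execution Flow",
+"reference": "https://attack.mitre.org/techniques/T1574/",
+"subtechnique": [
+{
+"id": "T1574.002",
+"name": "DLL Side-Loading",
+"reference": "https://attack.mitre.org/techniques/T1574/002/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}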
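Review bot: The `query` has an operator-precedence defect: in EQL `and` binds tighter than `or`, so `event.type == "start" and (A) or (B)` parses as `(event.type == "start" and A) or B`, and the second branch — `process.name : "MsMpEng.exe"` from a non-default `process.executable` — is not limited to process start events and will also fire on any other process event type present in the indexed sources (process end events, for instance), producing more than one alert per process. Wrap both branches so the event-type filter applies to each: `process where event.type == "start" and ((process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or (process.name : "MsMpEng.exe" and not process.executable : ("?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe", "?:\\Program Files\\Windows Defender\\*.exe", "?:\\Program Files (x86)\\Windows Defender\\*.exe")))`. The `false_positives` entry anticipates non-default installs; naming the product families that legitimately ship MsMpEng.exe outside the Windows Defender folders would let analysts tune the path allowlist instead of suppressing the rule.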
Expand Up @@ -16,7 +16,7 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "AWS EC2 VM Export Failure",
"note": "## Config\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n",
"references": [
"https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"
Expand Down Expand Up @@ -66,5 +66,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}
Expand Up @@ -562,7 +562,14 @@ import rule549 from './ml_auth_rare_user_logon.json';
import rule550 from './ml_auth_spike_in_failed_logon_events.json';
import rule551 from './ml_auth_spike_in_logon_events.json';
import rule552 from './ml_auth_spike_in_logon_events_from_a_source_ip.json';
import rule553 from './persistence_via_bits_job_notify_command.json';
import rule553 from './privilege_escalation_printspooler_malicious_driver_file_changes.json';
import rule554 from './privilege_escalation_printspooler_malicious_registry_modification.json';
import rule555 from './privilege_escalation_printspooler_suspicious_file_deletion.json';
import rule556 from './privilege_escalation_unusual_printspooler_childprocess.json';
import rule557 from './defense_evasion_disabling_windows_defender_powershell.json';
import rule558 from './defense_evasion_enable_network_discovery_with_netsh.json';
import rule559 from './defense_evasion_execution_windefend_unusual_path.json';
import rule560 from './persistence_via_bits_job_notify_command.json';

export const rawRules = [
rule1,
Expand Down Expand Up @@ -1118,4 +1125,11 @@ export const rawRules = [
rule551,
rule552,
rule553,
rule554,
rule555,
rule556,
rule557,
rule558,
rule559,
rule560,
];
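Review bot: The first hunk rebinds `rule553` from `persistence_via_bits_job_notify_command.json` to a new rule file and moves the BITS rule to `rule560`, so a pre-existing import changes identity and the diff no longer shows at a glance which rules are new. Unless this index is regenerated by a script (not visible from this page), appending the seven new imports after the existing `rule553` line as `rule554` through `rule560` keeps the existing bindings stable and confines the review to added lines; the `rawRules` array in the second hunk would then simply gain `rule554,` … `rule560,` as it does now. Note also that `rule556` imports `privilege_escalation_unusual_printspooler_childprocess.json`, whose file section did not load on this page, so I could not confirm that the file is part of the commit.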
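--- /dev/null
+++ b/privilege_escalation_printspooler_malicious_driver_file_changes.json
@@ -0,0 +1,50 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Potential PrintNightmare File Modification",
+"query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nfile where process.name : \"spoolsv.exe\" and \n file.name : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*\"\n",
+"references": [
+"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+"https://github.com/afwu/PrintNightmare"
+],
+"risk_score": 73,
+"rule_id": "5e87f165-45c2-4b80-bfa5-52822552c997",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Privilege Escalation"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0004",
+"name": "Privilege Escalation",
+"reference": "https://attack.mitre.org/tactics/TA0004/"
+},
+"technique": [
+{
+"id": "T1068",
+"name": "Exploitation for Privilege Escalation",
+"reference": "https://attack.mitre.org/techniques/T1068/"
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}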
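Review bot: The `query` carries no `event.type` restriction, unlike the other new EQL rules in this commit (`event.type == "start"`, `event.type : "deletion"`), so it fires on every file event type for those five names under the spool driver directory, including deletions, while the `description` promises creation or modification only; `file where event.type : ("creation", "change") and process.name : "spoolsv.exe" and` pins the rule to what the description states. The `file.name` list is a closed set of five well-known system DLL names, so the description should say the rule is keyed to those names being written as driver files rather than to the vulnerability in general, which tells analysts what a miss looks like. Every other new rule here has a `false_positives` entry and this one does not; legitimate driver installation by spoolsv.exe into the same directory is the obvious candidate to name.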
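--- /dev/null
+++ b/privilege_escalation_printspooler_malicious_registry_modification.json
@@ -0,0 +1,49 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+"from": "now-9m",
+"index": [
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Potential PrintNightmare Exploit Registry Modification",
+"query": "/* This rule is not compatible with Sysmon due to schema issues */\n\nregistry where process.name : \"spoolsv.exe\" and\n (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\mimikatz*\\\\Data File\" or\n (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\*\\\\Configuration File\" and\n registry.data.strings : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\")))\n",
+"references": [
+"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+"https://github.com/afwu/PrintNightmare"
+],
+"risk_score": 73,
+"rule_id": "6506c9fd-229e-4722-8f0f-69be759afd2a",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Privilege Escalation"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0004",
+"name": "Privilege Escalation",
+"reference": "https://attack.mitre.org/tactics/TA0004/"
+},
+"technique": [
+{
+"id": "T1068",
+"name": "Exploitation for Privilege Escalation",
+"reference": "https://attack.mitre.org/techniques/T1068/"
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}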
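Review bot: The Sysmon limitation is recorded only as an EQL comment inside the `query` (`/* This rule is not compatible with Sysmon due to schema issues */`) and implicitly by the `index` list omitting `winlogbeat-*`, but nothing user-facing says so, and an operator who adds `winlogbeat-*` back will get silence without knowing why. The repo's `note` convention (the `## Config` note in the AWS rule touched by this commit) is the place for it, e.g. `"note": "## Config\n\nThis rule requires Elastic Endpoint registry events; Sysmon registry events (winlogbeat-*) are not supported because of schema differences, which is why they are excluded from the index list."`. The first `registry.path` branch is keyed to a driver named `mimikatz*`, i.e. to one tool's default naming, while the second branch is generic; the `description` should make that split explicit so analysts do not read a quiet first branch as absence of activity.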
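--- /dev/null
+++ b/privilege_escalation_printspooler_suspicious_file_deletion.json
@@ -0,0 +1,53 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.",
+"false_positives": [
+"Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."
+],
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Suspicious Print Spooler File Deletion",
+"query": "file where event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n",
+"references": [
+"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+"https://github.com/afwu/PrintNightmare"
+],
+"risk_score": 47,
+"rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Privilege Escalation"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0004",
+"name": "Privilege Escalation",
+"reference": "https://attack.mitre.org/tactics/TA0004/"
+},
+"technique": [
+{
+"id": "T1068",
+"name": "Exploitation for Privilege Escalation",
+"reference": "https://attack.mitre.org/techniques/T1068/"
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}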
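Review bot: `event.type : "deletion"` in the `query` uses the pattern operator where the other new EQL rules in this commit compare the fixed ECS value exactly (`event.type == "start"`); for a constant with no wildcard, `==` states the intent and keeps the operator usage uniform across the rule set — `file where event.type == "deletion" and`. The exclusion of `spoolsv.exe`, `dllhost.exe` and `explorer.exe` is by `process.name` alone, which is a weak allowlist because the name is caller-controlled; pairing each excluded name with its expected `process.executable` system path in a `not (process.name : ... and process.executable : ...)` form keeps the benign cases suppressed without trusting the name by itself. The `false_positives` sentence also has a grammar slip: `"Uninstall or manual deletion of legitimate print driver files. ..."`.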