From 09f7158761efda48f66cabd01cbed4527133bc5a Mon Sep 17 00:00:00 2001 
From: Mika Ayenson Date: Wed, 25 Sep 2024 15:19:20 -0500 Subject: [PATCH] [Docs | Rule Tuning] Add blog references to rules (#4097) * [Docs | Rule Tuning] Add blog references to rules * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Apply suggestions from code review * Update google_workspace blog references * add okta blog references * Update dates --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Removed changes from: - rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml - rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml - rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml - rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml - rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml - rules/windows/collection_email_powershell_exchange_mailbox.toml (selectively cherry picked from commit b80d8342d6b54e0a2b17d021174ab5aee1de6dba) --- ...deletion_of_bash_command_line_history.toml | 3 +- .../execution_revershell_via_shell_cmd.toml | 3 +- ...lege_escalation_echo_nopasswd_sudoers.toml | 3 +- ...ation_setuid_setgid_bit_set_via_chmod.toml | 11 ++- ...privilege_escalation_sudoers_file_mod.toml | 3 +- ...istence_suspicious_file_modifications.toml | 55 ++++++------ ...ship_transferred_via_google_workspace.toml | 8 +- ...ustom_gmail_route_created_or_modified.toml | 8 +- ...yption_key_accessed_by_anonymous_user.toml | 8 +- ...ed_from_blocklist_in_google_workspace.toml | 8 +- ...d_to_google_workspace_trusted_domains.toml | 8 +- ..._workspace_bitlocker_setting_disabled.toml | 8 +- ...th_login_from_third_party_application.toml | 3 +- ...marketplace_modified_to_allow_any_app.toml | 8 +- 
...ogle_workspace_alert_center_promotion.toml | 8 +- ..._google_workspace_admin_role_deletion.toml | 8 +- ...le_workspace_mfa_enforcement_disabled.toml | 8 +- ..._user_added_to_google_workspace_group.toml | 8 +- ...ogle_workspace_suspended_user_renewed.toml | 8 +- ...ed_to_external_drive_with_app_consent.toml | 3 +- ...tion_added_to_google_workspace_domain.toml | 8 +- ..._google_workspace_2sv_policy_disabled.toml | 8 +- ...workspace_admin_role_assigned_to_user.toml | 8 +- ..._workspace_api_access_granted_via_dwd.toml | 8 +- ...e_workspace_custom_admin_role_created.toml | 8 +- ...le_workspace_password_policy_modified.toml | 7 +- ...stence_google_workspace_role_modified.toml | 8 +- ...pace_user_organizational_unit_changed.toml | 8 +- ...led_for_google_workspace_organization.toml | 7 +- ...l_access_attempted_bypass_of_okta_mfa.toml | 5 +- ...mpts_to_brute_force_okta_user_account.toml | 4 +- ...vents_from_single_device_behind_proxy.toml | 4 +- ...okta_brute_force_or_password_spraying.toml | 4 +- ...ta_mfa_bombing_via_push_notifications.toml | 4 +- ...l_okta_bombing_via_push_notifications.toml | 4 +- ...tial_access_user_impersonation_access.toml | 5 +- ...tempt_to_deactivate_okta_network_zone.toml | 4 +- ...n_attempt_to_delete_okta_network_zone.toml | 4 +- ..._app_client_credential_token_exchange.toml | 6 +- ...kta_attempt_to_deactivate_okta_policy.toml | 4 +- ...ttempt_to_deactivate_okta_policy_rule.toml | 4 +- ...on_okta_attempt_to_delete_okta_policy.toml | 4 +- ...ta_attempt_to_delete_okta_policy_rule.toml | 4 +- ...a_attempt_to_modify_okta_network_zone.toml | 4 +- ...on_okta_attempt_to_modify_okta_policy.toml | 4 +- ...ta_attempt_to_modify_okta_policy_rule.toml | 4 +- ...ser_password_reset_or_unlock_attempts.toml | 4 +- ...pact_attempt_to_revoke_okta_api_token.toml | 4 +- ...ttempt_to_deactivate_okta_application.toml | 4 +- ...ta_attempt_to_delete_okta_application.toml | 4 +- ...ta_attempt_to_modify_okta_application.toml | 4 +- 
.../okta/impact_possible_okta_dos_attack.toml | 4 +- ...rrence_user_session_started_via_proxy.toml | 4 +- ...new_authentication_behavior_detection.toml | 4 +- ...initial_access_okta_fastpass_phishing.toml | 4 +- ...ta_user_attempted_unauthorized_access.toml | 4 +- ...ss_sign_in_events_via_third_party_idp.toml | 4 +- ...icious_activity_reported_by_okta_user.toml | 4 +- ...ent_multiple_sessions_for_single_user.toml | 4 +- ...eatinsight_threat_suspected_promotion.toml | 4 +- ...tor_privileges_assigned_to_okta_group.toml | 4 +- ...inistrator_role_assigned_to_okta_user.toml | 5 +- ...ence_attempt_to_create_okta_api_token.toml | 4 +- ...set_mfa_factors_for_okta_user_account.toml | 5 +- ...mfa_deactivation_with_no_reactivation.toml | 4 +- ...e_new_idp_successfully_added_by_admin.toml | 4 +- ..._or_delete_application_sign_on_policy.toml | 4 +- ...login_to_okta_account_after_mfa_reset.toml | 4 +- ...tempt_to_disable_iptables_or_firewall.toml | 9 +- ...ion_attempt_to_disable_syslog_service.toml | 3 +- ...binary_copied_to_suspicious_directory.toml | 20 +++-- .../defense_evasion_log_files_deleted.toml | 9 +- .../discovery_suid_sguid_enumeration.toml | 3 +- .../discovery_yum_dnf_plugin_detection.toml | 18 ++-- ...ion_netcon_from_rwx_mem_region_binary.toml | 7 +- .../execution_shell_evasion_linux_binary.toml | 3 +- ...execution_shell_via_meterpreter_linux.toml | 6 +- ...ution_shell_via_udp_cli_utility_linux.toml | 4 +- ...nknown_rwx_mem_region_binary_executed.toml | 15 ++-- ...istence_apt_package_manager_execution.toml | 20 ++--- ...nce_apt_package_manager_file_creation.toml | 21 +++-- ...ersistence_apt_package_manager_netcon.toml | 17 ++-- rules/linux/persistence_at_job_creation.toml | 20 +++-- .../linux/persistence_cron_job_creation.toml | 3 +- ..._package_manager_plugin_file_creation.toml | 21 +++-- .../linux/persistence_etc_file_creation.toml | 4 +- .../linux/persistence_git_hook_execution.toml | 22 +++-- .../persistence_git_hook_file_creation.toml | 18 ++-- 
rules/linux/persistence_git_hook_netcon.toml | 18 ++-- ...ersistence_git_hook_process_execution.toml | 18 ++-- .../persistence_init_d_file_creation.toml | 9 +- ...ersistence_kde_autostart_modification.toml | 3 +- ...sistence_linux_backdoor_user_creation.toml | 3 +- .../persistence_linux_group_creation.toml | 3 +- ...rsistence_linux_user_account_creation.toml | 3 +- ..._linux_user_added_to_privileged_group.toml | 3 +- ...rsistence_message_of_the_day_creation.toml | 13 ++- ...persistence_script_executable_bit_set.toml | 24 ++--- ...persistence_rc_local_error_via_syslog.toml | 23 +++-- ...ence_rc_local_service_already_running.toml | 12 ++- .../linux/persistence_rc_script_creation.toml | 10 ++- ...ence_shell_configuration_modification.toml | 16 ++-- .../linux/persistence_ssh_key_generation.toml | 17 ++-- ...e_suspicious_ssh_execution_xzbackdoor.toml | 8 +- ...ersistence_systemd_generator_creation.toml | 21 +++-- ...tence_systemd_scheduled_timer_created.toml | 27 +++--- .../persistence_systemd_service_creation.toml | 34 +++---- .../persistence_systemd_service_started.toml | 3 +- .../linux/persistence_udev_rule_creation.toml | 16 ++-- ...ser_or_group_creation_or_modification.toml | 12 ++- .../persistence_user_password_change.toml | 17 ++-- .../persistence_xdg_autostart_netcon.toml | 24 ++--- ..._package_manager_plugin_file_creation.toml | 23 +++-- ...tion_potential_suid_sgid_exploitation.toml | 29 +++--- .../privilege_escalation_sudo_hijacking.toml | 17 ++-- ...istence_emond_rules_process_execution.toml | 7 +- .../windows/collection_winrar_encryption.toml | 7 +- ...ommand_and_control_common_webservices.toml | 89 +++++++++++-------- .../credential_access_cmdline_dump_tool.toml | 7 +- ...ess_copy_ntds_sam_volshadowcp_cmdline.toml | 3 +- ...tial_access_dcsync_replication_rights.toml | 3 +- ...ccess_suspicious_lsass_access_memdump.toml | 3 +- ...e_evasion_clearing_windows_event_logs.toml | 3 +- ...ion_defender_exclusion_via_powershell.toml | 5 +- 
...disabling_windows_defender_powershell.toml | 4 +- ...efense_evasion_from_unusual_directory.toml | 6 +- ...defense_evasion_masquerading_werfault.toml | 3 +- ..._evasion_microsoft_defender_tampering.toml | 3 +- .../windows/defense_evasion_mshta_beacon.toml | 5 +- ...e_evasion_parent_process_pid_spoofing.toml | 7 +- ..._evasion_suspicious_certutil_commands.toml | 3 +- ...sion_unsigned_dll_loaded_from_suspdir.toml | 5 +- .../execution_from_unusual_path_cmdline.toml | 6 +- ...tion_scheduled_task_powershell_source.toml | 3 +- .../windows/execution_suspicious_cmd_wmi.toml | 6 +- ...ecution_suspicious_powershell_imgload.toml | 3 +- ...al_access_script_executing_powershell.toml | 3 +- ...vement_direct_outbound_smb_connection.toml | 13 ++- ...movement_executable_tool_transfer_smb.toml | 6 +- ..._movement_execution_from_tsclient_mup.toml | 7 +- ...nt_execution_via_file_shares_sequence.toml | 3 +- .../lateral_movement_rdp_sharprdp_target.toml | 3 +- ...ovement_remote_file_copy_hidden_share.toml | 3 +- .../lateral_movement_remote_services.toml | 3 +- ...ateral_movement_scheduled_task_target.toml | 3 +- ...ement_suspicious_rdp_client_imageload.toml | 7 +- ...l_movement_via_startup_folder_rdp_smb.toml | 7 +- ...egistry_startup_shell_folder_modified.toml | 6 +- ...istence_local_scheduled_task_creation.toml | 4 +- ...persistence_run_key_and_startup_broad.toml | 3 +- .../persistence_service_dll_unsigned.toml | 5 +- ...er_file_written_by_suspicious_process.toml | 7 +- ...nce_suspicious_scheduled_task_runtime.toml | 5 +- ...ilege_escalation_disable_uac_registry.toml | 3 +- ...on_service_control_spawned_script_int.toml | 3 +- ...tion_unusual_parentchild_relationship.toml | 3 +- ...on_windows_service_via_unusual_client.toml | 11 ++- rules_building_block/discovery_net_view.toml | 5 +- 158 files changed, 898 insertions(+), 457 deletions(-) 
diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml index 3e7e4817622..d741251924d 100644 --- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml +++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/04" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/07/05" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -15,6 +15,7 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana language = "eql" license = "Elastic License v2" name = "Tampering of Shell Command-Line History" +references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"] risk_score = 47 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba" setup = """## Setup diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml index c872f64da64..62a96f31eb4 100644 --- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml +++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -48,6 +48,7 @@ references = [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", "https://github.com/WangYihang/Reverse-Shell-Manager", "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/", + "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", ] risk_score = 73 rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856" 
diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml index 7b589072395..d6509cbfe32 100644 --- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml +++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -15,6 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License v2" name = "Potential Privilege Escalation via Sudoers File Modification" +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 73 rule_id = "76152ca1-71d0-4003-9e37-0983e12832da" severity = "high" diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml index 1bc428d0f15..d23c490865c 100644 --- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml +++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/19" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -19,6 +19,7 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "SUID/SGID Bit Set" +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a" severity = "low" 
@@ -32,6 +33,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( (process.name == "chmod" and (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}")) or @@ -48,24 +50,24 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -73,3 +75,4 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml index 23c493369ad..b0d2ae7d57e 100644 --- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml +++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -15,6 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License v2" name = "Sudoers File Modification" +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 47 rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4" severity = "medium" 
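Review bot: The numeric-mode pattern visible in the `query` context of the `@@ -32,6 +33,7 @@` hunk of privilege_escalation_setuid_setgid_bit_set_via_chmod.toml, `process.args regex "[24][0-9]{3}"`, accepts only a leading 2 or 4. If `regex` is matched against the whole argument, a mode whose special-bits digit combines setuid and setgid (6, or 3/5/7 with the sticky bit) would not raise this rule. The symbolic list `("+s", "u+s", "g+s")` also carries no wildcard for combined forms. Since the commit already touches this rule and bumps `updated_date`, consider widening the pattern to `process.args regex "[2-7][0-7]{3}"` in both places it appears and re-checking the false-positive volume. The query starts in this hunk and continues past it, so branches outside the visible lines may already cover part of this.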
diff --git a/rules/integrations/fim/persistence_suspicious_file_modifications.toml b/rules/integrations/fim/persistence_suspicious_file_modifications.toml index 86533f3e521..c8d56a9db78 100644 --- a/rules/integrations/fim/persistence_suspicious_file_modifications.toml +++ b/rules/integrations/fim/persistence_suspicious_file_modifications.toml 
@@ -1,27 +1,30 @@ [metadata] creation_date = "2024/06/03" -maturity = "production" integration = ["fim"] -updated_date = "2024/07/09" +maturity = "production" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are -commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for -cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, -init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the -paths specified in the query need to be added to the FIM policy in the Elastic Security app. +commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron +jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init +daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths +specified in the query need to be added to the FIM policy in the Elastic Security app. """ from = "now-9m" index = ["logs-fim.event-*", "auditbeat-*"] language = "eql" license = "Elastic License v2" name = "Potential Persistence via File Modification" +references = [ + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] risk_score = 21 rule_id = "192657ba-ab0e-4901-89a2-911d611eee98" -setup = """ -## Setup +setup = """## Setup This rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration. 
@@ -46,10 +49,11 @@ tags = [ "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", - "Data Source: File Integrity Monitoring" + "Data Source: File Integrity Monitoring", ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and file.path : ( @@ -112,29 +116,39 @@ file.path : ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" +[[rule.threat.technique.subtechnique]] +id = "T1136.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1136/001/" + + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" 
@@ -144,51 +158,42 @@ reference = "https://attack.mitre.org/techniques/T1556/" id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" -[[rule.threat.technique]] -id = "T1136" -name = "Create Account" -reference = "https://attack.mitre.org/techniques/T1136/" -[[rule.threat.technique.subtechnique]] -id = "T1136.001" -name = "Local Account" -reference = "https://attack.mitre.org/techniques/T1136/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml index 3b0bb139b97..8b50df9d34a 100644 --- a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml +++ b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml 
@@ -2,7 +2,7 @@ creation_date = "2022/08/24" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -76,7 +76,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/1247799?hl=en"] +references = [ + "https://support.google.com/a/answer/1247799?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 47 rule_id = "07b5f85a-240f-11ed-b3d9-f661ea17fbce" severity = "medium" diff --git a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml index 2f9485b97b3..8b3387a9e9d 100644 --- a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml +++ b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/13" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
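Review bot: The multi-line `references` array added in the `@@ -76,7 +76,11 @@` hunk of collection_google_drive_ownership_transferred_via_google_workspace.toml has no trailing comma after its last URL. The arrays this same patch writes in persistence_suspicious_file_modifications.toml and execution_revershell_via_shell_cmd.toml do end every element with one. The last element should read `"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",`. The same applies to the other google_workspace `references` hunks in this patch, and in collection_google_workspace_custom_gmail_route_created_or_modified.toml the closing bracket also appears to be indented (`+ ]`). Running these files through the repository's TOML formatter before merge would keep a later commit from mixing formatting-only churn, like the whitespace hunks in the FIM rule here, with real changes to detection logic.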
@@ -76,7 +76,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/2685650?hl=en"] +references = [ + "https://support.google.com/a/answer/2685650?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + ] risk_score = 47 rule_id = "9510add4-3392-11ed-bd01-f661ea17fbce" severity = "medium" diff --git a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml index 32ca309972a..5af838db9fc 100644 --- a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml +++ b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/21" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -36,7 +36,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/drive/answer/2494822"] +references = [ + "https://support.google.com/drive/answer/2494822", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 73 rule_id = "980b70a0-c820-11ed-8799-f661ea17fbcc" severity = "high" diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml index 422ba0189ba..ba8f4a4f7f8 100644 --- a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml +++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -79,7 +79,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/6328701?hl=en#"] +references = [ + "https://support.google.com/a/answer/6328701?hl=en#", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 47 rule_id = "495e5f2e-2480-11ed-bea8-f661ea17fbce" severity = "medium" diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml index 1b92225d220..50b9fd776ed 100644 --- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml +++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -74,7 +74,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/6160020?hl=en"] +references = [ + "https://support.google.com/a/answer/6160020?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 73 rule_id = "cf549724-c577-4fd6-8f9b-d1b8ec519ec0" severity = "high" diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml index e16f5f51216..3da71e49a09 100644 --- a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml +++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/06" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -74,7 +74,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/9176657?hl=en"] +references = [ + "https://support.google.com/a/answer/9176657?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 47 rule_id = "7caa8e60-2df0-11ed-b814-f661ea17fbce" severity = "medium" diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml index 96946ea3b8f..35730889fc6 100644 --- a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml +++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/30" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/07/10" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -35,6 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" references = [ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two", "https://developers.google.com/apps-script/guides/bound", "https://developers.google.com/identity/protocols/oauth2", ] 
diff --git a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml index e8e9160fce5..09ecde61c16 100644 --- a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml +++ b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/06/28" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -81,7 +81,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/6089179?hl=en"] +references = [ + "https://support.google.com/a/answer/6089179?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 47 rule_id = "a2795334-2499-11ed-9e1a-f661ea17fbce" severity = "medium" diff --git a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml index 65f289b2659..bdf24ad3254 100644 --- a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml +++ b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml @@ -3,7 +3,7 @@ creation_date = "2023/01/15" integration = ["google_workspace"] maturity = "production" promotion = true -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -31,7 +31,11 @@ note = """## Setup This is a promotion rule for Google Workspace security events, which are alertable events per the vendor. Consult vendor documentation on interpreting specific events. """ -references = ["https://workspace.google.com/products/admin/alert-center/"] +references = [ + "https://workspace.google.com/products/admin/alert-center/", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 73 rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc" rule_name_override = "google_workspace.alert.type" diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml index 747f1ff2ffa..b55c2591321 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -74,7 +74,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/2406043?hl=en"] +references = [ + "https://support.google.com/a/answer/2406043?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 47 rule_id = "93e63c3e-4154-4fc6-9f86-b411e0987bbf" severity = "medium" 
diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml index 9999e04f1b5..5c62a0f8be1 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -76,7 +76,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/9176657?hl=en#"] +references = [ + "https://support.google.com/a/answer/9176657?hl=en#", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 47 rule_id = "cad4500a-abd7-4ef3-b5d3-95524de7cfe1" severity = "medium" diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml index c023a887bf0..9da5f09028e 100644 --- a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml +++ b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/16" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
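Review bot: The first entry of the new array in `impact_google_workspace_mfa_enforcement_disabled.toml` carries over the old URL's empty fragment, `"https://support.google.com/a/answer/9176657?hl=en#"`. Other rules in this commit cite the same article as `"https://support.google.com/a/answer/9176657?hl=en"`. The line is being rewritten anyway, so dropping the trailing `#` would make the references identical across rules, which helps anyone grouping or de-duplicating rules by reference during triage. The same leftover `#` appears on `...6328701?hl=en#` in `persistence_application_added_to_google_workspace_domain.toml` and `persistence_google_workspace_user_organizational_unit_changed.toml`.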
@@ -78,7 +78,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/33329"] +references = [ + "https://support.google.com/a/answer/33329", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 47 rule_id = "38f384e0-aef8-11ed-9a38-f661ea17fbcc" severity = "medium" diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml index 379476c08dc..a1022b5fa15 100644 --- a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml +++ b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -36,7 +36,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/1110339"] +references = [ + "https://support.google.com/a/answer/1110339", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 21 rule_id = "00678712-b2df-11ed-afe9-f661ea17fbcc" severity = "low" 
diff --git a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml index 039e134fa1b..1a25f272c6e 100644 --- a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml +++ b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/07" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/06/28" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -81,6 +81,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" references = [ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two", "https://developers.google.com/apps-script/guides/bound", "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links", ] diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml index d7eb4ce5531..90cf5ef9b6e 100644 --- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml +++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -78,7 +78,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/6328701?hl=en#"] +references = [ + "https://support.google.com/a/answer/6328701?hl=en#", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 47 rule_id = "785a404b-75aa-4ffd-8be5-3334a5a544dd" severity = "medium" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml index 0d47da77d01..4647fb4aed4 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/26" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -78,7 +78,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/9176657?hl=en"] +references = [ + "https://support.google.com/a/answer/9176657?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 47 rule_id = "5e161522-2545-11ed-ac47-f661ea17fbce" severity = "medium" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml index 78b80ba643e..a23661911b2 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -81,7 +81,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/172176?hl=en"] +references = [ + "https://support.google.com/a/answer/172176?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 73 rule_id = "68994a6c-c7ba-4e82-b476-26a26877adf6" severity = "high" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml index da1d420be59..2a59b14eadc 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/12" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/06/28" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -75,7 +75,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://developers.google.com/admin-sdk/directory/v1/guides/delegation"] +references = [ + "https://developers.google.com/admin-sdk/directory/v1/guides/delegation", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 47 rule_id = "acbc8bb9-2486-49a8-8779-45fb5f9a93ee" severity = "medium" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml index 1a5b51af505..643c9d27e06 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -79,7 +79,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/2406043?hl=en"] +references = [ + "https://support.google.com/a/answer/2406043?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two", +] risk_score = 47 rule_id = "ad3f2807-2b3e-47d7-b282-f84acbbe14be" severity = "medium" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml index 6181ee74c49..986aac4bd3d 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -77,6 +77,11 @@ The Google Workspace Fleet integration, the Filebeat module, or data that's simi - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" +references = [ + "https://support.google.com/a/answer/7061566", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 47 rule_id = "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73" severity = "medium" 
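Review bot: The `@@ -77,6 +77,11 @@` hunk in `persistence_google_workspace_password_policy_modified.toml` adds a `references` key where the rule had none, and its first entry, `"https://support.google.com/a/answer/7061566"`, is the generic setup page that the rule's note already links in the context lines directly above. The sibling rules in this commit lead with an admin-help article specific to the setting they monitor, so an analyst opening this rule gets no vendor page describing the password-policy control itself. I would replace that entry with the topic-specific help article, or drop it and keep the two Security Labs links. The `@@ -75,6 +75,11 @@` hunk in `persistence_mfa_disabled_for_google_workspace_organization.toml` has the same issue; `answer/9176657`, cited by the other 2-step-verification rules here, looks like the natural choice there, but that should be confirmed. Only the tail of the `[rule]` table is visible, so also confirm that no other `references` key exists in either file, because a duplicate key is invalid TOML.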
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml index fae520fa6e7..040e19fdd98 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -81,7 +81,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/2406043?hl=en"] +references = [ + "https://support.google.com/a/answer/2406043?hl=en", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 47 rule_id = "6f435062-b7fc-4af9-acea-5b1ead65c5a5" severity = "medium" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml index bec0569605e..cb0bc8fec70 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/06" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -80,7 +80,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" -references = ["https://support.google.com/a/answer/6328701?hl=en#"] +references = [ + "https://support.google.com/a/answer/6328701?hl=en#", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 21 rule_id = "cc6a8a20-2df2-11ed-8378-f661ea17fbce" severity = "low" diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml index 098cfa6157e..8bc3d051239 100644 --- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml +++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -75,6 +75,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" +references = [ + "https://support.google.com/a/answer/7061566", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" +] risk_score = 47 rule_id = "e555105c-ba6d-481f-82bb-9b633e7b4827" severity = "medium" 
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml index 9c8bc89dbd8..de5419e0527 100644 --- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml +++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -58,6 +58,9 @@ references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", ] risk_score = 73 rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0" diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml index 784415774a1..4f0f19a9584 100644 --- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml +++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] 
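Review bot: The three Security Labs links added in the `@@ -58,6 +58,9 @@` hunk of `credential_access_attempted_bypass_of_okta_mfa.toml` are ordered monitoring-okta-threats, okta-and-lapsus, starter-guide. The same three links in `credential_access_user_impersonation_access.toml` are ordered monitoring-okta-threats, starter-guide, okta-and-lapsus. Every other Okta rule in this commit appends monitoring-okta-threats and then starter-guide, so putting `okta-and-lapsus-what-you-need-to-know` last in both files would keep the shared pair in a fixed position and make the per-rule additions easy to spot when diffing rules against each other.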
@@ -57,6 +57,8 @@ references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", ] risk_score = 47 rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49" diff --git a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml index 97acf978e6f..e27551037a9 100644 --- a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml +++ b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/10" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -67,6 +67,8 @@ references = [ "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", ] risk_score = 47 rule_id = "50887ba8-7ff7-11ee-a038-f661ea17fbcd" diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml index 028c53515cb..c1bfee11024 100644 --- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml 
+++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -57,6 +57,8 @@ references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", ] risk_score = 47 rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0" diff --git a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml index 4928a9685d1..fc158cefe1d 100644 --- a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml +++ b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/18" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -55,6 +55,8 @@ references = [ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", ] risk_score = 73 rule_id = "8a0fbd26-867f-11ee-947c-f661ea17fbcd" 
diff --git a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml index 3805fbaab8d..f65e4fc0c33 100644 --- a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml +++ b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/05" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -58,6 +58,8 @@ references = [ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", ] risk_score = 73 rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7" diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml index ad52a9a46d7..5b1c06e5083 100644 --- a/rules/integrations/okta/credential_access_user_impersonation_access.toml +++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml @@ -2,7 +2,7 @@ creation_date = "2022/03/22" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -51,6 +51,9 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", + "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know", ] risk_score = 73 rule_id = "cdbebdc1-dc97-43c6-a538-f26a20c0a911" diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml index ce7bba717cb..ea048dfbf97 100644 --- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -58,6 +58,8 @@ references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", ] risk_score = 47 rule_id = "8a5c1e5f-ad63-481e-b53a-ef959230f7f1" diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml index 46ef83fbb48..a89e190f88e 100644 --- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml 
+++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -58,6 +58,8 @@ references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", ] risk_score = 47 rule_id = "c749e367-a069-4a73-b1f2-43a3798153ad" diff --git a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml index 9fdcb0c41f0..ce3bbd28b07 100644 --- a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml +++ b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/11" integration = ["okta"] maturity = "production" -updated_date = "2024/09/11" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -21,7 +21,9 @@ license = "Elastic License v2" name = "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials" references = [ "https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/", - "https://developer.okta.com/docs/reference/api/event-types/" + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", ] risk_score = 47 rule_id = "6649e656-6f85-11ef-8876-f661ea17fbcc" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml index acd680fa6f9..30acf1a49fc 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -66,6 +66,8 @@ references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", ] risk_score = 21 rule_id = "b719a170-3bdb-4141-b0e3-13e3cf627bfe" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml index 36613952a23..b50418ba1d3 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml 
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -65,6 +65,8 @@ references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", ] risk_score = 47 rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml index cce0b1165d7..063a09b170a 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/28" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -66,6 +66,8 @@ references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", ] risk_score = 47 rule_id = "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9" 
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml index ed5c99bdbbf..ecdabb2216b 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -65,6 +65,8 @@ references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", ] risk_score = 21 rule_id = "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml index 59904f60144..6ee1d50fa0e 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -64,6 +64,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "e48236ca-b67a-4b4e-840c-fdc7782bc0c3"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
index c41eaf5ac22..b485eec0644 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -54,6 +54,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
index aaa03a77d42..f541558e588 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -63,6 +63,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19"
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 81b03d599dd..92eed04d461 100644
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -56,6 +56,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457"
diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
index 4206790eec7..e21246c5d59 100644
--- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -52,6 +52,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7"
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
index bb616b52b4c..0d2319adf1b 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -56,6 +56,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a"
diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
index 491434bdc50..b18b13630c4 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -27,6 +27,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f"
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
index 54eebeb0a7b..8a3a84e7743 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "c74fd275-ab2c-4d49-8890-e2943fa65c09"
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index df11b192b63..e85d110991a 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "e6e3ecff-03dd-48ec-acbd-54a04de10c68"
diff --git a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
index c43477fdbc5..8fc9d03cae8 100644
--- a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
+++ b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -45,6 +45,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/#issuer-object",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd"
diff --git a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml b/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
index 7cf72503b5d..7623ecd5c1a 100644
--- a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
+++ b/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -50,6 +50,8 @@ references = [
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://unit42.paloaltonetworks.com/muddled-libra/",
 "https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "260486ee-7d98-11ee-9599-f661ea17fbcd"
diff --git a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
index 054c5ca079f..066c2b4a762 100644
--- a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
+++ b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Austin Songer"]
@@ -24,6 +24,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://sec.okta.com/fastpassphishingdetection",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e"
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index cca876385a9..47a853e214f 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/14"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -18,6 +18,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "4edd3e1a-3aa0-499b-8147-4d2ea43b1613"
diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
index a752278a67a..c127cd0f9e8 100644
--- a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
+++ b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -58,6 +58,8 @@ references = [
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://unit42.paloaltonetworks.com/muddled-libra/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "1ceb05c4-7d25-11ee-9562-f661ea17fbcd"
diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index d029b99e558..272dfd211b4 100644
--- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "f994964f-6fce-4d75-8e79-e16ccc412588"
diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
index 31391fa335a..33289094cca 100644
--- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
+++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -26,6 +26,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "621e92b6-7e54-11ee-bdc0-f661ea17fbcd"
diff --git a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
index 16376535937..b90248f519e 100644
--- a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
+++ b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
 promotion = true
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -30,6 +30,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index 41a42b3eaee..9b1bc5e9e8a 100644
--- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -29,6 +29,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "b8075894-0b62-46e5-977c-31275da34419"
diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index 509a3b9c5f1..2631bf2930f 100644
--- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -29,6 +29,9 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
+ "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know",
 ]
 risk_score = 47
 rule_id = "f06414a6-f2a4-466d-8eba-10f85e8abf71"
diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index 21dae60efd2..2996475c434 100644
--- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "96b9f4ea-0e8c-435b-8d53-2096e75fcac5"
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index ba2223c6760..3a6ad0886e2 100644
--- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,9 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
+ "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know",
 ]
 risk_score = 21
 rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181"
diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
index edbca91a417..fd8f45c9896 100644
--- a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
+++ b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -57,6 +57,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
diff --git a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
index 4192b29046a..075937b532d 100644
--- a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
+++ b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -54,6 +54,8 @@ references = [
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://unit42.paloaltonetworks.com/muddled-libra/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "29b53942-7cd4-11ee-b70e-f661ea17fbcd"
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index b751ae40e82..e437c4fd7cd 100644
--- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/01"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
diff --git a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
index a4901c38e9f..07ead8b7c05 100644
--- a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
+++ b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/09"
 integration = ["endpoint", "okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -58,6 +58,8 @@ references = [ "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", ] risk_score = 73 rule_id = "5610b192-7f18-11ee-825b-f661ea17fbcd" diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index b6fe8c3808a..b9f2ca63ffa 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/08" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -15,6 +15,7 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Attempt to Disable IPTables or Firewall" +references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"] risk_score = 21 rule_id = "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f" setup = """## Setup @@ -74,20 +75,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index 78771aa6d7e..a93d4c199cd 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Disable Syslog Service"
+references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
 risk_score = 47
 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
 setup = """## Setup
diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
index 17ded64869e..b53a07c4d5a 100644
--- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
+++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
@@ -2,21 +2,24 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/31" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ -This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries -to evade detection. Copying a system binary to a different location should not occur often, so if it does, the -activity should be investigated. +This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries to +evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity +should be investigated. """ from = "now-9m" index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "System Binary Moved or Copied" -references = ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"] +references = [ + "https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] risk_score = 47 rule_id = "fda1d332-5e08-4f27-8a9b-8c802e3292a6" setup = """## Setup @@ -54,6 +57,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.Ext.original.path : ( 
@@ -87,25 +91,27 @@ file.Ext.original.path : ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename System Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index c18de6fb41c..391cd6f5e04 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/08" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -17,6 +17,7 @@ license = "Elastic License v2" name = "System Log File Deletion" references = [ "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html", + "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", ] risk_score = 47 rule_id = "aa895aea-b69c-4411-b110-8d7599634b30" 
@@ -92,20 +93,22 @@ file where host.os.type == "linux" and event.type == "deletion" and not process.name in ("gzip", "executor", "dockerd") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.002" name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml index 73fd48e341d..131a1e897c6 100644 --- a/rules/linux/discovery_suid_sguid_enumeration.toml +++ b/rules/linux/discovery_suid_sguid_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -18,6 +18,7 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "SUID/SGUID Enumeration Detected" +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "5b06a27f-ad72-4499-91db-0c69667bffa5" setup = """## Setup diff --git a/rules/linux/discovery_yum_dnf_plugin_detection.toml b/rules/linux/discovery_yum_dnf_plugin_detection.toml index 61a81cc9cfa..364f6df1e2d 100644 --- a/rules/linux/discovery_yum_dnf_plugin_detection.toml +++ b/rules/linux/discovery_yum_dnf_plugin_detection.toml 
@@ -2,14 +2,14 @@ creation_date = "2024/06/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/25" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ -This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is -used to search for YUM/DNF configurations and/or plugins with an enabled state. This behavior may indicate an -attacker is attempting to establish persistence in a YUM or DNF plugin. +This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is used +to search for YUM/DNF configurations and/or plugins with an enabled state. This behavior may indicate an attacker is +attempting to establish persistence in a YUM or DNF plugin. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -17,8 +17,9 @@ language = "eql" license = "Elastic License v2" name = "Yum/DNF Plugin Status Discovery" references = [ - "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb", - "https://pwnshift.github.io/2020/10/01/persistence.html" + "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb", + "https://pwnshift.github.io/2020/10/01/persistence.html", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] risk_score = 21 rule_id = "78390eb5-c838-4c1d-8240-69dd7397cfb7" @@ -54,6 +55,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "grep" and process.args : "plugins*" and process.args : ( 
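Review bot: The Metasploit module link that hunk `@@ -17,8 +17,9 @@` re-adds to `references` in rules/linux/discovery_yum_dnf_plugin_detection.toml points at the host `github.com`, which does not look like the project's canonical repository host. Rule references are opened by analysts during triage, so each should resolve to the original publisher rather than a mirror or rewriting proxy whose content the rule authors do not control. If the committed file really carries this host and it is not an artifact of how this page was rendered, change the entry to the upstream repository URL, ideally pinned to a commit instead of `master` so the cited module cannot change underneath the rule. The same host appears in the unchanged PayloadsAllTheThings entry of rules/linux/execution_shell_via_udp_cli_utility_linux.toml.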
@@ -62,15 +64,17 @@ process.name == "grep" and process.args : "plugins*" and process.args : ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml index 205b2b1e18a..6dd51edc00b 100644 --- a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml +++ b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -19,7 +19,10 @@ index = ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*" language = "eql" license = "Elastic License v2" name = "Network Connection from Binary with RWX Memory Region" -references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"] +references = [ + "https://man7.org/linux/man-pages/man2/mprotect.2.html", + "https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd", +] risk_score = 47 rule_id = "32300431-c2d5-432d-8ec8-0e03f9924756" setup = """## Setup diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index 648294234e5..d3fb45fdd5f 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/06" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -87,6 +87,7 @@ references = [ "https://gtfobins.github.io/gtfobins/byebug/", "https://gtfobins.github.io/gtfobins/git/", "https://gtfobins.github.io/gtfobins/ftp/", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] risk_score = 47 rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0" diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml index 789d77cf14f..c279ac88981 100644 --- a/rules/linux/execution_shell_via_meterpreter_linux.toml +++ b/rules/linux/execution_shell_via_meterpreter_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/10" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -16,6 +16,10 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Potential Meterpreter Reverse Shell" +references = [ + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", + "https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd", +] risk_score = 47 rule_id = "5c895b4f-9133-4e68-9e23-59902175355c" setup = """## Setup diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml index 0a453512b3b..e4c42a2a178 100644 --- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/04" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -19,6 +19,8 @@ license = "Elastic License v2" name = "Potential Reverse Shell via UDP" references = [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", + "https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd", ] risk_score = 47 rule_id = "a5eb21b7-13cc-4b94-9fe2-29bb2914e037" diff --git a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml index 35f4658247f..72ddcdf21c0 100644 --- a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml +++ b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -18,7 +18,10 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Unknown Execution of Binary with RWX Memory Region" -references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"] +references = [ + "https://man7.org/linux/man-pages/man2/mprotect.2.html", + "https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd", +] risk_score = 47 rule_id = "23bcd283-2bc0-4db2-81d4-273fc051e5c0" setup = """## Setup @@ -58,19 +61,20 @@ event.category:process and host.os.type:linux and auditd.data.syscall:mprotect a ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" 
@@ -79,7 +83,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml index 3e1ab66f57e..129eef327c6 100644 --- a/rules/linux/persistence_apt_package_manager_execution.toml +++ b/rules/linux/persistence_apt_package_manager_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/09" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -18,6 +18,7 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Suspicious APT Package Manager Execution" +references = ["https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"] risk_score = 47 rule_id = "ad959eeb-2b7b-4722-ba08-a45f6622f005" setup = """## Setup 
@@ -75,50 +76,48 @@ sequence by host.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -126,3 +125,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_apt_package_manager_file_creation.toml b/rules/linux/persistence_apt_package_manager_file_creation.toml index 25ba3771ac3..0ff8b8a97d1 100644 --- a/rules/linux/persistence_apt_package_manager_file_creation.toml +++ b/rules/linux/persistence_apt_package_manager_file_creation.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/09" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -18,7 +18,10 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "APT Package Manager Configuration File Creation" -references = ["https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html"] +references = [ + "https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] risk_score = 47 rule_id = "7c2e1297-7664-42bc-af11-6d5d35220b6b" setup = """## Setup @@ -57,6 +60,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : "/etc/apt/apt.conf.d/*" and not ( @@ -84,34 +88,34 @@ file.path : "/etc/apt/apt.conf.d/*" and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -119,3 +123,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml index 212eef6dbac..4fbac8005de 100644 --- a/rules/linux/persistence_apt_package_manager_netcon.toml +++ b/rules/linux/persistence_apt_package_manager_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -18,6 +18,7 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Suspicious APT Package Manager Network Connection" +references = ["https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"] risk_score = 47 rule_id = "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c" setup = """## Setup @@ -77,34 +78,34 @@ sequence by host.id with maxspan=5s ] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -112,7 +113,6 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -120,3 +120,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_at_job_creation.toml b/rules/linux/persistence_at_job_creation.toml index 765b41883a3..cebef39e692 100644 --- a/rules/linux/persistence_at_job_creation.toml +++ b/rules/linux/persistence_at_job_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/31" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -17,6 +17,7 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "At Job Created or Modified" +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 47 rule_id = "84755a05-78c8-4430-8681-89cd6c857d71" setup = """## Setup @@ -56,6 +57,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/*" and not ( 
@@ -78,56 +80,56 @@ event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/* ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml index 456ee59213e..144d4f96aee 100644 --- a/rules/linux/persistence_cron_job_creation.toml +++ b/rules/linux/persistence_cron_job_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [transform] [[transform.osquery]] 
@@ -135,6 +135,7 @@ This rule monitors the creation of cron jobs by monitoring for file creation and """ references = [ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", ] risk_score = 47 rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9" diff --git a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml index 0592e8ee083..00531a50ec6 100644 --- a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml +++ b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/09" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -18,7 +18,10 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "DNF Package Manager Plugin File Creation" -references = ["https://pwnshift.github.io/2020/10/01/persistence.html"] +references = [ + "https://pwnshift.github.io/2020/10/01/persistence.html", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] risk_score = 21 rule_id = "3fe4e20c-a600-4a86-9d98-3ecb1ef23550" setup = """## Setup @@ -58,6 +61,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/*") and not ( 
@@ -81,34 +85,34 @@ file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/* ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -116,3 +120,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index 49a478b6814..b9ef7388dae 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/21" +updated_date = "2024/09/23" [transform] [[transform.osquery]] 
@@ -136,6 +136,8 @@ This rule monitors for the creation of the most common system-wide configuration references = [ "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] risk_score = 47 rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042" diff --git a/rules/linux/persistence_git_hook_execution.toml b/rules/linux/persistence_git_hook_execution.toml index 3c2a8be6285..74aeb658187 100644 --- a/rules/linux/persistence_git_hook_execution.toml +++ b/rules/linux/persistence_git_hook_execution.toml @@ -2,21 +2,24 @@ creation_date = "2024/07/15" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/15" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ This rule detects the execution of a potentially malicious process from a Git hook. Git hooks are scripts that Git -executes before or after events such as: commit, push, and receive. An attacker can abuse Git hooks to execute -arbitrary commands on the system and establish persistence. +executes before or after events such as: commit, push, and receive. An attacker can abuse Git hooks to execute arbitrary +commands on the system and establish persistence. """ from = "now-9m" index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Git Hook Command Execution" -references = ["https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git"] +references = [ + "https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] risk_score = 47 rule_id = "dc61f382-dc0c-4cc0-a845-069f2a071704" setup = """## Setup 
@@ -55,6 +58,7 @@ tags = [ "Data Source: Elastic Defend", ] type = "eql" + query = ''' sequence by host.id with maxspan=3s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -65,9 +69,9 @@ sequence by host.id with maxspan=3s process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -78,29 +82,28 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -108,3 +111,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_git_hook_file_creation.toml b/rules/linux/persistence_git_hook_file_creation.toml index 6b2db4215ac..7222f3faf3b 100644 --- a/rules/linux/persistence_git_hook_file_creation.toml +++ b/rules/linux/persistence_git_hook_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/26" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -17,7 +17,10 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Git Hook Created or Modified" -references = ["https://git-scm.com/docs/githooks/2.26.0"] +references = [ + "https://git-scm.com/docs/githooks/2.26.0", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] risk_score = 21 rule_id = "ac531fcc-1d3b-476d-bbb5-1357728c9a37" setup = """## Setup @@ -57,6 +60,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "creation" and file.path : "*.git/hooks/*" and file.extension == null and process.executable != null and not ( @@ -77,9 +81,9 @@ file.extension == null and process.executable != null and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -90,29 +94,28 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -120,3 +123,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_git_hook_netcon.toml b/rules/linux/persistence_git_hook_netcon.toml index 9ff0fd8a717..9e7e71207fd 100644 --- a/rules/linux/persistence_git_hook_netcon.toml 
+++ b/rules/linux/persistence_git_hook_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/15" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/15" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -17,7 +17,10 @@ index = ["logs-endpoint.events.process*", "logs-endpoint.events.network*"] language = "eql" license = "Elastic License v2" name = "Git Hook Egress Network Connection" -references = ["https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git"] +references = [ + "https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] risk_score = 47 rule_id = "9822c5a1-1494-42de-b197-487197bb540c" setup = """## Setup @@ -56,6 +59,7 @@ tags = [ "Data Source: Elastic Defend", ] type = "eql" + query = ''' sequence by host.id with maxspan=3s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -73,9 +77,9 @@ sequence by host.id with maxspan=3s ] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -86,29 +90,28 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -116,3 +119,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_git_hook_process_execution.toml b/rules/linux/persistence_git_hook_process_execution.toml index 8caf97ff310..106d3ee1d5a 100644 --- a/rules/linux/persistence_git_hook_process_execution.toml +++ b/rules/linux/persistence_git_hook_process_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/26" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -17,7 +17,10 @@ index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Git Hook Child Process" -references = ["https://git-scm.com/docs/githooks/2.26.0"] +references = [ + "https://git-scm.com/docs/githooks/2.26.0", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] risk_score = 21 rule_id = "7ce5e1c7-6a49-45e6-a101-0720d185667f" setup = """## Setup @@ -57,6 +60,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in ( "applypatch-msg", "commit-msg", "fsmonitor-watchman", "post-update", "post-checkout", "post-commit", @@ -73,9 +77,9 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) and not process.name in ("git", "dirname") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
@@ -86,29 +90,28 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -116,3 +119,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index ef21a58c38f..7b02bcdfb3c 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/21" +updated_date = "2024/09/23" [transform] [[transform.osquery]] @@ -30,6 +30,7 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ 
@@ -109,6 +110,7 @@ references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] risk_score = 21 rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b" @@ -149,6 +151,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event") and file.path : "/etc/init.d/*" and not ( @@ -172,15 +175,17 @@ and file.path : "/etc/init.d/*" and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index e3e716a8fd4..a292105787d 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/06" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/09/23" [transform] [[transform.osquery]] 
@@ -151,6 +151,7 @@ references = [ "https://userbase.kde.org/System_Settings/Autostart", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", ] risk_score = 47 rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3" diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index cf4f8a430af..ef29d7ff160 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/07" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [transform] [[transform.osquery]] @@ -87,6 +87,7 @@ This rule identifies the usage of the `usermod` command to set a user's UID to 0 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 47 rule_id = "494ebba4-ecb7-4be4-8c6f-654c686549ad" setup = """## Setup diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml index be5b7c048d5..0d580e43d19 100644 --- a/rules/linux/persistence_linux_group_creation.toml +++ b/rules/linux/persistence_linux_group_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/13" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [transform] [[transform.osquery]] 
@@ -77,6 +77,7 @@ This rule identifies the usages of `groupadd` and `addgroup` to create new group - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f" setup = """## Setup diff --git a/rules/linux/persistence_linux_user_account_creation.toml b/rules/linux/persistence_linux_user_account_creation.toml index 0806394a0dd..fe3149e23d3 100644 --- a/rules/linux/persistence_linux_user_account_creation.toml +++ b/rules/linux/persistence_linux_user_account_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/13" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [transform] [[transform.osquery]] @@ -76,6 +76,7 @@ This rule identifies the usage of `useradd` and `adduser` to create new accounts - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "edfd5ca9-9d6c-44d9-b615-1e56b920219c" setup = """## Setup diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index d08a4139b9d..259b2283cc7 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/02/13" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [transform] [[transform.osquery]] @@ -79,6 +79,7 @@ This rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "43d6ec12-2b1c-47b5-8f35-e9de65551d3b" setup = """## Setup diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index 585569c5224..a2d5969edc3 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/31" +updated_date = "2024/09/23" [transform] [[transform.osquery]] @@ -30,6 +30,7 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ 
@@ -37,8 +38,8 @@ This rule detects the creation of potentially malicious files within the default day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create -malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing -a backdoor script or command. +malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a +backdoor script or command. """ from = "now-9m" index = ["logs-endpoint.events.file*"] @@ -105,6 +106,7 @@ This rule identifies the creation of new files within the `/etc/update-motd.d/` """ references = [ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] risk_score = 47 rule_id = "96d11d31-9a79-480f-8401-da28b194608f" @@ -144,6 +146,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : "/etc/update-motd.d/*" and not ( @@ -168,15 +171,17 @@ file.path : "/etc/update-motd.d/*" and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml index aff47b44942..bdc886bc4f7 100644 --- a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml +++ b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml @@ -2,15 +2,15 @@ creation_date = "2024/06/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/30" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ -This rule monitors for the addition of an executable bit for scripts that are located in directories which are -commonly abused for persistence. An alert of this rule is an indicator that a persistence mechanism is being set up -within your environment. Adversaries may create these scripts to execute malicious code at start-up, or at a set -interval to gain persistence onto the system. +This rule monitors for the addition of an executable bit for scripts that are located in directories which are commonly +abused for persistence. An alert of this rule is an indicator that a persistence mechanism is being set up within your +environment. Adversaries may create these scripts to execute malicious code at start-up, or at a set interval to gain +persistence onto the system. """ from = "now-9m" index = ["logs-endpoint.events.process*", "endgame-*"] @@ -21,6 +21,7 @@ references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] risk_score = 21 rule_id = "94418745-529f-4259-8d25-a713a6feb6ae" 
@@ -56,10 +57,11 @@ tags = [ "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.args : ( @@ -81,40 +83,42 @@ process.args : ( ) and not process.parent.executable : "/var/lib/dpkg/*" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.013" name = "XDG Autostart Entries" reference = "https://attack.mitre.org/techniques/T1547/013/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_rc_local_error_via_syslog.toml b/rules/linux/persistence_rc_local_error_via_syslog.toml index 17927befe85..6a62b00b786 100644 --- a/rules/linux/persistence_rc_local_error_via_syslog.toml +++ b/rules/linux/persistence_rc_local_error_via_syslog.toml 
@@ -2,16 +2,16 @@ creation_date = "2024/06/21" integration = ["system"] maturity = "production" -updated_date = "2024/06/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ This rule monitors the syslog log file for error messages related to the rc.local process. The rc.local file is a script that is executed during the boot process on Linux systems. Attackers may attempt to modify the rc.local file to execute -malicious commands or scripts during system startup. This rule detects error messages such as "Connection refused," -"No such file or directory," or "command not found" in the syslog log file, which may indicate that the rc.local file -has been tampered with. +malicious commands or scripts during system startup. This rule detects error messages such as "Connection refused," "No +such file or directory," or "command not found" in the syslog log file, which may indicate that the rc.local file has +been tampered with. """ from = "now-9m" index = ["logs-system.syslog-*"] @@ -22,6 +22,7 @@ references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] risk_score = 21 rule_id = "69c116bb-d86f-48b0-857d-3648511a6cac" 
@@ -47,33 +48,31 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "query" + query = ''' host.os.type:linux and event.dataset:system.syslog and process.name:rc.local and message:("Connection refused" or "No such file or directory" or "command not found") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_rc_local_service_already_running.toml b/rules/linux/persistence_rc_local_service_already_running.toml index 55ce9d6dfb7..0027fc21226 100644 --- a/rules/linux/persistence_rc_local_service_already_running.toml +++ b/rules/linux/persistence_rc_local_service_already_running.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -24,6 +24,7 @@ references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] risk_score = 47 rule_id = "7318affb-bfe8-4d50-a425-f617833be160" @@ -58,29 +59,32 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and process.parent.args == "/etc/rc.local" and process.parent.args == "start" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index cd66c007748..b1e95625e72 100644 --- a/rules/linux/persistence_rc_script_creation.toml +++ b/rules/linux/persistence_rc_script_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/09/23" [transform] [[transform.osquery]] 
@@ -24,6 +24,7 @@ SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ @@ -101,6 +102,7 @@ references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] risk_score = 47 rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f" @@ -165,20 +167,22 @@ file.path in ("/etc/rc.local", "/etc/rc.common") and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_shell_configuration_modification.toml b/rules/linux/persistence_shell_configuration_modification.toml index dac44fc63ad..028902e2099 100644 --- a/rules/linux/persistence_shell_configuration_modification.toml +++ b/rules/linux/persistence_shell_configuration_modification.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -18,7 +18,10 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Shell Configuration Creation or Modification" -references = ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"] +references = [ + "https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", +] risk_score = 47 rule_id = "28f6f34b-8e16-487a-b5fd-9d22eb903db8" setup = """## Setup @@ -52,10 +55,11 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( // system-wide configurations @@ -95,20 +99,22 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.004" name = "Unix Shell Configuration Modification" reference = "https://attack.mitre.org/techniques/T1546/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_ssh_key_generation.toml b/rules/linux/persistence_ssh_key_generation.toml index f3f0f036024..39724968b1a 100644 --- a/rules/linux/persistence_ssh_key_generation.toml +++ b/rules/linux/persistence_ssh_key_generation.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/08" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -17,6 +17,7 @@ index = ["logs-endpoint.events.file*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "SSH Key Generated via ssh-keygen" +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "7df3cb8b-5c0c-4228-b772-bb6cd619053c" severity = "low" @@ -31,54 +32,56 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and process.executable == "/usr/bin/ssh-keygen" and file.path : ("/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*") and not file.name : "known_hosts.*" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.004" name = "SSH Authorized Keys" reference = "https://attack.mitre.org/techniques/T1098/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" + [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" - [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml index 5273d85f306..96c14581eca 100644 
--- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml +++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/03" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -15,7 +15,11 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Execution via XZBackdoor" -references = ["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"] +references = [ + "https://github.com/amlweems/xzbot", + "https://access.redhat.com/security/cve/CVE-2024-3094", + "https://www.elastic.co/security-labs/500ms-to-midnight", +] risk_score = 73 rule_id = "7afc6cc9-8800-4c7f-be6b-b688d2dea248" severity = "high" diff --git a/rules/linux/persistence_systemd_generator_creation.toml b/rules/linux/persistence_systemd_generator_creation.toml index 91fe055173e..b54e71bb37f 100644 --- a/rules/linux/persistence_systemd_generator_creation.toml +++ b/rules/linux/persistence_systemd_generator_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/19" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/19" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -18,7 +18,10 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Systemd Generator Created" -references = ["https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/"] +references = [ + "https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", +] risk_score = 47 rule_id = "39c06367-b700-4380-848a-cab06e7afede" setup = """## Setup 
@@ -53,10 +56,11 @@ tags = [ "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( "/run/systemd/system-generators/*", "/etc/systemd/system-generators/*", @@ -81,38 +85,39 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml index 3e772d3115e..311211a1fb0 100644 --- a/rules/linux/persistence_systemd_scheduled_timer_created.toml +++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/09/23" [transform] [[transform.osquery]] 
@@ -12,11 +12,11 @@ query = "SELECT * FROM file WHERE path = {{file.path}}" [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' -OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' -OR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' -OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE -'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%') +SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE +'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE +'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE +'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR +path LIKE '/usr/lib/systemd/user/%') """ [[transform.osquery]] 
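Review bot: `{{user.name}}` is interpolated inside single-quoted LIKE patterns in this query, for example `'/home/{{user.name}}/.config/systemd/user/%'`, and nothing in the hunk says how the substituted value is escaped. The placeholder is presumably filled from the alert's `user.name` field, so a value containing `'`, `%` or `_` would change the pattern that osquery evaluates. I would add a comment above `query`, such as `# {{user.name}} lands inside a quoted LIKE pattern; the substitution layer must escape ' % and _`, or confirm the escaping where the template is rendered. The same pattern appears in the `@@ -27,9 +27,9 @@` hunk of this file and in both reflowed query hunks of `persistence_systemd_service_creation.toml`. The `[[transform.osquery]]` table continues outside the hunk.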
@@ -27,9 +27,9 @@ file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path -LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' -OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE -'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%') +LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path +LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' +OR path LIKE '/usr/lib/systemd/user/%') """ [[transform.osquery]] @@ -40,6 +40,7 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ @@ -115,6 +116,7 @@ This rule monitors the creation of new systemd timer files, potentially indicati references = [ "https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", ] risk_score = 21 rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c" @@ -154,6 +156,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( "/etc/systemd/system/*", "/etc/systemd/user/*", "/usr/local/lib/systemd/system/*", 
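Review bot: The reflow in the `@@ -27,9 +27,9 @@` hunk moves line breaks inside the `"""` value of `query`, so the string handed to osquery is no longer byte-identical, although the commit is described as adding blog references. In the new text every break falls between SQL tokens (for example after `OR path`), so the statement reads the same. A wrap landing inside a quoted literal such as `'/usr/lib/systemd/user/%'` would silently change the path pattern. If a formatter produced this, I would exclude `query` values from it, or add `# keep line breaks outside quoted literals; do not auto-wrap` above the key. The `@@ -12,11 +12,11 @@` hunk of this file and the two matching hunks in `persistence_systemd_service_creation.toml` are reflowed the same way.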
@@ -184,20 +187,22 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.006" name = "Systemd Timers" reference = "https://attack.mitre.org/techniques/T1053/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml index e5b77cf1a24..2833777b7dd 100644 --- a/rules/linux/persistence_systemd_service_creation.toml +++ b/rules/linux/persistence_systemd_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/09/23" [transform] [[transform.osquery]] 
@@ -12,11 +12,11 @@ query = "SELECT * FROM file WHERE path = {{file.path}}" [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' -OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' -OR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' -OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE -'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%') +SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE +'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE +'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE +'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR +path LIKE '/usr/lib/systemd/user/%') """ [[transform.osquery]] 
@@ -27,9 +27,9 @@ file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path -LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' -OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE -'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%') +LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path +LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' +OR path LIKE '/usr/lib/systemd/user/%') """ [[transform.osquery]] @@ -56,6 +56,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ @@ -144,6 +145,7 @@ This rule monitors the creation of new systemd service files, potentially indica """ references = [ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", ] risk_score = 47 rule_id = "17b0a495-4d9f-414c-8ad0-92f018b8e001" 
@@ -179,10 +181,11 @@ tags = [ "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( "/etc/systemd/system/*", "/etc/systemd/user/*", "/usr/local/lib/systemd/system/*", @@ -215,38 +218,39 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/persistence_systemd_service_started.toml b/rules/linux/persistence_systemd_service_started.toml index 505f5f00c3b..5c7ffea2221 100644 --- a/rules/linux/persistence_systemd_service_started.toml +++ b/rules/linux/persistence_systemd_service_started.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/17" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [transform] [[transform.osquery]] 
@@ -135,6 +135,7 @@ This rule monitors the execution of the systemctl binary to start, enable or ree references = [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", ] risk_score = 47 rule_id = "b605f262-f7dc-41b5-9ebc-06bafe7a83b6" diff --git a/rules/linux/persistence_udev_rule_creation.toml b/rules/linux/persistence_udev_rule_creation.toml index 5b9acb7f718..df2279c94f1 100644 --- a/rules/linux/persistence_udev_rule_creation.toml +++ b/rules/linux/persistence_udev_rule_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -17,6 +17,7 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Systemd-udevd Rule File Creation" +references = ["https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"] risk_score = 21 rule_id = "054db96b-fd34-43b3-9af2-587b3bd33964" setup = """## Setup @@ -51,10 +52,11 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and process.executable != null and file.extension == "rules" and 
@@ -82,20 +84,22 @@ file.path : ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" -[[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_user_or_group_creation_or_modification.toml b/rules/linux/persistence_user_or_group_creation_or_modification.toml index a8f2d3bb912..3c1f2b7696b 100644 --- a/rules/linux/persistence_user_or_group_creation_or_modification.toml +++ b/rules/linux/persistence_user_or_group_creation_or_modification.toml @@ -2,19 +2,20 @@ creation_date = "2024/06/20" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/07/11" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ This rule leverages the `auditd_manager` integration to detect user or group creation or modification events on Linux -systems. Threat actors may attempt to create or modify users or groups to establish persistence on the system. +systems. Threat actors may attempt to create or modify users or groups to establish persistence on the system. """ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "User or Group Creation/Modification" +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "fcf733d5-7801-4eb0-92ac-8ffacf3658f2" setup = """## Setup 
@@ -66,25 +67,28 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' iam where host.os.type == "linux" and event.type in ("creation", "change") and auditd.result == "success" and event.action in ("changed-password", "added-user-account", "added-group-account-to") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_user_password_change.toml b/rules/linux/persistence_user_password_change.toml index 6c0185b9900..ec53be1c324 100644 --- a/rules/linux/persistence_user_password_change.toml +++ b/rules/linux/persistence_user_password_change.toml @@ -2,20 +2,21 @@ creation_date = "2024/07/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/05" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ This rule monitors for Linux Shadow file modifications. These modifications are indicative of a potential password -change or user addition event. Threat actors may attempt to create new users or change the password of a user -account to maintain access to a system. +change or user addition event. Threat actors may attempt to create new users or change the password of a user account to +maintain access to a system. """ from = "now-9m" index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Shadow File Modification" +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "cdf1a39b-1ca5-4e2a-9739-17fc4d026029" setup = """## Setup 
@@ -51,37 +52,39 @@ tags = [ "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.path == "/etc/shadow" and file.Ext.original.path != null ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/persistence_xdg_autostart_netcon.toml b/rules/linux/persistence_xdg_autostart_netcon.toml index b7bfd566e04..f9a8948444a 100644 --- a/rules/linux/persistence_xdg_autostart_netcon.toml +++ b/rules/linux/persistence_xdg_autostart_netcon.toml 
@@ -2,15 +2,15 @@ creation_date = "2024/06/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ -Detects network connections initiated through Cross-Desktop Group (XDG) autostart entries for GNOME and XFCE-based -Linux distributions. XDG Autostart entries can be used to execute arbitrary commands or scripts when a user logs in. -This rule helps to identify potential malicious activity where an attacker may have modified XDG autostart scripts -to establish persistence on the system. +Detects network connections initiated through Cross-Desktop Group (XDG) autostart entries for GNOME and XFCE-based Linux +distributions. XDG Autostart entries can be used to execute arbitrary commands or scripts when a user logs in. This rule +helps to identify potential malicious activity where an attacker may have modified XDG autostart scripts to establish +persistence on the system. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -18,8 +18,9 @@ language = "eql" license = "Elastic License v2" name = "Network Connections Initiated Through XDG Autostart Entry" references = [ - "https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html", - "https://hadess.io/the-art-of-linux-persistence/" + "https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html", + "https://hadess.io/the-art-of-linux-persistence/", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", ] risk_score = 47 rule_id = "dd52d45a-4602-4195-9018-ebe0f219c273" @@ -69,10 +70,11 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( 
@@ -96,20 +98,22 @@ sequence by host.id, process.entity_id with maxspan=1s ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.013" name = "XDG Autostart Entries" reference = "https://attack.mitre.org/techniques/T1547/013/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml index 7bb523abc9c..59930d14b24 100644 --- a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml +++ b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml @@ -2,12 +2,12 @@ creation_date = "2024/06/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/09" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ -Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, +Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued 
@@ -18,7 +18,10 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Yum Package Manager Plugin File Creation" -references = ["https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb"] +references = [ + "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] risk_score = 21 rule_id = "0b15bcad-aff1-4250-a5be-5d1b7eb56d07" setup = """## Setup @@ -57,6 +60,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ("/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*") and not ( @@ -81,34 +85,34 @@ file.path : ("/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*") and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -116,3 +120,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml index b846122f6e5..2423ff06061 100644 --- a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml +++ b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/17" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/17" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -17,7 +17,10 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via SUID/SGID" -references = ["https://gtfobins.github.io/#+suid"] +references = [ + "https://gtfobins.github.io/#+suid", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", +] risk_score = 47 rule_id = "28eb3afe-131d-48b0-a8fc-9784f3d54f3c" setup = """## Setup @@ -47,15 +50,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Persistence", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( (process.user.id == "0" and process.real_user.id != "0") or 
@@ -91,9 +95,9 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -103,17 +107,17 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -121,3 +125,4 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml index 1f9c23cd593..c188f2396b4 100644 --- a/rules/linux/privilege_escalation_sudo_hijacking.toml +++ b/rules/linux/privilege_escalation_sudo_hijacking.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/03" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -16,7 +16,10 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Potential Sudo Hijacking" -references = ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"] +references = [ + "https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] risk_score = 47 rule_id = "88fdcb8c-60e5-46ee-9206-2663adf1b1ce" setup = """## Setup 
@@ -55,6 +58,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("creation", "rename") and file.path in ("/usr/bin/sudo", "/bin/sudo") and not ( @@ -76,33 +80,34 @@ file.path in ("/usr/bin/sudo", "/bin/sudo") and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml index c597f0d3fe8..ba4a84be2bd 100644 --- a/rules/macos/persistence_emond_rules_process_execution.toml +++ b/rules/macos/persistence_emond_rules_process_execution.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -16,7 +16,10 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Emond Child Process" -references = ["https://www.xorrior.com/emond-persistence/"] +references = [ + "https://www.xorrior.com/emond-persistence/", + "https://www.elastic.co/security-labs/handy-elastic-tools-for-the-enthusiastic-detection-engineer", +] risk_score = 47 rule_id = "3e3d15c6-1509-479a-b125-21718372157e" setup = """## Setup 
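Review bot: The reference added to the emond rule in the `@@ -16,7 +16,10 @@` hunk, `https://www.elastic.co/security-labs/handy-elastic-tools-for-the-enthusiastic-detection-engineer`, looks from its slug like a general tooling article rather than material on emond persistence. An analyst triaging a "Suspicious Emond Child Process" alert follows these links for technique context, so it is worth confirming that the post actually discusses this rule or technique. If it is only general background, a comment above the URL such as `# general detection-engineering background, not emond-specific` would say so. The existing `https://www.xorrior.com/emond-persistence/` entry should stay first as the technique-specific source.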
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index 9c69091a8f2..84b949641fe 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -47,7 +47,10 @@ These steps are usually done in preparation for exfiltration, meaning the attack - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"] +references = [ + "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/", + "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry", +] risk_score = 47 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21" setup = """## Setup diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index b1edfe82939..7efd26eeec8 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml 
@@ -2,9 +2,40 @@ creation_date = "2020/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/09" +updated_date = "2024/09/23" [transform] +[[transform.investigate]] +label = "Alerts associated with the user in the last 48h" +providers = [ + [ + { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" }, + { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" } + ] +] +relativeFrom = "now-48h/h" +relativeTo = "now" + +[[transform.investigate]] +label = "Alerts associated with the host in the last 48h" +providers = [ + [ + { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" }, + { excluded = false, field = "host.name", queryType = "phrase", value = "{{host.name}}", valueType = "string" } + ] +] +relativeFrom = "now-48h/h" +relativeTo = "now" + +[[transform.investigate]] +label = "Investigate the Subject Process Network Events" +providers = [ + [ + { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }, + { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" } + ] +] + [[transform.osquery]] label = "Osquery - Retrieve DNS Cache" query = "SELECT * FROM dns_cache" 
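Review bot: The third `[[transform.investigate]]` entry moved into this hunk, "Investigate the Subject Process Network Events", has no `relativeFrom`/`relativeTo`, while the two entries above it are bounded with `relativeFrom = "now-48h/h"` and `relativeTo = "now"`. The file does not say whether this is deliberate, although it may be, since `process.entity_id` already narrows the pivot to one process. Either add the same two keys or put a short comment above `providers` stating the intent, for example `# no time bounds: process.entity_id already scopes this to a single process`. The entry was moved rather than newly written, so this is a point to settle while the block is being touched.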
@@ -29,38 +60,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ -[[transform.investigate]] -label = "Alerts associated with the user in the last 48h" -relativeFrom = "now-48h/h" -relativeTo = "now" -providers = [ - [ - {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"}, - {field = "user.id", excluded = false, queryType = "phrase", value = "{{user.id}}", valueType = "string"} - ] -] - - -[[transform.investigate]] -label = "Alerts associated with the host in the last 48h" -relativeFrom = "now-48h/h" -relativeTo = "now" -providers = [ - [ - {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"}, - {field = "host.name", excluded = false, queryType = "phrase", value = "{{host.name}}", valueType = "string"} - ] -] - -[[transform.investigate]] -label = "Investigate the Subject Process Network Events" -providers = [ - [ - {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.entity_id}}", valueType = "string"}, - {field = "event.category", excluded = false, queryType = "phrase", value = "network", valueType = "string"} - ] -] - [rule] author = ["Elastic"] 
@@ -128,10 +127,21 @@ This rule looks for processes outside known legitimate program locations communi - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = [ +"https://www.elastic.co/security-labs/operation-bleeding-bear", +"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry" +] risk_score = 21 rule_id = "66883649-f908-4a5b-a1e0-54090a1d3a32" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -286,7 +296,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and "Cisco Systems, Inc.", "Dropbox, Inc", "Amazon.com Services LLC")) - ) + ) ''' @@ -301,11 +311,12 @@ reference = "https://attack.mitre.org/techniques/T1102/" id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" +[[rule.threat.technique.subtechnique]] +id = "T1568.002" +name = "Domain Generation Algorithms" +reference = "https://attack.mitre.org/techniques/T1568/002/" + - [[rule.threat.technique.subtechnique]] - id = "T1568.002" - name = "Domain Generation Algorithms" - reference = "https://attack.mitre.org/techniques/T1568/002/" [rule.threat.tactic] id = "TA0011" diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml index b05996e519b..8e894002cb4 100644 --- a/rules/windows/credential_access_cmdline_dump_tool.toml 
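Review bot: The `references` array added in the `@@ -128,10 +127,21 @@` hunk has unindented elements and no trailing comma on the last URL. The `tags` array rewritten a few lines below it in the same hunk, and the reference lists this commit touches in the Linux rules, are indented and comma-terminated. Suggest indenting both URLs and ending the list with a comma, e.g. `"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",`. The same unindented form appears in the `references` block added to `defense_evasion_from_unusual_directory.toml`. The lists extended in `defense_evasion_defender_exclusion_via_powershell.toml` and `defense_evasion_disabling_windows_defender_powershell.toml` also end without a trailing comma. These files were presumably hand-edited after the last formatter pass, and running the formatter again would keep future reference additions to a one-line diff.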
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/08/07" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -55,7 +55,10 @@ This rule looks for the execution of utilities that can extract credential data - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = ["https://lolbas-project.github.io/"] +references = [ + "https://lolbas-project.github.io/", + "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", +] risk_score = 73 rule_id = "00140285-b827-4aee-aa09-8113f58a08f3" setup = """## Setup diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index 9d059bfe2d7..1ce0f190355 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/08/07" +updated_date = "2024/09/23" [transform] [[transform.osquery]] @@ -108,6 +108,7 @@ references = [ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://www.elastic.co/security-labs/detect-credential-access", + "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry", ] risk_score = 73 rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f" 
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml index ad74216afe7..41e1120be0b 100644 --- a/rules/windows/credential_access_dcsync_replication_rights.toml +++ b/rules/windows/credential_access_dcsync_replication_rights.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/08/07" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -60,6 +60,7 @@ references = [ "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync", + "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry", ] risk_score = 73 rule_id = "9f962927-1a4f-45f3-a57b-287f2c7029c1" diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml index ad39fc43cbb..663b7605067 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/07" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -18,6 +18,7 @@ name = "Potential Credential Access via LSASS Memory Dump" references = [ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://www.elastic.co/security-labs/detect-credential-access", + "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", ] risk_score = 73 rule_id = "9960432d-9b26-409f-972b-839a959e79e2" diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index f19adef7747..f860425b844 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/08/07" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -53,6 +53,7 @@ This rule looks for the execution of the `wevtutil.exe` utility or the `Clear-Ev - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = ["https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"] risk_score = 21 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61" setup = """## Setup diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index 57c27fe3ae2..d3eb6f48b35 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml 
@@ -2,7 +2,7 @@
 creation_date = "2021/07/20"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -70,6 +70,9 @@ Microsoft Windows Defender is an antivirus product built into Microsoft Windows.
 """
 references = [
 "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf",
+ "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign",
+ "https://www.elastic.co/security-labs/operation-bleeding-bear",
+ "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"
 ]
 risk_score = 47
 rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b"
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index 0142c7a465f..a5babe6d6d3 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -58,6 +58,8 @@ This rule monitors the execution of commands that can tamper the Windows Defende
 """
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps",
+ "https://www.elastic.co/security-labs/operation-bleeding-bear",
+ "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"
 ]
 risk_score = 47
 rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87"
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml
index 883950cadae..c7d5deb8ba1 100644
--- a/rules/windows/defense_evasion_from_unusual_directory.toml
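Review bot: The last entry added to `references` in defense_evasion_defender_exclusion_via_powershell.toml has no trailing comma, while the existing entry above it and most lists touched by this patch end every element with one. The same happens in defense_evasion_disabling_windows_defender_powershell.toml, defense_evasion_from_unusual_directory.toml (where the added URLs are also unindented) and lateral_movement_direct_outbound_smb_connection.toml. Both forms are valid TOML, so this is style only, but the mixed layout means the next appended reference has to touch two lines instead of one. I would write the final element as `"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine",` and, if the repository has a TOML formatter, run it over the touched rules so all four lists match the rest.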
+++ b/rules/windows/defense_evasion_from_unusual_directory.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -102,6 +102,10 @@ This rule identifies processes that are executed from suspicious default Windows
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = [
+"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine",
+"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"
+]
 risk_score = 47
 rule_id = "ebfe1448-7fac-4d59-acea-181bd89b1f7f"
 setup = """## Setup
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index c4832f2ec1e..dca4f49ea9e 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -102,6 +102,7 @@ references = [
 "https://twitter.com/SBousseaden/status/1235533224337641473",
 "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
 "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/",
+ "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign",
 ]
 risk_score = 47
 rule_id = "6ea41894-66c3-4df7-ad6b-2c5074eb3df8"
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index ee2732a0629..4d9a24bf4ad 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/09/23"
 [rule]
 author = ["Austin Songer"]
@@ -62,6 +62,7 @@ references = [
 "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html",
 "https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html",
 "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html",
+ "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine",
 ]
 risk_score = 47
 rule_id = "fe794edd-487f-4a90-b285-3ee54f2af2d3"
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 16ce875c645..45747d454c5 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,9 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Mshta Making Network Connections"
+references = [
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
+]
 risk_score = 47
 rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
 severity = "medium"
diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
index 84aecaea7c3..6cdf87d08fc 100644
--- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
+++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,10 @@ index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Parent Process PID Spoofing"
-references = ["https://blog.didierstevens.com/2017/03/20/"]
+references = [
+ "https://blog.didierstevens.com/2017/03/20/",
+ "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit",
+]
 risk_score = 73
 rule_id = "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2"
 severity = "high"
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index 3842a423466..c2e3ee568ba 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -103,6 +103,7 @@ references = [
 "https://twitter.com/egre55/status/1087685529016193025",
 "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx",
 "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
+ "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
 ]
 risk_score = 47
 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf"
diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
index 052d4bb6f3d..17af2ccdeeb 100644
--- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
+++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/11/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,9 @@ index = ["logs-endpoint.events.library-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unsigned DLL Side-Loading from a Suspicious Folder"
+references = [
+ "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
+]
 risk_score = 47
 rule_id = "ca98c7cf-a56e-4057-a4e8-39603f7f0389"
 setup = """## Setup
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index 782d47629ee..b9e98348ed5 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -98,6 +98,10 @@ This rule looks for the execution of scripts from unusual directories. Attackers
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = [
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
+]
 risk_score = 47
 rule_id = "cff92c41-2225-4763-b4ce-6f71e5bda5e6"
 setup = """## Setup
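Review bot: The reference added in defense_evasion_unsigned_dll_loaded_from_suspdir.toml uses a mixed-case slug, `security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion`, whereas every other Security Labs URL in this patch is lowercase; persistence_service_dll_unsigned.toml adds the same string. URL paths can be case-sensitive, so the link should be opened once to confirm it resolves and, if the canonical form is lowercase, written that way in both rules. These entries are what an analyst follows while triaging an alert, so a dead reference is a usability defect in the rule rather than a cosmetic one. An automated link check over `references` would catch this, if the repository does not already run one.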
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index afa9ece3f6d..970a63b9847 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -23,6 +23,7 @@ license = "Elastic License v2"
 name = "Outbound Scheduled Task Activity via PowerShell"
 references = [
 "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
 ]
 risk_score = 47
 rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded"
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index 6c9dd403656..57bde7b254d 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,10 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Cmd Execution via WMI"
+references = [
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
+ "https://www.elastic.co/security-labs/operation-bleeding-bear",
+]
 risk_score = 47
 rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a"
 setup = """## Setup
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index 04bf6f51e73..9a59c84b8db 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -58,6 +58,7 @@ Attackers can use PowerShell without having to execute `PowerShell.exe` directly
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = ["https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit"]
 risk_score = 47
 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3"
 severity = "medium"
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index 54732f29f89..e0af096a22a 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -65,6 +65,7 @@ This rule looks for the spawn of the `powershell.exe` process with `cscript.exe`
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = ["https://www.elastic.co/security-labs/operation-bleeding-bear"]
 risk_score = 21
 rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc"
 setup = """## Setup
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 6face005472..71e80066c1e 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -2,8 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/07"
-
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -34,7 +33,11 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 [rule]
 author = ["Elastic"]
 description = """
-Identifies potentially suspicious processes that are not trusted or living-off-the-land binaries (LOLBin) making Server Message Block (SMB) network connections over port 445. Windows File Sharing is typically implemented over SMB, which communicates between hosts using port 445. Legitimate connections are generally established by the kernel (PID 4). This rule helps to detect processes that might be port scanners, exploits, or user-level processes attempting lateral movement within the network by leveraging SMB connections.
+Identifies potentially suspicious processes that are not trusted or living-off-the-land binaries (LOLBin) making Server
+Message Block (SMB) network connections over port 445. Windows File Sharing is typically implemented over SMB, which
+communicates between hosts using port 445. Legitimate connections are generally established by the kernel (PID 4). This
+rule helps to detect processes that might be port scanners, exploits, or user-level processes attempting lateral
+movement within the network by leveraging SMB connections.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
@@ -95,6 +98,10 @@ This rule looks for unexpected processes or LOLBins making network connections o
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = [
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"
+]
 risk_score = 47
 rule_id = "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1"
 severity = "medium"
diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index f9b06fa6f47..5c039bad93b 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -56,6 +56,10 @@ Adversaries can use network shares to host tooling to support the compromise of
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = [
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
+]
 risk_score = 47
 rule_id = "58bc134c-e8d2-4291-a552-b4b3e537c60b"
 severity = "medium"
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index 44e6569815b..058de4b6475 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/11"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,10 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via TSClient Mountpoint"
-references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"]
+references = [
+ "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
+]
 risk_score = 73
 rule_id = "4fe9d835-40e1-452d-8230-17c147cafad8"
 setup = """## Setup
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index af04a2b7128..b8ee94c421c 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/09/11"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -91,6 +91,7 @@ Adversaries can use network shares to host tooling to support the compromise of
 """
 references = [
 "http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
 ]
 risk_score = 47
 rule_id = "ab75c24b-2502-43a0-bf7c-e60e662c811e"
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index 7246879cb03..ea6733fab44 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ name = "Potential SharpRDP Behavior"
 references = [
 "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
 "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
 ]
 risk_score = 73
 rule_id = "8c81e506-6e82-4884-9b9a-75d3d252f967"
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 1fb1ba34c75..aebc227ae13 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,7 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Copy to a Hidden Share"
+references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"]
 risk_score = 47
 rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d"
 setup = """## Setup
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index da85d66e7cb..cf677477a2c 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -102,6 +102,7 @@ This rule detects the remote creation or start of a service by correlating a `se
 """
 references = [
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f",
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
 ]
 risk_score = 47
 rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650"
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 3d39517673e..43f0b5604e5 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -45,6 +45,7 @@ note = """## Triage and analysis
 - Remove scheduled task and any other related artifacts.
 - Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.
 """
+references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"]
 risk_score = 47
 rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9"
 severity = "medium"
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index b68fdf713de..d7c22ad7b9d 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,10 @@ index = ["logs-endpoint.events.library-*", "winlogbeat-*", "logs-windows.sysmon_
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious RDP ActiveX Client Loaded"
-references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"]
+references = [
+ "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
+]
 risk_score = 47
 rule_id = "71c5cb27-eca5-4151-bb47-64bc3f883270"
 setup = """## Setup
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index 650371712a9..ce5854fca8d 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,10 @@ index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_ope
 language = "eql"
 license = "Elastic License v2"
 name = "Lateral Movement via Startup Folder"
-references = ["https://www.mdsec.co.uk/2017/06/rdpinception/"]
+references = [
+ "https://www.mdsec.co.uk/2017/06/rdpinception/",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
+]
 risk_score = 73
 rule_id = "25224a80-5a4a-4b8a-991e-6ab390465c4f"
 setup = """## Setup
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index b146663bfd9..204561141bc 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -93,6 +93,10 @@ Techniques used within malware and by adversaries often leverage the Windows reg
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = [
+ "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign",
+ "https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader",
+]
 risk_score = 73
 rule_id = "c8b150f0-0164-475b-a75e-74b47800a9ff"
 severity = "high"
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
index 26e1a4dbada..4cea0244e98 100644
--- a/rules/windows/persistence_local_scheduled_task_creation.toml
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,8 @@ name = "Local Scheduled Task Creation"
 references = [
 "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1",
 "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2",
+ "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine",
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
 ]
 risk_score = 21
 rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a"
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 1d66c483ef1..28db6018352 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -98,6 +98,7 @@ Adversaries may achieve persistence by referencing a program with a registry run
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = ["https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign"]
 risk_score = 21
 rule_id = "97fc44d3-8dae-4019-ae83-298c3015600f"
 severity = "low"
diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml
index 4c9bda1fc63..63ce6c7c0e4 100644
--- a/rules/windows/persistence_service_dll_unsigned.toml
+++ b/rules/windows/persistence_service_dll_unsigned.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,9 @@ index = ["logs-endpoint.events.library-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unsigned DLL Loaded by Svchost"
+references = [
+ "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
+]
 risk_score = 47
 rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e"
 severity = "medium"
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index da4b4658921..4368e7ff3e2 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -97,7 +97,10 @@ This rule monitors for commonly abused processes writing to the Startup folder l
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-references = ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"]
+references = [
+ "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1",
+ "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign",
+]
 risk_score = 47
 rule_id = "440e2db4-bc7f-4c96-a068-65b78da59bde"
 setup = """## Setup
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index d74b17c8c9b..55d0dbe261f 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -13,6 +13,9 @@ index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution via Scheduled Task"
+references = [
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
+]
 risk_score = 47
 rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a"
 setup = """## Setup
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index 2dd83bb73f4..b42c758aa0d 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -68,6 +68,7 @@ references = [
 "https://www.greyhathacker.net/?p=796",
 "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings",
 "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview",
+ "https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four",
 ]
 risk_score = 47
 rule_id = "d31f183a-e5b1-451b-8534-ba62bca0b404"
diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
index 5ae2120bc33..86d8647f79b 100644
--- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
+++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -76,6 +76,7 @@ The `sc.exe` command line utility is used to manage and control Windows services
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = ["https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"]
 risk_score = 21
 rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
 severity = "low"
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 437adcb3415..2832d504259 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -100,6 +100,7 @@ This rule uses this information to spot suspicious parent and child processes.
 references = [
 "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png",
 "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/",
+ "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit",
 ]
 risk_score = 47
 rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b"
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index 7f3a1f04b41..caf0ca52a2d 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/07"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ references = [
 "https://www.x86matthew.com/view_post?id=create_svc_rpc",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697",
 "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md",
+ "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
 ]
 risk_score = 73
 rule_id = "55c2bf58-2a39-4c58-a384-c8b1978153c2"
@@ -40,7 +41,13 @@ Audit Security System Extension (Success)
 ```
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: System",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules_building_block/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml
index 10e11ec992a..2b71644a8e7 100644
--- a/rules_building_block/discovery_net_view.toml
+++ b/rules_building_block/discovery_net_view.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -42,6 +42,9 @@ This rule looks for the execution of the `net` utility to enumerate servers in t
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = [
+ "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
+]
 risk_score = 47
 rule_id = "7b8bfc26-81d2-435e-965c-d722ee397ef1"
 setup = """## Setup