[Detection Rules] Add 7.14 rules (#104772) (#105790)

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

Author: FrankHassanabad

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disabling_windows_defender_powershell.json

@@ -0,0 +1,59 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.",
+  "false_positives": [
+    "Planned Windows Defender configuration changes."
+  ],
+  "from": "now-9m",
+  "index": [
+    "winlogbeat-*",
+    "logs-endpoint.events.*",
+    "logs-windows.*"
+  ],
+  "language": "eql",
+  "license": "Elastic License v2",
+  "name": "Disabling Windows Defender Security Settings via PowerShell",
+  "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n",
+  "references": [
+    "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"
+  ],
+  "risk_score": 47,
+  "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87",
+  "severity": "medium",
+  "tags": [
+    "Elastic",
+    "Host",
+    "Windows",
+    "Threat Detection",
+    "Defense Evasion"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1562",
+          "name": "Impair Defenses",
+          "reference": "https://attack.mitre.org/techniques/T1562/",
+          "subtechnique": [
+            {
+              "id": "T1562.001",
+              "name": "Disable or Modify Tools",
+              "reference": "https://attack.mitre.org/techniques/T1562/001/"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "timestamp_override": "event.ingested",
+  "type": "eql",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_enable_network_discovery_with_netsh.json

@@ -0,0 +1,56 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.",
+  "false_positives": [
+    "Host Windows Firewall planned system administration changes."
+  ],
+  "from": "now-9m",
+  "index": [
+    "winlogbeat-*",
+    "logs-endpoint.events.*",
+    "logs-windows.*"
+  ],
+  "language": "eql",
+  "license": "Elastic License v2",
+  "name": "Enable Host Network Discovery via Netsh",
+  "query": "process where event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n",
+  "risk_score": 47,
+  "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09",
+  "severity": "medium",
+  "tags": [
+    "Elastic",
+    "Host",
+    "Windows",
+    "Threat Detection",
+    "Defense Evasion"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1562",
+          "name": "Impair Defenses",
+          "reference": "https://attack.mitre.org/techniques/T1562/",
+          "subtechnique": [
+            {
+              "id": "T1562.001",
+              "name": "Disable or Modify Tools",
+              "reference": "https://attack.mitre.org/techniques/T1562/001/"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "timestamp_override": "event.ingested",
+  "type": "eql",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_windefend_unusual_path.json

@@ -0,0 +1,59 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.",
+  "false_positives": [
+    "Microsoft Antimalware Service Executable installed on non default installation path."
+  ],
+  "from": "now-9m",
+  "index": [
+    "winlogbeat-*",
+    "logs-endpoint.events.*",
+    "logs-windows.*"
+  ],
+  "language": "eql",
+  "license": "Elastic License v2",
+  "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
+  "query": "process where event.type == \"start\" and\n  (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n  (process.name : \"MsMpEng.exe\" and not\n        process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\"))\n",
+  "references": [
+    "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"
+  ],
+  "risk_score": 73,
+  "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08",
+  "severity": "high",
+  "tags": [
+    "Elastic",
+    "Host",
+    "Windows",
+    "Threat Detection",
+    "Defense Evasion"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1574",
+          "name": "Hijack Execution Flow",
+          "reference": "https://attack.mitre.org/techniques/T1574/",
+          "subtechnique": [
+            {
+              "id": "T1574.002",
+              "name": "DLL Side-Loading",
+              "reference": "https://attack.mitre.org/techniques/T1574/002/"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "timestamp_override": "event.ingested",
+  "type": "eql",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_vm_export_failure.json

@@ -16,7 +16,7 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "AWS EC2 VM Export Failure",
-  "note": "## Config\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+  "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
   "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n",
   "references": [
     "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"
@@ -66,5 +66,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts

@@ -562,7 +562,14 @@ import rule549 from './ml_auth_rare_user_logon.json';
 import rule550 from './ml_auth_spike_in_failed_logon_events.json';
 import rule551 from './ml_auth_spike_in_logon_events.json';
 import rule552 from './ml_auth_spike_in_logon_events_from_a_source_ip.json';
-import rule553 from './persistence_via_bits_job_notify_command.json';
+import rule553 from './privilege_escalation_printspooler_malicious_driver_file_changes.json';
+import rule554 from './privilege_escalation_printspooler_malicious_registry_modification.json';
+import rule555 from './privilege_escalation_printspooler_suspicious_file_deletion.json';
+import rule556 from './privilege_escalation_unusual_printspooler_childprocess.json';
+import rule557 from './defense_evasion_disabling_windows_defender_powershell.json';
+import rule558 from './defense_evasion_enable_network_discovery_with_netsh.json';
+import rule559 from './defense_evasion_execution_windefend_unusual_path.json';
+import rule560 from './persistence_via_bits_job_notify_command.json';
 
 export const rawRules = [
   rule1,
@@ -1118,4 +1125,11 @@ export const rawRules = [
   rule551,
   rule552,
   rule553,
+  rule554,
+  rule555,
+  rule556,
+  rule557,
+  rule558,
+  rule559,
+  rule560,
 ];

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_malicious_driver_file_changes.json

@@ -0,0 +1,50 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+  "from": "now-9m",
+  "index": [
+    "winlogbeat-*",
+    "logs-endpoint.events.*",
+    "logs-windows.*"
+  ],
+  "language": "eql",
+  "license": "Elastic License v2",
+  "name": "Potential PrintNightmare File Modification",
+  "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nfile where process.name : \"spoolsv.exe\" and \n file.name : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*\"\n",
+  "references": [
+    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+    "https://github.com/afwu/PrintNightmare"
+  ],
+  "risk_score": 73,
+  "rule_id": "5e87f165-45c2-4b80-bfa5-52822552c997",
+  "severity": "high",
+  "tags": [
+    "Elastic",
+    "Host",
+    "Windows",
+    "Threat Detection",
+    "Privilege Escalation"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0004",
+        "name": "Privilege Escalation",
+        "reference": "https://attack.mitre.org/tactics/TA0004/"
+      },
+      "technique": [
+        {
+          "id": "T1068",
+          "name": "Exploitation for Privilege Escalation",
+          "reference": "https://attack.mitre.org/techniques/T1068/"
+        }
+      ]
+    }
+  ],
+  "timestamp_override": "event.ingested",
+  "type": "eql",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_malicious_registry_modification.json

@@ -0,0 +1,49 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+  "from": "now-9m",
+  "index": [
+    "logs-endpoint.events.*",
+    "logs-windows.*"
+  ],
+  "language": "eql",
+  "license": "Elastic License v2",
+  "name": "Potential PrintNightmare Exploit Registry Modification",
+  "query": "/* This rule is not compatible with Sysmon due to schema issues */\n\nregistry where process.name : \"spoolsv.exe\" and\n  (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\mimikatz*\\\\Data File\" or\n  (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\*\\\\Configuration File\" and\n   registry.data.strings : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\")))\n",
+  "references": [
+    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+    "https://github.com/afwu/PrintNightmare"
+  ],
+  "risk_score": 73,
+  "rule_id": "6506c9fd-229e-4722-8f0f-69be759afd2a",
+  "severity": "high",
+  "tags": [
+    "Elastic",
+    "Host",
+    "Windows",
+    "Threat Detection",
+    "Privilege Escalation"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0004",
+        "name": "Privilege Escalation",
+        "reference": "https://attack.mitre.org/tactics/TA0004/"
+      },
+      "technique": [
+        {
+          "id": "T1068",
+          "name": "Exploitation for Privilege Escalation",
+          "reference": "https://attack.mitre.org/techniques/T1068/"
+        }
+      ]
+    }
+  ],
+  "timestamp_override": "event.ingested",
+  "type": "eql",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_file_deletion.json

@@ -0,0 +1,53 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.",
+  "false_positives": [
+    "Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."
+  ],
+  "from": "now-9m",
+  "index": [
+    "winlogbeat-*",
+    "logs-endpoint.events.*",
+    "logs-windows.*"
+  ],
+  "language": "eql",
+  "license": "Elastic License v2",
+  "name": "Suspicious Print Spooler File Deletion",
+  "query": "file where event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n",
+  "references": [
+    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+    "https://github.com/afwu/PrintNightmare"
+  ],
+  "risk_score": 47,
+  "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799",
+  "severity": "medium",
+  "tags": [
+    "Elastic",
+    "Host",
+    "Windows",
+    "Threat Detection",
+    "Privilege Escalation"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0004",
+        "name": "Privilege Escalation",
+        "reference": "https://attack.mitre.org/tactics/TA0004/"
+      },
+      "technique": [
+        {
+          "id": "T1068",
+          "name": "Exploitation for Privilege Escalation",
+          "reference": "https://attack.mitre.org/techniques/T1068/"
+        }
+      ]
+    }
+  ],
+  "timestamp_override": "event.ingested",
+  "type": "eql",
+  "version": 1
+}