From 524d0e8d41491260d7557ad649c9fc9e509488cf Mon Sep 17 00:00:00 2001 
From: Frank Hassanabad Date: Tue, 28 Jan 2020 17:31:31 -0700 Subject: [PATCH] [SIEM][Detection Engine] critical blocker for updated rules ## Summary Critical blocker for updated rules and content we need for the release. Given to me by randomuserid and from randomuserid ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. ~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~ ~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~ ~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~ - [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios ~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~ ### For maintainers ~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~ ~~- [ ] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~ --- .../rules/prepackaged_rules/index.ts | 102 +++++++++--------- .../linux_shell_activity_by_web_server.json | 2 +- .../linux_ssh_forwarding.json | 43 -------- .../linux_strace_activity.json | 2 +- .../network_port_26_activity.json | 2 +- 
...te_desktop_protocol_from_the_internet.json | 2 +- ...mote_procedure_call_from_the_internet.json | 2 +- ...file_sharing_activity_to_the_internet.json | 2 +- .../prepackaged_rules/null_user_agent.json | 2 +- .../prepackaged_rules/sqlmap_user_agent.json | 2 +- 10 files changed, 58 insertions(+), 103 deletions(-) delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
index cd6d899133bff1..b454501e9f563f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
@@ -69,57 +69,56 @@ import rule59 from './linux_nping_activity.json';
 import rule60 from './linux_process_started_in_temp_directory.json';
 import rule61 from './linux_shell_activity_by_web_server.json';
 import rule62 from './linux_socat_activity.json';
-import rule63 from './linux_ssh_forwarding.json';
-import rule64 from './linux_strace_activity.json';
-import rule65 from './linux_tcpdump_activity.json';
-import rule66 from './linux_whoami_commmand.json';
-import rule67 from './network_dns_directly_to_the_internet.json';
-import rule68 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
-import rule69 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
-import rule70 from './network_nat_traversal_port_activity.json';
-import rule71 from './network_port_26_activity.json';
-import rule72 from './network_port_8000_activity_to_the_internet.json';
-import rule73 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
-import rule74 from './network_proxy_port_activity_to_the_internet.json';
-import rule75 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
-import rule76 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
-import rule77 from './network_rpc_remote_procedure_call_from_the_internet.json';
-import rule78 from './network_rpc_remote_procedure_call_to_the_internet.json';
-import rule79 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
-import rule80 from './network_smtp_to_the_internet.json';
-import rule81 from './network_sql_server_port_activity_to_the_internet.json';
-import rule82 from './network_ssh_secure_shell_from_the_internet.json';
-import rule83 from './network_ssh_secure_shell_to_the_internet.json';
-import rule84 from './network_telnet_port_activity.json';
-import rule85 from './network_tor_activity_to_the_internet.json';
-import rule86 from './network_vnc_virtual_network_computing_from_the_internet.json';
-import rule87 from './network_vnc_virtual_network_computing_to_the_internet.json';
-import rule88 from './null_user_agent.json';
-import rule89 from './sqlmap_user_agent.json';
-import rule90 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
-import rule91 from './windows_certutil_connecting_to_the_internet.json';
-import rule92 from './windows_command_prompt_connecting_to_the_internet.json';
-import rule93 from './windows_command_shell_started_by_internet_explorer.json';
-import rule94 from './windows_command_shell_started_by_powershell.json';
-import rule95 from './windows_command_shell_started_by_svchost.json';
-import rule96 from './windows_defense_evasion_via_filter_manager.json';
-import rule97 from './windows_execution_via_compiled_html_file.json';
-import rule98 from './windows_execution_via_connection_manager.json';
-import rule99 from './windows_execution_via_net_com_assemblies.json';
-import rule100 from './windows_execution_via_regsvr32.json';
-import rule101 from './windows_execution_via_trusted_developer_utilities.json';
-import rule102 from './windows_html_help_executable_program_connecting_to_the_internet.json';
-import rule103 from './windows_misc_lolbin_connecting_to_the_internet.json';
-import rule104 from './windows_net_command_activity_by_the_system_account.json';
-import rule105 from './windows_persistence_via_application_shimming.json';
-import rule106 from './windows_priv_escalation_via_accessibility_features.json';
-import rule107 from './windows_process_discovery_via_tasklist_command.json';
-import rule108 from './windows_process_execution_via_wmi.json';
-import rule109 from './windows_register_server_program_connecting_to_the_internet.json';
-import rule110 from './windows_signed_binary_proxy_execution.json';
-import rule111 from './windows_signed_binary_proxy_execution_download.json';
-import rule112 from './windows_suspicious_process_started_by_a_script.json';
-import rule113 from './windows_whoami_command_activity.json';
+import rule63 from './linux_strace_activity.json';
+import rule64 from './linux_tcpdump_activity.json';
+import rule65 from './linux_whoami_commmand.json';
+import rule66 from './network_dns_directly_to_the_internet.json';
+import rule67 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
+import rule68 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
+import rule69 from './network_nat_traversal_port_activity.json';
+import rule70 from './network_port_26_activity.json';
+import rule71 from './network_port_8000_activity_to_the_internet.json';
+import rule72 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
+import rule73 from './network_proxy_port_activity_to_the_internet.json';
+import rule74 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
+import rule75 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
+import rule76 from './network_rpc_remote_procedure_call_from_the_internet.json';
+import rule77 from './network_rpc_remote_procedure_call_to_the_internet.json';
+import rule78 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
+import rule79 from './network_smtp_to_the_internet.json';
+import rule80 from './network_sql_server_port_activity_to_the_internet.json';
+import rule81 from './network_ssh_secure_shell_from_the_internet.json';
+import rule82 from './network_ssh_secure_shell_to_the_internet.json';
+import rule83 from './network_telnet_port_activity.json';
+import rule84 from './network_tor_activity_to_the_internet.json';
+import rule85 from './network_vnc_virtual_network_computing_from_the_internet.json';
+import rule86 from './network_vnc_virtual_network_computing_to_the_internet.json';
+import rule87 from './null_user_agent.json';
+import rule88 from './sqlmap_user_agent.json';
+import rule89 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
+import rule90 from './windows_certutil_connecting_to_the_internet.json';
+import rule91 from './windows_command_prompt_connecting_to_the_internet.json';
+import rule92 from './windows_command_shell_started_by_internet_explorer.json';
+import rule93 from './windows_command_shell_started_by_powershell.json';
+import rule94 from './windows_command_shell_started_by_svchost.json';
+import rule95 from './windows_defense_evasion_via_filter_manager.json';
+import rule96 from './windows_execution_via_compiled_html_file.json';
+import rule97 from './windows_execution_via_connection_manager.json';
+import rule98 from './windows_execution_via_net_com_assemblies.json';
+import rule99 from './windows_execution_via_regsvr32.json';
+import rule100 from './windows_execution_via_trusted_developer_utilities.json';
+import rule101 from './windows_html_help_executable_program_connecting_to_the_internet.json';
+import rule102 from './windows_misc_lolbin_connecting_to_the_internet.json';
+import rule103 from './windows_net_command_activity_by_the_system_account.json';
+import rule104 from './windows_persistence_via_application_shimming.json';
+import rule105 from './windows_priv_escalation_via_accessibility_features.json';
+import rule106 from './windows_process_discovery_via_tasklist_command.json';
+import rule107 from './windows_process_execution_via_wmi.json';
+import rule108 from './windows_register_server_program_connecting_to_the_internet.json';
+import rule109 from './windows_signed_binary_proxy_execution.json';
+import rule110 from './windows_signed_binary_proxy_execution_download.json';
+import rule111 from './windows_suspicious_process_started_by_a_script.json';
+import rule112 from './windows_whoami_command_activity.json';
 export const rawRules = [
 rule1,
 rule2,
@@ -233,5 +232,4 @@ export const rawRules = [
 rule110,
 rule111,
 rule112,
- rule113,
 ];
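Review bot: Removing a single rule forced fifty sequentially numbered imports (`rule63` through `rule112`) to be rewritten, which makes this hunk hard to review and invites an off-by-one between the import list and `rawRules`; importing each rule under a name derived from its file, e.g. `import linuxStraceActivity from './linux_strace_activity.json';`, would turn a future removal into a two-line change. The dropped file is the only one whose `rule_id` (`45d256ab-e665-445b-8306-2f83a8db59f8`, visible in the deleted hunk) leaves the prepackaged set; if installed copies are keyed by `rule_id`, existing installs of that rule presumably remain in place but unmanaged, so confirm whether that is the intended outcome or whether a removal or deprecation path is needed. The second hunk (`@@ -233,5 +232,4 @@`) is consistent with the new list and ends at `rule112`.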
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
index c7d856cbe61f35..ac817762fdb713 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
@@ -32,7 +32,7 @@
 {
 "id": "T1100",
 "name": "Web Shell",
- "reference": "https://attack.mitre.org/techniques/T1215/"
+ "reference": "https://attack.mitre.org/techniques/T1100/"
 }
 ]
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
deleted file mode 100644
index 3b61814ab66fd7..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
+++ /dev/null
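Review bot: The `reference` URL is realigned with `id` by hand here, and the same technique id/reference drift is corrected in four more hunks of this commit (network_port_26_activity, network_rdp_remote_desktop_protocol_from_the_internet, network_rpc_remote_procedure_call_from_the_internet and network_smb_windows_file_sharing_activity_to_the_internet), so the mismatch looks systematic rather than a one-off. A unit test over the prepackaged rule set asserting that every `threat[].technique[].reference` ends with `/techniques/<id>/` and every `threat[].tactic.reference` ends with `/tactics/<id>/` would have caught all five and keeps them from recurring. T1100 (Web Shell) is the pre-sub-technique identifier; if the rule set is later re-aligned to current ATT&CK it maps to T1505.003, which is another reason for the check to compare against the `id` field rather than a hard-coded list.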
@@ -1,43 +0,0 @@
-{
- "description": "An SSH processes ran with the `-R` flag which can be used to forward a port to a remote destination for purposes of pivoting and persistence. This technique often used to create encrypted tunnels and circumvent firewalls, security groups or network access lists.",
- "false_positives": [
- "Some normal use of this command may originate from usage by engineers as an alternative or ad-hoc remote access solution. Use of this command by non-administrative users is uncommon."
- ],
- "index": [
- "auditbeat-*"
- ],
- "language": "kuery",
- "max_signals": 33,
- "name": "Potential Lateral Movement via SSH Port Forwarding",
- "query": "process.name:ssh and process.args:\"-R\" and event.action:executed",
- "references": [
- "https://www.ssh.com/ssh/tunneling",
- "https://www.ssh.com/ssh/tunneling/example"
- ],
- "risk_score": 47,
- "rule_id": "45d256ab-e665-445b-8306-2f83a8db59f8",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Linux"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0008",
- "name": "Lateral Movement",
- "reference": "https://attack.mitre.org/tactics/TA0008/"
- },
- "technique": [
- {
- "id": "T1184",
- "name": "SSH Hijacking",
- "reference": "https://attack.mitre.org/techniques/T1184/"
- }
- ]
- }
- ],
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
index 6f8bc112fd0114..f5488ae49d0fb5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
@@ -1,5 +1,5 @@
 {
- "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privlieges or move laterally.",
+ "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.",
 "false_positives": [
 "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing."
 ],
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
index 59db16c7b7d3dd..352fc5e44dc806 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
@@ -49,7 +49,7 @@
 },
 "technique": [
 {
- "id": "T1043",
+ "id": "T1048",
 "name": "Exfiltration Over Alternative Protocol",
 "reference": "https://attack.mitre.org/techniques/T1048/"
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
index 76528da19a57c3..e3853c30e6ad9c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
@@ -45,7 +45,7 @@
 },
 "technique": [
 {
- "id": "T1190",
+ "id": "T1021",
 "name": "Remote Services",
 "reference": "https://attack.mitre.org/techniques/T1021/"
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
index ca6715ac487859..1570d3d155feaf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
@@ -29,7 +29,7 @@
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
- "reference": "https://attack.mitre.org/techniques/T1043/"
+ "reference": "https://attack.mitre.org/techniques/T1190/"
 }
 ]
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
index ee47dff73db40f..991c626c11d33a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
@@ -42,7 +42,7 @@
 },
 "technique": [
 {
- "id": "T1043",
+ "id": "T1048",
 "name": "Exfiltration Over Alternative Protocol",
 "reference": "https://attack.mitre.org/techniques/T1048/"
 }
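Review bot: Changing the id to `T1021` makes this entry internally consistent with `"name": "Remote Services"`, but T1021 is a Lateral Movement technique, while the rule describes RDP arriving from the Internet and the previous id, T1190, belongs to Initial Access; the `tactic` block sits just above the hunk and is not visible here. If that tactic is Initial Access (TA0001), the technique that fits is T1133 (External Remote Services), and `id`, `name` and `reference` should move together, e.g. `"id": "T1133",` / `"name": "External Remote Services",` / `"reference": "https://attack.mitre.org/techniques/T1133/"`. Either way the chosen technique should agree with the tactic it is nested under, not only with its own name.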
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
index 87a3119ac780d3..7975c30a4ea386 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
@@ -1,7 +1,7 @@
 {
 "description": "A request to a web application server contained no identifying user agent string.",
 "false_positives": [
- "Some normal applications and scripts may contain no user agent. Most legitmate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity."
+ "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity."
 ],
 "filters": [
 {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
index 72d85dcbffc062..44e112d09a45b4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
@@ -1,7 +1,7 @@
 {
 "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11 which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities. ",
 "false_positives": [
- "This signal does not indicate that a SQL injection attack occured, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
+ "This signal does not indicate that a SQL injection attack occurred, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
 ],
 "index": [
 "apm-*-transaction*"