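--- /dev/null
+++ b/<rules-dir>/defense_evasion_disabling_windows_defender_powershell.json
@@ -0,0 +1,59 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.",
+"false_positives": [
+"Planned Windows Defender configuration changes."
+],
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Disabling Windows Defender Security Settings via PowerShell",
+"query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n",
+"references": [
+"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"
+],
+"risk_score": 47,
+"rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Defense Evasion"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1562",
+"name": "Impair Defenses",
+"reference": "https://attack.mitre.org/techniques/T1562/",
+"subtechnique": [
+{
+"id": "T1562.001",
+"name": "Disable or Modify Tools",
+"reference": "https://attack.mitre.org/techniques/T1562/001/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}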
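Review bot: `process.args : "Set-MpPreference"` in the query is an exact (case-insensitive) token match, so if the data source keeps a quoted `-Command "..."` argument as a single args token the cmdlet name sits inside that token and the rule does not fire; `process.args : "*Set-MpPreference*"` would cover both layouts, hedged on how the endpoint tokenizes the command line. Separately, `"-Disable*"` also matches `-DisableRealtimeMonitoring $false`, i.e. a remediation script re-enabling protection, which the single `false_positives` entry does not mention; an entry such as `"Scripts that restore Defender settings using -Disable* parameters set to $false."` would document that. Of the three value lists, `"Disabled"` and `"NeverSend"` are bare values and will match any cmdlet argument with that text, so a short `note` describing the intended parameters would help analysts triage.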
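--- /dev/null
+++ b/<rules-dir>/defense_evasion_enable_network_discovery_with_netsh.json
@@ -0,0 +1,56 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.",
+"false_positives": [
+"Host Windows Firewall planned system administration changes."
+],
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Enable Host Network Discovery via Netsh",
+"query": "process where event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n",
+"risk_score": 47,
+"rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Defense Evasion"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1562",
+"name": "Impair Defenses",
+"reference": "https://attack.mitre.org/techniques/T1562/",
+"subtechnique": [
+{
+"id": "T1562.001",
+"name": "Disable or Modify Tools",
+"reference": "https://attack.mitre.org/techniques/T1562/001/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}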
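Review bot: The query identifies the tool by `process.name : "netsh.exe"` alone, whereas the PowerShell rule in the same commit also accepts `process.pe.original_file_name`; for consistency across the set, `(process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe")` keeps the identity check aligned with the sibling rule. This rule is also the only new one without a `references` array; a link to the netsh advfirewall documentation (`<netsh-advfirewall-doc-url>`) would give analysts the same triage starting point the other rules provide. The `false_positives` entry could name the `group=Network Discovery` rule group explicitly, since that argument is what the query actually pins.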
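--- /dev/null
+++ b/<rules-dir>/defense_evasion_execution_windefend_unusual_path.json
@@ -0,0 +1,59 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.",
+"false_positives": [
+"Microsoft Antimalware Service Executable installed on non default installation path."
+],
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
+"query": "process where event.type == \"start\" and\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\"))\n",
+"references": [
+"https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"
+],
+"risk_score": 73,
+"rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Defense Evasion"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1574",
+"name": "Hijack Execution Flow",
+"reference": "https://attack.mitre.org/techniques/T1574/",
+"subtechnique": [
+{
+"id": "T1574.002",
+"name": "DLL Side-Loading",
+"reference": "https://attack.mitre.org/techniques/T1574/002/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}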
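Review bot: EQL `and` binds tighter than `or`, so the query parses as `(event.type == "start" and <renamed-binary branch>) or (<non-standard-path branch>)`; the second branch is not gated by `event.type == "start"` and will also match other process event types for the same process, producing duplicate alerts for a single execution. Wrapping both branches in one parenthesised group fixes the precedence: `process where event.type == "start" and\n ((process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or\n (process.name : "MsMpEng.exe" and not process.executable : (...)))`. The `false_positives` entry covers only the non-default-path branch; if the rename branch is expected to be noise-free, a sentence saying so in `note` would make that intent explicit.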
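--- a/<path-not-shown-on-page>/aws_ec2_vm_export_failure.json
+++ b/<path-not-shown-on-page>/aws_ec2_vm_export_failure.json
@@ -16,7 +16,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "AWS EC2 VM Export Failure",
-"note": "## Config\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n",
 "references": [
 "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"
@@ -66,5 +66,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
-"version": 1
+"version": 2
 }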
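--- a/<path-not-shown-on-page>/<rules-index-file>
+++ b/<path-not-shown-on-page>/<rules-index-file>
@@ -562,7 +562,14 @@ import rule549 from './ml_auth_rare_user_logon.json';
 import rule550 from './ml_auth_spike_in_failed_logon_events.json';
 import rule551 from './ml_auth_spike_in_logon_events.json';
 import rule552 from './ml_auth_spike_in_logon_events_from_a_source_ip.json';
-import rule553 from './persistence_via_bits_job_notify_command.json';
+import rule553 from './privilege_escalation_printspooler_malicious_driver_file_changes.json';
+import rule554 from './privilege_escalation_printspooler_malicious_registry_modification.json';
+import rule555 from './privilege_escalation_printspooler_suspicious_file_deletion.json';
+import rule556 from './privilege_escalation_unusual_printspooler_childprocess.json';
+import rule557 from './defense_evasion_disabling_windows_defender_powershell.json';
+import rule558 from './defense_evasion_enable_network_discovery_with_netsh.json';
+import rule559 from './defense_evasion_execution_windefend_unusual_path.json';
+import rule560 from './persistence_via_bits_job_notify_command.json';
 
 export const rawRules = [
 rule1,
@@ -1118,4 +1125,11 @@ export const rawRules = [
 rule551,
 rule552,
 rule553,
+rule554,
+rule555,
+rule556,
+rule557,
+rule558,
+rule559,
+rule560,
 ];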
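Review bot: Inserting the seven new imports ahead of the existing last entry renumbers the bits-job rule from `rule553` to `rule560` in the import hunk, so the diff touches an unrelated line and reviewers have to confirm that nothing else referenced `rule553` by name. Appending `rule554`–`rule560` after the existing `rule553` would have added the same seven rules with no renumbering. If this index is regenerated by a script, the churn is unavoidable and this note can be ignored; the `rawRules` array itself begins in the first hunk and ends in the second.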
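--- /dev/null
+++ b/<rules-dir>/privilege_escalation_printspooler_malicious_driver_file_changes.json
@@ -0,0 +1,50 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Potential PrintNightmare File Modification",
+"query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nfile where process.name : \"spoolsv.exe\" and \n file.name : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*\"\n",
+"references": [
+"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+"https://github.com/afwu/PrintNightmare"
+],
+"risk_score": 73,
+"rule_id": "5e87f165-45c2-4b80-bfa5-52822552c997",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Privilege Escalation"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0004",
+"name": "Privilege Escalation",
+"reference": "https://attack.mitre.org/tactics/TA0004/"
+},
+"technique": [
+{
+"id": "T1068",
+"name": "Exploitation for Privilege Escalation",
+"reference": "https://attack.mitre.org/techniques/T1068/"
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}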
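Review bot: The description says "creation or modification", but the query has no `event.type` filter, so deletion events from `spoolsv.exe` on the same paths also match and overlap with the file-deletion rule added later in this commit; adding `event.type : ("creation", "change")` (both are ECS `event.type` values) aligns the query with the description. The `file.path` pattern is limited to the `x64\\3` driver store; if other architecture directories under `spool\\drivers` are in scope the pattern needs widening, hedged because the referenced PoC may justify the x64-only choice, and the same x64-only path appears in the deletion rule below. This rule, unlike its two siblings, lists no `false_positives`; even `"Legitimate print driver installation writing files with these names under the driver store."` gives analysts a starting point, hedged since I cannot confirm any product does so.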
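--- /dev/null
+++ b/<rules-dir>/privilege_escalation_printspooler_malicious_registry_modification.json
@@ -0,0 +1,49 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+"from": "now-9m",
+"index": [
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Potential PrintNightmare Exploit Registry Modification",
+"query": "/* This rule is not compatible with Sysmon due to schema issues */\n\nregistry where process.name : \"spoolsv.exe\" and\n (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\mimikatz*\\\\Data File\" or\n (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\*\\\\Configuration File\" and\n registry.data.strings : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\")))\n",
+"references": [
+"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+"https://github.com/afwu/PrintNightmare"
+],
+"risk_score": 73,
+"rule_id": "6506c9fd-229e-4722-8f0f-69be759afd2a",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Privilege Escalation"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0004",
+"name": "Privilege Escalation",
+"reference": "https://attack.mitre.org/tactics/TA0004/"
+},
+"technique": [
+{
+"id": "T1068",
+"name": "Exploitation for Privilege Escalation",
+"reference": "https://attack.mitre.org/techniques/T1068/"
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}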
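Review bot: The first branch of the query matches a `registry.path` containing `mimikatz*`, a tool's default driver name, which is a narrow signature rather than the behaviour the second branch describes; an inline EQL comment such as `/* Branch 1: tool-name match, high confidence but narrow; branch 2 (Configuration File pointing at core system DLLs) is the behavioural detection */` would keep later maintainers from generalising the wrong branch. The `index` list deliberately omits `winlogbeat-*`, consistent with the leading comment that Sysmon is unsupported, but that restriction is easy to miss in the array and is worth repeating in a `note` field as the EC2 rule in this commit does for its data requirements. The sibling file-deletion rule carries a `false_positives` entry while this one has none; an explicit empty rationale in `note` would tell analysts the omission is intentional.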
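--- /dev/null
+++ b/<rules-dir>/privilege_escalation_printspooler_suspicious_file_deletion.json
@@ -0,0 +1,53 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.",
+"false_positives": [
+"Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."
+],
+"from": "now-9m",
+"index": [
+"winlogbeat-*",
+"logs-endpoint.events.*",
+"logs-windows.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Suspicious Print Spooler File Deletion",
+"query": "file where event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n",
+"references": [
+"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+"https://github.com/afwu/PrintNightmare"
+],
+"risk_score": 47,
+"rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Privilege Escalation"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0004",
+"name": "Privilege Escalation",
+"reference": "https://attack.mitre.org/tactics/TA0004/"
+},
+"technique": [
+{
+"id": "T1068",
+"name": "Exploitation for Privilege Escalation",
+"reference": "https://attack.mitre.org/techniques/T1068/"
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}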
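Review bot: The query compares `event.type : "deletion"` with the pattern operator while every other new rule in this commit writes `event.type == "start"` with `==`; for a literal without wildcards the result is the same, but one form across the set reads more consistently, so `event.type == "deletion"` is the smaller change. The exclusion list `("spoolsv.exe", "dllhost.exe", "explorer.exe")` trusts processes by `process.name` only; if the intent is to trust the system's own spooler, pairing it with `process.executable` under `?:\\Windows\\System32\\` is a tighter identity check, hedged on which fields the configured data sources populate. The `false_positives` wording "a legitimate printing driver files" has a number-agreement slip; `"Uninstall or manual deletion of legitimate printing driver files."` reads cleanly.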