From 6b8217ebd29b008ca33d60d9c4df125e0bc58253 Mon Sep 17 00:00:00 2001 From: Shashank K S Date: Fri, 13 Sep 2024 13:10:59 +0530 Subject: [PATCH] Remove Development Rules from 8.12 security docs --- .../prebuilt-rules-reference.asciidoc | 10 --- .../prebuilt-rules/rule-desc-index.asciidoc | 5 -- ...ft-365-impossible-travel-activity.asciidoc | 72 ---------------- ...65-mass-download-by-a-single-user.asciidoc | 68 --------------- ...script-execution-via-command-line.asciidoc | 85 ------------------- .../windows-user-account-creation.asciidoc | 70 --------------- .../wpad-service-exploit.asciidoc | 74 ---------------- 7 files changed, 384 deletions(-) delete mode 100644 docs/detections/prebuilt-rules/rule-details/microsoft-365-impossible-travel-activity.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/microsoft-365-mass-download-by-a-single-user.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/python-script-execution-via-command-line.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/windows-user-account-creation.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/wpad-service-exploit.asciidoc diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc index 654e6aec84..d5f112dac5 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc 
@@ -996,12 +996,8 @@ and their rule type is `machine_learning`. |<> |In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Identity and Access Audit], [Tactic: Persistence] |None |206 -|<> |Identifies when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Initial Access] |None |1 - |<> |Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Collection] |None |206 -|<> |Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Exfiltration] |None |1 - |<> |Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware. 
|[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Impact] |None |206 |<> |Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Persistence] |None |207 
@@ -1656,8 +1652,6 @@ and their rule type is `machine_learning`. |<> |Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon] |None |109 -|<> |Identifies when a Python script is executed using command line input and imports the sys module. Attackers often use this method to execute malicious scripts and avoiding writing it to disk. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |None |1 - |<> |Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |None |109 |<> |This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend] |None |105 
@@ -2328,8 +2322,6 @@ and their rule type is `machine_learning`. |<> |Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Sysmon], [Data Source: Elastic Endgame], [Data Source: System] |None |6 -|<> |Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. Attackers who have access to the local network or upstream DNS traffic can inject malicious JavaScript to the WPAD service which can lead to a full system compromise. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |None |1 - |<> |Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Active Directory], [Use Case: Active Directory Monitoring], [Rule Type: BBR], [Data Source: System] |None |5 |<> |A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed. |[Data Source: APM] |None |102 
@@ -2380,8 +2372,6 @@ and their rule type is `machine_learning`. |<> |This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may attempt to get a listing of network connections to or from a compromised system to identify targets within an environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend] |None |4 -|<> |Identifies attempts to create a Windows User Account. This is sometimes done by attackers to persist or increase access to a system or domain. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: System] |None |1 - |<> |Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Discovery], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: System] |None |9 |<> |Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |None |2 diff --git a/docs/detections/prebuilt-rules/rule-desc-index.asciidoc b/docs/detections/prebuilt-rules/rule-desc-index.asciidoc index 30b832ab55..f33a80689b 100644 
--- a/docs/detections/prebuilt-rules/rule-desc-index.asciidoc +++ b/docs/detections/prebuilt-rules/rule-desc-index.asciidoc @@ -489,9 +489,7 @@ include::rule-details/microsoft-365-exchange-safe-link-policy-disabled.asciidoc[ include::rule-details/microsoft-365-exchange-transport-rule-creation.asciidoc[] include::rule-details/microsoft-365-exchange-transport-rule-modification.asciidoc[] include::rule-details/microsoft-365-global-administrator-role-assigned.asciidoc[] -include::rule-details/microsoft-365-impossible-travel-activity.asciidoc[] include::rule-details/microsoft-365-inbox-forwarding-rule-created.asciidoc[] -include::rule-details/microsoft-365-mass-download-by-a-single-user.asciidoc[] include::rule-details/microsoft-365-potential-ransomware-activity.asciidoc[] include::rule-details/microsoft-365-teams-custom-application-interaction-allowed.asciidoc[] include::rule-details/microsoft-365-teams-external-access-enabled.asciidoc[] @@ -819,7 +817,6 @@ include::rule-details/program-files-directory-masquerading.asciidoc[] include::rule-details/prompt-for-credentials-with-osascript.asciidoc[] include::rule-details/proxychains-activity.asciidoc[] include::rule-details/psexec-network-connection.asciidoc[] -include::rule-details/python-script-execution-via-command-line.asciidoc[] include::rule-details/quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc[] include::rule-details/query-registry-using-built-in-tools.asciidoc[] include::rule-details/rdp-remote-desktop-protocol-from-the-internet.asciidoc[] 
@@ -1155,7 +1152,6 @@ include::rule-details/volume-shadow-copy-deletion-via-wmic.asciidoc[] include::rule-details/wmi-incoming-lateral-movement.asciidoc[] include::rule-details/wmi-wbemtest-utility-execution.asciidoc[] include::rule-details/wmic-remote-command.asciidoc[] -include::rule-details/wpad-service-exploit.asciidoc[] include::rule-details/writedac-access-on-active-directory-object.asciidoc[] include::rule-details/web-application-suspicious-activity-post-request-declined.asciidoc[] include::rule-details/web-application-suspicious-activity-unauthorized-method.asciidoc[] @@ -1181,7 +1177,6 @@ include::rule-details/windows-subsystem-for-linux-distribution-installed.asciido include::rule-details/windows-subsystem-for-linux-enabled-via-dism-utility.asciidoc[] include::rule-details/windows-system-information-discovery.asciidoc[] include::rule-details/windows-system-network-connections-discovery.asciidoc[] -include::rule-details/windows-user-account-creation.asciidoc[] include::rule-details/wireless-credential-dumping-using-netsh-command.asciidoc[] include::rule-details/yum-package-manager-plugin-file-creation.asciidoc[] include::rule-details/yum-dnf-plugin-status-discovery.asciidoc[] diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-365-impossible-travel-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-365-impossible-travel-activity.asciidoc deleted file mode 100644 index 72ac7bbc9c..0000000000 --- a/docs/detections/prebuilt-rules/rule-details/microsoft-365-impossible-travel-activity.asciidoc +++ /dev/null 
@@ -1,72 +0,0 @@ -[[microsoft-365-impossible-travel-activity]] -=== Microsoft 365 Impossible travel activity - -Identifies when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel. - -*Rule type*: query - -*Rule indices*: - -* filebeat-* -* logs-o365* - -*Severity*: medium - -*Risk score*: 47 - -*Runs every*: 5m - -*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) - -*Maximum alerts per execution*: 100 - -*References*: - -* https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy -* https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference - -*Tags*: - -* Domain: Cloud -* Data Source: Microsoft 365 -* Use Case: Configuration Audit -* Tactic: Initial Access - -*Version*: 1 - -*Rule authors*: - -* Austin Songer - -*Rule license*: Elastic License v2 - - -==== Investigation guide - - - - -==== Setup - - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. - -==== Rule query - - -[source, js] ----------------------------------- -event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Impossible travel activity" and event.outcome:success - ----------------------------------- - -*Framework*: MITRE ATT&CK^TM^ - -* Tactic: -** Name: Initial Access -** ID: TA0001 -** Reference URL: https://attack.mitre.org/tactics/TA0001/ -* Technique: -** Name: Valid Accounts -** ID: T1078 -** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-365-mass-download-by-a-single-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-365-mass-download-by-a-single-user.asciidoc deleted file mode 100644 index 8d013480b2..0000000000 
--- a/docs/detections/prebuilt-rules/rule-details/microsoft-365-mass-download-by-a-single-user.asciidoc +++ /dev/null @@ -1,68 +0,0 @@ -[[microsoft-365-mass-download-by-a-single-user]] -=== Microsoft 365 Mass download by a single user - -Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute. - -*Rule type*: query - -*Rule indices*: - -* filebeat-* -* logs-o365* - -*Severity*: medium - -*Risk score*: 47 - -*Runs every*: 5m - -*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) - -*Maximum alerts per execution*: 100 - -*References*: - -* https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy -* https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference - -*Tags*: - -* Domain: Cloud -* Data Source: Microsoft 365 -* Use Case: Configuration Audit -* Tactic: Exfiltration - -*Version*: 1 - -*Rule authors*: - -* Austin Songer - -*Rule license*: Elastic License v2 - - -==== Investigation guide - - - - -==== Setup - - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. - -==== Rule query - - -[source, js] ----------------------------------- -event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Mass download by a single user" and event.outcome:success - ----------------------------------- - -*Framework*: MITRE ATT&CK^TM^ - -* Tactic: -** Name: Exfiltration -** ID: TA0010 -** Reference URL: https://attack.mitre.org/tactics/TA0010/ diff --git a/docs/detections/prebuilt-rules/rule-details/python-script-execution-via-command-line.asciidoc b/docs/detections/prebuilt-rules/rule-details/python-script-execution-via-command-line.asciidoc deleted file mode 100644 index 0d369b4d51..0000000000 
--- a/docs/detections/prebuilt-rules/rule-details/python-script-execution-via-command-line.asciidoc +++ /dev/null 
@@ -1,85 +0,0 @@ -[[python-script-execution-via-command-line]] -=== Python Script Execution via Command Line - -Identifies when a Python script is executed using command line input and imports the sys module. Attackers often use this method to execute malicious scripts and avoiding writing it to disk. - -*Rule type*: eql - -*Rule indices*: - -* auditbeat-* -* logs-endpoint.events.* - -*Severity*: medium - -*Risk score*: 47 - -*Runs every*: 5m - -*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) - -*Maximum alerts per execution*: 100 - -*References*: None - -*Tags*: - -* Domain: Endpoint -* OS: Linux -* OS: macOS -* OS: Windows -* Use Case: Threat Detection -* Tactic: Execution -* Data Source: Elastic Defend - -*Version*: 1 - -*Rule authors*: - -* Elastic - -*Rule license*: Elastic License v2 - - -==== Setup - - - -*Setup* - - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. 
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html - - -==== Rule query - - -[source, js] ----------------------------------- -process where event.type in ("start", "process_started") and - process.name : "python*" and process.args : "-c" and process.args : "*import*sys*" - ----------------------------------- - -*Framework*: MITRE ATT&CK^TM^ - -* Tactic: -** Name: Execution -** ID: TA0002 -** Reference URL: https://attack.mitre.org/tactics/TA0002/ -* Technique: -** Name: Command and Scripting Interpreter -** ID: T1059 -** Reference URL: https://attack.mitre.org/techniques/T1059/ -* Sub-technique: -** Name: Python -** ID: T1059.006 -** Reference URL: https://attack.mitre.org/techniques/T1059/006/ -* Sub-technique: -** Name: Windows Command Shell -** ID: T1059.003 -** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/rule-details/windows-user-account-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/windows-user-account-creation.asciidoc deleted file mode 100644 index c59ccb7936..0000000000 --- a/docs/detections/prebuilt-rules/rule-details/windows-user-account-creation.asciidoc +++ /dev/null 
@@ -1,70 +0,0 @@ -[[windows-user-account-creation]] -=== Windows User Account Creation - -Identifies attempts to create a Windows User Account. This is sometimes done by attackers to persist or increase access to a system or domain. - -*Rule type*: query - -*Rule indices*: - -* winlogbeat-* -* logs-system.* -* logs-windows.* - -*Severity*: low - -*Risk score*: 21 - -*Runs every*: 5m - -*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) - -*Maximum alerts per execution*: 100 - -*References*: None - -*Tags*: - -* Domain: Endpoint -* OS: Windows -* Use Case: Threat Detection -* Tactic: Persistence -* Data Source: System - -*Version*: 1 - -*Rule authors*: - -* Skoetting - -*Rule license*: Elastic License v2 - - -==== Rule query - - -[source, js] ----------------------------------- -event.module:("system" or "security") and winlog.api:"wineventlog" and - (event.code:"4720" or event.action:"added-user-account") - ----------------------------------- - -*Framework*: MITRE ATT&CK^TM^ - -* Tactic: -** Name: Persistence -** ID: TA0003 -** Reference URL: https://attack.mitre.org/tactics/TA0003/ -* Technique: -** Name: Create Account -** ID: T1136 -** Reference URL: https://attack.mitre.org/techniques/T1136/ -* Sub-technique: -** Name: Local Account -** ID: T1136.001 -** Reference URL: https://attack.mitre.org/techniques/T1136/001/ -* Sub-technique: -** Name: Domain Account -** ID: T1136.002 -** Reference URL: https://attack.mitre.org/techniques/T1136/002/ diff --git a/docs/detections/prebuilt-rules/rule-details/wpad-service-exploit.asciidoc b/docs/detections/prebuilt-rules/rule-details/wpad-service-exploit.asciidoc deleted file mode 100644 index 371729d962..0000000000 --- a/docs/detections/prebuilt-rules/rule-details/wpad-service-exploit.asciidoc +++ /dev/null 
@@ -1,74 +0,0 @@ -[[wpad-service-exploit]] -=== WPAD Service Exploit - -Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. Attackers who have access to the local network or upstream DNS traffic can inject malicious JavaScript to the WPAD service which can lead to a full system compromise. - -*Rule type*: eql - -*Rule indices*: - -* logs-endpoint.events.process-* -* logs-endpoint.events.network-* -* logs-endpoint.events.library-* - -*Severity*: high - -*Risk score*: 73 - -*Runs every*: 5m - -*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) - -*Maximum alerts per execution*: 100 - -*References*: None - -*Tags*: - -* Domain: Endpoint -* OS: Windows -* Use Case: Threat Detection -* Tactic: Privilege Escalation -* Data Source: Elastic Defend - -*Version*: 1 - -*Rule authors*: - -* Elastic - -*Rule license*: Elastic License v2 - - -==== Rule query - - -[source, js] ----------------------------------- -/* preference would be to use user.sid rather than domain+name, once it is available in ECS + datasources */ -/* didn't trigger successfully during testing */ - -sequence with maxspan=5s - [process where host.os.type == "windows" and event.type == "start" and process.name : "svchost.exe" and - user.domain : "NT AUTHORITY" and user.name : "LOCAL SERVICE"] by process.entity_id - [network where host.os.type == "windows" and network.protocol : "dns" and process.name : "svchost.exe" and - dns.question.name : "wpad" and process.name : "svchost.exe"] by process.entity_id - [network where host.os.type == "windows" and process.name : "svchost.exe" - and network.direction : ("outgoing", "egress") and destination.port == 80] by process.entity_id - [library where host.os.type == "windows" and event.type : "start" and process.name : "svchost.exe" and - dll.name : "jscript.dll" and process.name : "svchost.exe"] by process.entity_id - [process where host.os.type == "windows" and event.type == 
"start" and - process.parent.name : "svchost.exe"] by process.parent.entity_id - ----------------------------------- - -*Framework*: MITRE ATT&CK^TM^ - -* Tactic: -** Name: Privilege Escalation -** ID: TA0004 -** Reference URL: https://attack.mitre.org/tactics/TA0004/ -* Technique: -** Name: Exploitation for Privilege Escalation -** ID: T1068 -** Reference URL: https://attack.mitre.org/techniques/T1068/
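Review bot: the commit message ("Remove Development Rules from 8.12 security docs") states no criterion for which rules count as development rules. The only marker visible in this patch that all five deleted rule-details files share is `*Version*: 1`, while the neighbouring rows kept in the prebuilt-rules-reference.asciidoc hunks carry higher versions (2, 4, 5, 6, 109, 206). If "never released past version 1" is the selection rule, say so in the message, and link the upstream detection-rules issue or PR that flagged them if one exists, so a later reader can verify the set without re-deriving it.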
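Review bot: the five deleted-file hunks each drop an Asciidoc anchor (`[[microsoft-365-impossible-travel-activity]]`, `[[microsoft-365-mass-download-by-a-single-user]]`, `[[python-script-execution-via-command-line]]`, `[[windows-user-account-creation]]`, `[[wpad-service-exploit]]`), but the patch only updates the reference table and rule-desc-index.asciidoc. Before merging, grep the 8.12 docs tree for `<<` cross-references to these five anchors in any other page (a prebuilt-rules changelog or update page, if one exists) so the build does not end up with unresolved xrefs.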
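Review bot: in the wpad-service-exploit.asciidoc hunk, the deleted query still carries the inline comments `/* preference would be to use user.sid rather than domain+name, once it is available in ECS + datasources */` and `/* didn't trigger successfully during testing */`. That second comment is the clearest evidence in this patch that the rule was unfinished; quoting it in the commit message would document why this rule in particular was pulled from the published docs.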