=== Google Workspace Role Modified
Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.
Rule type: query
Rule indices:
- filebeat-*
- logs-google_workspace*
Severity: medium
Risk score: 47
Runs every: 10 minutes
Searches indices from: now-130m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Cloud
- Google Workspace
- Continuous Monitoring
- SecOps
- Identity and Access
Version: 3 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
==== Investigation guide
===== Config
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
===== Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval at which the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information.
  - https://support.google.com/a/answer/7061566
  - https://www.elastic.co/guide/en/beats/filebeat/7.12/filebeat-module-google_workspace.html
==== Rule query
event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Account Manipulation
  - ID: T1098
  - Reference URL: https://attack.mitre.org/techniques/T1098/
==== Rule version history
- Version 3 (7.12.0 release)
  - Formatting only
- Version 2 (7.11.2 release)
  - Formatting only
=== Halfbaked Command and Control Beacon
Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.
Rule type: query
Rule indices:
- packetbeat-*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Network
- Threat Detection
- Command and Control
Version: 4 (version history)
Added (Elastic Stack release): 7.10.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected.
==== Investigation guide
This activity has been observed in FIN7 campaigns.
==== Rule query
event.category:(network OR network_traffic) AND network.protocol:http AND network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
- Technique:
  - Name: Application Layer Protocol
  - ID: T1071
  - Reference URL: https://attack.mitre.org/techniques/T1071/
==== Rule version history
- Version 4 (7.12.0 release)
  - Formatting only
- Version 3 (7.11.2 release)
  - Formatting only
- Version 2 (7.11.0 release)
  - Formatting only
=== Hex Encoding/Decoding Activity
Identifies attempts to encode and decode data, a technique adversaries can use to evade detection by host- or network-based security controls.
Rule type: query
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- Defense Evasion
Version: 7 (version history)
Added (Elastic Stack release): 7.8.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values.
==== Rule query
event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd)
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Deobfuscate/Decode Files or Information
  - ID: T1140
  - Reference URL: https://attack.mitre.org/techniques/T1140/
==== Rule version history
- Version 7 (7.12.0 release)
  - Formatting only
- Version 6 (7.11.2 release)
  - Formatting only
- Version 5 (7.11.0 release)
  - Formatting only
- Version 4 (7.10.0 release)
  - Formatting only
- Version 3 (7.9.1 release)
  - Formatting only
- Version 2 (7.9.0 release)
  - Updated query, changed from:
    event.action:(executed or process_started) and process.name:(hex or xxd)
=== High Number of Okta User Password Reset or Unlock Attempts
Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their target’s environment and evade detection.
Rule type: threshold
Rule indices:
- filebeat-*
- logs-okta*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-60m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Identity
- Okta
- Continuous Monitoring
- SecOps
- Identity and Access
Version: 3 (version history)
Added (Elastic Stack release): 7.10.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule.
==== Investigation guide
The Okta Filebeat module must be enabled to use this rule.
==== Rule query
event.dataset:okta.system and event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or system.sms.send_account_unlock_message or system.sms.send_password_reset_message or system.voice.send_account_unlock_call or system.voice.send_password_reset_call or user.account.unlock_token)
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Valid Accounts
  - ID: T1078
  - Reference URL: https://attack.mitre.org/techniques/T1078/
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Valid Accounts
  - ID: T1078
  - Reference URL: https://attack.mitre.org/techniques/T1078/
- Tactic:
  - Name: Initial Access
  - ID: TA0001
  - Reference URL: https://attack.mitre.org/tactics/TA0001/
- Technique:
  - Name: Valid Accounts
  - ID: T1078
  - Reference URL: https://attack.mitre.org/techniques/T1078/
==== Rule version history
- Version 3 (7.12.0 release)
  - Formatting only
- Version 2 (7.11.0 release)
  - Formatting only
=== High Number of Process and/or Service Terminations
This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period. This may indicate a defense evasion attempt.
Rule type: threshold
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Defense Evasion
Version: 2 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
event.category:process and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and process.args:(stop or pause or delete or "/PID" or "/IM" or "/T" or "/F" or "/t" or "/f" or "/im" or "/pid")
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Impair Defenses
  - ID: T1562
  - Reference URL: https://attack.mitre.org/techniques/T1562/
==== Rule version history
- Version 2 (7.12.0 release)
  - Formatting only
=== Hosts File Modified
The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution, so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.
Rule type: query
Rule indices:
- auditbeat-*
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Linux
- Windows
- macOS
- Threat Detection
- Impact
Version: 4 (version history)
Added (Elastic Stack release): 7.10.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Investigation guide
For Windows systems using Auditbeat, this rule requires adding C:/Windows/System32/drivers/etc as an additional path in the file_integrity module of auditbeat.yml.
==== Rule query
event.category:file and event.type:(change or creation) and file.path:("/private/etc/hosts" or "/etc/hosts" or "C:\Windows\System32\drivers\etc\hosts")
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Impact
  - ID: TA0040
  - Reference URL: https://attack.mitre.org/tactics/TA0040/
- Technique:
  - Name: Data Manipulation
  - ID: T1565
  - Reference URL: https://attack.mitre.org/techniques/T1565/
==== Rule version history
- Version 4 (7.12.0 release)
  - Formatting only
- Version 3 (7.11.2 release)
  - Formatting only
- Version 2 (7.11.0 release)
  - Formatting only
=== Hping Process Activity
Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.
Rule type: query
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Linux
- Threat Detection
Version: 7 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon.
==== Rule query
event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)
==== Rule version history
- Version 7 (7.12.0 release)
  - Formatting only
- Version 6 (7.11.2 release)
  - Formatting only
- Version 5 (7.10.0 release)
  - Formatting only
- Version 4 (7.9.1 release)
  - Formatting only
- Version 3 (7.9.0 release)
  - Updated query, changed from:
    process.name:(hping or hping2 or hping3) and event.action:executed
- Version 2 (7.7.0 release)
  - Updated query, changed from:
    process.name: (hping3 or hping2 or hping) and event.action:executed
=== IIS HTTP Logging Disabled
Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 33
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Defense Evasion
Version: 4 (version history)
Added (Elastic Stack release): 7.10.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
event.category:process and event.type:(start or process_started) and (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe) and process.args:/dontLog\:\"True\" and not process.parent.name:iissetup.exe
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Indicator Removal on Host
  - ID: T1070
  - Reference URL: https://attack.mitre.org/techniques/T1070/
==== Rule version history
- Version 4 (7.12.0 release)
  - Formatting only
- Version 3 (7.11.2 release)
  - Formatting only
- Version 2 (7.11.0 release)
  - Updated query, changed from:
    event.category:process and event.type:(start or process_started) and (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe or winlog.event_data.OriginalFileName:appcmd.exe) and process.args:/dontLog\:\"True\" and not process.parent.name:iissetup.exe
=== IPSEC NAT Traversal Port Activity
Detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.
Rule type: query
Rule indices:
- filebeat-*
- packetbeat-*
- logs-endpoint.events.*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Network
- Threat Detection
- Command and Control
Version: 7 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
Some networks may utilize these protocols, but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may generate false positives under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon, but such servers can be excluded.
==== Rule query
event.category:(network or network_traffic) and network.transport:udp and destination.port:4500
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
==== Rule version history
- Version 7 (7.12.0 release)
  - Formatting only
- Version 6 (7.11.2 release)
  - Formatting only
- Version 5 (7.11.0 release)
  - Formatting only
- Version 4 (7.10.0 release)
  - Formatting only
- Version 3 (7.9.0 release)
  - Updated query, changed from:
    network.transport:udp and destination.port:4500
- Version 2 (7.6.1 release)
  - Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.
=== IRC (Internet Relay Chat) Protocol Activity to the Internet
Detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.
Rule type: query
Rule indices:
- filebeat-*
- packetbeat-*
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Network
- Threat Detection
- Command and Control
Version: 8 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may generate false positives under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule’s conditions.
==== Rule query
event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8" )
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
- Tactic:
  - Name: Exfiltration
  - ID: TA0010
  - Reference URL: https://attack.mitre.org/tactics/TA0010/
- Technique:
  - Name: Exfiltration Over Alternative Protocol
  - ID: T1048
  - Reference URL: https://attack.mitre.org/techniques/T1048/
==== Rule version history
- Version 8 (7.12.0 release)
  - Formatting only
- Version 7 (7.11.2 release)
  - Formatting only
- Version 6 (7.11.0 release)
  - Updated query, changed from:
    event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
- Version 5 (7.10.0 release)
  - Formatting only
- Version 4 (7.9.0 release)
  - Updated query, changed from:
    network.transport:tcp and destination.port:(6667 or 6697) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
- Version 3 (7.7.0 release)
  - Updated query, changed from:
    network.transport: tcp and destination.port:(6667 or 6697) and ( network.direction: outbound or ( source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ) )
- Version 2 (7.6.1 release)
  - Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.
=== Image File Execution Options Injection
The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 41
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Persistence
Version: 3 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
registry where length(registry.data.strings) > 0 and
  registry.path : (
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
    "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
    "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess"
  ) and
  /* add FPs here */
  not registry.data.strings : ("C:\\Program Files*\\ThinKiosk\\thinkiosk.exe", "*\\PSAppDeployToolkit\\*")
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Event Triggered Execution
  - ID: T1546
  - Reference URL: https://attack.mitre.org/techniques/T1546/
==== Rule version history
- Version 3 (7.12.0 release)
  - Formatting only
- Version 2 (7.11.2 release)
  - Formatting only
=== ImageLoad via Windows Update Auto Update Client
Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend malicious activity in with legitimate Windows software.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Defense Evasion
Version: 3 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
process where event.type in ("start", "process_started") and
  (process.pe.original_file_name == "wuauclt.exe" or process.name : "wuauclt.exe") and
  /* necessary windows update client args to load a dll */
  process.args : "/RunHandlerComServer" and process.args : "/UpdateDeploymentProvider" and
  /* common paths writeable by a standard user where the target DLL can be placed */
  process.args : ("C:\\Users\\*.dll", "C:\\ProgramData\\*.dll", "C:\\Windows\\Temp\\*.dll", "C:\\Windows\\Tasks\\*.dll")
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Signed Binary Proxy Execution
  - ID: T1218
  - Reference URL: https://attack.mitre.org/techniques/T1218/
==== Rule version history
- Version 3 (7.12.0 release)
  - Formatting only
- Version 2 (7.11.2 release)
  - Formatting only
=== Inbound Connection to an Unsecure Elasticsearch Node
Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.
Rule type: query
Rule indices:
- packetbeat-*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Network
- Threat Detection
- Initial Access
Version: 3 (version history)
Added (Elastic Stack release): 7.10.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy.
==== Investigation guide
This rule requires the addition of port 9200 and send_all_headers to the HTTP protocol configuration in packetbeat.yml. See the References section for additional configuration documentation.
==== Rule query
event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:"image/x-icon" AND NOT _exists_:http.request.headers.authorization
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Initial Access
  - ID: TA0001
  - Reference URL: https://attack.mitre.org/tactics/TA0001/
- Technique:
  - Name: Exploit Public-Facing Application
  - ID: T1190
  - Reference URL: https://attack.mitre.org/techniques/T1190/
==== Rule version history
- Version 3 (7.12.0 release)
  - Formatting only
- Version 2 (7.11.2 release)
  - Formatting only
=== Incoming DCOM Lateral Movement via MSHTA
Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Lateral Movement
Version: 2 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
sequence with maxspan=1m
  [process where event.type in ("start", "process_started") and
   process.name : "mshta.exe" and process.args : "-Embedding"
  ] by host.id, process.entity_id
  [network where event.type == "start" and process.name : "mshta.exe" and
   network.direction == "incoming" and network.transport == "tcp" and
   source.port > 49151 and destination.port > 49151 and
   not source.address in ("127.0.0.1", "::1")
  ] by host.id, process.entity_id
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Lateral Movement
  - ID: TA0008
  - Reference URL: https://attack.mitre.org/tactics/TA0008/
- Technique:
  - Name: Remote Services
  - ID: T1021
  - Reference URL: https://attack.mitre.org/techniques/T1021/
==== Rule version history
- Version 2 (7.12.0 release)
  - Formatting only
=== Incoming DCOM Lateral Movement with MMC
Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Lateral Movement
Version: 2 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
sequence by host.id with maxspan=1m
  [network where event.type == "start" and process.name : "mmc.exe" and
   source.port >= 49152 and destination.port >= 49152 and
   source.address not in ("127.0.0.1", "::1") and
   network.direction == "incoming" and network.transport == "tcp"
  ] by process.entity_id
  [process where event.type in ("start", "process_started") and
   process.parent.name : "mmc.exe"
  ] by process.parent.entity_id
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Lateral Movement
  - ID: TA0008
  - Reference URL: https://attack.mitre.org/tactics/TA0008/
- Technique:
  - Name: Remote Services
  - ID: T1021
  - Reference URL: https://attack.mitre.org/techniques/T1021/
==== Rule version history
- Version 2 (7.12.0 release)
  - Formatting only
=== Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Lateral Movement
Version: 2 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
sequence by host.id with maxspan=5s
  [network where event.type == "start" and process.name : "explorer.exe" and
   network.direction == "incoming" and network.transport == "tcp" and
   source.port > 49151 and destination.port > 49151 and
   not source.address in ("127.0.0.1", "::1")
  ] by process.entity_id
  [process where event.type in ("start", "process_started") and
   process.parent.name : "explorer.exe"
  ] by process.parent.entity_id
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Lateral Movement
  - ID: TA0008
  - Reference URL: https://attack.mitre.org/tactics/TA0008/
- Technique:
  - Name: Remote Services
  - ID: T1021
  - Reference URL: https://attack.mitre.org/techniques/T1021/
==== Rule version history
- Version 2 (7.12.0 release)
  - Formatting only
=== Incoming Execution via PowerShell Remoting
Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Lateral Movement
Version: 2 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It’s important to baseline your environment to determine the amount of noise to expect from this tool.
==== Rule query
sequence by host.id with maxspan = 30s
  [network where network.direction == "incoming" and
   destination.port in (5985, 5986) and network.protocol == "http" and
   source.address != "127.0.0.1" and source.address != "::1"
  ]
  [process where event.type == "start" and
   process.parent.name : "wsmprovhost.exe" and not process.name : "conhost.exe"]
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Lateral Movement
  - ID: TA0008
  - Reference URL: https://attack.mitre.org/tactics/TA0008/
- Technique:
  - Name: Remote Services
  - ID: T1021
  - Reference URL: https://attack.mitre.org/techniques/T1021/
==== Rule version history
- Version 2 (7.12.0 release)
  - Formatting only
=== Incoming Execution via WinRM Remote Shell
Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Lateral Movement
Version: 2 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
WinRM is a dual-use protocol that can be used for benign or malicious activity. It’s important to baseline your environment to determine the amount of noise to expect from this tool.
==== Rule query
sequence by host.id with maxspan=30s
  [network where process.pid == 4 and network.direction == "incoming" and destination.port in (5985, 5986) and
     network.protocol == "http" and not source.address in ("::1", "127.0.0.1")]
  [process where event.type == "start" and process.parent.name : "winrshost.exe" and
     not process.name : "conhost.exe"]
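Both this rule and the PowerShell remoting rule above are two-stage EQL sequences joined on `host.id` with a 30 second `maxspan`: an incoming HTTP connection to 5985/5986 from a non-loopback address, followed by a process start under the remoting host (winrshost.exe here, wsmprovhost.exe for PowerShell remoting) that is not conhost.exe. The following is an added example, not Elastic's code or part of this page, that re-implements that join in plain Python over a handful of constructed events so the two stages and the maxspan expiry can be inspected. Field names follow ECS as used in the queries; the host ids, addresses and timestamps are constructed, and `match_sequence` is a simplification of EQL's sequence semantics (each event advances at most one partial sequence per key).

```python
"""Added example (not Elastic's code): a small in-memory version of the EQL
`sequence by host.id with maxspan=30s` join used by the WinRM remote shell and
PowerShell remoting rules, run over constructed sample events."""
from datetime import datetime, timedelta

LOOPBACK = {"127.0.0.1", "::1"}
WINRM_PORTS = {5985, 5986}


def is_incoming_winrm(ev, system_pid_only=False):
    """Stage 1: an incoming HTTP connection to a WinRM port that did not come
    from loopback. The WinRM rule additionally requires process.pid == 4, the
    System process that owns the HTTP.sys listener."""
    if system_pid_only and ev.get("process.pid") != 4:
        return False
    return (ev.get("event.category") == "network"
            and ev.get("network.direction") == "incoming"
            and ev.get("destination.port") in WINRM_PORTS
            and ev.get("network.protocol") == "http"
            and ev.get("source.address") not in LOOPBACK)


def is_remote_shell_child(ev, parent_name):
    """Stage 2: a process start whose parent is the remote shell host, ignoring
    conhost.exe, which is spawned for every console process and would be noise."""
    return (ev.get("event.category") == "process"
            and ev.get("event.type") == "start"
            and ev.get("process.parent.name", "").lower() == parent_name
            and ev.get("process.name", "").lower() != "conhost.exe")


def match_sequence(events, key, stages, maxspan):
    """Simplified EQL sequence: events are grouped by `key`, must satisfy the
    stage predicates in order, and the whole chain must fit inside `maxspan`
    measured from the first event. Each event advances at most one partial
    sequence. Returns a list of tuples, one per completed sequence."""
    pending = {}
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        partials = pending.setdefault(ev.get(key), [])
        # drop partial chains whose first event is now older than maxspan
        partials[:] = [p for p in partials
                       if ev["@timestamp"] - p[0]["@timestamp"] <= maxspan]
        consumed = False
        for p in partials:
            if stages[len(p)](ev):
                p.append(ev)
                consumed = True
                if len(p) == len(stages):
                    matches.append(tuple(p))
                    partials.remove(p)
                break
        if not consumed and stages[0](ev):
            partials.append([ev])
    return matches


def winrm_remote_shell_alerts(events):
    """Incoming Execution via WinRM Remote Shell."""
    return match_sequence(events, "host.id",
                          [lambda e: is_incoming_winrm(e, system_pid_only=True),
                           lambda e: is_remote_shell_child(e, "winrshost.exe")],
                          timedelta(seconds=30))


def powershell_remoting_alerts(events):
    """Incoming Execution via PowerShell Remoting."""
    return match_sequence(events, "host.id",
                          [is_incoming_winrm,
                           lambda e: is_remote_shell_child(e, "wsmprovhost.exe")],
                          timedelta(seconds=30))


T0 = datetime(2021, 3, 1, 12, 0, 0)  # constructed timestamp base


def _net(host, src, port, offset):
    return {"@timestamp": T0 + timedelta(seconds=offset), "host.id": host,
            "event.category": "network", "network.direction": "incoming",
            "network.protocol": "http", "destination.port": port,
            "source.address": src, "process.pid": 4}


def _proc(host, name, parent, offset):
    return {"@timestamp": T0 + timedelta(seconds=offset), "host.id": host,
            "event.category": "process", "event.type": "start",
            "process.name": name, "process.parent.name": parent}


# Constructed sample events; host ids and addresses are made up.
SAMPLE_EVENTS = [
    _net("host-a", "10.0.0.5", 5985, 0),                 # remote WinRM connection ...
    _proc("host-a", "conhost.exe", "winrshost.exe", 4),  # ... conhost is filtered out ...
    _proc("host-a", "cmd.exe", "winrshost.exe", 5),      # ... shell child 5s later: alert
    _net("host-b", "127.0.0.1", 5985, 0),                # loopback source: stage 1 never fires
    _proc("host-b", "cmd.exe", "winrshost.exe", 5),
    _net("host-c", "10.0.0.9", 5986, 0),                 # PowerShell remoting host instead
    _proc("host-c", "powershell.exe", "wsmprovhost.exe", 10),
    _net("host-d", "10.0.0.7", 5985, 0),                 # child 45s later: outside maxspan
    _proc("host-d", "cmd.exe", "winrshost.exe", 45),
]

if __name__ == "__main__":
    for name, fn in (("WinRM remote shell", winrm_remote_shell_alerts),
                     ("PowerShell remoting", powershell_remoting_alerts)):
        for net, proc in fn(SAMPLE_EVENTS):
            print(f"{name}: {net['host.id']} {net['source.address']} -> "
                  f"{proc['process.parent.name']} spawned {proc['process.name']}")
```

Only host-a fires the WinRM rule and only host-c the PowerShell remoting rule; host-b is suppressed by the loopback exclusion and host-d by the 30 second window. The same matcher shape applies to the other `sequence by ... with maxspan` rules on this page (shim database installation, lateral tool transfer, launch agent loading) by swapping the key field and the stage predicates.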
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Lateral Movement
  - ID: TA0008
  - Reference URL: https://attack.mitre.org/tactics/TA0008/
- Technique:
  - Name: Remote Services
  - ID: T1021
  - Reference URL: https://attack.mitre.org/techniques/T1021/
==== Rule version history
- Version 2 (7.12.0 release)
  - Formatting only
=== InstallUtil Process Making Network Connections
Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
- logs-windows.*
Severity: medium
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Defense Evasion
Version: 3 (version history)
Added (Elastic Stack release): 7.10.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */
sequence by process.entity_id
  [process where event.type in ("start", "process_started") and process.name : "installutil.exe"]
  [network where process.name : "installutil.exe" and network.direction == "outgoing"]
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Signed Binary Proxy Execution
  - ID: T1218
  - Reference URL: https://attack.mitre.org/techniques/T1218/
==== Rule version history
- Version 3 (7.12.0 release)
  - Formatting only
- Version 2 (7.11.0 release)
  - Formatting only
=== Installation of Custom Shim Databases
Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
- logs-windows.*
Severity: medium
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Persistence
Version: 3 (version history)
Added (Elastic Stack release): 7.10.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
sequence by process.entity_id with maxspan = 5m
  [process where event.type in ("start", "process_started") and
     not (process.name : "sdbinst.exe" and process.parent.name : "msiexec.exe")]
  [registry where event.type in ("creation", "change") and
     registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb"]
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Event Triggered Execution
  - ID: T1546
  - Reference URL: https://attack.mitre.org/techniques/T1546/
==== Rule version history
- Version 3 (7.12.0 release)
  - Updated query, changed from:
    sequence by process.entity_id with maxspan=5m [process where event.type in ("start", "process_started") and not (process.name : "sdbinst.exe" and process.parent.name : "msiexec.exe")] [registry where event.type in ("creation", "change") and wildcard(registry.path, "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb")]
- Version 2 (7.11.0 release)
  - Formatting only
=== Installation of Security Support Provider
Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Persistence
Version: 3 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
registry where
  registry.path : ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages*",
                   "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages*") and
  not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Boot or Logon Autostart Execution
  - ID: T1547
  - Reference URL: https://attack.mitre.org/techniques/T1547/
==== Rule version history
- Version 3 (7.12.0 release)
  - Formatting only
- Version 2 (7.11.2 release)
  - Formatting only
=== Interactive Terminal Spawned via Perl
Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.
Rule type: query
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- Execution
Version: 6 (version history)
Added (Elastic Stack release): 7.8.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
event.category:process and event.type:(start or process_started) and process.name:perl and process.args:("exec \"/bin/sh\";" or "exec \"/bin/dash\";" or "exec \"/bin/bash\";")
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Execution
  - ID: TA0002
  - Reference URL: https://attack.mitre.org/tactics/TA0002/
- Technique:
  - Name: Command and Scripting Interpreter
  - ID: T1059
  - Reference URL: https://attack.mitre.org/techniques/T1059/
==== Rule version history
- Version 6 (7.12.0 release)
  - Formatting only
- Version 5 (7.11.2 release)
  - Formatting only
- Version 4 (7.10.0 release)
  - Formatting only
- Version 3 (7.9.1 release)
  - Formatting only
- Version 2 (7.9.0 release)
  - Updated query, changed from:
    event.action:executed and process.name:perl and process.args:("exec \"/bin/sh\";" or "exec \"/bin/dash\";" or "exec \"/bin/bash\";")
=== Interactive Terminal Spawned via Python
Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.
Rule type: query
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- Execution
Version: 6 (version history)
Added (Elastic Stack release): 7.8.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
event.category:process and event.type:(start or process_started) and process.name:python and process.args:("import pty; pty.spawn(\"/bin/sh\")" or "import pty; pty.spawn(\"/bin/dash\")" or "import pty; pty.spawn(\"/bin/bash\")")
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Execution
  - ID: TA0002
  - Reference URL: https://attack.mitre.org/tactics/TA0002/
- Technique:
  - Name: Command and Scripting Interpreter
  - ID: T1059
  - Reference URL: https://attack.mitre.org/techniques/T1059/
==== Rule version history
- Version 6 (7.12.0 release)
  - Formatting only
- Version 5 (7.11.2 release)
  - Formatting only
- Version 4 (7.10.0 release)
  - Formatting only
- Version 3 (7.9.1 release)
  - Formatting only
- Version 2 (7.9.0 release)
  - Updated query, changed from:
    event.action:executed and process.name:python and process.args:("import pty; pty.spawn(\"/bin/sh\")" or "import pty; pty.spawn(\"/bin/dash\")" or "import pty; pty.spawn(\"/bin/bash\")")
=== Kerberos Cached Credentials Dumping
Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.
Rule type: query
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- macOS
- Threat Detection
- Credential Access
Version: 3 (version history)
Added (Elastic Stack release): 7.10.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
event.category:process and event.type:(start or process_started) and process.name:kcc and process.args:copy_cred_cache
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: OS Credential Dumping
  - ID: T1003
  - Reference URL: https://attack.mitre.org/techniques/T1003/
==== Rule version history
- Version 3 (7.12.0 release)
  - Formatting only
- Version 2 (7.11.2 release)
  - Formatting only
=== Kerberos Traffic from Unusual Process
Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally generates Kerberos traffic from a domain-joined host is lsass.exe.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Credential Access
Version: 3 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
HTTP traffic on a non-standard port. Verify that the destination IP address is not related to a Domain Controller.
==== Rule query
network where event.type == "start" and network.direction == "outgoing" and
  destination.port == 88 and source.port >= 49152 and
  process.executable != "C:\\Windows\\System32\\lsass.exe" and
  destination.address != "127.0.0.1" and destination.address != "::1" and
  /* insert False Positives here */
  not process.name in ("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe",
                       "MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe",
                       "opera.exe", "firefox.exe")
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: Steal or Forge Kerberos Tickets
  - ID: T1558
  - Reference URL: https://attack.mitre.org/techniques/T1558/
==== Rule version history
- Version 3 (7.12.0 release)
  - Formatting only
- Version 2 (7.11.2 release)
  - Formatting only
Identifies attempts to remove a kernel module. Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system.
Rule type: query
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- Defense Evasion
Version: 7 (version history)
Added (Elastic Stack release): 7.8.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all.
==== Rule query
event.category:process and event.type:(start or process_started) and process.args:((rmmod and sudo) or (modprobe and sudo and ("--remove" or "-r")))
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Impair Defenses
  - ID: T1562
  - Reference URL: https://attack.mitre.org/techniques/T1562/
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Boot or Logon Autostart Execution
  - ID: T1547
  - Reference URL: https://attack.mitre.org/techniques/T1547/
==== Rule version history
- Version 7 (7.12.0 release)
  - Formatting only
- Version 6 (7.11.2 release)
  - Formatting only
- Version 5 (7.11.0 release)
  - Formatting only
- Version 4 (7.10.0 release)
  - Formatting only
- Version 3 (7.9.1 release)
  - Formatting only
- Version 2 (7.9.0 release)
  - Updated query, changed from:
    event.action:executed and process.args:(rmmod and sudo or modprobe and sudo and ("--remove" or "-r"))
=== Keychain Password Retrieval via Command Line
Adversaries may collect keychain storage data from a system in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.
Rule type: query
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- macOS
- Threat Detection
- Credential Access
Version: 1
Added (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
Trusted parent processes accessing their respective application passwords.
==== Rule query
event.category:process and event.type:(start or process_started) and process.name:security and process.args:("find-generic-password" or "find-internet-password")
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: Credentials from Password Stores
  - ID: T1555
  - Reference URL: https://attack.mitre.org/techniques/T1555/
=== LSASS Memory Dump Creation
Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Credential Access
Version: 3 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
event.category:file and file.name:(lsass.DMP or lsass*.dmp or dumpert.dmp or Andrew.dmp or SQLDmpr*.mdmp or Coredump.dmp)
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: OS Credential Dumping
  - ID: T1003
  - Reference URL: https://attack.mitre.org/techniques/T1003/
==== Rule version history
- Version 3 (7.12.0 release)
  - Formatting only
- Version 2 (7.11.2 release)
  - Formatting only
=== Lateral Movement via Startup Folder
Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Lateral Movement
Version: 3 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
file where event.type in ("creation", "change") and
  /* via RDP TSClient mounted share or SMB */
  (process.name : "mstsc.exe" or process.pid == 4) and
  file.path : "C:\\*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*"
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Lateral Movement
  - ID: TA0008
  - Reference URL: https://attack.mitre.org/tactics/TA0008/
- Technique:
  - Name: Remote Services
  - ID: T1021
  - Reference URL: https://attack.mitre.org/techniques/T1021/
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Boot or Logon Autostart Execution
  - ID: T1547
  - Reference URL: https://attack.mitre.org/techniques/T1547/
==== Rule version history
- Version 3 (7.12.0 release)
  - Formatting only
- Version 2 (7.11.2 release)
  - Formatting only
Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Lateral Movement
Version: 2 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
sequence by host.id with maxspan=30s
  [network where event.type == "start" and process.pid == 4 and destination.port == 445 and
     network.direction == "incoming" and network.transport == "tcp" and
     source.address != "127.0.0.1" and source.address != "::1"] by process.entity_id
  /* add more executable extensions here if they are not noisy in your environment */
  [file where event.type in ("creation", "change") and process.pid == 4 and
     file.extension : ("exe", "dll", "bat", "cmd")] by process.entity_id
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Lateral Movement
  - ID: TA0008
  - Reference URL: https://attack.mitre.org/tactics/TA0008/
- Technique:
  - Name: Lateral Tool Transfer
  - ID: T1570
  - Reference URL: https://attack.mitre.org/techniques/T1570/
==== Rule version history
- Version 2 (7.12.0 release)
  - Formatting only
=== Launch Agent Creation or Modification and Immediate Loading
An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.
Rule type: eql
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- macOS
- Threat Detection
- Persistence
Version: 2 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
Trusted applications persisting via LaunchAgent
==== Rule query
sequence by host.id with maxspan=1m
  [file where event.type != "deletion" and
     file.path : ("/System/Library/LaunchAgents/*", "/Library/LaunchAgents/*", "/Users/*/Library/LaunchAgents/*")]
  [process where event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"]
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Create or Modify System Process
  - ID: T1543
  - Reference URL: https://attack.mitre.org/techniques/T1543/
==== Rule version history
- Version 2 (7.12.0 release)
  - Formatting only
=== LaunchDaemon Creation or Modification and Immediate Loading
Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence.
Rule type: eql
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- macOS
- Threat Detection
- Persistence
Version: 2 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
Trusted applications persisting via LaunchDaemons
==== Rule query
sequence by host.id with maxspan=1m
  [file where event.type != "deletion" and
     file.path : ("/System/Library/LaunchDaemons/*", "/Library/LaunchDaemons/*")]
  [process where event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"]
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Create or Modify System Process
  - ID: T1543
  - Reference URL: https://attack.mitre.org/techniques/T1543/
==== Rule version history
- Version 2 (7.12.0 release)
  - Formatting only
=== Local Scheduled Task Commands
A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Persistence
Version: 7 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
Legitimate scheduled tasks may be created during installation of new software.
==== Rule query
event.category:process and event.type:(start or process_started) and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Scheduled Task/Job
  - ID: T1053
  - Reference URL: https://attack.mitre.org/techniques/T1053/
==== Rule version history
- Version 7 (7.12.0 release)
  - Formatting only
- Version 6 (7.11.2 release)
  - Formatting only
- Version 5 (7.10.0 release)
  - Formatting only
- Version 4 (7.9.1 release)
  - Formatting only
- Version 3 (7.9.0 release)
  - Updated query, changed from:
    event.action:"Process Create (rule: ProcessCreate)" and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)
- Version 2 (7.7.0 release)
  - Updated query, changed from:
    event.action:"Process Create (rule: ProcessCreate)" and process.name:schtasks.exe and process.args:("/create" or "-create" or "/S" or "-s" or "/run" or "-run" or "/change" or "-change")
Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Lateral Movement
Version: 8 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Rule query
event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)
==== Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Lateral Movement
  - ID: TA0008
  - Reference URL: https://attack.mitre.org/tactics/TA0008/
- Technique:
  - Name: Remote Services
  - ID: T1021
  - Reference URL: https://attack.mitre.org/techniques/T1021/
==== Rule version history
- Version 8 (7.12.0 release)
  - Formatting only
- Version 7 (7.11.2 release)
  - Formatting only
- Version 6 (7.11.0 release)
  - Formatting only
- Version 5 (7.10.0 release)
  - Formatting only
- Version 4 (7.9.1 release)
  - Formatting only
- Version 3 (7.9.0 release)
  - Updated query, changed from:
    event.action:"Process Create (rule: ProcessCreate)" and process.name:sc.exe and process.args:(config or create or failure or start)
- Version 2 (7.7.0 release)
  - Updated query, changed from:
    event.action:"Process Create (rule: ProcessCreate)" and process.name:sc.exe and process.args:("create" or "config" or "failure" or "start")
=== MFA Disabled for Google Workspace Organization
Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.
Rule type: query
Rule indices:
- filebeat-*
- logs-google_workspace*
Severity: medium
Risk score: 47
Runs every: 10 minutes
Searches indices from: now-130m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Cloud
- Google Workspace
- Continuous Monitoring
- SecOps
- Identity and Access
Version: 3 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
==== Potential false positives
MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
==== Investigation guide
## Config
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information.
  - https://support.google.com/a/answer/7061566
  - https://www.elastic.co/guide/en/beats/filebeat/7.12/filebeat-module-google_workspace.html
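As an added configuration example (not from the Elastic docs or the Filebeat module's own files), this is what the lowered polling interval recommended in the guide above looks like in the Filebeat module configuration for the `admin` fileset that this rule reads from. The credential file path and delegated account are placeholders; `var.interval` is the module variable named in the guide, with the 2h default shown commented out beside the 10m value.

```yaml
# Added example: modules.d/google_workspace.yml for Filebeat (not the page's own config).
# Lowering var.interval from the 2h default keeps new admin events well inside
# this rule's 130 minute lookback instead of surfacing them up to two hours late.
- module: google_workspace
  admin:
    enabled: true
    var.jwt_file: /etc/filebeat/google-workspace-credentials.json   # placeholder path
    var.delegated_account: workspace-audit@example.com               # placeholder account
    # var.interval: 2h     # default: each poll of the reporting API is up to 2 hours apart
    var.interval: 10m      # poll every 10 minutes, matching the rule's run interval
```

The interval only shortens the collector's polling delay; the lag between an event happening and it appearing in Google's reporting API (minutes to days per the guide) is outside the module's control, so a longer rule lookback remains the second half of the mitigation.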
==== Rule query
event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and gsuite.admin.new_value:false
==== Rule version history
- Version 3 (7.12.0 release)
  - Formatting only
- Version 2 (7.11.2 release)
  - Formatting only