[Security Rules] Update security rules package to v0.16.2 #3191

Merged
merged 3 commits into from
Apr 25, 2022
5 changes: 5 additions & 0 deletions packages/security_detection_engine/changelog.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
# newer versions go on top
# NOTE: please use pre-release versions (e.g. -dev.0) until a package is ready for production
- changes:
- description: Release security rules update
link: https://github.com/elastic/integrations/pulls/0000
type: enhancement
version: 0.16.2
- changes:
- description: Release security rules update
link: https://github.com/elastic/integrations/pull/2709
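Review bot: The new changelog entry's `link` is a placeholder, `https://github.com/elastic/integrations/pulls/0000`, and it also uses the path segment `/pulls/` where the existing entry directly below uses `/pull/` (`https://github.com/elastic/integrations/pull/2709`). Before merge, point it at this PR with the same path form as the other entries, i.e. `link: https://github.com/elastic/integrations/pull/3191`.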
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Potential Credential Access via Windows Utilities",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
"references": [
"https://lolbas-project.github.io/"
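Review bot: The `query` context line in this hunk has an `and`/`or` precedence problem: in EQL `and` binds tighter than `or`, so `event.type in ("start", "process_started") and (procdump ...) or (ProcessDump.exe ...) or ...` only restricts the first `procdump` alternative to process-start events, while every later alternative (`WriteMiniDump.exe`, `RUNDLL32.EXE`, `RdrLeakDiag.exe`, `SqlDumper.exe`, `TTTracer.exe`, `ntdsutil.exe`, `diskshadow.exe`) matches any process event type. Wrap the whole `or` chain in one set of parentheses, e.g. `process where event.type in ("start", "process_started") and (` ... `)`, so the event-type filter applies to all of them. The same shape appears in the "Potential DLL Side-Loading via Microsoft Antimalware Service Executable" query (`event.type == "start" and (...) or (...)`) and in the "Remote System Discovery Commands" query (`... and (nbtstat.exe ...) or (arp.exe ...)`) further down in this PR; none of these lines is changed here, so it is a fix for the upstream rule text rather than this diff.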
Expand Down Expand Up @@ -58,7 +59,7 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 5
"version": 6
},
"id": "00140285-b827-4aee-aa09-8113f58a08f3",
"type": "security-rule"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
"language": "eql",
"license": "Elastic License v2",
"name": "System Shells via Services",
"note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from\nadministrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree).\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to\nservice activities (for example, 4697 and/or 7045).\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check for similar behavior in other hosts on the environment.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive\n(B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).\n- Delete the service or restore it to the original configuration.\n- Investigate the initial attack vector.\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n \n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n",
"risk_score": 47,
"rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
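Review bot: Typo in the added `note`: "Look for registry changes events" should read "registry change events". The remediation list in the same string also ends with three consecutive newlines (`\n\n\n## Config`) where the other notes in this PR use two; trim it to `\n\n## Config` so the rendered Markdown spacing is consistent across rules.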
Expand Down Expand Up @@ -50,7 +51,7 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 10
"version": 11
},
"id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
"type": "security-rule"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
"license": "Elastic License v2",
"max_signals": 33,
"name": "Potential Cookies Theft via Browser Debugging",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\", \n \"--remote-debugging-targets=*\", \n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n",
"references": [
"https://github.com/defaultnamehere/cookie_crimes",
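Review bot: The `## Config` wording "add a custom pipeline to populate `event.ingested` to @timestamp" reads backwards; the pipeline copies the value of `@timestamp` into `event.ingested`, so "populate `event.ingested` from `@timestamp`" is clearer, and `@timestamp` should be in backticks like `event.ingested`. This sentence is pasted verbatim into every rule that gains a Config note in this PR, so the correction should be made once in the source text rather than per file.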
Expand Down Expand Up @@ -56,7 +57,7 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
"version": 2
},
"id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
"type": "security-rule"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Potential Credential Access via DuplicateHandle in LSASS",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "process where event.code == \"10\" and \n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n",
"references": [
"https://github.com/CCob/MirrorDump"
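Review bot: The added `note` only covers the `event.ingested` fallback, but the `query` in this hunk depends on Sysmon-style ProcessAccess data (`event.code == "10"` together with `winlog.event_data.GrantedAccess` and `winlog.event_data.CallTrace`), which standard Windows Security auditing does not produce. Since the note is the place users look for data-source requirements, add a short line stating that Sysmon Event ID 10 (ProcessAccess) logging is required for this rule to fire.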
Expand Down Expand Up @@ -52,7 +53,7 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
"version": 3
},
"id": "02a4576a-7480-4284-9327-548a806b5e48",
"type": "security-rule"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "High Number of Process and/or Service Terminations",
"note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated\nwith business applications and databases to release the lock on files used by these applications so they may be encrypted,\nor stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same\nhost within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree).\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Confirm whether the account owner is aware of the operation, and why it was performed.\n- Investigate other alerts related to the user/host in the last 48 hours.\n- Check for similar behavior in other hosts on the environment.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Reset the password of the involved accounts.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look\nfor ransomware preparation and execution activities.\n",
"query": "event.category:process and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")\n",
"risk_score": 47,
"rule_id": "035889c4-2686-4583-a7df-67f89c292f2c",
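Review bot: The added `note` hard-codes the threshold, "a high number (10) of service and/or process terminations", which duplicates the `"value": 10` setting shown in the next hunk and will go stale if the threshold is tuned; phrase it as "a number of terminations at or above the rule threshold (currently 10)" or refer to the threshold setting instead. Also, the first investigation step says "Investigate the script execution chain" although the rule matches `net.exe`, `sc.exe` and `taskkill.exe` process starts; "process execution chain" matches the query and the wording used in the other notes in this PR.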
Expand Down Expand Up @@ -48,7 +49,7 @@
"value": 10
},
"type": "threshold",
"version": 3
"version": 4
},
"id": "035889c4-2686-4583-a7df-67f89c292f2c",
"type": "security-rule"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"author": [
"Elastic"
],
"description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using Roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure Active Directory identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.",
"description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.",
"from": "now-25m",
"index": [
"filebeat-*",
Expand Down Expand Up @@ -54,7 +54,7 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
},
"id": "04c5a96f-19c5-44fd-9571-a0b033f9086f",
"type": "security-rule"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "process where event.type == \"start\" and\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n",
"references": [
"https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"
Expand Down Expand Up @@ -57,7 +58,7 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
"version": 3
},
"id": "053a0387-f3b5-4ba5-8245-8002cca2bd08",
"type": "security-rule"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
"license": "Elastic License v2",
"max_signals": 33,
"name": "Microsoft IIS Service Account Password Dumped",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and \n process.args : \"/list\" and process.args : \"/text*password\"\n",
"references": [
"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"
Expand Down Expand Up @@ -47,7 +48,7 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 4
"version": 5
},
"id": "0564fb9d-90b9-4234-a411-82a546dc1343",
"type": "security-rule"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Conhost Spawned By Suspicious Parent Process",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"svchost.exe\", \"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\",\n \"dllhost.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\",\n \"wermgr.exe\", \"csrss.exe\", \"ctfmon.exe\")\n",
"references": [
"https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"
Expand Down Expand Up @@ -46,7 +47,7 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 4
"version": 5
},
"id": "05b358de-aa6d-4f6c-89e6-78f74018b43b",
"type": "security-rule"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Remote System Discovery Commands",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\")\n",
"risk_score": 21,
"rule_id": "0635c542-1b96-4335-9b47-126582d2c19a",
Expand Down Expand Up @@ -43,7 +44,7 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 3
"version": 4
},
"id": "0635c542-1b96-4335-9b47-126582d2c19a",
"type": "security-rule"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Potential Evasion via Filter Manager",
"note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
"query": "process where event.type in (\"start\", \"process_started\") and \n process.name : \"fltMC.exe\" and process.args : \"unload\"\n",
"risk_score": 47,
"rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
Expand Down Expand Up @@ -50,7 +51,7 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 8
"version": 9
},
"id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
"type": "security-rule"
Expand Down