Merge branch 'main' into terrancedejesus/issue5189

Author: terrancedejesus

rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml

@@ -0,0 +1,146 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/10/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when an administrator has manually confirmed a user or sign-in as compromised in Microsoft Entra ID
+Protection. This indicates that an administrator has reviewed the risk detection and determined that the user account or
+sign-in activity is definitively compromised. This is a high-confidence indicator of account compromise and should be
+investigated immediately.
+"""
+false_positives = [
+    """
+    Administrators may mark accounts as compromised during security testing or incident response exercises. If this is
+    expected behavior in your environment, consider adjusting the rule or adding exceptions for specific test accounts.
+    """,
+]
+from = "now-9m"
+index = ["logs-azure.identity_protection-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Entra ID Protection Admin Confirmed Compromise"
+note = """## Triage and analysis
+
+This rule detects when an administrator has manually confirmed a user or sign-in as compromised in Microsoft Entra ID Protection. This is a critical security event that requires immediate investigation and response.
+
+### Possible investigation steps
+
+- Review the `azure.identityprotection.properties.risk_detail` field to determine if the compromise was confirmed at the sign-in level (`adminConfirmedSigninCompromised`) or user level (`adminConfirmedUserCompromised`).
+- Check the `azure.identityprotection.properties.user_principal_name` field to identify the compromised user account.
+- Review the `azure.identityprotection.properties.user_display_name` field for additional user identification information.
+- Examine the `azure.identityprotection.properties.risk_level` field to understand the severity level assigned to the risk event.
+- Check the `azure.identityprotection.properties.risk_state` field to verify the current state of the risk (should be confirmed as compromised).
+- Review the `azure.correlation_id` field to correlate this event with other related security events, including the original risk detections that led to the admin confirmation.
+- Investigate the timeline of events leading up to the admin confirmation by reviewing Entra ID sign-in logs and audit logs for the affected user.
+- Check for any suspicious activities associated with the user account, including:
+    - Unusual sign-in locations or IP addresses
+    - Access to sensitive resources or applications
+    - Changes to user profile, permissions, or MFA settings
+    - Bulk email sending or data exfiltration activities
+- Review the `azure.identityprotection.properties.additional_info` field for any additional context provided by the administrator or Entra ID Protection.
+- Identify which administrator confirmed the compromise by reviewing Entra ID audit logs for risk state changes.
+
+### False positive analysis
+
+- Security testing or penetration testing exercises may result in administrators confirming test accounts as compromised. If this is expected behavior, consider excluding specific test accounts or implementing a testing account naming convention to filter.
+- Incident response drills or tabletop exercises may involve marking accounts as compromised for training purposes. Coordinate with security teams to identify planned exercises.
+
+### Response and remediation
+
+- Immediately reset the password for the compromised user account and require the user to set a new password upon next sign-in.
+- Revoke all active sessions and authentication tokens for the compromised account, including:
+    - Primary refresh tokens (PRTs)
+    - OAuth tokens
+    - Session cookies
+    - Application-specific passwords
+- Review and revoke any suspicious OAuth consent grants or application permissions added by the compromised account.
+- Enable or enforce multi-factor authentication (MFA) for the affected user account if not already enabled.
+- Review all activities performed by the compromised account, including:
+    - Email forwarding rules or inbox rules
+    - File access and downloads
+    - Changes to security settings or permissions
+    - Creation of new users or service principals
+- Assess the scope of the compromise by identifying any lateral movement or privilege escalation activities.
+- Consider disabling the account temporarily until the investigation is complete and all remediation steps are verified.
+- Implement conditional access policies to prevent future compromises, such as requiring MFA from untrusted locations or blocking legacy authentication.
+- Review and strengthen identity protection policies and risk-based conditional access rules.
+- Document the incident, including the timeline, scope of compromise, and remediation actions taken.
+- Conduct a post-incident review to identify gaps in security controls and implement improvements to prevent similar incidents.
+"""
+references = [
+    "https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk",
+    "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks",
+    "https://learn.microsoft.com/en-us/graph/api/resources/riskdetection",
+]
+risk_score = 99
+rule_id = "a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890"
+setup = """#### Required Microsoft Entra ID Protection Logs
+To use this rule, ensure that Microsoft Entra ID Protection logs are being collected and streamed into the Elastic Stack via the Azure integration.
+"""
+severity = "critical"
+tags = [
+    "Domain: Cloud",
+    "Domain: Identity",
+    "Data Source: Azure",
+    "Data Source: Entra ID",
+    "Data Source: Entra ID Protection Logs",
+    "Use Case: Identity and Access Audit",
+    "Use Case: Threat Detection",
+    "Tactic: Initial Access",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: azure.identity_protection and
+    azure.identityprotection.properties.risk_detail: (
+        "adminConfirmedSigninCompromised" or
+        "adminConfirmedUserCompromised"
+    )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "event.action",
+    "azure.identityprotection.properties.risk_detail",
+    "azure.identityprotection.properties.risk_level",
+    "azure.identityprotection.properties.risk_state",
+    "azure.identityprotection.properties.risk_event_type",
+    "azure.identityprotection.properties.risk_type",
+    "azure.identityprotection.properties.user_principal_name",
+    "azure.identityprotection.properties.user_display_name",
+    "azure.identityprotection.properties.user_id",
+    "azure.identityprotection.properties.ip_address",
+    "azure.identityprotection.properties.activity",
+    "azure.identityprotection.properties.additional_info",
+    "azure.identityprotection.properties.correlation_id",
+    "azure.correlation_id",
+    "source.ip",
+]
+
+

rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/10/01"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/01"
+updated_date = "2025/10/15"
 
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ This rule highlights sudo invoked with the chroot (-R/--chroot) option outside n
 - Extract the chroot target path from the event and enumerate its etc and lib directories for attacker-seeded NSS artifacts (nsswitch.conf, libnss_*, ld.so.preload) and fake passwd/group files, noting recent mtime, ownership, and world-writable files.
 - Pivot to file-creation and modification telemetry to identify processes and users that populated that path shortly before execution (e.g., curl, wget, tar, git, gcc), linking them to the invoking user to establish intent.
 - Review session and process details to see if a shell or interpreter was launched inside the chroot and whether an euid transition to 0 occurred, indicating a successful privilege escalation.
-- Confirm sudo’s package version and build options and the user’s sudoers policy (secure_path/env_* settings and any NOPASSWD allowances) to assess exploitability and whether chroot usage was authorized.
+- Confirm sudo's package version and build options and the user’s sudoers policy (secure_path/env_* settings and any NOPASSWD allowances) to assess exploitability and whether chroot usage was authorized.
 - Collect and preserve the chroot directory contents and relevant audit/log artifacts, and scope by searching for similar chroot invocations or NSS file seeds across the host and fleet.
 
 ### False positive analysis
@@ -105,7 +105,7 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "start", "executed", "process_started", "ProcessRollup2") and
-process.name == "sudo" and process.args in ("-R", "--chroot") and
+process.name == "sudo" and process.args like ("-R", "--chroot*") and
 // To enforce the -R and --chroot arguments to be for sudo specifically, while wildcarding potential full sudo paths
 process.command_line like ("*sudo -R*", "*sudo --chroot*") 
 '''