Merge branch 'main' into rule-tuning-windows-process-termination-followed-by-deletion

Author: w0rk3r

detection_rules/etc/integration-manifests.json.gz

@@ -79,7 +79,8 @@ def validator(value):
                         'sentinel_one_cloud_funnel',
                         'ti_rapid7_threat_command',
                         'm365_defender',
-                        'panw']
+                        'panw',
+                        'crowdstrike']
 NON_PUBLIC_FIELDS = {
     "related_integrations": (Version.parse('8.3.0'), None),
     "required_fields": (Version.parse('8.3.0'), None),

detection_rules/etc/integration-schemas.json.gz

@@ -8,7 +8,7 @@
 from .connector import Kibana
 from .resources import RuleResource, Signal
 
-__version__ = '0.2.1'
+__version__ = '0.4.1'
 __all__ = (
     "Kibana",
     "RuleResource",

detection_rules/schemas/definitions.py

@@ -242,7 +242,7 @@ def current(cls) -> 'Kibana':
     def verify_space(self, space):
         """Verify a space is valid."""
         spaces = self.get('/api/spaces/space')
-        space_names = [s['name'] for s in spaces]
+        space_names = [s['id'] for s in spaces]
         if space not in space_names:
             raise ValueError(f'Unknown Kibana space: {space}')
 

lib/kibana/kibana/__init__.py

@@ -1,6 +1,6 @@
 [project]
 name = "detection-rules-kibana"
-version = "0.4.0"
+version = "0.4.1"
 description = "Kibana API utilities for Elastic Detection Rules"
 license = {text = "Elastic License v2"}
 keywords = ["Elastic", "Kibana", "Detection Rules", "Security", "Elasticsearch"]

lib/kibana/kibana/connector.py

@@ -0,0 +1,93 @@
+[metadata]
+creation_date = "2024/10/23"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2024/10/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API. 
+While this a recognized functionality in AWS, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges. 
+Role chaining can also be used as a persistence mechanism as each AssumeRole action results in a refreshed session token with a 1 hour maximum duration.
+This rule looks for role chaining activity happening within a single account, to eliminate false positives produced by common cross-account behavior.
+"""
+false_positives = [
+    """
+    Role chaining can be used as an access control. Ensure that this behavior is not part of a legitimate operation before taking action.
+    """,
+]
+from = "now-6m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS STS Role Chaining"
+note = """## Setup
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts",
+    "https://www.uptycs.com/blog/detecting-anomalous-aws-sessions-temporary-credentials",
+    "https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/",
+]
+risk_score = 47
+rule_id = "ba5a0b0c-b477-4729-a3dc-0147c2049cf1"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS STS",
+    "Use Case: Threat Detection",
+    "Tactic: Persistence",
+    "Tactic: Privilege Escalation",
+    "Tactic: Lateral Movement",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail-* metadata _id, _version, _index
+
+// filter for AssumeRole API calls where access key id is a short term token beginning with ASIA
+| where event.dataset == "aws.cloudtrail" and event.provider == "sts.amazonaws.com" and event.action == "AssumeRole" and aws.cloudtrail.resources.account_id == aws.cloudtrail.recipient_account_id and aws.cloudtrail.user_identity.access_key_id like "ASIA*"
+
+// keep only the relevant fields
+| keep aws.cloudtrail.user_identity.arn, cloud.region, aws.cloudtrail.resources.account_id, aws.cloudtrail.recipient_account_id, aws.cloudtrail.user_identity.access_key_id
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"

lib/kibana/pyproject.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/15"
-integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ index = [
     "logs-system.security*",
     "logs-sentinel_one_cloud_funnel.*",
     "logs-m365_defender.event-*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -74,14 +75,6 @@ references = [
 ]
 risk_score = 47
 rule_id = "6aace640-e631-4870-ba8e-5fdda09325db"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
     "Domain: Endpoint",
@@ -95,6 +88,7 @@ tags = [
     "Data Source: SentinelOne",
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: System",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/integrations/aws/privilege_escalation_sts_role_chaining.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/05/10"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -22,6 +22,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -67,6 +68,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: SentinelOne",
     "Data Source: Sysmon",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/collection_email_powershell_exchange_mailbox.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/10/14"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/17"
+updated_date = "2024/10/31"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies potential use of an SSH utility to establish RDP over a reverse SSH T
 enable routing of network packets that would otherwise not reach their intended destination.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Tunneling Detected"
@@ -54,14 +54,6 @@ This rule looks for command lines involving the `3389` port, which RDP uses by d
 references = ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"]
 risk_score = 73
 rule_id = "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "high"
 tags = [
     "Domain: Endpoint",
@@ -75,6 +67,7 @@ tags = [
     "Data Source: SentinelOne",
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: System",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"