Merge branch 'main' into new-rule-aws-ssm-command-document-creation

Author: terrancedejesus

detection_rules/etc/non-ecs-schema.json

@@ -150,7 +150,8 @@
   "logs-aws.cloudtrail-*": {
     "aws.cloudtrail.flattened.request_parameters.cidrIp": "keyword",
     "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword",
-    "aws.cloudtrail.flattened.request_parameters.roleArn": "keyword"
+    "aws.cloudtrail.flattened.request_parameters.roleArn": "keyword",
+    "aws.cloudtrail.flattened.request_parameters.serialNumber": "keyword"
   },
   "logs-azure.signinlogs-*": {
     "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword"

rules/integrations/aws/impact_iam_deactivate_mfa_device.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/25"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -80,6 +80,7 @@ tags = [
     "Data Source: AWS IAM",
     "Resources: Investigation Guide",
     "Tactic: Impact",
+    "Tactic: Persistence",
 ]
 timestamp_override = "event.ingested"
 type = "query"
@@ -101,4 +102,19 @@ reference = "https://attack.mitre.org/techniques/T1531/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
 
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"

rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml

@@ -0,0 +1,106 @@
+[metadata]
+creation_date = "2024/10/25"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2024/10/25"
+
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a user has assumed a role using a new MFA device. Users can assume a role to obtain temporary credentials and access AWS resources using the AssumeRole API of AWS Security Token Service (STS). 
+While a new MFA device is not always indicative of malicious behavior it should be verified as adversaries can use this technique for persistence and privilege escalation.
+"""
+false_positives = [
+    "AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes and to perform periodic tasks such as data backups, updates, or deployments.",
+]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS STS AssumeRole with New MFA Device"
+note = """## Setup
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
+    "https://github.com/RhinoSecurityLabs/cloudgoat/blob/d5863b80afd082d853f2e8df1955c6393695a4da/scenarios/iam_privesc_by_key_rotation/README.md",
+]
+risk_score = 21
+rule_id = "a22f566b-5b23-4412-880d-c6c957acd321"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS STS",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Privilege Escalation",
+    "Tactic: Persistence",
+    "Tactic: Lateral Movement",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:aws.cloudtrail
+    and event.provider:sts.amazonaws.com
+    and event.action:(AssumeRole or AssumeRoleWithSAML or AssumeRoleWithWebIdentity)
+    and event.outcome:success
+    and user.id:* 
+    and aws.cloudtrail.flattened.request_parameters.serialNumber:*
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.id", "aws.cloudtrail.flattened.request_parameters.serialNumber"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"
+
+

rules/windows/execution_windows_powershell_susp_args.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/09/06"
-integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,8 @@ index = [
     "logs-system.security*",
     "logs-windows.sysmon_operational-*",
     "logs-sentinel_one_cloud_funnel.*",
-    "logs-m365_defender.event-*"
+    "logs-m365_defender.event-*",
+    "logs-crowdstrike.fdr*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -35,7 +36,8 @@ tags = [
     "Data Source: System",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
-    "Data Source: Microsoft Defender for Endpoint"
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Crowdstrike"
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/07/19"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -22,6 +22,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -103,6 +104,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/initial_access_execution_from_inetcache.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/02/14"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -22,6 +22,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -44,15 +45,21 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and  
- process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
-  (process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
-   process.executable : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*")
+  process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
+  (
+    process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
+    process.executable : (
+      "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*",
+      "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"
+    )
+  )
 '''
 
 

rules/windows/initial_access_suspicious_ms_exchange_process.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/03/04"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -28,6 +28,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -52,23 +53,34 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
   process.parent.name : ("UMService.exe", "UMWorkerProcess.exe") and
-    not process.executable :
-              ("?:\\Windows\\System32\\werfault.exe",
-               "?:\\Windows\\System32\\wermgr.exe",
-               "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
-               "?:\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
-               "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
-               "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
-               "D:\\Exchange\\Bin\\UMWorkerProcess.exe",
-               "D:\\Exchange Server\\Bin\\UMWorkerProcess.exe",
-               "E:\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe")
+    not process.executable : (
+          "?:\\Windows\\System32\\werfault.exe",
+          "?:\\Windows\\System32\\wermgr.exe",
+          "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
+          "?:\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+          "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
+          "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
+          "D:\\Exchange\\Bin\\UMWorkerProcess.exe",
+          "D:\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+          "E:\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume?\\Windows\\System32\\werfault.exe",
+          "\\Device\\HarddiskVolume?\\Windows\\System32\\wermgr.exe",
+          "\\Device\\HarddiskVolume?\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume?\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume?\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume?\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume?\\Exchange\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume?\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume?\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe"
+    )
 '''
 
 

rules/windows/initial_access_suspicious_ms_office_child_process.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -23,6 +23,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -92,6 +93,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies suspicious child processes of Microsoft Outlook. These child processe
 phishing activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious MS Outlook Child Process"
@@ -66,16 +66,8 @@ This rule looks for suspicious processes spawned by MS Outlook, which can be the
 """
 risk_score = 21
 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System", "Data Source: Crowdstrike"]
 timestamp_override = "event.ingested"
 type = "eql"