fixed references; linted

terrancedejesus · terrancedejesus · commit f536d6e5c3cd · 2025-07-23T19:10:43.000-04:00
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
@@ -43,7 +43,7 @@
         "TargetLogonId": "keyword",
         "TargetProcessGUID": "keyword",
         "TargetSid": "keyword",
-      	"SchemaFriendlyName": "keyword",
+        "SchemaFriendlyName": "keyword",
         "Resource": "keyword",
         "RpcCallClientLocality": "keyword",
         "PrivilegeList": "keyword",
@@ -207,5 +207,17 @@
   "logs-okta*": {
     "okta.debug_context.debug_data.flattened.requestedScopes": "keyword",
     "okta.debug_context.debug_data.flattened.grantType": "keyword"
+  },
+  "logs-network_traffic.http*": {
+    "data_stream.dataset": "keyword",
+    "url.path": "keyword",
+    "http.request.referrer": "keyword",
+    "http.request.headers.content-type": "keyword",
+    "network.direction": "keyword",
+    "http.request.method": "keyword",
+    "request": "keyword",
+    "http.request.body.bytes": "long",
+    "http.request.body.content": "keyword",
+    "http.response.headers.server": "keyword"
   }
 }
diff --git a/rules/network/execution_potential_rce_via_toolshell.toml b/rules/network/execution_potential_rce_via_toolshell.toml
@@ -7,24 +7,28 @@ updated_date = "2025/07/23"
 [rule]
 author = ["Elastic"]
 description = """
-Detects potential remote code execution (RCE) attempts targeting IIS web servers running SharePoint via malicious VIEWSTATE payloads in HTTP POST requests. Attackers may exploit insecure deserialization in the VIEWSTATE parameter to execute arbitrary code. This rule identifies suspicious requests containing VIEWSTATE data and other indicators of exploitation, specifically those associated with the Toolshell exploit chain. Toolshell leverages vulnerabilities (CVE-2025-53770 and CVE-2025-53771) for initial access, enabling adversaries to deploy a webshell, steal machine keys, sign VIEWSTATE payloads offline, and subsequently send signed payloads to the server to achieve code execution.
+Detects potential remote code execution (RCE) attempts targeting IIS web servers running SharePoint via malicious
+VIEWSTATE payloads in HTTP POST requests. Attackers may exploit insecure deserialization in the VIEWSTATE parameter to
+execute arbitrary code. This rule identifies suspicious requests containing VIEWSTATE data and other indicators of
+exploitation, specifically those associated with the Toolshell exploit chain. Toolshell leverages vulnerabilities
+(CVE-2025-53770 and CVE-2025-53771) for initial access, enabling adversaries to deploy a webshell, steal machine keys,
+sign VIEWSTATE payloads offline, and subsequently send signed payloads to the server to achieve code execution.
 """
 from = "now-9m"
 index = ["logs-network_traffic.http*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 10
 name = "Potential VIEWSTATE RCE Attempt on SharePoint/IIS"
-reference = [
+references = [
     "https://research.eye.security/sharepoint-under-siege/",
     "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771",
     "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",
-    "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/"
+    "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/",
 ]
 risk_score = 73
 rule_id = "99c9af5a-67cf-11f0-b69e-f661ea17fbcd"
-setup = """
-### Network Traffic Setup
+setup = """### Network Traffic Setup
 
 This rule requires network traffic logs to be collected from HTTP endpoints, focusing on IIS web servers and SharePoint sites. Ensure logging captures HTTP request and response details, including headers and request bodies for POST requests. Monitoring VIEWSTATE content is critical for detecting deserialization attacks.
 """
@@ -38,6 +42,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "query"
+
 query = '''
 data_stream.dataset : "network_traffic.http" and
     network.direction: "ingress" and
@@ -49,15 +54,17 @@ data_stream.dataset : "network_traffic.http" and
     http.response.headers.server: Microsoft-IIS*
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
 
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/network/initial_access_potential_toolshell_exploit_attempt.toml b/rules/network/initial_access_potential_toolshell_exploit_attempt.toml
@@ -1,5 +1,3 @@
-
-
 [metadata]
 creation_date = "2025/05/23"
 integration = ["network_traffic"]
@@ -9,26 +7,25 @@ updated_date = "2025/05/23"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies potential exploitation of CVE-2025-53770 and CVE-2025-53771 in IIS web servers on SharePoint sites.
-Toolshell is an exploit chain that leverages vulnerabilities in SharePoint/IIS to gain unauthorized access
-and execute commands. This rule detects HTTP requests that match specific patterns indicative of the exploit attempt.
+Identifies potential exploitation of CVE-2025-53770 and CVE-2025-53771 in IIS web servers on SharePoint sites. Toolshell
+is an exploit chain that leverages vulnerabilities in SharePoint/IIS to gain unauthorized access and execute commands.
+This rule detects HTTP requests that match specific patterns indicative of the exploit attempt.
 """
 from = "now-9m"
 index = ["logs-network_traffic.http*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 10
 name = "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)"
-reference = [
+references = [
     "https://research.eye.security/sharepoint-under-siege/",
     "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771",
     "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",
-    "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/"
+    "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/",
 ]
 risk_score = 47
 rule_id = "6e4f6446-67ca-11f0-a148-f661ea17fbcd"
-setup = """
-### Network Traffic Setup
+setup = """### Network Traffic Setup
 
 This rule requires network traffic logs to be collected from HTTP endpoints, specifically focusing on IIS web servers. Ensure that your network traffic logging is configured to capture HTTP request and response details, including request and response headers. Additionally, request bodies are necessary for content-type `application/x-www-form-urlencoded` to detect potential exploit attempts.
 """
@@ -42,6 +39,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "query"
+
 query = '''
 data_stream.dataset : "network_traffic.http" and
     url.path: /_layouts*ToolPane.aspx and
@@ -53,15 +51,17 @@ data_stream.dataset : "network_traffic.http" and
     http.request.body.bytes >  5000
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1190"
 name = "Exploit Public-Facing Application"
 reference = "https://attack.mitre.org/techniques/T1190/"
 
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
