[Detection Rules] Add 7.10 rules - v3 (elastic#82214)
brokensound77 committed Nov 3, 2020
1 parent 5e8bc17 commit 7868a16
Showing 33 changed files with 365 additions and 638 deletions.
Expand Up @@ -8,10 +8,10 @@
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"language": "eql",
"license": "Elastic License",
"name": "Network Connection via Certutil",
"query": "event.category:network and event.type:connection and process.name:certutil.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
"query": "sequence by process.entity_id\n [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
"risk_score": 21,
"rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8",
"severity": "low",
Expand Down Expand Up @@ -39,6 +39,6 @@
]
}
],
"type": "query",
"type": "eql",
"version": 4
}
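Review bot: The converted sequence on the new query line only fires when the certutil.exe start event was itself ingested, so a process that started before collection began (or whose start event was dropped) never alerts on its later non-private connection, whereas the replaced KQL query fired on the network event alone; that coverage change is worth recording in the rule's description. The process stage matches `event.type == "start"` only, while the other EQL rules in this commit (InstallUtil, Unusual Network Activity, RunDLL32) use `event.type in ("start", "process_started")`; for consistency I would write `[process where event.type in ("start", "process_started") and process.name : "certutil.exe"]`. The sequence also carries no `with maxspan`, unlike the 5m bound on Unusual Network Activity, so a start event can pair with a connection made arbitrarily later — presumably deliberate, but confirm. In the second hunk `"version": 4` is left as context although the query language and rule type changed; if rule versions are not bumped elsewhere at release time, existing installations will not pick up the new query. The same points apply to the Network Connection via Signed Binary, Command Prompt Network Connection, Network Connection via Compiled HTML File, MsBuild Making Network Connections and Network Connection via MsXsl sections below.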
Expand Up @@ -11,7 +11,7 @@
"language": "eql",
"license": "Elastic License",
"name": "InstallUtil Process Making Network Connections",
"query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n [network where event.type == \"connection\" and process.name : \"installutil.exe\" and network.direction == \"outgoing\"]\n",
"query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n [network where process.name : \"installutil.exe\" and network.direction == \"outgoing\"]\n",
"risk_score": 21,
"rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf",
"severity": "medium",
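Review bot: With `event.type == "connection"` removed from the network stage, that stage now relies only on process.name and `network.direction == "outgoing"`; the latter is a case-sensitive exact match, so if one of the rule's sources (the index list lies above this hunk) labels direction with a different value, that source silently never completes the sequence — confirm the value against both winlogbeat and endpoint data. The comment embedded in the query still says the sequence limits alerting to the first network connection, but without an event.type filter the stage also admits whatever other network event types the sources emit, so whether that still holds depends on the data. Since the filter was presumably dropped on purpose, I would say why in the query comment, e.g. `/* no event.type filter here: connection events are not labelled uniformly across sources */`, so the next reader does not reintroduce it.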
Expand Up @@ -8,10 +8,10 @@
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"language": "eql",
"license": "Elastic License",
"name": "Network Connection via Signed Binary",
"query": "event.category:network and event.type:connection and process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
"query": "sequence by process.entity_id\n [process where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
"risk_score": 21,
"rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
"severity": "low",
Expand Down Expand Up @@ -54,6 +54,6 @@
]
}
],
"type": "query",
"type": "eql",
"version": 5
}

This file was deleted.

This file was deleted.

Expand Up @@ -11,7 +11,7 @@
"language": "eql",
"license": "Elastic License",
"name": "Unusual Network Activity from a Windows System Binary",
"query": "sequence by process.entity_id with maxspan=5m\n [process where event.type in (\"start\", \"process_started\") and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where event.type == \"connection\" and\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n",
"query": "sequence by process.entity_id with maxspan=5m\n [process where event.type in (\"start\", \"process_started\") and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n",
"risk_score": 21,
"rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a",
"severity": "medium",
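Review bot: The two twenty-entry process.name lists in the new query must stay identical for the sequence to pair correctly, and nothing in the file says so; editing one list and not the other would silently drop coverage for that binary in one stage. I would extend the existing `/* known applocker bypasses */` comment with `/* keep this list identical to the one in the network stage below */`. Dropping `event.type == "connection"` from the network stage widens it to any network event type for those processes; the 5m maxspan bounds the pairing, but whether end-of-connection events can now also complete the sequence depends on the sources and is worth confirming.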

This file was deleted.

Expand Up @@ -11,7 +11,7 @@
"language": "eql",
"license": "Elastic License",
"name": "Unusual Child Processes of RunDLL32",
"query": "sequence with maxspan=1h\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n (process.name : \"rundll32.exe\" /* or process.pe.original_file_name == \"RUNDLL32.EXE\" */ ) and\n process.args_count < 2\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n (process.name : \"rundll32.exe\" /* or process.pe.original_file_name == \"RUNDLL32.EXE\" */ )\n ] by process.parent.entity_id\n",
"query": "sequence with maxspan=1h\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n (process.name : \"rundll32.exe\" /* or process.pe.original_file_name == \"RUNDLL32.EXE\" */ ) and\n process.args_count < 2\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n",
"risk_score": 21,
"rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5",
"severity": "high",
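Review bot: The second stage of the new query now keys only on `process.parent.name : "rundll32.exe"`, while the first stage still carries the `/* uncomment once in winlogbeat */` fallback to process.pe.original_file_name; if that fallback is ever enabled, the parent stage has no equivalent, so the two stages would identify rundll32 by different criteria. I would record that in the query, e.g. `/* parent stage matches by name only; mirror any original_file_name check added above */`, so the stale-looking comment is not silently left half-applied.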

This file was deleted.

Expand Up @@ -11,10 +11,10 @@
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"language": "eql",
"license": "Elastic License",
"name": "Command Prompt Network Connection",
"query": "event.category:network and event.type:connection and process.name:cmd.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
"query": "sequence by process.entity_id\n [process where process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
"risk_score": 21,
"rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
"severity": "low",
Expand Down Expand Up @@ -57,6 +57,6 @@
]
}
],
"type": "query",
"type": "eql",
"version": 5
}
Expand Up @@ -8,10 +8,10 @@
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"language": "eql",
"license": "Elastic License",
"name": "Network Connection via Compiled HTML File",
"query": "event.category:network and event.type:connection and process.name:hh.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
"query": "sequence by process.entity_id\n [process where process.name : \"hh.exe\" and event.type == \"start\"]\n [network where process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
"risk_score": 21,
"rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
"severity": "low",
Expand Down Expand Up @@ -54,6 +54,6 @@
]
}
],
"type": "query",
"type": "eql",
"version": 5
}
Expand Up @@ -8,10 +8,10 @@
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"language": "eql",
"license": "Elastic License",
"name": "MsBuild Making Network Connections",
"query": "event.category:network and event.type:connection and process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or \"::1\")",
"query": "sequence by process.entity_id\n [process where process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
"risk_score": 47,
"rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
"severity": "medium",
Expand Down Expand Up @@ -39,6 +39,6 @@
]
}
],
"type": "query",
"type": "eql",
"version": 5
}

This file was deleted.

Expand Up @@ -8,10 +8,10 @@
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"language": "eql",
"license": "Elastic License",
"name": "Network Connection via MsXsl",
"query": "event.category:network and event.type:connection and process.name:msxsl.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
"query": "sequence by process.entity_id\n [process where process.name : \"msxsl.exe\" and event.type == \"start\"]\n [network where process.name : \"msxsl.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
"risk_score": 21,
"rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5",
"severity": "low",
Expand Down Expand Up @@ -39,6 +39,6 @@
]
}
],
"type": "query",
"type": "eql",
"version": 4
}
