## Config

The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

### Important Information Regarding Google Workspace Event Lag Times

- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information.
  - https://support.google.com/a/answer/7061566
  - https://www.elastic.co/guide/en/beats/filebeat/7.12/filebeat-module-google_workspace.html

==== Rule query

event.dataset:(gsuite.admin or google_workspace.admin) and
event.provider:admin and event.category:iam and
event.action:(ADD_PRIVILEGE or UPDATE_ROLE)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Halfbaked Command and Control Beacon

Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected.

==== Investigation guide

This activity has been observed in FIN7 campaigns.

==== Rule query

event.category:(network OR network_traffic) AND network.protocol:http
AND network.transport:tcp AND
url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/
AND destination.port:(53 OR 80 OR 8080 OR 443)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Hex Encoding/Decoding Activity

Identifies attempts to encode and decode data, a technique adversaries can use to evade detection by host- or network-based security controls.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 7 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values.

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:(hexdump or od or xxd)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== High Number of Okta User Password Reset or Unlock Attempts

Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their target’s environment and evade detection.

Rule type: threshold

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule.

==== Investigation guide

The Okta Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and
event.action:(system.email.account_unlock.sent_message or
system.email.password_reset.sent_message or
system.sms.send_account_unlock_message or
system.sms.send_password_reset_message or
system.voice.send_account_unlock_call or
system.voice.send_password_reset_call or user.account.unlock_token)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== High Number of Process and/or Service Terminations

This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period. This may indicate a defense evasion attempt.

Rule type: threshold

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:start and process.name:(net.exe
or sc.exe or taskkill.exe) and process.args:(stop or pause or delete
or "/PID" or "/IM" or "/T" or "/F" or "/t" or "/f" or "/im" or "/pid")

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Hosts File Modified

The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

For Windows systems using Auditbeat, this rule requires adding C:/Windows/System32/drivers/etc as an additional path in the file_integrity module of auditbeat.yml.

==== Rule query

event.category:file and event.type:(change or creation) and
file.path:("/private/etc/hosts" or "/etc/hosts" or
"C:\Windows\System32\drivers\etc\hosts")

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Hping Process Activity

Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 7 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon.

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:(hping or hping2 or hping3)

==== Rule version history

=== IIS HTTP Logging Disabled

Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 33

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
(process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe)
and process.args:/dontLog\:\"True\" and not
process.parent.name:iissetup.exe

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== IPSEC NAT Traversal Port Activity

Detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 7 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded.

==== Rule query

event.category:(network or network_traffic) and network.transport:udp
and destination.port:4500

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== IRC (Internet Relay Chat) Protocol Activity to the Internet

Detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 8 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule’s conditions.

==== Rule query

event.category:(network or network_traffic) and network.transport:tcp
and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and
source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not
destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or
172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or "::1" or "FE80::/10"
or "FF00::/8" )

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Image File Execution Options Injection

The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 41

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

registry where length(registry.data.strings) > 0 and registry.path :
("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File
Execution Options\\*.exe\\Debugger",
"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows
NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows
NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess") and /*
add FPs here */ not registry.data.strings : ("C:\\Program
Files*\\ThinKiosk\\thinkiosk.exe", "*\\PSAppDeployToolkit\\*")

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== ImageLoad via Windows Update Auto Update Client

Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

process where event.type in ("start", "process_started") and
(process.pe.original_file_name == "wuauclt.exe" or process.name :
"wuauclt.exe") and /* necessary windows update client args to load
a dll */ process.args : "/RunHandlerComServer" and process.args :
"/UpdateDeploymentProvider" and /* common paths writeable by a
standard user where the target DLL can be placed */ process.args :
("C:\\Users\\*.dll", "C:\\ProgramData\\*.dll",
"C:\\Windows\\Temp\\*.dll", "C:\\Windows\\Tasks\\*.dll")

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Inbound Connection to an Unsecure Elasticsearch Node

Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy.

==== Investigation guide

This rule requires the addition of port 9200 and send_all_headers to the HTTP protocol configuration in packetbeat.yml. See the References section for additional configuration documentation.

==== Rule query

event.category:network_traffic AND network.protocol:http AND status:OK
AND destination.port:9200 AND network.direction:inbound AND NOT
http.response.headers.content-type:"image/x-icon" AND NOT
_exists_:http.request.headers.authorization

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Incoming DCOM Lateral Movement via MSHTA

Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evading detection.

Rule type: eql

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

sequence with maxspan=1m [process where event.type in ("start",
"process_started") and process.name : "mshta.exe" and
process.args : "-Embedding" ] by host.id, process.entity_id
[network where event.type == "start" and process.name : "mshta.exe"
and network.direction == "incoming" and network.transport ==
"tcp" and source.port > 49151 and destination.port > 49151 and
not source.address in ("127.0.0.1", "::1") ] by host.id,
process.entity_id

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Incoming DCOM Lateral Movement with MMC

Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.

Rule type: eql

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

sequence by host.id with maxspan=1m [network where event.type ==
"start" and process.name : "mmc.exe" and source.port >= 49152 and
destination.port >= 49152 and source.address not in ("127.0.0.1",
"::1") and network.direction == "incoming" and network.transport ==
"tcp" ] by process.entity_id [process where event.type in ("start",
"process_started") and process.parent.name : "mmc.exe" ] by
process.parent.entity_id

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows

Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

sequence by host.id with maxspan=5s [network where event.type ==
"start" and process.name : "explorer.exe" and network.direction ==
"incoming" and network.transport == "tcp" and source.port > 49151
and destination.port > 49151 and not source.address in ("127.0.0.1",
"::1") ] by process.entity_id [process where event.type in ("start",
"process_started") and process.parent.name : "explorer.exe" ] by
process.parent.entity_id

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Incoming Execution via PowerShell Remoting

Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It’s important to baseline your environment to determine the amount of noise to expect from this tool.

==== Rule query

sequence by host.id with maxspan = 30s [network where
network.direction == "incoming" and destination.port in (5985, 5986)
and network.protocol == "http" and source.address != "127.0.0.1"
and source.address != "::1" ] [process where event.type ==
"start" and process.parent.name : "wsmprovhost.exe" and not
process.name : "conhost.exe"]

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Incoming Execution via WinRM Remote Shell

Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

WinRM is a dual-use protocol that can be used for benign or malicious activity. It’s important to baseline your environment to determine the amount of noise to expect from this tool.

==== Rule query

sequence by host.id with maxspan=30s [network where process.pid ==
4 and network.direction == "incoming" and destination.port in
(5985, 5986) and network.protocol == "http" and not source.address in
("::1", "127.0.0.1") ] [process where event.type == "start" and
process.parent.name : "winrshost.exe" and not process.name :
"conhost.exe"]

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== InstallUtil Process Making Network Connections

Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

/* the benefit of doing this as an eql sequence vs kql is this will
limit to alerting only on the first network connection */ sequence by
process.entity_id [process where event.type in ("start",
"process_started") and process.name : "installutil.exe"] [network
where process.name : "installutil.exe" and network.direction ==
"outgoing"]

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Installation of Custom Shim Databases

Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

sequence by process.entity_id with maxspan = 5m [process where
event.type in ("start", "process_started") and not (process.name :
"sdbinst.exe" and process.parent.name : "msiexec.exe")] [registry
where event.type in ("creation", "change") and registry.path :
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb"]

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Installation of Security Support Provider

Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

registry where registry.path :
("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages*",
"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security
Packages*") and not process.executable :
("C:\\Windows\\System32\\msiexec.exe",
"C:\\Windows\\SysWOW64\\msiexec.exe")

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Interactive Terminal Spawned via Perl

Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 6 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:perl and process.args:("exec \"/bin/sh\";" or "exec
\"/bin/dash\";" or "exec \"/bin/bash\";")

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Interactive Terminal Spawned via Python

Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 6 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:python and process.args:("import pty;
pty.spawn(\"/bin/sh\")" or "import pty; pty.spawn(\"/bin/dash\")" or
"import pty; pty.spawn(\"/bin/bash\")")

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Kerberos Cached Credentials Dumping

Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:kcc and process.args:copy_cred_cache

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Kerberos Traffic from Unusual Process

Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller.

==== Rule query

network where event.type == "start" and network.direction ==
"outgoing" and destination.port == 88 and source.port >= 49152 and
process.executable != "C:\\Windows\\System32\\lsass.exe" and
destination.address !="127.0.0.1" and destination.address !="::1" and
/* insert False Positives here */ not process.name in ("swi_fc.exe",
"fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe",
"MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe",
"opera.exe", "firefox.exe")

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Kernel Module Removal

Identifies attempts to remove a kernel module. Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 7 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all.

==== Rule query

event.category:process and event.type:(start or process_started) and
process.args:((rmmod and sudo) or (modprobe and sudo and ("--remove"
or "-r")))

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Keychain Password Retrieval via Command Line

Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Trusted parent processes accessing their respective application passwords.

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:security and process.args:("find-generic-password" or
"find-internet-password")

==== Threat mapping

Framework: MITRE ATT&CK^TM

=== LSASS Memory Dump Creation

Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:file and file.name:(lsass.DMP or lsass*.dmp or
dumpert.dmp or Andrew.dmp or SQLDmpr*.mdmp or Coredump.dmp)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Lateral Movement via Startup Folder

Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.

Rule type: eql

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

file where event.type in ("creation", "change") and /* via RDP
TSClient mounted share or SMB */ (process.name : "mstsc.exe" or
process.pid == 4) and file.path : "C:\\*\\Microsoft\\Windows\\Start
Menu\\Programs\\Startup\\*"

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Lateral Tool Transfer

Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

sequence by host.id with maxspan=30s [network where event.type ==
"start" and process.pid == 4 and destination.port == 445 and
network.direction == "incoming" and network.transport == "tcp" and
source.address != "127.0.0.1" and source.address != "::1" ] by
process.entity_id /* add more executable extensions here if they are
not noisy in your environment */ [file where event.type in
("creation", "change") and process.pid == 4 and file.extension :
("exe", "dll", "bat", "cmd")] by process.entity_id

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Launch Agent Creation or Modification and Immediate Loading

An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.

Rule type: eql

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Trusted applications persisting via LaunchAgent

==== Rule query

sequence by host.id with maxspan=1m [file where event.type !=
"deletion" and file.path : ("/System/Library/LaunchAgents/*",
"/Library/LaunchAgents/*", "/Users/*/Library/LaunchAgents/*") ]
[process where event.type in ("start", "process_started") and
process.name == "launchctl" and process.args == "load"]

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== LaunchDaemon Creation or Modification and Immediate Loading

Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence.

Rule type: eql

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Trusted applications persisting via LaunchDaemons

==== Rule query

sequence by host.id with maxspan=1m [file where event.type !=
"deletion" and file.path in ("/System/Library/LaunchDaemons/*", "
/Library/LaunchDaemons/*")] [process where event.type in ("start",
"process_started") and process.name == "launchctl" and process.args ==
"load"]

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Local Scheduled Task Commands

A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 7 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Legitimate scheduled tasks may be created during installation of new software.

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:schtasks.exe and process.args:(-change or -create or -run
or -s or /S or /change or /create or /run)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Local Service Commands

Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 8 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:sc.exe and process.args:(config or create or failure or
start)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== MFA Disabled for Google Workspace Organization

Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 10 minutes

Searches indices from: now-130m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.

==== Investigation guide