diff --git a/linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json b/linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json new file mode 100644 index 0000000..0da3e97 --- /dev/null +++ b/linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json @@ -0,0 +1,133 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious PowerShell execution spawning from Windows Script Host processes (cscript or wscript.exe).", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious PowerShell Execution via Windows Scripts", + "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\") and\n process.parent.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\") and\n (\n process.args_count == 1 or\n process.command_line :\n (\"*^*^*^*^*^*^*^*^*^*\",\n \"*''*''*''*\",\n \"*`*`*`*`*\",\n \"*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*\",\n \"*+*+*+*+*+*\",\n \"*$*$*$*$*\",\n \"*[char[]](*)*-join\",\n \"*Base64String*\",\n \"*[*Convert]*\",\n \"*.Text.Encoding*\",\n \"*.Compression.*\",\n \"*.replace(*\",\n \"*MemoryStream*\",\n \"*WriteAllBytes*\",\n \"* -en* *\",\n \"* -ec *\",\n \"* -e *\",\n \"* -ep *\",\n \"* /e *\",\n \"* /en* *\",\n \"* /ec *\",\n \"* /ep *\",\n \"*WebClient*\",\n \"*DownloadFile*\",\n \"*DownloadString*\",\n \"*BitsTransfer*\",\n \"*Invoke-Exp*\",\n \"*invoke-web*\",\n \"*iex*\",\n \"*iwr*\",\n \"*Reflection.Assembly*\",\n \"*Assembly.GetType*\",\n \"*.Sockets.*\",\n \"*Add-MpPreference*ExclusionPath*\",\n \"*raw.githubusercontent*\")\n ) and\n\n /* many legit powershell commands uses those non shortened execution flags excluding Sync-AppvPublishingServer lolbas */\n not (process.args : (\"-EncodedCommand\", \"Import-Module*\", \"-NonInteractive\") and\n process.args : \"-ExecutionPolicy\" and not process.args : \"Sync-AppvPublishingServer\") and\n\n /* third party installation related FPs */\n not ?process.parent.args : \"?:\\\\Windows\\\\system32\\\\gatherNetworkInfo.vbs\" and\n not (?process.parent.args : \"Microsoft.SystemCenter.ICMPProbe.WithConsecutiveSamples.vbs\" and process.args : \"Get-SCOMAgent\") and\n not (process.command_line : \"*WEBLOGIC_ARGS_CURRENT_1.DATA*\" and ?process.parent.command_line : \"*Impact360*\") and\n not process.args : \"$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers;*\" and\n not process.command_line : (\"*.Access.IdentityReference*win32_SID.SID*\", \"*AGIAbQB4AC0AYQBwAC4AcwAzAC4AdQBzAC0AZQBhAHMAd*\") and\n not (?process.parent.args : \"?:\\\\Users\\\\Prestige\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\\\\KMS_VL_ALL_AIO.cmd -elevated\" and process.command_line : \"*KMS_VL_ALL_AIO.cmd*\") and\n not process.args : \"iwr https://*.s3.us-east-1.amazonaws.com/scripts/Start-SpeedTest.ps1 -UserAgent * -UseBasicParsing | invoke-expression\" and\n not (process.parent.name : \"wscript.exe\" and\n ?process.parent.args : \"C:\\\\Program Files (x86)\\\\Telivy\\\\Telivy Agent\\\\telivy.js\")\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "m365_defender", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2d62889e-e758-4c5e-b57e-c735914ee32a", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: System", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.005", + "name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 101 + }, + "id": "2d62889e-e758-4c5e-b57e-c735914ee32a_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json b/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json new file mode 100644 index 0000000..85d0b7a --- /dev/null +++ b/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json @@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.", + "false_positives": [ + "Legitimate PowerShell scripts that make use of these functions." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Process Injection via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not \n file.directory: (\n \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM\" or\n \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\"\n )\n", + "references": [ + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", + "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.001", + "name": "Dynamic-link Library Injection", + "reference": "https://attack.mitre.org/techniques/T1055/001/" + }, + { + "id": "T1055.002", + "name": "Portable Executable Injection", + "reference": "https://attack.mitre.org/techniques/T1055/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 111 + }, + "id": "2e29e96a-b67c-455a-afe4-de6183431d0d_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json b/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json new file mode 100644 index 0000000..7edc7c4 --- /dev/null +++ b/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json @@ -0,0 +1,133 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish persistence, escalate privileges or perform reconnaisance on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 1, + "name": "Potential Suspicious File Edit", + "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"file_create_event\") and file.extension == \"swp\" and\nfile.path : (\n /* common interesting files and locations */\n \"/etc/.shadow.swp\", \"/etc/.shadow-.swp\", \"/etc/.shadow~.swp\", \"/etc/.gshadow.swp\", \"/etc/.gshadow-.swp\",\n \"/etc/.passwd.swp\", \"/etc/.pwd.db.swp\", \"/etc/.master.passwd.swp\", \"/etc/.spwd.db.swp\", \"/etc/security/.opasswd.swp\",\n \"/etc/.environment.swp\", \"/etc/.profile.swp\", \"/etc/sudoers.d/.*.swp\", \"/etc/ld.so.conf.d/.*.swp\",\n \"/etc/init.d/.*.swp\", \"/etc/.rc.local.swp\", \"/etc/rc*.d/.*.swp\", \"/dev/shm/.*.swp\", \"/etc/update-motd.d/.*.swp\",\n \"/usr/lib/update-notifier/.*.swp\",\n\n /* service, timer, want, socket and lock files */\n \"/etc/systemd/system/.*.swp\", \"/usr/local/lib/systemd/system/.*.swp\", \"/lib/systemd/system/.*.swp\",\n \"/usr/lib/systemd/system/.*.swp\",\"/home/*/.config/systemd/user/.*.swp\", \"/run/.*.swp\", \"/var/run/.*.swp/\",\n\n /* profile and shell configuration files */ \n \"/home/*.profile.swp\", \"/home/*.bash_profile.swp\", \"/home/*.bash_login.swp\", \"/home/*.bashrc.swp\", \"/home/*.bash_logout.swp\",\n \"/home/*.zshrc.swp\", \"/home/*.zlogin.swp\", \"/home/*.tcshrc.swp\", \"/home/*.kshrc.swp\", \"/home/*.config.fish.swp\",\n \"/root/*.profile.swp\", \"/root/*.bash_profile.swp\", \"/root/*.bash_login.swp\", \"/root/*.bashrc.swp\", \"/root/*.bash_logout.swp\",\n \"/root/*.zshrc.swp\", \"/root/*.zlogin.swp\", \"/root/*.tcshrc.swp\", \"/root/*.kshrc.swp\", \"/root/*.config.fish.swp\"\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3728c08d-9b70-456b-b6b8-007c7d246128", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + }, + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "3728c08d-9b70-456b-b6b8-007c7d246128_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json b/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json new file mode 100644 index 0000000..4e93e40 --- /dev/null +++ b/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of PowerShell with suspicious argument values. This behavior is often observed during malware installation leveraging PowerShell.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Windows Powershell Arguments", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"powershell.exe\" and \n (\n process.command_line :\n (\n \"*^*^*^*^*^*^*^*^*^*\",\n \"*`*`*`*`*\",\n \"*+*+*+*+*+*+*\",\n \"*[char[]](*)*-join*\",\n \"*Base64String*\",\n \"*[*Convert]*\",\n \"*.Compression.*\",\n \"*-join($*\",\n \"*.replace*\",\n \"*MemoryStream*\",\n \"*WriteAllBytes*\",\n \"* -enc *\",\n \"* -ec *\",\n \"* /e *\",\n \"* /enc *\",\n \"* /ec *\",\n \"*WebClient*\",\n \"*DownloadFile*\",\n \"*DownloadString*\",\n \"* iex*\",\n \"* iwr*\",\n \"*Reflection.Assembly*\",\n \"*Assembly.GetType*\",\n \"*$env:temp\\\\*start*\",\n \"*powercat*\",\n \"*nslookup -q=txt*\",\n \"*$host.UI.PromptForCredential*\",\n \"*Net.Sockets.TCPClient*\",\n \"*curl *;Start*\",\n \"powershell.exe \\\"<#*\",\n \"*ssh -p *\",\n \"*http*|iex*\",\n \"*@SSL\\\\DavWWWRoot\\\\*.ps1*\",\n \"*.lnk*.Seek(0x*\",\n \"*[string]::join(*\",\n \"*[Array]::Reverse($*\",\n \"* hidden $(gc *\",\n \"*=wscri& set*\",\n \"*http'+'s://*\",\n \"*.content|i''Ex*\",\n \"*//:sptth*\",\n \"*//:ptth*\",\n \"*$*=Get-Content*AppData*.SubString(*$*\",\n \"*=cat *AppData*.substring(*);*$*\"\n ) or\n\n (process.args : \"-c\" and process.args : \"&{'*\") or\n\n (process.args : \"-Outfile\" and process.args : \"Start*\") or\n\n (process.args : \"-bxor\" and process.args : \"0x*\") or\n\n process.args : \"$*$*;set-alias\" or\n\n (process.parent.name : (\"explorer.exe\", \"cmd.exe\") and \n process.command_line : (\"*-encodedCommand*\", \"*Invoke-webrequest*\", \"*WebClient*\", \"*Reflection.Assembly*\"))\n )\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "m365_defender", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "83bf249e-4348-47ba-9741-1202a09556ad", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: System", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 101 + }, + "id": "83bf249e-4348-47ba-9741-1202a09556ad_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json b/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json new file mode 100644 index 0000000..947af9c --- /dev/null +++ b/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via PKEXEC", + "query": "file where host.os.type == \"linux\" and file.path : \"/*GCONV_PATH*\"\n", + "references": [ + "https://seclists.org/oss-sec/2022/q1/80", + "https://haxx.in/files/blasty-vs-pkexec.c" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.007", + "name": "Path Interception by PATH Environment Variable", + "reference": "https://attack.mitre.org/techniques/T1574/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json b/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json new file mode 100644 index 0000000..dd2e3a6 --- /dev/null +++ b/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json @@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential PowerShell Pass-the-Hash/Relay Script", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"NTLMSSPNegotiate\" and (\"NegotiateSMB\" or \"NegotiateSMB2\")) or\n \"4E544C4D53535000\" or\n \"0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50\" or\n \"0x4e,0x54,0x20,0x4c,0x4d\" or\n \"0x53,0x4d,0x42,0x20,0x32\" or\n \"0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38\"\n ) and\n not file.directory : \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\"\n", + "references": [ + "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1", + "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1", + "https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1", + "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1", + "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "951779c2-82ad-4a6c-82b8-296c1f691449", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1557", + "name": "Adversary-in-the-Middle", + "reference": "https://attack.mitre.org/techniques/T1557/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.002", + "name": "Pass the Hash", + "reference": "https://attack.mitre.org/techniques/T1550/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "951779c2-82ad-4a6c-82b8-296c1f691449_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json b/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json new file mode 100644 index 0000000..9150ebb --- /dev/null +++ b/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Invoke-Mimikatz PowerShell Script", + "note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\npowershell.file.script_block_text:(\n (DumpCreds and\n DumpCerts) or\n \"sekurlsa::logonpasswords\" or\n (\"crypto::certificates\" and\n \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n", + "references": [ + "https://attack.mitre.org/software/S0002/", + "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 108 + }, + "id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json b/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json new file mode 100644 index 0000000..4f812c3 --- /dev/null +++ b/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", + "filters": [ + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" + } + } + } + } + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential PowerShell HackTool Script by Function Names", + "note": "## Triage and analysis\n\n### Investigating Potential PowerShell HackTool Script by Function Names\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools.\n- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users.\n\n### Related Rules\n\n- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-UACValue\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or \"New-RelayEnumObject\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-Keystrokes\" or \"New-SOASerialNumberArray\" or \n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-ProcAddress\" or \"Get-ProcessTokenGroup\" or\n \"Get-ProcessTokenPrivilege\" or \"Get-ProcessTokenType\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\" or \"Invoke-BruteForce\" or\n \"Get-PassHints\" or \"Invoke-SessionGopher\" or\n \"Get-LSASecret\" or \"Get-PassHashes\" or\n \"Invoke-WdigestDowngrade\" or \"Get-ChromeDump\" or\n \"Invoke-DomainPasswordSpray\" or \"Get-FoxDump\" or\n \"New-HoneyHash\" or \"Invoke-DCSync\" or\n \"Invoke-PowerDump\" or \"Invoke-SSIDExfil\" or\n \"Invoke-PowerShellTCP\" or \"Add-Exfiltration\" or\n \"Do-Exfiltration\" or \"Invoke-DropboxUpload\" or\n \"Invoke-ExfilDataToGitHub\" or \"Invoke-EgressCheck\" or\n \"Invoke-PostExfil\" or \"Create-MultipleSessions\" or\n \"Invoke-NetworkRelay\" or \"New-GPOImmediateTask\" or\n \"Invoke-WMIDebugger\" or \"Invoke-SQLOSCMD\" or\n \"Invoke-SMBExec\" or \"Invoke-PSRemoting\" or\n \"Invoke-ExecuteMSBuild\" or \"Invoke-DCOM\" or\n \"Invoke-InveighRelay\" or \"Invoke-PsExec\" or\n \"Invoke-SSHCommand\" or \"Find-ActiveUsersWMI\" or\n \"Get-SystemDrivesWMI\" or \"Get-ActiveNICSWMI\" or\n \"Remove-Persistence\" or \"DNS_TXT_Pwnage\" or\n \"Execute-OnTime\" or \"HTTP-Backdoor\" or\n \"Add-ConstrainedDelegationBackdoor\" or \"Add-RegBackdoor\" or\n \"Add-ScrnSaveBackdoor\" or \"Gupt-Backdoor\" or\n \"Invoke-ADSBackdoor\" or \"Add-Persistence\" or\n \"Invoke-ResolverBackdoor\" or \"Invoke-EventLogBackdoor\" or\n \"Invoke-DeadUserBackdoor\" or \"Invoke-DisableMachineAcctChange\" or\n \"Invoke-AccessBinary\" or \"Add-NetUser\" or\n \"Invoke-Schtasks\" or \"Invoke-JSRatRegsvr\" or\n \"Invoke-JSRatRundll\" or \"Invoke-PoshRatHttps\" or\n \"Invoke-PsGcatAgent\" or \"Remove-PoshRat\" or\n \"Install-SSP\" or \"Invoke-BackdoorLNK\" or\n \"PowerBreach\" or \"InstallEXE-Persistence\" or\n \"RemoveEXE-Persistence\" or \"Install-ServiceLevel-Persistence\" or\n \"Remove-ServiceLevel-Persistence\" or \"Invoke-Prompt\" or\n \"Invoke-PacketCapture\" or \"Start-WebcamRecorder\" or\n \"Get-USBKeyStrokes\" or \"Invoke-KeeThief\" or\n \"Get-Keystrokes\" or \"Invoke-NetRipper\" or\n \"Get-EmailItems\" or \"Invoke-MailSearch\" or\n \"Invoke-SearchGAL\" or \"Get-WebCredentials\" or\n \"Start-CaptureServer\" or \"Invoke-PowerShellIcmp\" or\n \"Invoke-PowerShellTcpOneLine\" or \"Invoke-PowerShellTcpOneLineBind\" or\n \"Invoke-PowerShellUdp\" or \"Invoke-PowerShellUdpOneLine\" or\n \"Run-EXEonRemote\" or \"Download-Execute-PS\" or\n \"Out-RundllCommand\" or \"Set-RemoteWMI\" or\n \"Set-DCShadowPermissions\" or \"Invoke-PowerShellWMI\" or\n \"Invoke-Vnc\" or \"Invoke-LockWorkStation\" or\n \"Invoke-EternalBlue\" or \"Invoke-ShellcodeMSIL\" or\n \"Invoke-MetasploitPayload\" or \"Invoke-DowngradeAccount\" or\n \"Invoke-RunAs\" or \"ExetoText\" or\n \"Disable-SecuritySettings\" or \"Set-MacAttribute\" or\n \"Invoke-MS16032\" or \"Invoke-BypassUACTokenManipulation\" or\n \"Invoke-SDCLTBypass\" or \"Invoke-FodHelperBypass\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-EnvBypass\" or\n \"Get-ServiceUnquoted\" or \"Get-ServiceFilePermission\" or\n \"Get-ServicePermission\" or\n \"Enable-DuplicateToken\" or \"Invoke-PsUaCme\" or\n \"Invoke-Tater\" or \"Invoke-WScriptBypassUAC\" or\n \"Invoke-AllChecks\" or \"Find-TrustedDocuments\" or\n \"Invoke-Interceptor\" or \"Invoke-PoshRatHttp\" or\n \"Invoke-ExecCommandWMI\" or \"Invoke-KillProcessWMI\" or\n \"Invoke-CreateShareandExecute\" or \"Invoke-RemoteScriptWithOutput\" or\n \"Invoke-SchedJobManipulation\" or \"Invoke-ServiceManipulation\" or\n \"Invoke-PowerOptionsWMI\" or \"Invoke-DirectoryListing\" or\n \"Invoke-FileTransferOverWMI\" or \"Invoke-WMImplant\" or\n \"Invoke-WMIObfuscatedPSCommand\" or \"Invoke-WMIDuplicateClass\" or\n \"Invoke-WMIUpload\" or \"Invoke-WMIRemoteExtract\" or \"Invoke-winPEAS\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\")\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", + "https://github.com/BC-SECURITY/Empire" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 111 + }, + "id": "cde1bafa-9f01-4f43-a872-605b678968b0_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/linux/clean/credential_access_dumping_keychain_security.json b/linux/clean/kibana/credential_access_dumping_keychain_security.json similarity index 100% rename from linux/clean/credential_access_dumping_keychain_security.json rename to linux/clean/kibana/credential_access_dumping_keychain_security.json diff --git a/linux/clean/defense_evasion_defender_exclusion_via_powershell.json b/linux/clean/kibana/defense_evasion_defender_exclusion_via_powershell.json similarity index 100% rename from linux/clean/defense_evasion_defender_exclusion_via_powershell.json rename to linux/clean/kibana/defense_evasion_defender_exclusion_via_powershell.json diff --git a/linux/clean/securitySolution.chunk.9.js b/linux/clean/kibana/securitySolution.chunk.9.js similarity index 100% rename from linux/clean/securitySolution.chunk.9.js rename to linux/clean/kibana/securitySolution.chunk.9.js