Merge remote-tracking branch 'upstream/main' into cli/export-rule

README.md

@@ -12,8 +12,10 @@ This repository was first announced on Elastic's blog post, [Elastic Security op
 ## Table of Contents
 - [Overview of this repository](#overview-of-this-repository)
 - [Getting started](#getting-started)
+- [Red Team Automation](rta)
 - [How to contribute](#how-to-contribute)
 - [Licensing](#licensing)
+- [Questions? Problems? Suggestions?](#questions-problems-suggestions)
 
 
 ## Overview of this repository

rta/README.md

@@ -0,0 +1,25 @@
+## Red Team Automation
+
+[![Supported Python versions](https://img.shields.io/badge/python-3.7+-yellow.svg)](https://www.python.org/downloads/)
+[![Chat](https://img.shields.io/badge/chat-%23security--detection--rules-blueviolet)](https://ela.st/slack)
+
+The repo comes with some red team automation ([RTA](./)) python scripts that run on Windows, Mac OS, and \*nix. 
+RTA scripts emulate known attacker behaviors and are an easy way too verify that your rules are active and working as expected.
+
+```console
+$   python -m rta -h
+usage: rta [-h] ttp_name
+
+positional arguments:
+  ttp_name
+
+optional arguments:
+  -h, --help  show this help message and exit
+```
+`ttp_name` can be found in the [rta](.) directory. For example to execute `./rta/wevtutil_log_clear.py` script, run command:
+
+```console
+$ python -m rta wevtutil_log_clear
+```
+
+Most of the RTA scripts contain a comment with the rule name, in `signal.rule.name`, that maps to the Kibana Detection Signals.

rta/certutil_file_obfuscation.py

@@ -5,6 +5,7 @@
 # Name: Certutil Encode / Decode
 # RTA: certutil_file_obfuscation.py
 # ATT&CK: T1140
+# signal.rule.name: Encoding or Decoding Files via CertUtil
 # Description: Uses certutil to create an encoded copy of cmd.exe. Then uses certutil to decode that copy.
 
 import os

rta/delete_bootconf.py

@@ -5,6 +5,7 @@
 # Name: Boot Config Deletion With bcdedit
 # RTA: delete_bootconf.py
 # ATT&CK: T1107
+# signal.rule.name: Modification of Boot Configuration
 # Description: Uses bcdedit.exe to backup the current boot configuration, and then to delete the current boot
 #  configuration, finally restoring the original.
 

rta/delete_usnjrnl.py

@@ -5,6 +5,7 @@
 # Name: USN Journal Deletion with fsutil.exe
 # RTA: delete_usnjrnl.py
 # ATT&CK: T1107
+# signal.rule.name: Delete Volume USN Journal with Fsutil
 # Description: Uses fsutil to delete the USN journal.
 
 import time

rta/delete_volume_shadows.py

@@ -4,6 +4,8 @@
 
 # Name: Volume Shadow Copy Deletion with vssadmin and wmic
 # RTA: delete_volume_shadow.py
+# signal.rule.name: Volume Shadow Copy Deletion via VssAdmin
+# ELastic Detection: Volume Shadow Copy Deletion via WMIC
 # ATT&CK: T1107
 # Description: Uses both vssadmin.exe and wmic.exe to delete volumne shadow copies.
 

rta/disable_windows_fw.py

@@ -5,6 +5,7 @@
 # Name: Disable Windows Firewall
 # RTA: disable_windows_fw.py
 # ATT&CK: T1089
+# signal.rule.name: Disable Windows Firewall Rules via Netsh
 # Description: Uses netsh.exe to backup, disable and restore firewall rules.
 
 import os

rta/installutil_network.py

@@ -5,6 +5,8 @@
 # Name: Network Traffic from InstallUtil
 # RTA: installutil_network.py
 # ATT&CK: T1118
+# Elastic detection: InstallUtil Process Making Network Connections
+# Elastic detection: Unusual Network Activity from a Windows System Binary
 # Description: Uses mock .NET malware and InstallUtil to create network activity from InstallUtil.
 
 import os

rta/lateral_commands.py

@@ -4,6 +4,9 @@
 
 # Name: Lateral Movement Commands
 # RTA: lateral_commands.py
+# Elatic Detection: Local Service Commands
+# signal.rule.name: Local Scheduled Task Commands
+# signal.rule.name: Whoami Process Activity
 # ATT&CK: T1021, T1047, T1077, T1124, T1126
 # Description: Runs various Windows commands typically used by attackers to move laterally from the local machine.
 

rta/msbuild_network.py

@@ -5,6 +5,8 @@
 # Name: MsBuild with Network Activity
 # RTA: msbuild_network.py
 # ATT&CK: T1127
+# signal.rule.name: Microsoft Build Engine Started an Unusual Process
+# signal.rule.name: Trusted Developer Application Usage
 # Description: Generates network traffic from msbuild.exe
 
 from . import common

rta/net_user_add.py

@@ -5,6 +5,7 @@
 # Name: Create User with net.exe
 # RTA: net_user_add.py
 # ATT&CK: T1136
+# signal.rule.name: User Account Creation
 # Description: Adds an account to the local host using the net.exe command
 
 from . import common

rta/powershell_from_script.py

@@ -4,6 +4,7 @@
 
 # Name: PowerShell Launched from Script
 # RTA: powershell_from_script.py
+# signal.rule.name: Windows Script Executing PowerShell
 # ATT&CK: T1064, T1192, T1193
 # Description: Creates a javascript file that will launch powershell.
 

rta/process_name_masquerade.py

@@ -4,6 +4,7 @@
 
 # Name: Windows Core Process Masquerade
 # RTA: process_name_masquerade.py
+# signal.rule.name: Unusual Parent-Child Relationship
 # ATT&CK: T1036
 # Description: Creates several processes which mimic core Windows process names but that are not those executables.
 

rta/registry_persistence_create.py

@@ -4,6 +4,8 @@
 
 # Name: Registry persistence creation
 # RTA: registry_persistence_create.py
+# signal.rule.name: Local Service Commands
+# signal.rule.name: Potential Modification of Accessibility Binaries
 # ATT&CK: T1015, T1103
 # Description: Creates registry persistence for mock malware in Run and RunOnce keys, Services, NetSH and debuggers.
 

rta/registry_rdp_enable.py

@@ -4,6 +4,7 @@
 
 # Name: Enable RDP Through Registry
 # RTA: registry_rdp_enable.py
+# signal.rule.name: Potential Modification of Accessibility Binaries
 # ATT&CK: T1076
 # Description: Identifies registry write modification to enable RDP access.
 

rta/rundll32_inf_callback.py

@@ -4,6 +4,8 @@
 
 # Name: RunDll32 with .inf Callback
 # RTA: rundll32_inf_callback.py
+# signal.rule.name: Local Service Commands
+# signal.rule.name: Potential Modification of Accessibility Binaries
 # ATT&CK: T1105
 # Description: Loads RunDll32 with a suspicious .inf file that makes a local http GET
 

rta/rundll32_javascript_callback.py

@@ -4,6 +4,8 @@
 
 # Name: RunDLL32 Javascript Callback
 # RTA: rundll32_javascript_callback.py
+# signal.rule.name: Local Service Commands
+# signal.rule.name: Potential Modification of Accessibility Binaries
 # ATT&CK: T1085
 # Description: Executes javascript code with an AJAX call via RunDll32.exe
 

rta/schtask_escalation.py

@@ -4,6 +4,10 @@
 
 # Name: Scheduled Task Privilege Escalation
 # RTA: schtask_escalation.py
+# signal.rule.name: Local Scheduled Task Commands
+# signal.rule.name: Whoami Process Activity
+# signal.rule.name: Svchost spawning Cmd
+# signal.rule.name: Net command via SYSTEM account
 # ATT&CK: T1053
 
 import os

rta/settingcontentms_files.py

@@ -4,6 +4,8 @@
 
 # Name: Abusing SettingContent-ms Files
 # RTA: settingcontentms_files.py
+# signal.rule.name: Potential Modification of Accessibility Binaries
+# signal.rule.name: Local Service Commands
 # ATT&CK: T1193, T1204, T1064
 # Description: SettingContent-ms file written to specific path or by risky process
 

rta/sticky_keys_write_execute.py

@@ -4,6 +4,9 @@
 
 # Name: Overwrite Accessibiity Binaries
 # RTA: sticky_keys_write_execute.py
+# signal.rule.name: Potential Modification of Accessibility Binaries
+# signal.rule.name: Local Service Commands
+# signal.rule.name: Persistence via TelemetryController Scheduled Task Hijack
 # ATT&CK: T1015
 # Description: Writes different binaries into various accessibility locations.
 

rta/suspicious_office_children.py

@@ -4,6 +4,7 @@
 
 # Name: Emulate Suspect MS Office Child Processes
 # RTA: suspect_office_children.py
+# signal.rule.name: Suspicious MS Office Child Process
 # ATT&CK: T1064
 # Description: Generates network traffic various children processes from emulated Office processes.
 

rta/suspicious_powershell_download.py

@@ -4,6 +4,7 @@
 
 # Name: Suspicious PowerShell Download
 # RTA: suspicious_powershell_download.py
+# signal.rule.name: Suspicious MS Office Child Process
 # ATT&CK: T1086
 # Description: PowerShell using DownloadString or DownloadFile in suspicious context
 

rta/suspicious_wscript_parent.py

@@ -4,6 +4,7 @@
 
 # Name: Suspicious WScript parent
 # RTA: suspicious_wscript_parent.py
+# signal.rule.name: Suspicious MS Outlook Child Process
 # ATT&CK: T1064, T1192, T1193
 # Description: WScript run with suspicious parent processes
 

rta/unusual_parent_child.py

@@ -4,6 +4,7 @@
 
 # Name: Invalid Process Trees in Windows
 # RTA: unusual_parent_child.py
+# signal.rule.name: Unusual Parent-Child Relationship
 # ATT&CK: T1093
 # Description: Runs several Windows core processes directly, instead of from the proper parent in Windows.
 

rta/werfault_persistence.py

@@ -4,6 +4,7 @@
 
 # Name: WerFault.exe Persistence
 # RTA: werfault_persistence.py
+# signal.rule.name: Process Potentially Masquerading as WerFault
 # ATT&CK: T1112
 # Description: Sets an executable to run when WerFault is run with -rp flags and runs it
 

rta/wevtutil_log_clear.py

@@ -4,6 +4,7 @@
 
 # Name: Clearing Windows Event Logs
 # RTA: wevutil_log_clear.py
+# signal.rule.name: Clearing Windows Event Logs
 # ATT&CK: T1070
 # Description: Uses the native Windows Event utility to clear the Security, Application and System event logs.
 

rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml → rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml

@@ -1,32 +1,32 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2020/12/17"
+updated_date = "2021/01/19"
 
 [rule]
 author = ["Elastic"]
 description = """
-An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning
-user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application
-with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism
-on their own malware to make sure they're able to execute in elevated contexts in the future.
+An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the
+owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in
+an application with the setuid or setgid bit to get code running in a different user’s context. Additionally,
+adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the
+future.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "lucene"
 license = "Elastic License"
 max_signals = 33
-name = "Setuid Bit Set via chmod"
+name = "Setuid / Setgid Bit Set via chmod"
 risk_score = 21
 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
+tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"]
 type = "query"
 
 query = '''
-event.category:process AND event.type:(start or process_started) AND process.name:chmod AND
-  process.args:(u+s OR /4[0-9]{3}/) AND
-  NOT user.name:root
+event.category:process AND event.type:(start OR process_started) AND process.name:chmod AND
+  process.args:("+s" OR "u+s" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/)
 '''
 
 

rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/04"
 maturity = "production"
-updated_date = "2020/12/22"
+updated_date = "2021/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -23,11 +23,11 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
  (
-  (process.name in ("rm", "echo") and wildcard(process.args, ".bash_history", "/root/.bash_history", "/home/*/.bash_history")) or
-  (process.name == "history" and process.args == "-c") or
-  (process.name == "export" and process.args in ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
-  (process.name == "unset" and process.args == "HISTFILE") or
-  (process.name == "set" and process.args == "history" and process.args == "+o")
+  (process.name : ("rm", "echo") and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history")) or
+  (process.name : "history" and process.args : "-c") or
+  (process.name : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
+  (process.name : "unset" and process.args : "HISTFILE") or
+  (process.name : "set" and process.args : "history" and process.args : "+o")
  )
 '''
 

rules/linux/defense_evasion_timestomp_touch.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2021/01/21"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ type = "eql"
 
 query = '''
 process where event.type in ("start", "process_started") and
- process.name == "touch" and wildcard(process.args, "-r", "-t", "-a*","-m*")
+ process.name : "touch" and process.args : ("-r", "-t", "-a*","-m*")
 '''
 
 
@@ -43,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1070/006/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-