[Detection Rules] Add 7.15 rules

brokensound77 · brokensound77 · commit 8f71fa975e18 · 2021-09-07T12:58:16.000-08:00
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privacy_controls_tcc_database_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privacy_controls_tcc_database_modification.json
@@ -14,7 +14,7 @@
   "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and \n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\"\n",
   "references": [
     "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
-    "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db Modifier.sh",
+    "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh",
     "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8"
   ],
   "risk_score": 47,
@@ -53,5 +53,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 1
+  "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security.json
@@ -20,7 +20,7 @@
   "license": "Elastic License v2",
   "max_signals": 10000,
   "name": "Endpoint Security",
-  "query": "event.kind:alert and event.module:(endpoint and not endgame) and not event.code: behavior\n",
+  "query": "event.kind:alert and event.module:(endpoint and not endgame)\n",
   "risk_score": 47,
   "risk_score_mapping": [
     {
@@ -64,5 +64,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_behavior_protection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_behavior_protection.json
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts
@@ -580,8 +580,7 @@ import rule567 from './defense_evasion_parent_process_pid_spoofing.json';
 import rule568 from './defense_evasion_defender_exclusion_via_powershell.json';
 import rule569 from './defense_evasion_whitespace_padding_in_command_line.json';
 import rule570 from './persistence_webshell_detection.json';
-import rule571 from './elastic_endpoint_security_behavior_protection.json';
-import rule572 from './persistence_via_bits_job_notify_command.json';
+import rule571 from './persistence_via_bits_job_notify_command.json';
 
 export const rawRules = [
   rule1,
@@ -1155,5 +1154,4 @@ export const rawRules = [
   rule569,
   rule570,
   rule571,
-  rule572,
 ];
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin.json
@@ -13,7 +13,7 @@
   "license": "Elastic License v2",
   "name": "Azure Active Directory High Risk Sign-in",
   "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:azure.signinlogs and\n  azure.signinlogs.properties.risk_level_during_signin:high and\n  event.outcome:(success or Success)\n",
+  "query": "event.dataset:azure.signinlogs and\n  (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and\n  event.outcome:(success or Success)\n",
   "references": [
     "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk",
     "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
@@ -49,5 +49,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 2
+  "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_kernel_module_arguments.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_kernel_module_arguments.json
@@ -12,9 +12,6 @@
   "license": "Elastic License v2",
   "machine_learning_job_id": "linux_rare_kernel_module_arguments",
   "name": "Anomalous Kernel Module Activity",
-  "references": [
-    "references"
-  ],
   "risk_score": 21,
   "rule_id": "37b0816d-af40-40b4-885f-bb162b3c88a9",
   "severity": "low",
@@ -50,5 +47,5 @@
     }
   ],
   "type": "machine_learning",
-  "version": 3
+  "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_docker_shortcuts_plist_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_docker_shortcuts_plist_modification.json
@@ -13,7 +13,7 @@
   "name": "Persistence via Docker Shortcut Modification",
   "query": "event.category : file and event.action : modification and \n file.path : /Users/*/Library/Preferences/com.apple.dock.plist and \n not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n",
   "references": [
-    "https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
+    "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
   ],
   "risk_score": 47,
   "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d",
@@ -44,5 +44,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 1
+  "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_finder_sync_plugin_pluginkit.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_finder_sync_plugin_pluginkit.json
@@ -16,7 +16,7 @@
   "name": "Finder Sync Plugin Registered and Enabled",
   "query": "sequence by host.id, user.id with maxspan = 5s\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and process.args : \"-a\"]\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n    process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n    not process.args :\n    (\n      \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n      \"com.google.drivefs.findersync\",\n      \"com.boxcryptor.osx.Rednif\",\n      \"com.adobe.accmac.ACCFinderSync\",\n      \"com.microsoft.OneDrive.FinderSync\",\n      \"com.insynchq.Insync.Insync-Finder-Integration\",\n      \"com.box.desktop.findersyncext\"\n    )\n  ]\n",
   "references": [
-    "https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
+    "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
   ],
   "risk_score": 47,
   "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906",
@@ -46,5 +46,5 @@
     }
   ],
   "type": "eql",
-  "version": 1
+  "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_parentchild_relationship.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_parentchild_relationship.json
@@ -14,7 +14,7 @@
   "name": "Unusual Parent-Child Relationship",
   "query": "process where event.type in (\"start\", \"process_started\") and\nprocess.parent.name != null and\n (\n   /* suspicious parent processes */\n   (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n   (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n   (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n   (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n   (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n   (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n   (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n   /* suspicious child processes */\n   (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n   (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n  )\n",
   "references": [
-    "https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes TH.map.png",
+    "https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes%20TH.map.png",
     "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"
   ],
   "risk_score": 47,
@@ -53,5 +53,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 8
+  "version": 9
 }
