[Detection Rules] Add 7.10 rules#79061
| "language": "eql", | ||
| "license": "Elastic License", | ||
| "name": "Bypass UAC via Sdclt", | ||
| "query": "sequence with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and process.name == \"sdclt.exe\" and\n /* process.code_signature.* fields need to be populated for 7.10 */\n process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true and\n process.args == \"/kickoffelev\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name == \"sdclt.exe\" and\n process.executable not in (\"C:\\\\Windows\\\\System32\\\\sdclt.exe\",\n \"C:\\\\Windows\\\\System32\\\\control.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\sdclt.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n ] by process.parent.entity_id\n", |
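Review bot: the second stage of the `Bypass UAC via Sdclt` query excludes children by exact `process.executable` strings (`C:\\Windows\\System32\\sdclt.exe`, `C:\\Windows\\System32\\control.exe` and their SysWOW64 counterparts), so a legitimately launched `control.exe` whose recorded path differs only in letter case, or that lives under another directory, would fall outside the allowlist and fire the rule. Please confirm whether `not in` is case-sensitive in the target EQL dialect and, if it is, state the expected casing of `process.executable` in the rule text. The `/* process.code_signature.* fields need to be populated for 7.10 */` note is also part of the shipped query string; a version caveat like that belongs in the rule's description rather than inside the query.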
Just commenting for posterity that we'll remove /* process.code_signature.* fields need to be populated for 7.10 */ in a follow-up PR.
| "language": "eql", | ||
| "license": "Elastic License", | ||
| "name": "Windows Suspicious Script Object Execution", | ||
| "query": "sequence by process.entity_id with maxspan=2m\n [process where event.type in (\"start\", \"process_started\") and\n /* process.code_signature.* fields need to be populated for 7.10 */\n process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true and\n process.name not in (\"cscript.exe\",\n \"iexplore.exe\",\n \"MicrosoftEdge.exe\",\n \"msiexec.exe\",\n \"smartscreen.exe\",\n \"taskhostw.exe\",\n \"w3wp.exe\",\n \"wscript.exe\")]\n [library where event.type == \"start\" and file.name == \"scrobj.dll\"]\n", |
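Review bot: the first stage of `Windows Suspicious Script Object Execution` has no positive constraint on the process: every start of a Microsoft-signed binary whose name is not one of the eight excluded names opens a sequence that is held for up to `maxspan=2m` waiting for the `scrobj.dll` load, so the in-flight sequence state on a busy host may be sizable; it would help to document the expected volume or tighten the first stage. Also, the library stage matches `event.type == "start"` only, while the process stage accepts `in ("start", "process_started")`; confirm that the single value is intentional for library events so the two stages stay consistent.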
Just commenting for posterity that we'll remove /* process.code_signature.* fields need to be populated for 7.10 */ in a follow-up PR.
| "Elastic", | ||
| "Linux", | ||
| "Windows", | ||
| "macOS" |
Looks like this should be capitalized? Seeing four other rules using the capitalized variant but only this rule using macOS.
| "macOS" | |
| "MacOS" |
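Review bot: the suggested `MacOS` brings this rule in line with the casing the other rules use, which matters because tag values are compared as plain strings when rules are filtered by tag, so `macOS` and `MacOS` would appear as two separate tags in the filter. A unit test that checks tag casing across the whole rule set, rather than a one-off fix to this file, is the durable way to keep this from recurring.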
Good catch - I will add a unit test to verify this casing and make the change in the follow-on PR
Tangential, but discovered an issue with tags (#79566) where if you delete all the rules for a tag that is being filtered the tag will be locked as a selection until the user refreshes/re-visits the page (and so no rules will be displayed).
spong left a comment
Checked out and tested locally, LGTM! Hellooooooo EQL rules!! 😀
* [Detection Rules] Add 7.10 rules * fixes cypress tests Co-authored-by: Gloria Hornero <snootchie.boochies@gmail.com>
Summary
Add security detection rules from detection-rules
Checklist
Delete any items that are not applicable to this PR.
For maintainers
[ ] This was checked for breaking API changes and was labeled appropriately