Alerting.ndjson

{"id":"358040e7-96c5-4627-8203-ac1f5dff6e98","updated_at":"2025-11-02T05:43:15.414Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.414Z","created_by":"elastic","name":"Processes with Trailing Spaces","tags":["Domain: Endpoint","OS: Linux","OS: macOS","Use Case: Threat Detection","Tactic: Defense Evasion","Rule Type: BBR","Data Source: Elastic Defend","Data Source: Elastic Endgame","Data Source: Auditd Manager"],"interval":"60m","enabled":true,"revision":0,"description":"Identify instances where adversaries include trailing space characters to mimic regular files, disguising their activity to evade default file handling mechanisms.","risk_score":21,"severity":"low","building_block_type":"default","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-119m","rule_id":"0c093569-dff9-42b6-87b1-0242d9f7d9b4","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1036","name":"Masquerading","reference":"https://attack.mitre.org/techniques/T1036/","subtechnique":[{"id":"T1036.006","name":"Space after Filename","reference":"https://attack.mitre.org/techniques/T1036/006/"}]}]}],"to":"now","references":[],"version":4,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"auditd_manager","version":"^1.0.0"}],"required_fields":[{"name":"event.action","type":"keyword","ecs":true},{"name":"event.type","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["logs-endpoint.events.*","endgame-*","auditbeat-*","logs-auditd_manager.auditd-*"],"query":"process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nprocess.name : \"* \"\n","actions":[]}
{"id":"0d7aa92b-9026-4798-83bb-df5f3e21400b","updated_at":"2025-12-06T05:34:16.532Z","updated_by":"elastic","created_at":"2025-12-06T05:34:10.881Z","created_by":"elastic","name":"Potential CVE-2025-32463 Sudo Chroot Execution Attempt","tags":["Domain: Endpoint","OS: Linux","Use Case: Threat Detection","Tactic: Privilege Escalation","Data Source: Elastic Defend","Data Source: SentinelOne","Data Source: Crowdstrike","Data Source: Elastic Endgame","Data Source: Auditd Manager","Use Case: Vulnerability","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Detects suspicious use of sudo's --chroot / -R option consistent with attempts to exploit CVE-2025-32463 (the \"sudo chroot\" privilege escalation), where an attacker tricks sudo into using attacker-controlled NSS files or libraries to gain root.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential CVE-2025-32463 Sudo Chroot Execution Attempt\n\nThis rule highlights sudo invoked with the chroot (-R/--chroot) option outside normal administration, a behavior tied to CVE-2025-32463 where attackers force sudo to load attacker-controlled NSS configs or libraries and escalate to root. An attacker pattern: running sudo -R /tmp/fakechroot /bin/sh after seeding that directory with malicious nsswitch.conf and libnss to obtain a root shell. Treat unexpected chrooted sudo on Linux hosts as high-risk privilege escalation activity.\n\n### Possible investigation steps\n\n- Extract the chroot target path from the event and enumerate its etc and lib directories for attacker-seeded NSS artifacts (nsswitch.conf, libnss_*, ld.so.preload) and fake passwd/group files, noting recent mtime, ownership, and world-writable files.\n- Pivot to file-creation and modification telemetry to identify processes and users that populated that path shortly before execution (e.g., curl, wget, tar, git, gcc), linking them to the invoking user to establish intent.\n- Review session and process details to see if a shell or interpreter was launched inside the chroot and whether an euid transition to 0 occurred, indicating a successful privilege escalation.\n- Confirm sudo's package version and build options and the user’s sudoers policy (secure_path/env_* settings and any NOPASSWD allowances) to assess exploitability and whether chroot usage was authorized.\n- Collect and preserve the chroot directory contents and relevant audit/log artifacts, and scope by searching for similar chroot invocations or NSS file seeds across the host and fleet.\n\n### False positive analysis\n\n- A legitimate offline maintenance session where an administrator chroots into a mounted system under /mnt or /srv using sudo --chroot to run package or initramfs commands, which will trigger when the invoked program is not in the whitelist.\n- An image-building or OS bootstrap workflow that stages a root filesystem and uses sudo -R to execute a shell or build/configuration scripts inside the chroot, producing the same pattern from a known user or host context.\n\n### Response and remediation\n\n- Immediately isolate the affected host from the network, revoke the invoking user’s sudo privileges, and terminate any chrooted shells or child processes spawned via “sudo -R <path> /bin/sh” or similar executions.\n- Preserve evidence and then remove attacker-seeded NSS and loader artifacts within the chroot path—delete or replace nsswitch.conf, libnss_*.so, ld.so.preload, passwd, and group files, and clean up world-writable staging directories like /tmp/fakechroot.\n- Upgrade sudo to a fixed build that addresses CVE-2025-32463, and recover by restoring any modified system NSS and loader files from known-good backups while validating ownership, permissions, and hashes.\n- Escalate to full incident response if a root shell or process with euid 0 is observed, if /etc/ld.so.preload or /lib/libnss_*.so outside the chroot show unauthorized changes, or if similar “sudo -R” executions appear across multiple hosts.\n- Harden by updating sudoers to remove NOPASSWD for chrooted commands, enforce Defaults env_reset and secure_path with noexec, disable “--chroot” usage for non-admin workflows, and monitor for creation of libnss_*.so or nsswitch.conf in non-standard directories.\n- Add platform controls by enabling SELinux/AppArmor policies on sudo and the dynamic loader, applying nodev,nosuid,noexec mounts to /tmp and build paths, and setting immutability (chattr +i) on /etc/nsswitch.conf where operationally feasible.\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"1d485649-c486-4f1d-a99c-8d64795795ad","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1068","name":"Exploitation for Privilege Escalation","reference":"https://attack.mitre.org/techniques/T1068/"}]}],"to":"now","references":["https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot","https://github.com/kh4sh3i/CVE-2025-32463"],"version":2,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"auditd_manager","version":"^1.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.action","type":"keyword","ecs":true},{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.command_line","type":"wildcard","ecs":true},{"name":"process.name","type":"keyword","ecs":true}],"setup":"## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n","type":"eql","language":"eql","index":["logs-endpoint.events.process*","logs-sentinel_one_cloud_funnel.*","endgame-*","auditbeat-*","logs-auditd_manager.auditd-*","logs-crowdstrike.fdr*"],"query":"process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"start\", \"executed\", \"process_started\", \"ProcessRollup2\") and\nprocess.name == \"sudo\" and process.args like (\"-R\", \"--chroot*\") and\n// To enforce the -R and --chroot arguments to be for sudo specifically, while wildcarding potential full sudo paths\nprocess.command_line like (\"*sudo -R*\", \"*sudo --chroot*\") \n","actions":[]}
{"id":"8992ea9e-29c1-4ba0-b41d-3cbc012ce638","updated_at":"2025-12-06T05:39:30.069Z","updated_by":"elastic","created_at":"2025-12-06T05:39:22.821Z","created_by":"elastic","name":"SSH Authorized Keys File Modification","tags":["Domain: Endpoint","OS: Linux","OS: macOS","Use Case: Threat Detection","Tactic: Lateral Movement","Tactic: Persistence","Data Source: Elastic Defend","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).","risk_score":47,"severity":"medium","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating SSH Authorized Keys File Modification\n\nSSH authorized_keys files are crucial for secure, password-less authentication, allowing users to log into servers using public keys. Adversaries exploit this by adding their keys, ensuring persistent access. The detection rule identifies unauthorized changes to these files, excluding benign processes, to flag potential threats, focusing on persistence and lateral movement tactics.\n\n### Possible investigation steps\n\n- Review the alert details to identify the specific file that was modified, focusing on \"authorized_keys\", \"authorized_keys2\", \"/etc/ssh/sshd_config\", or \"/root/.ssh\".\n- Examine the process that triggered the alert by checking the process executable path to ensure it is not one of the benign processes listed in the exclusion criteria.\n- Investigate the user account associated with the modification to determine if it is a legitimate user or potentially compromised.\n- Check the timestamp of the file modification to correlate with any known user activity or scheduled tasks that might explain the change.\n- Analyze recent login attempts and SSH connections to the server to identify any suspicious activity or unauthorized access.\n- Review the contents of the modified authorized_keys file to identify any unfamiliar or unauthorized public keys that have been added.\n- If unauthorized keys are found, remove them and consider resetting credentials or keys for affected accounts to prevent further unauthorized access.\n\n### False positive analysis\n\n- Development tools like git and maven may modify SSH authorized_keys files during legitimate operations. To prevent these from triggering alerts, add their paths to the exclusion list in the detection rule.\n- System utilities such as vim and touch are often used by administrators to manually update authorized_keys files. Consider excluding these processes if they are part of regular maintenance activities.\n- Automation tools like puppet and chef-client might update SSH configurations as part of their deployment scripts. Verify these changes are expected and exclude these processes if they are part of routine operations.\n- Docker-related processes may alter SSH configurations when containers are being managed. If these changes are part of standard container operations, include the relevant paths in the exclusion list.\n- Google Guest Agent and JumpCloud Agent might modify SSH settings as part of their management tasks. Confirm these actions are legitimate and exclude these processes if they align with normal system management activities.\n\n### Response and remediation\n\n- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement.\n- Review the SSH authorized_keys file and remove any unauthorized or suspicious public keys that have been added.\n- Change the passwords for all user accounts on the affected host to prevent adversaries from regaining access using compromised credentials.\n- Conduct a thorough review of user accounts and permissions on the affected host to identify and disable any unauthorized accounts or privilege escalations.\n- Restore the affected system from a known good backup if unauthorized changes are extensive or if the integrity of the system is in question.\n- Implement additional monitoring on the affected host and network to detect any further unauthorized access attempts or suspicious activities.\n- Escalate the incident to the security operations team for further investigation and to determine if other systems may be affected.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003/"},"technique":[{"id":"T1098","name":"Account Manipulation","reference":"https://attack.mitre.org/techniques/T1098/","subtechnique":[{"id":"T1098.004","name":"SSH Authorized Keys","reference":"https://attack.mitre.org/techniques/T1098/004/"}]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","name":"Lateral Movement","reference":"https://attack.mitre.org/tactics/TA0008/"},"technique":[{"id":"T1021","name":"Remote Services","reference":"https://attack.mitre.org/techniques/T1021/","subtechnique":[{"id":"T1021.004","name":"SSH","reference":"https://attack.mitre.org/techniques/T1021/004/"}]},{"id":"T1563","name":"Remote Service Session Hijacking","reference":"https://attack.mitre.org/techniques/T1563/","subtechnique":[{"id":"T1563.001","name":"SSH Hijacking","reference":"https://attack.mitre.org/techniques/T1563/001/"}]}]}],"to":"now","references":[],"version":209,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"}],"required_fields":[{"name":"event.category","type":"keyword","ecs":true},{"name":"event.type","type":"keyword","ecs":true},{"name":"file.name","type":"keyword","ecs":true},{"name":"process.executable","type":"keyword","ecs":true}],"setup":"","type":"new_terms","query":"event.category:file and event.type:(change or creation) and\n file.name:(\"authorized_keys\" or \"authorized_keys2\" or \"/etc/ssh/sshd_config\" or \"/root/.ssh\") and\n not process.executable:\n             (/Library/Developer/CommandLineTools/usr/bin/git or\n              /usr/local/Cellar/maven/*/libexec/bin/mvn or\n              /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or\n              /usr/bin/vim or\n              /usr/local/Cellar/coreutils/*/bin/gcat or\n              /usr/bin/bsdtar or\n              /usr/bin/nautilus or\n              /usr/bin/scp or\n              /usr/bin/touch or\n              /var/lib/docker/* or\n              /usr/bin/google_guest_agent or\n              /opt/jc/bin/jumpcloud-agent or\n              /opt/puppetlabs/puppet/bin/puppet or\n              /usr/bin/chef-client\n)\n","new_terms_fields":["host.id","process.executable"],"history_window_start":"now-10d","index":["auditbeat-*","logs-endpoint.events.*"],"language":"kuery","actions":[]}
{"id":"75317c0e-8d47-4038-b70c-bf3706b44134","updated_at":"2025-12-06T05:34:58.179Z","updated_by":"elastic","created_at":"2025-12-06T05:34:49.961Z","created_by":"elastic","name":"Potential Git CVE-2025-48384 Exploitation","tags":["Domain: Endpoint","OS: Linux","OS: macOS","Use Case: Threat Detection","Tactic: Execution","Data Source: Elastic Defend","Data Source: Auditd Manager","Data Source: SentinelOne","Data Source: Crowdstrike","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"This rule detects potential exploitation of CVE-2025-48384 via Git. This vulnerability allows attackers to execute arbitrary code by leveraging Git's recursive clone feature to fetch and execute malicious scripts from a remote repository.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Git CVE-2025-48384 Exploitation\n\nThis rule flags a Git recursive clone from an HTTP(S) remote followed moments later by a shell spawned by Git—clear evidence of CVE-2025-48384 abuse enabling arbitrary code execution on Linux or macOS. An attacker ships a repository whose submodules or hooks pull and run a bash script during --recursive clone, causing Git to invoke a shell and execute their payload on a developer endpoint.\n\n### Possible investigation steps\n\n- Extract the remote URL and parameters from the git invocation and review .gitmodules to enumerate submodules, then assess the domain/account reputation and recent commits for signs of a malicious repo or takeover.\n- Inspect the cloned repository for hook execution vectors by reviewing .git/hooks and any core.hooksPath overrides for newly created or modified executables (post-checkout/post-merge/post-update), noting contents and timestamps.\n- Analyze the spawned shell’s lineage, command line, working directory, and any script or binary launched to identify the payload, compute hashes, and correlate with concurrent outbound connections or file writes.\n- Pivot on the repo URL, hooks filenames, and payload hash across hosts to identify other impacted endpoints, and verify whether this activity aligns with expected developer workflows or CI jobs to rule out benign use.\n- Examine the endpoint for follow-on changes suggesting execution or persistence (new cron/LaunchAgents entries, modified shell profiles, new SSH keys or credentials files, unusual PATH or gitconfig changes), and collect artifacts for forensic review.\n\n### False positive analysis\n\n- Legitimate organization-wide or user-level Git hooks installed via core.hooksPath or templates run a post-checkout bootstrap shell script after a recursive HTTP or HTTPS clone, causing git to spawn a shell as a child process.\n- During a recursive HTTP or HTTPS clone, Git invokes a credential or askpass helper implemented as a shell script for authentication, resulting in a benign sh/bash child of the git process.\n\n### Response and remediation\n\n- Immediately isolate any host where git clone --recursive from an HTTP(S) URL spawned a shell, terminate the git process tree (bash/sh and curl/wget/python children) launched from the cloned path, and block the repository domain on your proxy and Git hosting.\n- Quarantine the cloned directory and its .git folder, preserve .gitmodules, .git/hooks, and any core.hooksPath target for forensics, then remove executable hooks (post-checkout/post-merge/post-update) and delete the repository and downloaded payload scripts.\n- Rotate credentials available to the user (replace ~/.ssh keys and clear ~/.git-credentials/osxkeychain/libsecret), and eradicate persistence by removing new cron entries, LaunchAgents/LaunchDaemons, modified shell profiles (~/.bashrc, ~/.zshrc), and unexpected PATH or gitconfig changes.\n- Scope and recover by hunting for the same remote URL, hook names, and payload hashes across endpoints and CI runners, reimaging or restoring clean baselines before returning systems to service.\n- Escalate to incident command if multiple hosts show a git->shell chain from the same repository, if the payload invoked sudo or wrote to /etc/cron* or /Library/LaunchDaemons, or if outbound transfers occur to the repo’s domain or newly contacted IPs.\n- Upgrade Git to a patched release for CVE-2025-48384, enforce core.hooksPath to a read-only allowlisted directory, disable recursive submodule cloning by default (submodule.recurse=false), restrict protocols (protocol.file.allow=never; allow only https/ssh), and block clones from untrusted domains in developer and CI environments.\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"640f0535-f784-4010-b999-39db99d2daeb","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1203","name":"Exploitation for Client Execution","reference":"https://attack.mitre.org/techniques/T1203/"}]}],"to":"now","references":["https://www.kucoin.com/zh-hant/blog/en-breaking-lazarus-group-apt38-targets-crypto-sector-with-sophisticated-phishing-campaign","https://securitylabs.datadoghq.com/articles/git-arbitrary-file-write/","https://github.com/acheong08/CVE-2025-48384"],"version":1,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"auditd_manager","version":"^1.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.action","type":"keyword","ecs":true},{"name":"event.type","type":"keyword","ecs":true},{"name":"host.id","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.entity_id","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true},{"name":"process.parent.entity_id","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["auditbeat-*","logs-crowdstrike.fdr*","logs-auditd_manager.auditd-*","logs-endpoint.events.process*","logs-sentinel_one_cloud_funnel.*"],"query":"sequence by host.id with maxspan=1m\n  [process where host.os.type in (\"linux\", \"macos\") and event.type == \"start\" and event.action in (\"exec\", \"executed\", \"process_started\", \"start\", \"ProcessRollup2\") and\n   process.name == \"git\" and process.args == \"clone\" and process.args == \"--recursive\" and process.args like~ \"http*\"] by process.entity_id\n  [process where host.os.type in (\"linux\", \"macos\") and event.type == \"start\" and event.action in (\"exec\", \"executed\", \"process_started\", \"start\", \"ProcessRollup2\") and\n   process.name in (\n    \"dash\", \"sh\", \"static-sh\", \"bash\", \"bash-static\", \"zsh\", \"ash\", \"csh\", \"ksh\", \"tcsh\", \"busybox\", \"fish\", \"ksh93\", \"rksh\",\n    \"rksh93\", \"lksh\", \"mksh\", \"mksh-static\", \"csharp\", \"posh\", \"rc\", \"sash\", \"yash\", \"zsh5\", \"zsh5-static\"\n   )] by process.parent.entity_id\n","actions":[]}
{"id":"e56f8765-181a-4eba-9323-d17608953246","updated_at":"2025-12-06T05:29:54.463Z","updated_by":"elastic","created_at":"2025-12-06T05:29:45.910Z","created_by":"elastic","name":"Potential Successful SSH Brute Force Attack","tags":["Domain: Endpoint","OS: Linux","Use Case: Threat Detection","Tactic: Credential Access","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Potential Successful SSH Brute Force Attack\n\nThe rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s).\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"8cb84371-d053-4f4f-bce0-c74990e28f28","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1110","name":"Brute Force","reference":"https://attack.mitre.org/techniques/T1110/","subtechnique":[{"id":"T1110.001","name":"Password Guessing","reference":"https://attack.mitre.org/techniques/T1110/001/"},{"id":"T1110.003","name":"Password Spraying","reference":"https://attack.mitre.org/techniques/T1110/003/"}]}]}],"to":"now","references":[],"version":14,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"system","version":"^2.0.0"}],"required_fields":[{"name":"event.action","type":"keyword","ecs":true},{"name":"event.outcome","type":"keyword","ecs":true},{"name":"host.id","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"source.ip","type":"ip","ecs":true},{"name":"user.name","type":"keyword","ecs":true}],"setup":"## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Filebeat\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the “Filebeat System Module” to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n","type":"eql","language":"eql","index":["auditbeat-*","filebeat-*","logs-system.auth-*"],"query":"sequence by host.id, source.ip, user.name with maxspan=15s\n  [authentication where host.os.type == \"linux\" and event.action  in (\"ssh_login\", \"user_login\") and\n   event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=10\n\n  [authentication where host.os.type == \"linux\" and event.action  in (\"ssh_login\", \"user_login\") and\n   event.outcome == \"success\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ]\n","actions":[]}
{"id":"e0781bee-7f2e-4ad9-bfbe-7649d5a0eb92","updated_at":"2025-12-06T05:30:40.485Z","updated_by":"elastic","created_at":"2025-12-06T05:30:31.418Z","created_by":"elastic","name":"Virtual Machine Fingerprinting","tags":["Domain: Endpoint","OS: Linux","Use Case: Threat Detection","Tactic: Discovery","Data Source: Elastic Endgame","Data Source: Elastic Defend","Resources: Investigation Guide","Data Source: Crowdstrike"],"interval":"5m","enabled":true,"revision":0,"description":"An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Virtual Machine Fingerprinting\n\nVirtual Machine Fingerprinting involves identifying characteristics of a virtual environment, often to tailor attacks or evade detection. Adversaries exploit this by querying system files for hardware details, a tactic seen in malware like Pupy RAT. The detection rule flags non-root users accessing specific Linux paths indicative of VM queries, signaling potential reconnaissance activities.\n\n### Possible investigation steps\n\n- Review the process execution details to identify the non-root user involved in accessing the specified paths, focusing on the user.name field.\n- Examine the process.args field to determine which specific file paths were accessed, as this can indicate the type of virtual machine information being targeted.\n- Investigate the parent process and command line arguments to understand the context of the process initiation and whether it aligns with legitimate user activity.\n- Check for any related alerts or logs around the same timeframe to identify potential patterns or repeated attempts at virtual machine fingerprinting.\n- Assess the system for any signs of compromise or unauthorized access, particularly focusing on the presence of known malware like Pupy RAT or similar threats.\n- Correlate the findings with MITRE ATT&CK framework references (TA0007, T1082) to understand the broader tactics and techniques potentially in use by the adversary.\n\n### False positive analysis\n\n- Non-root users running legitimate scripts or applications that query system files for hardware information may trigger the rule. Review the context of the process and user activity to determine if it aligns with expected behavior.\n- System administrators or developers using automated tools for inventory or monitoring purposes might access these paths. Consider creating exceptions for known tools or scripts that are verified as safe.\n- Security or compliance audits conducted by non-root users could inadvertently match the rule's criteria. Document and whitelist these activities if they are part of regular operations.\n- Development environments where virtual machine detection is part of testing processes may cause false positives. Identify and exclude these environments from the rule's scope if they are consistently flagged.\n- Regularly review and update the list of exceptions to ensure that only verified and necessary exclusions are maintained, minimizing the risk of overlooking genuine threats.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further reconnaissance or potential lateral movement by the adversary.\n- Terminate any suspicious processes identified in the alert that are attempting to access the specified system files, especially those not initiated by the root user.\n- Conduct a thorough review of recent user activity and process logs to identify any unauthorized access or anomalies that may indicate further compromise.\n- Reset credentials for any non-root users involved in the alert to prevent unauthorized access, and review user permissions to ensure least privilege principles are enforced.\n- Deploy endpoint detection and response (EDR) tools to monitor for similar suspicious activities and enhance visibility into system processes and user actions.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Implement additional monitoring and alerting for the specific file paths and processes identified in the query to detect and respond to future attempts at virtual machine fingerprinting.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":["Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."],"from":"now-9m","rule_id":"5b03c9fb-9945-4d2f-9568-fd690fee3fba","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0007","name":"Discovery","reference":"https://attack.mitre.org/tactics/TA0007/"},"technique":[{"id":"T1082","name":"System Information Discovery","reference":"https://attack.mitre.org/techniques/T1082/"}]}],"to":"now","references":[],"version":112,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.category","type":"keyword","ecs":true},{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"user.name","type":"keyword","ecs":true}],"setup":"## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n","type":"query","language":"kuery","index":["auditbeat-*","logs-endpoint.events.*","endgame-*","logs-crowdstrike.fdr*"],"query":"event.category:process and host.os.type:linux and event.type:(start or process_started) and\n  process.args:(\"/sys/class/dmi/id/bios_version\" or\n                \"/sys/class/dmi/id/product_name\" or\n                \"/sys/class/dmi/id/chassis_vendor\" or\n                \"/proc/scsi/scsi\" or\n                \"/proc/ide/hd0/model\") and\n  not user.name:root\n","actions":[]}
{"id":"2731e382-a520-4025-9f97-2a0b5845eafd","updated_at":"2025-11-02T05:43:15.445Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.445Z","created_by":"elastic","name":"Potential Process Name Stomping with Prctl","tags":["Data Source: Auditd Manager","Domain: Endpoint","OS: Linux","Use Case: Threat Detection","Tactic: Defense Evasion","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"This rule leverages Auditd data to detect the use of the `prctl` syscall to potentially hide a process by changing its name. The `prctl` syscall is used to control various process attributes. Attackers can use this syscall to change the name of a process to a hidden directory or file, making it harder to detect. The query looks for the `prctl` syscall with the `PR_SET_NAME` argument set to `f` (PR_SET_NAME is used to set the name of a process).","risk_score":47,"severity":"medium","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Process Name Stomping with Prctl\n\nThe `prctl` syscall in Linux allows processes to modify their attributes, including renaming themselves. This capability can be exploited by attackers to disguise malicious processes, making them harder to identify. The detection rule monitors for `prctl` invocations with specific arguments indicative of name changes, especially when linked to suspicious directories, thus flagging potential evasion attempts.\n\n### Possible investigation steps\n\n- Review the process details associated with the alert, focusing on the executable path to determine if it matches any suspicious directories listed in the query, such as \"/tmp/*\" or \"/var/tmp/*\".\n- Examine the process tree to identify the parent process and any child processes spawned by the suspicious process, which may provide context on how the process was initiated and its potential impact.\n- Check the command line arguments and environment variables of the process to gather additional context on its intended function and any anomalies.\n- Investigate the user account under which the process is running to determine if it aligns with expected behavior or if it indicates potential compromise.\n- Correlate the alert with other security events or logs, such as file modifications or network connections, to identify any related malicious activity or patterns.\n- Assess the historical activity of the process executable and its associated files to determine if this behavior is new or part of a recurring pattern.\n\n### False positive analysis\n\n- System maintenance scripts may invoke prctl to rename processes for legitimate reasons. Review scheduled tasks and maintenance scripts in directories like /etc/cron.* and /etc/init.d to identify benign uses.\n- Development environments often use prctl for testing purposes. Exclude known development directories such as /home/developer or /tmp/dev from the rule to reduce noise.\n- Some monitoring or logging tools might use prctl to rename their processes for clarity. Identify these tools and add their executable paths to an exception list.\n- Custom scripts or applications that manage process names for operational reasons should be documented. Exclude these scripts by specifying their paths in the rule configuration.\n- Regularly review and update the exception list to ensure it reflects the current environment and does not inadvertently exclude new threats.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further malicious activity or lateral movement.\n- Terminate any suspicious processes identified by the detection rule, especially those with altered names in critical directories.\n- Conduct a thorough review of the affected system's process tree and file system to identify any additional signs of compromise or persistence mechanisms.\n- Restore any altered or suspicious files from a known good backup to ensure system integrity.\n- Update and patch the affected system to close any vulnerabilities that may have been exploited by the attacker.\n- Monitor the network for any signs of similar activity or attempts to use the `prctl` syscall with the `PR_SET_NAME` argument in other systems.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if broader organizational impacts exist.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"fef62ecf-0260-4b71-848b-a8624b304828","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1036","name":"Masquerading","reference":"https://attack.mitre.org/techniques/T1036/","subtechnique":[{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","reference":"https://attack.mitre.org/techniques/T1036/005/"}]}]}],"to":"now","references":["https://haxrob.net/process-name-stomping/","https://haxrob.net/hiding-in-plain-sight-part-2/","https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd"],"version":5,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"auditd_manager","version":"^1.0.0"}],"required_fields":[{"name":"auditd.data.a0","type":"unknown","ecs":false},{"name":"auditd.data.syscall","type":"unknown","ecs":false},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.executable","type":"keyword","ecs":true}],"setup":"## Setup\n\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click “Add integrations”.\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\n- Click “Add Auditd Manager”.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click “Save and Continue”.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n  -- \"-a exit,always -F arch=b64 -S prctl -k prctl_detection\"\n","type":"eql","language":"eql","index":["logs-auditd_manager.auditd-*","auditbeat-*"],"query":"process where host.os.type == \"linux\" and auditd.data.syscall == \"prctl\" and auditd.data.a0 == \"f\" and\nprocess.executable like (\n  \"/boot/*\", \"/dev/shm/*\", \"/etc/cron.*/*\", \"/etc/init.d/*\", \"/var/run/*\", \"/etc/update-motd.d/*\",\n  \"/tmp/*\", \"/var/log/*\", \"/var/tmp/*\", \"/home/*\", \"/run/shm/*\", \"/run/*\", \"./*\"\n)\n","actions":[]}
{"id":"4dbe3ef1-d42f-4c9b-8a36-41a76fd42de0","updated_at":"2025-12-06T05:31:18.089Z","updated_by":"elastic","created_at":"2025-12-06T05:31:08.746Z","created_by":"elastic","name":"Potential Reverse Shell Activity via Terminal","tags":["Domain: Endpoint","OS: Linux","OS: macOS","Use Case: Threat Detection","Tactic: Execution","Resources: Investigation Guide","Data Source: Elastic Defend"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Potential Reverse Shell Activity via Terminal\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\n\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\n\n#### Possible investigation steps\n\n- Examine the command line and extract the target domain or IP address information.\n  - Check if the domain is newly registered or unexpected.\n  - Check the reputation of the domain or IP address.\n  - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"a1a0375f-22c2-48c0-81a4-7c2d11cc6856","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059/"}]}],"to":"now","references":["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md","https://github.com/WangYihang/Reverse-Shell-Manager","https://www.netsparker.com/blog/web-security/understanding-reverse-shells/","https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"],"version":111,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.command_line","type":"wildcard","ecs":true},{"name":"process.executable","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true},{"name":"process.parent.command_line","type":"wildcard","ecs":true},{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n","type":"eql","language":"eql","index":["auditbeat-*","logs-endpoint.events.*"],"query":"process where event.type in (\"start\", \"process_started\") and\n  process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n  process.args : (\"*/dev/tcp/*\", \"*/dev/udp/*\", \"*zsh/net/tcp*\", \"*zsh/net/udp*\") and\n\n  /* noisy FPs */\n  not (process.parent.name : \"timeout\" and process.executable : \"/var/lib/docker/overlay*\") and\n  not process.command_line : (\n    \"*/dev/tcp/sirh_db/*\", \"*/dev/tcp/remoteiot.com/*\", \"*dev/tcp/elk.stag.one/*\", \"*dev/tcp/kafka/*\",\n    \"*/dev/tcp/$0/$1*\", \"*/dev/tcp/127.*\", \"*/dev/udp/127.*\", \"*/dev/tcp/localhost/*\", \"*/dev/tcp/itom-vault/*\") and\n  not process.parent.command_line : \"runc init\"\n","actions":[]}
{"id":"0828ba9f-8edf-4735-9b62-238e075fb006","updated_at":"2025-12-06T05:27:21.913Z","updated_by":"elastic","created_at":"2025-12-06T05:27:12.932Z","created_by":"elastic","name":"Interactive Terminal Spawned via Perl","tags":["Domain: Endpoint","OS: Linux","Use Case: Threat Detection","Tactic: Execution","Data Source: Elastic Endgame","Data Source: Elastic Defend","Resources: Investigation Guide","Data Source: Crowdstrike"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Interactive Terminal Spawned via Perl\n\nPerl, a versatile scripting language, can execute system commands, making it a target for adversaries seeking to escalate privileges or maintain persistence. Attackers may exploit Perl to spawn interactive terminals, transforming basic shells into robust command interfaces. The detection rule identifies such activity by monitoring process events on Linux systems, specifically when Perl executes shell commands, signaling potential misuse.\n\n### Possible investigation steps\n\n- Review the process event logs to confirm the presence of a Perl process with arguments indicating the execution of a shell, such as \"exec \\\"/bin/sh\\\";\", \"exec \\\"/bin/dash\\\";\", or \"exec \\\"/bin/bash\\\";\".\n- Identify the user account associated with the Perl process to determine if it aligns with expected activity or if it suggests unauthorized access.\n- Examine the parent process of the Perl execution to understand how the Perl script was initiated and assess if it correlates with legitimate user activity or a potential compromise.\n- Check for any network connections or data transfers initiated by the Perl process to identify possible exfiltration or communication with external command and control servers.\n- Investigate any recent changes to user accounts, permissions, or scheduled tasks that might indicate privilege escalation or persistence mechanisms associated with the Perl activity.\n- Correlate the event with other security alerts or logs from the same host to identify patterns or additional indicators of compromise that could suggest a broader attack campaign.\n\n### False positive analysis\n\n- System maintenance scripts that use Perl to execute shell commands may trigger this rule. Review and whitelist known maintenance scripts by adding exceptions for specific script paths or process arguments.\n- Automated deployment tools that utilize Perl for executing shell commands can cause false positives. Identify these tools and exclude their specific process arguments or execution paths from the detection rule.\n- Development environments where Perl is used for testing or debugging purposes might inadvertently spawn interactive terminals. Consider excluding processes initiated by known development user accounts or within specific development directories.\n- Backup or monitoring scripts that rely on Perl to perform system checks or data collection could be flagged. Analyze these scripts and create exceptions based on their unique process arguments or execution context.\n\n### Response and remediation\n\n- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement.\n- Terminate any suspicious Perl processes identified by the detection rule to halt any ongoing malicious activity.\n- Conduct a thorough review of the affected system's logs and process history to identify any additional indicators of compromise or related malicious activity.\n- Reset credentials and review access permissions for any accounts that may have been compromised or used in the attack.\n- Restore the affected system from a known good backup to ensure any malicious changes are removed.\n- Implement additional monitoring on the affected host and network to detect any further attempts to exploit Perl for spawning interactive terminals.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if broader organizational impacts exist.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"05e5a668-7b51-4a67-93ab-e9af405c9ef3","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059/"}]}],"to":"now","references":[],"version":112,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.category","type":"keyword","ecs":true},{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true}],"setup":"## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n","type":"query","language":"kuery","index":["auditbeat-*","logs-endpoint.events.*","endgame-*","logs-crowdstrike.fdr*"],"query":"event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and\n  process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n","actions":[]}
{"id":"4602bf9c-bfe0-4382-9098-8c75a3a13acc","updated_at":"2025-11-02T05:43:15.424Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.424Z","created_by":"elastic","name":"Potential Process Hiding","tags":["OS: Linux"],"interval":"5m","enabled":true,"revision":0,"description":"The \"/etc/ld.so.preload\" file was modified which may indicate libprocesshider.so was added as a preload module. This can be used to hide processes and is commonly used to hide rootkits.","risk_score":73,"severity":"high","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-6m","rule_id":"3df4f89e-ba52-42cb-a87e-bb3a64748bbe","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1014","name":"Rootkit","reference":"https://attack.mitre.org/techniques/T1014/","subtechnique":[]},{"id":"T1564","name":"Hide Artifacts","reference":"https://attack.mitre.org/techniques/T1564/","subtechnique":[]}]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["auditbeat-*"],"query":"event.module:\"file_integrity\" and event.type:\"change\" and file.path:\"/etc/ld.so.preload\"","filters":[],"actions":[]}
{"id":"24912b25-10eb-4429-870d-dee381aa14a7","updated_at":"2025-12-06T05:31:34.600Z","updated_by":"elastic","created_at":"2025-12-06T05:31:24.269Z","created_by":"elastic","name":"Potential JAVA/JNDI Exploitation Attempt","tags":["Domain: Endpoint","OS: Linux","OS: macOS","Use Case: Threat Detection","Tactic: Execution","Use Case: Vulnerability","Data Source: Elastic Defend","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child processes. This may indicate an attempt to exploit a JAVA/NDI (Java Naming and Directory Interface) injection vulnerability.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential JAVA/JNDI Exploitation Attempt\n\nJava Naming and Directory Interface (JNDI) is a Java API that provides naming and directory functionality, allowing Java applications to discover and look up data and resources via a directory service. Adversaries exploit JNDI by injecting malicious payloads that trigger outbound connections to LDAP, RMI, or DNS services, potentially leading to remote code execution. The detection rule identifies such exploitation attempts by monitoring Java processes making suspicious outbound connections followed by the execution of potentially harmful child processes, such as shell scripts or scripting languages, indicating a possible compromise.\n\n### Possible investigation steps\n\n- Review the network logs to confirm the outbound connection attempt by the Java process to the specified ports (1389, 389, 1099, 53, 5353) and identify the destination IP addresses to determine if they are known malicious or suspicious entities.\n- Examine the process tree to verify the parent-child relationship between the Java process and any suspicious child processes such as shell scripts or scripting languages (e.g., sh, bash, curl, python).\n- Check the command line arguments and environment variables of the suspicious child processes to identify any potentially malicious payloads or commands being executed.\n- Investigate the host's recent activity and logs for any other indicators of compromise or unusual behavior that might correlate with the suspected exploitation attempt.\n- Assess the system for any unauthorized changes or new files that may have been introduced as a result of the exploitation attempt, focusing on directories commonly used by Java applications.\n\n### False positive analysis\n\n- Development and testing environments may trigger false positives when developers use Java applications to test connections to LDAP, RMI, or DNS services. To mitigate this, exclude known development servers or IP ranges from the detection rule.\n- Automated scripts or maintenance tasks that involve Java applications making legitimate outbound connections to the specified ports can be mistaken for exploitation attempts. Identify and whitelist these scripts or tasks by their process names or hashes.\n- Legitimate Java-based applications that require frequent updates or data retrieval from external services might generate similar network patterns. Monitor and document these applications, then create exceptions for their specific network behaviors.\n- Security tools or monitoring solutions that use Java for network scanning or analysis might inadvertently match the rule's criteria. Ensure these tools are recognized and excluded by their process identifiers or network activity profiles.\n\n### Response and remediation\n\n- Immediately isolate the affected host from the network to prevent further outbound connections and potential lateral movement.\n- Terminate any suspicious Java processes identified in the alert, especially those making outbound connections to LDAP, RMI, or DNS ports.\n- Conduct a thorough review of the affected system for any unauthorized changes or additional malicious processes, focusing on child processes like shell scripts or scripting languages.\n- Restore the affected system from a known good backup if unauthorized changes or malware are detected.\n- Update and patch Java and any related applications to the latest versions to mitigate known vulnerabilities.\n- Implement network-level controls to block outbound connections to suspicious or unauthorized LDAP, RMI, or DNS services from Java processes.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.","license":"Elastic License v2","output_index":"","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"c3f5e1d8-910e-43b4-8d44-d748e498ca86","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059/","subtechnique":[{"id":"T1059.007","name":"JavaScript","reference":"https://attack.mitre.org/techniques/T1059/007/"}]},{"id":"T1203","name":"Exploitation for Client Execution","reference":"https://attack.mitre.org/techniques/T1203/"}]}],"to":"now","references":["https://www.lunasec.io/docs/blog/log4j-zero-day/","https://github.com/christophetd/log4shell-vulnerable-app","https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf","https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security","https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"],"version":107,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"}],"required_fields":[{"name":"destination.port","type":"long","ecs":true},{"name":"event.action","type":"keyword","ecs":true},{"name":"event.type","type":"keyword","ecs":true},{"name":"host.id","type":"keyword","ecs":true},{"name":"process.command_line","type":"wildcard","ecs":true},{"name":"process.name","type":"keyword","ecs":true},{"name":"process.parent.name","type":"keyword","ecs":true},{"name":"process.parent.pid","type":"long","ecs":true},{"name":"process.pid","type":"long","ecs":true}],"setup":"","type":"eql","language":"eql","index":["auditbeat-*","logs-endpoint.events.*"],"query":"sequence by host.id with maxspan=1m\n [network where event.action == \"connection_attempted\" and\n  process.name : \"java\" and\n  /*\n     outbound connection attempt to\n     LDAP, RMI or DNS standard ports\n     by JAVA process\n   */\n  destination.port in (1389, 389, 1099, 53, 5353)] by process.pid\n [process where event.type == \"start\" and\n\n  /* Suspicious JAVA child process */\n  process.parent.name : \"java\" and\n   process.name : (\"sh\",\n                   \"bash\",\n                   \"dash\",\n                   \"ksh\",\n                   \"tcsh\",\n                   \"zsh\",\n                   \"curl\",\n                   \"perl*\",\n                   \"python*\",\n                   \"ruby*\",\n                   \"php*\",\n                   \"wget\") and\n    not process.command_line like~ (\n      \"bash -c ulimit -u\",\n      \"bash /opt/flutter/bin/flutter*\",\n      \"bash -c echo $$\",\n      \"/bin/bash /opt/python3/bin/jira*\",\n      \"/bin/sh -c env LC_ALL=C /usr/sbin/lpc status*\"\n    )] by process.parent.pid\n","actions":[]}
{"id":"5911e260-734a-43b5-9fa0-a063178634c8","updated_at":"2025-12-06T05:07:25.030Z","updated_by":"elastic","created_at":"2025-11-02T05:50:19.325Z","created_by":"elastic","name":"Bypass UAC via Event Viewer","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Privilege Escalation","Tactic: Defense Evasion","Resources: Investigation Guide","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Microsoft Defender for Endpoint","Data Source: Windows Security Event Logs","Data Source: Sysmon","Data Source: SentinelOne","Data Source: Crowdstrike"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n  - Analyze the process executable using a private sandboxed analysis system.\n  - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n    - Attempts to contact external domains and addresses.\n      - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n      - Examine the DNS cache for suspicious or anomalous entries.\n        - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n    - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n    - Examine the host services for suspicious or anomalous entries.\n      - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n      - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n      - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n  - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n  - Implement temporary network rules, procedures, and segmentation to contain the malware.\n  - Stop suspicious processes.\n  - Immediately block the identified indicators of compromise (IoCs).\n  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1548","name":"Abuse Elevation Control Mechanism","reference":"https://attack.mitre.org/techniques/T1548/","subtechnique":[{"id":"T1548.002","name":"Bypass User Account Control","reference":"https://attack.mitre.org/techniques/T1548/002/"}]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1548","name":"Abuse Elevation Control Mechanism","reference":"https://attack.mitre.org/techniques/T1548/","subtechnique":[{"id":"T1548.002","name":"Bypass User Account Control","reference":"https://attack.mitre.org/techniques/T1548/002/"}]}]}],"to":"now","references":[],"version":321,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"system","version":"^2.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.executable","type":"keyword","ecs":true},{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["endgame-*","logs-crowdstrike.fdr*","logs-endpoint.events.process-*","logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*","logs-system.security*","logs-windows.forwarded*","logs-windows.sysmon_operational-*","winlogbeat-*"],"query":"process where host.os.type == \"windows\" and event.type == \"start\" and\n  process.parent.name : \"eventvwr.exe\" and\n  not process.executable : (\n        \"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n        \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n        \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n        \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n\n        /* Crowdstrike specific exclusion as it uses NT Object paths */\n        \"\\\\Device\\\\HarddiskVolume*\\\\Windows\\\\Sys?????\\\\mmc.exe\",\n        \"\\\\Device\\\\HarddiskVolume*\\\\Windows\\\\Sys?????\\\\WerFault.exe\"\n  )\n","actions":[]}
{"id":"b4fe6cf9-9134-4b46-bb5b-15beadb53e01","updated_at":"2025-12-06T05:07:25.056Z","updated_by":"elastic","created_at":"2025-11-02T05:49:48.224Z","created_by":"elastic","name":"Creation of a Hidden Local User Account","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Persistence","Resources: Investigation Guide","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Sysmon","Data Source: Microsoft Defender for Endpoint","Data Source: SentinelOne","Data Source: Crowdstrike"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"2edc8076-291e-41e9-81e4-e3fcbc97ae5e","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003/"},"technique":[{"id":"T1136","name":"Create Account","reference":"https://attack.mitre.org/techniques/T1136/","subtechnique":[{"id":"T1136.001","name":"Local Account","reference":"https://attack.mitre.org/techniques/T1136/001/"}]}]}],"to":"now","references":["http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html","https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"],"version":314,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"registry.path","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["winlogbeat-*","logs-endpoint.events.registry-*","logs-windows.sysmon_operational-*","endgame-*","logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*","logs-crowdstrike.fdr*"],"query":"registry where host.os.type == \"windows\" and event.type == \"change\" and\n  registry.path : (\n    \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n    \"\\\\REGISTRY\\\\MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n    \"MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n)\n","actions":[]}
{"id":"3ad7f9f7-4314-4f3d-86a3-fa6b520f7ac7","updated_at":"2025-12-06T05:07:25.043Z","updated_by":"elastic","created_at":"2025-11-02T05:50:37.057Z","created_by":"elastic","name":"Script Execution via Microsoft HTML Application","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Defense Evasion","Data Source: Windows Security Event Logs","Data Source: Sysmon","Data Source: SentinelOne","Data Source: Microsoft Defender for Endpoint","Data Source: Elastic Defend","Data Source: Crowdstrike","Resources: Investigation Guide","Data Source: Elastic Endgame"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe. Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Script Execution via Microsoft HTML Application\n\nMicrosoft HTML Applications (HTA) allow scripts to run in a trusted environment, often using utilities like `rundll32.exe` or `mshta.exe`. Adversaries exploit this by executing malicious scripts under the guise of legitimate processes, bypassing defenses. The detection rule identifies suspicious script execution patterns, such as unusual command lines or execution from common download locations, to flag potential abuse.\n\n### Possible investigation steps\n\n- Review the process command line details to identify any suspicious patterns or indicators of malicious activity, such as the presence of script execution commands like \"eval\", \"GetObject\", or \"WScript.Shell\".\n- Check the parent process executable path to determine if the process was spawned by a known legitimate application or if it deviates from expected behavior, especially if it is not from the specified exceptions like Citrix, Microsoft Office, or Quokka.Works GTInstaller.\n- Investigate the origin of the HTA file, particularly if it was executed from common download locations like the Downloads folder or temporary archive extraction paths, to assess if it was downloaded from the internet or extracted from an archive.\n- Analyze the process arguments and count to identify any unusual or unexpected parameters that could indicate malicious intent, especially if the process name is \"mshta.exe\" and the command line does not include typical HTA or HTM file references.\n- Correlate the event with other security logs and alerts from data sources like Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and determine if this activity is part of a broader attack pattern.\n\n### False positive analysis\n\n- Execution of legitimate scripts by enterprise applications like Citrix, Microsoft Office, or Quokka.Works GTInstaller can trigger false positives. Users can mitigate this by adding these applications to the exclusion list in the detection rule.\n- Scripts executed by mshta.exe that do not involve malicious intent, such as internal web applications or administrative scripts, may be flagged. Users should review these scripts and, if deemed safe, exclude them based on specific command line patterns or parent processes.\n- HTA files downloaded from trusted internal sources or vendors might be mistakenly identified as threats. Users can create exceptions for these sources by specifying trusted download paths or file hashes.\n- Temporary files created by legitimate software installations or updates in user temp directories can be misinterpreted as malicious. Users should monitor these activities and exclude known safe processes or directories from the detection rule.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further spread of the malicious script or unauthorized access.\n- Terminate any suspicious processes identified by the detection rule, specifically those involving `rundll32.exe` or `mshta.exe` with unusual command lines.\n- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or scripts.\n- Review and analyze the command lines and scripts executed to understand the scope and intent of the attack, and identify any additional compromised systems.\n- Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated.\n- Implement network segmentation to limit the ability of similar threats to propagate across the network in the future.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been compromised.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"181f6b23-3799-445e-9589-0018328a9e46","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1218","name":"System Binary Proxy Execution","reference":"https://attack.mitre.org/techniques/T1218/","subtechnique":[{"id":"T1218.005","name":"Mshta","reference":"https://attack.mitre.org/techniques/T1218/005/"},{"id":"T1218.011","name":"Rundll32","reference":"https://attack.mitre.org/techniques/T1218/011/"}]}]}],"to":"now","references":[],"version":207,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"system","version":"^2.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.args_count","type":"long","ecs":true},{"name":"process.command_line","type":"wildcard","ecs":true},{"name":"process.name","type":"keyword","ecs":true},{"name":"process.parent.executable","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*","logs-system.security*","logs-windows.forwarded*","logs-windows.sysmon_operational-*","winlogbeat-*","logs-endpoint.events.process-*","logs-crowdstrike.fdr*","endgame-*"],"query":"process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\") and\n  (\n     (process.command_line :\n        (\n        \"*script*eval(*\",\n         \"*script*GetObject*\",\n         \"*.regread(*\",\n         \"*WScript.Shell*\",\n         \"*.run(*\",\n         \"*).Exec()*\",\n         \"*mshta*http*\",\n         \"*mshtml*RunHTMLApplication*\",\n         \"*mshtml*,#135*\",\n         \"*StrReverse*\",\n         \"*.RegWrite*\",\n         /* Issue #379 */\n         \"*window.close(*\",\n         \"* Chr(*\"\n         )\n     and not ?process.parent.executable :\n                  (\"?:\\\\Program Files (x86)\\\\Citrix\\\\System32\\\\wfshell.exe\",\n                   \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\Office*\\\\MSACCESS.EXE\",\n                   \"?:\\\\Program Files\\\\Quokka.Works GTInstaller\\\\GTInstaller.exe\")\n     ) or\n\n    (process.name : \"mshta.exe\" and\n     not process.command_line : (\"*.hta*\", \"*.htm*\", \"-Embedding\") and ?process.args_count >=2) or\n\n     /* Execution of HTA file downloaded from the internet */\n     (process.name : \"mshta.exe\" and process.command_line : \"*\\\\Users\\\\*\\\\Downloads\\\\*.hta*\") or\n\n     /* Execution of HTA file from archive */\n     (process.name : \"mshta.exe\" and\n      process.args : (\"?:\\\\Users\\\\*\\\\Temp\\\\7z*\", \"?:\\\\Users\\\\*\\\\Temp\\\\Rar$*\", \"?:\\\\Users\\\\*\\\\Temp\\\\Temp?_*\", \"?:\\\\Users\\\\*\\\\Temp\\\\BNZ.*\"))\n   )\n","actions":[]}
{"id":"a6b91462-c479-48cd-b0b3-7df18394ef86","updated_at":"2025-12-06T05:07:33.306Z","updated_by":"elastic","created_at":"2025-11-02T05:54:10.059Z","created_by":"elastic","name":"Suspicious DLL Loaded for Persistence or Privilege Escalation","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Persistence","Tactic: Privilege Escalation","Tactic: Defense Evasion","Resources: Investigation Guide","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Sysmon"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n  - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n  - Use a private sandboxed malware analysis system to perform analysis.\n    - Observe and collect information about the following activities:\n      - Attempts to contact external domains and addresses.\n      - File and registry access, modification, and creation activities.\n      - Service creation and launch activities.\n      - Scheduled task creation.\n  - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n    - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n  - Implement temporary network rules, procedures, and segmentation to contain the malware.\n  - Stop suspicious processes.\n  - Immediately block the identified indicators of compromise (IoCs).\n  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"bfeaf89b-a2a7-48a3-817f-e41829dc61ee","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1574","name":"Hijack Execution Flow","reference":"https://attack.mitre.org/techniques/T1574/","subtechnique":[{"id":"T1574.001","name":"DLL","reference":"https://attack.mitre.org/techniques/T1574/001/"}]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1036","name":"Masquerading","reference":"https://attack.mitre.org/techniques/T1036/","subtechnique":[{"id":"T1036.001","name":"Invalid Code Signature","reference":"https://attack.mitre.org/techniques/T1036/001/"}]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003/"},"technique":[{"id":"T1574","name":"Hijack Execution Flow","reference":"https://attack.mitre.org/techniques/T1574/","subtechnique":[{"id":"T1574.001","name":"DLL","reference":"https://attack.mitre.org/techniques/T1574/001/"}]}]}],"to":"now","references":["https://itm4n.github.io/windows-dll-hijacking-clarified/","http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html","https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html","https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html","https://windows-internals.com/faxing-your-way-to-system/","http://waleedassar.blogspot.com/2013/01/wow64logdll.html"],"version":218,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"dll.code_signature.exists","type":"boolean","ecs":true},{"name":"dll.code_signature.subject_name","type":"keyword","ecs":true},{"name":"dll.code_signature.trusted","type":"boolean","ecs":true},{"name":"dll.name","type":"keyword","ecs":true},{"name":"dll.path","type":"keyword","ecs":true},{"name":"event.action","type":"keyword","ecs":true},{"name":"event.category","type":"keyword","ecs":true},{"name":"file.code_signature.status","type":"keyword","ecs":true},{"name":"file.hash.sha256","type":"keyword","ecs":true},{"name":"file.name","type":"keyword","ecs":true},{"name":"file.path","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.executable","type":"keyword","ecs":true}],"setup":"## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n","type":"eql","language":"eql","index":["winlogbeat-*","logs-endpoint.events.library-*","logs-windows.sysmon_operational-*","endgame-*"],"query":"any where host.os.type == \"windows\" and\n(event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n(\n  /* compatible with Elastic Endpoint Library Events */\n  (\n    ?dll.name : (\n        \"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n        \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n        \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"TPPCOIPW32.dll\", \n        \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\"\n    )\n    and (\n      ?dll.code_signature.trusted != true or\n      ?dll.code_signature.exists != true or\n      (\n        ?dll.code_signature.trusted == true and\n          not ?dll.code_signature.subject_name : (\"Microsoft Windows\", \"Microsoft Corporation\", \"Microsoft Windows Publisher\")\n      )\n  ) or\n   /* oci.dll is too noisy due to unsigned Oracle related DLL loaded from random dirs */\n  (\n   (?dll.path : \"?:\\\\Windows\\\\*\\\\oci.dll\" and process.executable : \"?:\\\\Windows\\\\*.exe\" and \n    (?dll.code_signature.trusted != true or ?dll.code_signature.exists != true)) or \n    \n   (file.path : \"?:\\\\Windows\\\\*\\\\oci.dll\" and not file.code_signature.status == \"Valid\" and process.executable : \"?:\\\\Windows\\\\*.exe\")\n   ) or \n\n  /* compatible with Sysmon EventID 7 - Image Load */\n  (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n               \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n               \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"TPPCOIPW32.dll\", \n               \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\") and \n   not file.hash.sha256 : \n            (\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\", \n             \"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\", \n             \"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\") and \n   not file.code_signature.status == \"Valid\")\n  ) and\n  not\n  (\n    ?dll.path : (\n      \"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\",\n      \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\",\n      \"?:\\\\Windows\\\\System32\\\\windowsperformancerecordercontrol.dll\",\n      \"?:\\\\Windows\\\\System32\\\\wlanhlp.dll\", \n      \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\", \n      \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\wbemcomn.dll\", \n      \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\SysWOW64\\\\wlanhlp.dll\", \n      \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\wlanhlp.dll\", \n      \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\SysWOW64\\\\windowsperformancerecordercontrol.dll\", \n      \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\windowsperformancerecordercontrol.dll\", \n      \"C:\\\\ProgramData\\\\docker\\\\windowsfilter\\\\*\\\\Files\\\\Windows\\\\System32\\\\windowsperformancerecordercontrol.dll\", \n      \"C:\\\\ProgramData\\\\docker\\\\windowsfilter\\\\*\\\\Files\\\\Windows\\\\System32\\\\windowsperformancerecordercontrol.dll\", \n      \"\\\\Device\\\\vmsmb\\\\VSMB-{*}\\\\os\\\\windows\\\\system32\\\\*.dll\"\n    ) or\n    file.path : (\n      \"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\",\n      \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\",\n      \"?:\\\\Windows\\\\System32\\\\windowsperformancerecordercontrol.dll\",\n      \"?:\\\\Windows\\\\System32\\\\wlanhlp.dll\", \n      \"C:\\\\ProgramData\\\\docker\\\\windowsfilter\\\\*\\\\Files\\\\Windows\\\\System32\\\\windowsperformancerecordercontrol.dll\", \n      \"C:\\\\ProgramData\\\\docker\\\\windowsfilter\\\\*\\\\Files\\\\Windows\\\\System32\\\\wbemcomn.dll\", \n      \"\\\\Device\\\\vmsmb\\\\VSMB-{*}\\\\os\\\\windows\\\\system32\\\\*.dll\"\n    )\n  )\n)\n","actions":[]}
{"id":"0760e48f-eb12-4088-aaab-b5e5610790cc","updated_at":"2025-12-06T05:07:32.188Z","updated_by":"elastic","created_at":"2025-11-02T05:52:16.981Z","created_by":"elastic","name":"Potential Remote Desktop Tunneling Detected","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Command and Control","Tactic: Lateral Movement","Resources: Investigation Guide","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: SentinelOne","Data Source: Microsoft Defender for Endpoint","Data Source: Windows Security Event Logs","Data Source: Crowdstrike","Data Source: Sysmon"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","name":"Command and Control","reference":"https://attack.mitre.org/tactics/TA0011/"},"technique":[{"id":"T1572","name":"Protocol Tunneling","reference":"https://attack.mitre.org/techniques/T1572/"}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","name":"Lateral Movement","reference":"https://attack.mitre.org/tactics/TA0008/"},"technique":[{"id":"T1021","name":"Remote Services","reference":"https://attack.mitre.org/techniques/T1021/","subtechnique":[{"id":"T1021.004","name":"SSH","reference":"https://attack.mitre.org/techniques/T1021/004/"}]}]}],"to":"now","references":["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"],"version":419,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"system","version":"^2.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["endgame-*","logs-crowdstrike.fdr*","logs-endpoint.events.process-*","logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*","logs-system.security*","logs-windows.forwarded*","logs-windows.sysmon_operational-*","winlogbeat-*"],"query":"process where host.os.type == \"windows\" and event.type == \"start\" and\n  /* RDP port and usual SSH tunneling related switches in command line */\n  process.args : \"*:3389\" and\n  process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n","actions":[]}
{"id":"df7f6897-e579-4762-8bb5-dea44c786ff7","updated_at":"2025-12-06T05:07:33.314Z","updated_by":"elastic","created_at":"2025-11-02T05:52:55.467Z","created_by":"elastic","name":"Potential Process Injection via PowerShell","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Defense Evasion","Tactic: Execution","Resources: Investigation Guide","Data Source: PowerShell Logs"],"interval":"5m","enabled":true,"revision":0,"description":"Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":["Legitimate PowerShell scripts that make use of these functions."],"from":"now-9m","rule_id":"2e29e96a-b67c-455a-afe4-de6183431d0d","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1055","name":"Process Injection","reference":"https://attack.mitre.org/techniques/T1055/","subtechnique":[{"id":"T1055.001","name":"Dynamic-link Library Injection","reference":"https://attack.mitre.org/techniques/T1055/001/"},{"id":"T1055.002","name":"Portable Executable Injection","reference":"https://attack.mitre.org/techniques/T1055/002/"}]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059/","subtechnique":[{"id":"T1059.001","name":"PowerShell","reference":"https://attack.mitre.org/techniques/T1059/001/"}]},{"id":"T1106","name":"Native API","reference":"https://attack.mitre.org/techniques/T1106/"}]}],"to":"now","references":["https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1","https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1","https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1","https://www.elastic.co/security-labs/detect-credential-access"],"version":216,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.category","type":"keyword","ecs":true},{"name":"file.directory","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"powershell.file.script_block_text","type":"unknown","ecs":false}],"setup":"## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n","type":"query","language":"kuery","index":["winlogbeat-*","logs-windows.powershell*"],"query":"event.category:process and host.os.type:windows and\n  powershell.file.script_block_text : (\n   (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n      LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n   (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n      SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n  ) and not \n  file.directory: (\n    \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM\" or\n    \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\"\n  )\n","filters":[{"meta":{"negate":true},"query":{"wildcard":{"file.path":{"case_insensitive":true,"value":"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"}}}}],"actions":[]}
{"id":"0eb0fe5c-3d55-423d-a289-a33f7a7f3de0","updated_at":"2025-12-06T05:07:36.594Z","updated_by":"elastic","created_at":"2025-11-02T06:00:50.883Z","created_by":"elastic","name":"Wireless Credential Dumping using Netsh Command","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Credential Access","Tactic: Discovery","Data Source: Elastic Endgame","Resources: Investigation Guide","Data Source: Elastic Defend","Data Source: Windows Security Event Logs","Data Source: Microsoft Defender for Endpoint","Data Source: Sysmon","Data Source: SentinelOne","Data Source: Crowdstrike"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n  - Observe and collect information about the following activities in the alert subject host:\n    - Attempts to contact external domains and addresses.\n      - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n      - Examine the DNS cache for suspicious or anomalous entries.\n        - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n    - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n    - Examine the host services for suspicious or anomalous entries.\n      - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n      - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n      - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"2de87d72-ee0c-43e2-b975-5f0b029ac600","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1003","name":"OS Credential Dumping","reference":"https://attack.mitre.org/techniques/T1003/"},{"id":"T1555","name":"Credentials from Password Stores","reference":"https://attack.mitre.org/techniques/T1555/"}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0007","name":"Discovery","reference":"https://attack.mitre.org/tactics/TA0007/"},"technique":[{"id":"T1082","name":"System Information Discovery","reference":"https://attack.mitre.org/techniques/T1082/"}]}],"to":"now","references":["https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts","https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/"],"version":214,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"system","version":"^2.0.0"},{"package":"windows","version":"^3.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true},{"name":"process.pe.original_file_name","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["endgame-*","logs-crowdstrike.fdr*","logs-endpoint.events.process-*","logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*","logs-system.security*","logs-windows.forwarded*","logs-windows.sysmon_operational-*","winlogbeat-*"],"query":"process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or ?process.pe.original_file_name == \"netsh.exe\") and\n  process.args : \"wlan\" and process.args : \"key*clear\"\n","actions":[]}
{"id":"ba9371c9-cac8-40fa-8d74-65ff4758154f","updated_at":"2025-12-06T05:07:38.692Z","updated_by":"elastic","created_at":"2025-11-02T06:15:38.191Z","created_by":"elastic","name":"Unusual Executable File Creation by a System Critical Process","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Defense Evasion","Tactic: Execution","Resources: Investigation Guide","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Sysmon","Data Source: Microsoft Defender for Endpoint","Data Source: SentinelOne","Data Source: Crowdstrike"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n  - Analyze the process executable using a private sandboxed analysis system.\n  - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n    - Attempts to contact external domains and addresses.\n      - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n      - Examine the DNS cache for suspicious or anomalous entries.\n        - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n    - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n    - Examine the host services for suspicious or anomalous entries.\n      - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n      - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n      - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n  - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n  - Implement temporary network rules, procedures, and segmentation to contain the malware.\n  - Stop suspicious processes.\n  - Immediately block the identified indicators of compromise (IoCs).\n  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"e94262f2-c1e9-4d3f-a907-aeab16712e1a","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1211","name":"Exploitation for Defense Evasion","reference":"https://attack.mitre.org/techniques/T1211/"}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1203","name":"Exploitation for Client Execution","reference":"https://attack.mitre.org/techniques/T1203/"}]}],"to":"now","references":[],"version":315,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"file.extension","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["winlogbeat-*","logs-endpoint.events.file-*","logs-windows.sysmon_operational-*","endgame-*","logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*","logs-crowdstrike.fdr*"],"query":"file where host.os.type == \"windows\" and event.type != \"deletion\" and\n  file.extension : (\"exe\", \"dll\") and\n  process.name : (\"smss.exe\",\n                  \"autochk.exe\",\n                  \"csrss.exe\",\n                  \"wininit.exe\",\n                  \"services.exe\",\n                  \"lsass.exe\",\n                  \"winlogon.exe\",\n                  \"userinit.exe\",\n                  \"LogonUI.exe\")\n","actions":[]}
{"id":"b0dd8a0f-2cc0-454a-99d5-96c632b21496","updated_at":"2025-12-06T05:07:38.700Z","updated_by":"elastic","created_at":"2025-11-02T06:15:36.719Z","created_by":"elastic","name":"Network Activity to a Suspicious Top Level Domain","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Command and Control","Resources: Investigation Guide","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Windows Security Event Logs","Data Source: SentinelOne","Data Source: Crowdstrike","Data Source: Sysmon"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies DNS queries to commonly abused Top Level Domains by common LOLBINs or executable running from world writable directories or unsigned binaries. This behavior matches on common malware C2 abusing less formal domain names.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Network Activity to a Suspicious Top Level Domain\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes or malicious scripts.\n- Review if the domain reputation and the frequency of network activities as well as any download/upload activity.\n- Verify if the executed process is persistent on the host like common mechanisms Startup folder, task or Run key.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\n\n### False positive analysis\n\n- Trusted domain from an expected process running in the environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"e516bf56-d51b-43e8-91ec-9e276331f433","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","name":"Command and Control","reference":"https://attack.mitre.org/tactics/TA0011/"},"technique":[{"id":"T1071","name":"Application Layer Protocol","reference":"https://attack.mitre.org/techniques/T1071/","subtechnique":[{"id":"T1071.004","name":"DNS","reference":"https://attack.mitre.org/techniques/T1071/004/"}]}]}],"to":"now","references":["https://www.cybercrimeinfocenter.org/top-20-tlds-by-malicious-phishing-domains"],"version":3,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"dns.question.name","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.code_signature.exists","type":"boolean","ecs":true},{"name":"process.code_signature.subject_name","type":"keyword","ecs":true},{"name":"process.code_signature.trusted","type":"boolean","ecs":true},{"name":"process.executable","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["endgame-*","logs-endpoint.events.network-*","logs-sentinel_one_cloud_funnel.*","logs-crowdstrike.fdr*","logs-windows.sysmon_operational-*","winlogbeat-*"],"query":"network where host.os.type == \"windows\" and dns.question.name != null and\n (\n  process.name : (\"MSBuild.exe\", \"mshta.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"msiexec.exe\", \"rundll32.exe\",\n                  \"bitsadmin.exe\", \"InstallUtil.exe\", \"python.exe\", \"regsvr32.exe\", \"dllhost.exe\", \"node.exe\",\n                  \"java.exe\", \"javaw.exe\", \"*.pif\", \"*.com\", \"*.scr\") or\n  (?process.code_signature.trusted == false or ?process.code_signature.exists == false) or\n  ?process.code_signature.subject_name : (\"AutoIt Consulting Ltd\", \"OpenJS Foundation\", \"Python Software Foundation\") or\n  ?process.executable : (\"?:\\\\Users\\\\*.exe\", \"?:\\\\ProgramData\\\\*.exe\")\n ) and\ndns.question.name regex \"\"\".*\\.(top|buzz|xyz|rest|ml|cf|gq|ga|onion|monster|cyou|quest|cc|bar|cfd|click|cam|surf|tk|shop|club|icu|pw|ws|online|fun|life|boats|store|hair|skin|motorcycles|christmas|lol|makeup|mom|bond|beauty|biz|live|work|zip|country|accountant|date|party|science|loan|win|men|faith|review|racing|download|host)\"\"\"\n","actions":[]}
{"id":"754d6731-2e51-4e82-8162-c45379d005dc","updated_at":"2025-12-06T05:07:38.668Z","updated_by":"elastic","created_at":"2025-11-02T06:01:59.186Z","created_by":"elastic","name":"Disabling Lsa Protection via Registry Modification","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Defense Evasion","Resources: Investigation Guide","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Sysmon","Data Source: Microsoft Defender for Endpoint","Data Source: SentinelOne","Data Source: Crowdstrike"],"interval":"5m","enabled":true,"revision":0,"description":"LSA protecton is provided to prevent nonprotected processes from reading memory and injecting code. This feature provides added security for the credentials that LSA stores and manages. Adversaries may modify the RunAsPPL registry and wait or initiate a system restart to enable Lsass credentials access.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Disabling Lsa Protection via Registry Modification\n\nFor more information about the Lsa Protection and how it works, check the [official Microsoft docs page](https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection).\n\nAttackers may disable Lsa protection to access Lsass memory for credentals. This rule identifies RunAsPPL registry value modifications.\n\n#### Possible investigation steps\n\n- Verify the context of the change and if it's related to a planned system administration activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Approved changes to relax the Lsa protection for compatibility with third party solutions such as authentication plugins or alike.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n  - Implement temporary network rules, procedures, and segmentation to contain the malware.\n  - Stop suspicious processes.\n  - Immediately block the identified indicators of compromise (IoCs).\n  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"37cb6756-8892-4af3-a6bd-ddc56db0069d","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1112","name":"Modify Registry","reference":"https://attack.mitre.org/techniques/T1112/"},{"id":"T1562","name":"Impair Defenses","reference":"https://attack.mitre.org/techniques/T1562/","subtechnique":[{"id":"T1562.001","name":"Disable or Modify Tools","reference":"https://attack.mitre.org/techniques/T1562/001/"}]}]}],"to":"now","references":["https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection"],"version":3,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"registry.data.strings","type":"wildcard","ecs":true},{"name":"registry.path","type":"keyword","ecs":true},{"name":"registry.value","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["winlogbeat-*","logs-endpoint.events.registry-*","logs-windows.sysmon_operational-*","endgame-*","logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*","logs-crowdstrike.fdr*"],"query":"registry where host.os.type == \"windows\" and event.type == \"change\" and\n  registry.data.strings != null and registry.value : \"RunAsPPL\" and\n  registry.path : \"*\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\RunAsPPL\" and\n  not registry.data.strings : (\"1\", \"0x00000001\", \"2\", \"0x00000002\")\n","actions":[]}
{"id":"096a5e6b-d541-4967-81e5-b17f8acf87f5","updated_at":"2025-12-06T05:37:27.798Z","updated_by":"elastic","created_at":"2025-12-06T05:37:19.681Z","created_by":"elastic","name":"Potential Linux Hack Tool Launched","tags":["Domain: Endpoint","OS: Linux","Use Case: Threat Detection","Tactic: Execution","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Auditd Manager","Data Source: Crowdstrike","Data Source: SentinelOne","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well.","risk_score":47,"severity":"medium","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Linux Hack Tool Launched\n\nLinux environments often utilize various tools for system administration and security testing. While these tools serve legitimate purposes, adversaries can exploit them for malicious activities, such as unauthorized access or data exfiltration. The detection rule identifies suspicious process executions linked to known hacking tools, flagging potential misuse by monitoring specific process names and actions indicative of exploitation attempts.\n\n### Possible investigation steps\n\n- Review the process name that triggered the alert to determine if it matches any known hacking tools listed in the query, such as \"crackmapexec\" or \"sqlmap\".\n- Check the user account associated with the process execution to assess if it is a legitimate user or potentially compromised.\n- Investigate the source and destination IP addresses involved in the process execution to identify any unusual or unauthorized network activity.\n- Examine the command line arguments used during the process execution to understand the intent and scope of the activity.\n- Correlate the event with other logs or alerts from the same host to identify any patterns or additional suspicious activities.\n- Verify if the process execution aligns with any scheduled tasks or known administrative activities to rule out false positives.\n\n### False positive analysis\n\n- System administrators and security teams often use tools like \"john\", \"hashcat\", and \"hydra\" for legitimate security testing and password recovery. To reduce false positives, create exceptions for these tools when used by authorized personnel or during scheduled security assessments.\n- Blue team exercises may involve the use of exploitation frameworks such as \"msfconsole\" and \"msfvenom\". Implement a process to whitelist these activities when they are part of a sanctioned security drill.\n- Network scanning tools like \"zenmap\" and \"nuclei\" are frequently used for network mapping and vulnerability assessments. Establish a baseline of normal usage patterns and exclude these from alerts when they match expected behavior.\n- Web enumeration tools such as \"gobuster\" and \"dirbuster\" might be used by web developers for testing purposes. Coordinate with development teams to identify legitimate use cases and exclude these from triggering alerts.\n- Regularly review and update the list of excluded processes to ensure that only non-threatening activities are exempted, maintaining a balance between security and operational efficiency.\n\n### Response and remediation\n\n- Immediately isolate the affected Linux host from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any suspicious processes identified by the alert, such as those listed in the detection query, to halt potential malicious activities.\n- Conduct a thorough review of system logs and process execution history to identify any additional indicators of compromise or lateral movement attempts.\n- Restore the affected system from a known good backup if any unauthorized changes or data exfiltration are confirmed.\n- Update and patch all software and applications on the affected host to mitigate vulnerabilities that could be exploited by the identified tools.\n- Implement stricter access controls and monitoring on the affected host to prevent unauthorized execution of potentially malicious tools in the future.\n- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"1df1152b-610a-4f48-9d7a-504f6ee5d9da","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[]}],"to":"now","references":[],"version":108,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"auditd_manager","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"}],"required_fields":[{"name":"event.action","type":"keyword","ecs":true},{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true}],"setup":"## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n","type":"eql","language":"eql","index":["auditbeat-*","endgame-*","logs-auditd_manager.auditd-*","logs-crowdstrike.fdr*","logs-endpoint.events.process*","logs-sentinel_one_cloud_funnel.*"],"query":"process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"executed\", \"process_started\") and\nprocess.name in~ (\n  // exploitation frameworks\n  \"crackmapexec\", \"msfconsole\", \"msfvenom\", \"sliver-client\", \"sliver-server\", \"havoc\",\n  // network scanners (nmap left out to reduce noise)\n  \"zenmap\", \"nuclei\", \"netdiscover\", \"legion\",\n  // web enumeration\n  \"gobuster\", \"dirbuster\", \"dirb\", \"wfuzz\", \"ffuf\", \"whatweb\", \"eyewitness\",\n  // web vulnerability scanning\n  \"wpscan\", \"joomscan\", \"droopescan\", \"nikto\",\n  // exploitation tools\n  \"sqlmap\", \"commix\", \"yersinia\",\n  // cracking and brute forcing\n  \"john\", \"hashcat\", \"hydra\", \"ncrack\", \"cewl\", \"fcrackzip\", \"rainbowcrack\",\n  // host and network\n  \"linenum.sh\", \"linpeas.sh\", \"pspy32\", \"pspy32s\", \"pspy64\", \"pspy64s\", \"binwalk\", \"evil-winrm\",\n  \"linux-exploit-suggester-2.pl\", \"linux-exploit-suggester.sh\", \"panix.sh\"\n)\n","actions":[]}
{"id":"c9e55543-e771-4713-959b-ef148fb05662","updated_at":"2025-12-06T05:07:35.413Z","updated_by":"elastic","created_at":"2025-11-02T06:00:50.854Z","created_by":"elastic","name":"Conhost Spawned By Suspicious Parent Process","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Execution","Tactic: Defense Evasion","Tactic: Privilege Escalation","Resources: Investigation Guide","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Sysmon","Data Source: Microsoft Defender for Endpoint","Data Source: SentinelOne"],"interval":"5m","enabled":true,"revision":0,"description":"Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n  - Use a private sandboxed malware analysis system to perform analysis.\n    - Observe and collect information about the following activities:\n      - Attempts to contact external domains and addresses.\n      - File and registry access, modification, and creation activities.\n      - Service creation and launch activities.\n      - Scheduled task creation.\n  - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n    - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n  - Implement temporary network rules, procedures, and segmentation to contain the malware.\n  - Stop suspicious processes.\n  - Immediately block the identified indicators of compromise (IoCs).\n  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"05b358de-aa6d-4f6c-89e6-78f74018b43b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059/"}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1036","name":"Masquerading","reference":"https://attack.mitre.org/techniques/T1036/"}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1055","name":"Process Injection","reference":"https://attack.mitre.org/techniques/T1055/"}]}],"to":"now","references":["https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"],"version":312,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true},{"name":"process.parent.args","type":"keyword","ecs":true},{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["winlogbeat-*","logs-endpoint.events.process-*","logs-windows.sysmon_operational-*","endgame-*","logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*"],"query":"process where host.os.type == \"windows\" and event.type == \"start\" and\n  process.name : \"conhost.exe\" and\n  process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n                         \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n  not (process.parent.name : \"rundll32.exe\" and\n       process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n                              \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n                              \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n","actions":[]}
{"id":"d1fe3eb0-2e2a-4deb-a039-d78200ca19bd","updated_at":"2025-12-06T05:07:23.856Z","updated_by":"elastic","created_at":"2025-11-02T05:48:34.094Z","created_by":"elastic","name":"Suspicious Process Access via Direct System Call","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Defense Evasion","Tactic: Execution","Resources: Investigation Guide","Data Source: Sysmon"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n  - Analyze the process executable using a private sandboxed analysis system.\n  - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n    - Attempts to contact external domains and addresses.\n      - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n      - Examine the DNS cache for suspicious or anomalous entries.\n        - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n    - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n    - Examine the host services for suspicious or anomalous entries.\n      - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n      - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n      - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n  - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n  - Implement temporary network rules, procedures, and segmentation to contain the malware.\n  - Stop suspicious processes.\n  - Immediately block the identified indicators of compromise (IoCs).\n  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"2dd480be-1263-4d9c-8672-172928f6789a","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1055","name":"Process Injection","reference":"https://attack.mitre.org/techniques/T1055/"}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1106","name":"Native API","reference":"https://attack.mitre.org/techniques/T1106/"}]}],"to":"now","references":["https://twitter.com/SBousseaden/status/1278013896440324096","https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"],"version":314,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.code","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.executable","type":"keyword","ecs":true},{"name":"winlog.event_data.CallTrace","type":"keyword","ecs":false},{"name":"winlog.event_data.TargetImage","type":"keyword","ecs":false}],"setup":"## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n","type":"eql","language":"eql","index":["winlogbeat-*","logs-windows.sysmon_operational-*"],"query":"process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n            (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n             \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n             \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n             \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n             \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n            (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n             \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n             \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n             \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n                            \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n      not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n","actions":[]}
{"id":"b9d9b6d6-2ba8-4bc5-a230-a36b013c5001","updated_at":"2025-12-06T05:07:38.711Z","updated_by":"elastic","created_at":"2025-11-02T06:15:38.415Z","created_by":"elastic","name":"Persistence via Hidden Run Key Detected","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Persistence","Tactic: Defense Evasion","Tactic: Execution","Resources: Investigation Guide","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Sysmon","Data Source: Crowdstrike","Data Source: SentinelOne","Data Source: Microsoft Defender for Endpoint"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Persistence via Hidden Run Key Detected\n\nThe Windows Registry is a critical system database that stores configuration settings. Adversaries exploit it for persistence by creating hidden registry keys using native APIs, making them invisible to standard tools like regedit. The detection rule identifies changes in specific registry paths associated with startup programs, flagging null-terminated keys that suggest stealthy persistence tactics.\n\n### Possible investigation steps\n\n- Review the specific registry path where the change was detected to determine if it matches any of the paths listed in the query, such as \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\" or \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\".\n- Check the timestamp of the registry change event to correlate it with other system activities or user actions that occurred around the same time.\n- Investigate the process that made the registry change by examining process creation logs or using tools like Sysmon to identify the responsible process and its parent process.\n- Analyze the content of the registry key value that was modified or created to determine if it points to a legitimate application or a potentially malicious executable.\n- Cross-reference the detected registry change with known threat intelligence sources to identify if the key or value is associated with known malware or adversary techniques.\n- Assess the affected system for additional indicators of compromise, such as unusual network connections, file modifications, or other persistence mechanisms.\n\n### False positive analysis\n\n- Legitimate software installations or updates may create registry keys in the specified paths, leading to false positives. Users can monitor the installation process and temporarily disable the rule during known software updates to prevent unnecessary alerts.\n- System administrators may intentionally configure startup programs for maintenance or monitoring purposes. Document these configurations and create exceptions in the detection rule to avoid flagging them as threats.\n- Some security software may use similar techniques to ensure their components start with the system. Verify the legitimacy of such software and whitelist their registry changes to prevent false alarms.\n- Custom scripts or automation tools used within an organization might modify registry keys for operational reasons. Identify these scripts and exclude their activities from the detection rule to reduce false positives.\n- Regularly review and update the list of known safe applications and processes that interact with the registry paths in question, ensuring that the detection rule remains relevant and accurate.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.\n- Use a trusted tool to manually inspect and remove the hidden registry keys identified in the alert from the specified registry paths to eliminate the persistence mechanism.\n- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes associated with the threat.\n- Review recent user activity and system logs to identify any unauthorized access or changes made by the adversary, and reset credentials for any compromised accounts.\n- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.\n- Implement enhanced monitoring on the affected system and similar endpoints to detect any recurrence of the threat, focusing on registry changes and process execution.\n- Update and reinforce endpoint security configurations to prevent similar persistence techniques, such as enabling registry auditing and restricting access to critical registry paths.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"a9b05c3b-b304-4bf9-970d-acdfaef2944c","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003/"},"technique":[{"id":"T1547","name":"Boot or Logon Autostart Execution","reference":"https://attack.mitre.org/techniques/T1547/","subtechnique":[{"id":"T1547.001","name":"Registry Run Keys / Startup Folder","reference":"https://attack.mitre.org/techniques/T1547/001/"}]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1106","name":"Native API","reference":"https://attack.mitre.org/techniques/T1106/"}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1112","name":"Modify Registry","reference":"https://attack.mitre.org/techniques/T1112/"}]}],"to":"now","references":["https://github.com/outflanknl/SharpHide","https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf"],"version":213,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"crowdstrike","version":"^2.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"m365_defender","version":"^3.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"registry.data.strings","type":"wildcard","ecs":true},{"name":"registry.path","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["logs-endpoint.events.registry-*","winlogbeat-*","logs-windows.sysmon_operational-*","endgame-*","logs-crowdstrike.fdr*","logs-sentinel_one_cloud_funnel.*","logs-m365_defender.event-*"],"query":"/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and event.type == \"change\" and length(registry.data.strings) > 0 and\n  registry.path : \"*\\\\Run\\\\\" and\n  registry.path : (\n    \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n    \"*\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n    \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\"\n  )\n","actions":[]}
{"id":"8c6dfb84-7118-4209-838a-1a10194e5c7b","updated_at":"2025-12-06T05:07:44.028Z","updated_by":"elastic","created_at":"2025-11-02T06:15:38.402Z","created_by":"elastic","name":"Privilege Escalation via Rogue Named Pipe Impersonation","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Privilege Escalation","Data Source: Sysmon","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Privilege Escalation via Rogue Named Pipe Impersonation\n\nNamed pipes in Windows facilitate inter-process communication, allowing data exchange between processes. Adversaries exploit this by creating rogue named pipes, tricking privileged processes into connecting and executing malicious actions under elevated privileges. The detection rule identifies suspicious named pipe creation events, focusing on patterns indicative of impersonation attempts, thus flagging potential privilege escalation activities.\n\n### Possible investigation steps\n\n- Review the event logs for the specific named pipe creation event identified by the query, focusing on the file.name field to determine the exact named pipe path and assess its legitimacy.\n- Correlate the event with the process that created the named pipe by examining related process creation logs, identifying the process ID and executable responsible for the action.\n- Investigate the user context under which the named pipe was created to determine if it aligns with expected behavior or if it indicates potential misuse of privileges.\n- Check for any recent changes or anomalies in the system's configuration or user accounts that could suggest unauthorized access or privilege escalation attempts.\n- Analyze historical data for similar named pipe creation events to identify patterns or repeated attempts that could indicate a persistent threat or ongoing attack.\n\n### False positive analysis\n\n- Legitimate software or system processes may create named pipes that match the detection pattern. Regularly review and whitelist known benign processes that frequently create named pipes to reduce noise.\n- System management tools and monitoring software might generate named pipe creation events as part of their normal operation. Identify these tools and exclude their events from triggering alerts.\n- Custom in-house applications that use named pipes for inter-process communication can trigger false positives. Work with development teams to document these applications and create exceptions for their activity.\n- Scheduled tasks or scripts that run with elevated privileges and create named pipes could be mistaken for malicious activity. Ensure these tasks are documented and excluded from the detection rule.\n- Security software or endpoint protection solutions may use named pipes for legitimate purposes. Verify these activities and adjust the rule to prevent unnecessary alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.\n- Terminate any suspicious processes associated with the rogue named pipe to halt any ongoing malicious activities.\n- Conduct a thorough review of the system's event logs, focusing on named pipe creation events, to identify any other potentially compromised processes or systems.\n- Reset credentials for any accounts that may have been exposed or used in the privilege escalation attempt to prevent further unauthorized access.\n- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.\n- Implement enhanced monitoring for named pipe creation events across the network to detect and respond to similar threats in the future.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"76ddb638-abf7-42d5-be22-4a70b0bf7241","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1134","name":"Access Token Manipulation","reference":"https://attack.mitre.org/techniques/T1134/"}]}],"to":"now","references":["https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/","https://github.com/zcgonvh/EfsPotato","https://twitter.com/SBousseaden/status/1429530155291193354"],"version":210,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.code","type":"keyword","ecs":true},{"name":"event.provider","type":"keyword","ecs":true},{"name":"file.name","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true}],"setup":"## Setup\n\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n","type":"eql","language":"eql","index":["winlogbeat-*","logs-windows.sysmon_operational-*"],"query":"file where host.os.type == \"windows\" and\n  event.provider == \"Microsoft-Windows-Sysmon\" and\n  \n  /* Named Pipe Creation */\n  event.code == \"17\" and\n  \n  /* Sysmon truncates the \"Pipe\" keyword in normal named pipe creation events */\n  file.name : \"\\\\*\\\\Pipe\\\\*\"\n","actions":[]}
{"id":"19aff7a3-eac5-421d-83b6-2f578f37a395","updated_at":"2025-12-06T05:07:45.112Z","updated_by":"elastic","created_at":"2025-11-02T06:15:39.939Z","created_by":"elastic","name":"Potential privilege escalation via CVE-2022-38028","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Privilege Escalation","Tactic: Defense Evasion","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Sysmon","Data Source: Microsoft Defender for Endpoint","Data Source: SentinelOne","Data Source: Crowdstrike","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential privilege escalation via CVE-2022-38028\n\nCVE-2022-38028 targets the Windows Print Spooler service, a core component managing print jobs. Adversaries exploit this by manipulating specific JavaScript files within system directories to gain elevated privileges. The detection rule identifies unauthorized file presence in critical paths, signaling potential exploitation attempts, leveraging multiple data sources for comprehensive threat detection.\n\n### Possible investigation steps\n\n- Review the alert details to confirm the presence of the file \"MPDW-constraints.js\" in the specified critical paths: \"?:\\\\*\\\\Windows\\\\system32\\\\DriVerStoRe\\\\FiLeRePoSiToRy\\\\*\\\\MPDW-constraints.js\" or \"?:\\\\*\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\MPDW-constraints.js\".\n- Check the file creation and modification timestamps to determine when the file was placed or altered in the system directories.\n- Investigate the source of the file by examining recent user activity and process execution logs around the time the file appeared, focusing on any suspicious or unauthorized actions.\n- Correlate the event with other data sources such as Sysmon, Microsoft Defender for Endpoint, or SentinelOne to identify any related suspicious activities or processes that might indicate exploitation attempts.\n- Assess the risk and impact by determining if the affected system has any sensitive roles or access that could be leveraged by an attacker through privilege escalation.\n- If malicious activity is confirmed, initiate containment measures such as isolating the affected system and conducting a full malware scan to prevent further exploitation.\n\n### False positive analysis\n\n- Legitimate software updates or installations may place JavaScript files in the monitored directories. Verify the source and integrity of the software to ensure it is from a trusted vendor.\n- System administrators or automated scripts might deploy or modify JavaScript files in these paths for legitimate configuration purposes. Review change management logs to confirm authorized activities.\n- Security tools or system maintenance processes could temporarily create or modify files in these directories. Cross-reference with scheduled tasks or security tool logs to validate these actions.\n- Exclude known benign applications or processes that frequently interact with the specified file paths by creating exceptions in the detection rule to reduce noise.\n- Regularly update the detection rule to incorporate new intelligence on false positives, ensuring it remains effective and relevant.\n\n### Response and remediation\n\n- Isolate the affected system from the network immediately to prevent further exploitation or lateral movement by the adversary.\n- Terminate any suspicious processes related to the Windows Print Spooler service to halt ongoing exploitation attempts.\n- Remove unauthorized JavaScript files, specifically \"MPDW-constraints.js\", from the identified critical paths to eliminate the immediate threat.\n- Apply the latest security patches and updates from Microsoft to address CVE-2022-38028 and ensure the system is protected against known vulnerabilities.\n- Conduct a thorough review of user accounts and privileges on the affected system to identify and revoke any unauthorized privilege escalations.\n- Monitor the network and system logs for any signs of further exploitation attempts or related suspicious activities, using enhanced detection rules.\n- Report the incident to the appropriate internal security team or external authorities if required, providing detailed information about the exploitation attempt and actions taken.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"dffbd37c-d4c5-46f8-9181-5afdd9172b4c","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1068","name":"Exploitation for Privilege Escalation","reference":"https://attack.mitre.org/techniques/T1068/"}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1036","name":"Masquerading","reference":"https://attack.mitre.org/techniques/T1036/"}]}],"to":"now","references":["https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/"],"version":208,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"file.name","type":"keyword","ecs":true},{"name":"file.path","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.executable","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["logs-endpoint.events.file-*","logs-windows.sysmon_operational-*","endgame-*","winlogbeat-*","logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*","logs-crowdstrike.fdr*"],"query":"file where host.os.type == \"windows\" and event.type != \"deletion\" and\n    file.name : \"MPDW-constraints.js\" and\n    file.path : (\n        \"?:\\\\*\\\\Windows\\\\system32\\\\DriverStore\\\\FileRepository\\\\*\\\\MPDW-constraints.js\",\n        \"?:\\\\*\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\MPDW-constraints.js\", \n        \"\\\\Device\\\\HarddiskVolume*\\\\*\\\\Windows\\\\system32\\\\DriverStore\\\\FileRepository\\\\*\\\\MPDW-constraints.js\",\n        \"\\\\Device\\\\HarddiskVolume*\\\\*\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\MPDW-constraints.js\"\n    ) and\n    not process.executable : (\n          \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe\",\n          \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\"\n    ) and\n    not file.path : (\n        \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSxS\\\\*\\\\MPDW-constraints.js\",\n        \"\\\\Device\\\\HarddiskVolume*\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSxS\\\\*\\\\MPDW-constraints.js\"\n    )\n","actions":[]}
{"id":"e3901092-4622-4d8d-8d4f-ccd245da7bed","updated_at":"2025-12-06T05:07:38.682Z","updated_by":"elastic","created_at":"2025-11-02T06:15:38.931Z","created_by":"elastic","name":"Suspicious Windows Command Shell Arguments","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Execution","Resources: Investigation Guide","Data Source: Windows Security Event Logs","Data Source: Sysmon","Data Source: SentinelOne","Data Source: Microsoft Defender for Endpoint","Data Source: Elastic Endgame","Data Source: Crowdstrike"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is often observed during malware installation.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious Windows Command Shell Arguments\n\nThe Windows Command Shell (cmd.exe) is a critical component for executing commands and scripts. Adversaries exploit it to execute malicious scripts, download payloads, or manipulate system settings. The detection rule identifies unusual command-line arguments and patterns indicative of such abuse, filtering out known benign processes to minimize false positives. This helps in early detection of potential threats by monitoring for suspicious command executions.\n\n### Possible investigation steps\n\n- Review the command line arguments associated with the cmd.exe process to identify any suspicious patterns or keywords such as \"curl\", \"regsvr32\", \"wscript\", or \"Invoke-WebRequest\" that may indicate malicious activity.\n- Check the parent process of the cmd.exe execution to determine if it is a known benign process or if it is associated with potentially malicious activity, especially if the parent process is explorer.exe or other unusual executables.\n- Investigate the user account associated with the cmd.exe process to determine if the activity aligns with the user's typical behavior or if it appears anomalous.\n- Examine the network activity of the host to identify any unusual outbound connections or data transfers that may correlate with the suspicious command execution.\n- Cross-reference the alert with other security logs or alerts from tools like Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and corroborate findings.\n- Assess the risk score and severity of the alert to prioritize the investigation and determine if immediate response actions are necessary.\n\n### False positive analysis\n\n- Processes related to Spiceworks and wmiprvse.exe can trigger false positives. Exclude these by adding exceptions for process arguments containing \"%TEMP%\\\\Spiceworks\\\\*\" when the parent process is wmiprvse.exe.\n- Development tools like Perl, Node.js, and NetBeans may cause false alerts. Exclude these by specifying their executable paths in the exception list.\n- Citrix Secure Access Client initiated by userinit.exe can be a false positive. Exclude this by adding an exception for process arguments containing \"?:\\\\Program Files\\\\Citrix\\\\Secure Access Client\\\\nsauto.exe\" with the parent process name as userinit.exe.\n- Scheduled tasks or services like PCPitstopScheduleService.exe may trigger alerts. Exclude these by adding their paths to the exception list.\n- Command-line operations involving npm or Maven commands can be benign. Exclude these by specifying command-line patterns like \"\\\"cmd\\\" /c %NETBEANS_MAVEN_COMMAND_LINE%\" in the exception list.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further spread of potential malware or unauthorized access.\n- Terminate any suspicious cmd.exe processes identified by the detection rule to halt malicious activity.\n- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or scripts.\n- Review and restore any altered system settings or configurations to their original state to ensure system integrity.\n- Analyze the command-line arguments and parent processes involved in the alert to understand the scope and origin of the threat, and identify any additional compromised systems.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary.\n- Implement additional monitoring and detection rules to identify similar suspicious command-line activities in the future, enhancing the organization's ability to detect and respond to such threats promptly.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"d9ffc3d6-9de9-4b29-9395-5757d0695ecf","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059/","subtechnique":[{"id":"T1059.003","name":"Windows Command Shell","reference":"https://attack.mitre.org/techniques/T1059/003/"}]}]}],"to":"now","references":[],"version":206,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"windows","version":"^3.0.0"},{"package":"system","version":"^2.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.dataset","type":"keyword","ecs":true},{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.command_line","type":"wildcard","ecs":true},{"name":"process.name","type":"keyword","ecs":true},{"name":"process.parent.executable","type":"keyword","ecs":true},{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["logs-crowdstrike.fdr*","logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*","logs-system.security*","logs-windows.forwarded*","logs-windows.sysmon_operational-*","winlogbeat-*","endgame-*"],"query":"process where host.os.type == \"windows\" and event.type == \"start\" and\n  process.name : \"cmd.exe\" and\n  (\n    process.command_line : (\n        \"*).Run(*\", \"*GetObject*\", \"* curl*regsvr32*\", \"*echo*wscript*\", \"*echo*ZONE.identifier*\",\n        \"*ActiveXObject*\", \"*dir /s /b *echo*\", \"*unescape(*\",  \"*findstr*TVNDRgAAAA*\", \"*findstr*passw*\", \"*start*\\\\\\\\*\\\\DavWWWRoot\\\\*\",\n        \"* explorer*%CD%*\", \"*%cd%\\\\*.js*\", \"*attrib*%CD%*\", \"*/?cMD<*\", \"*/AutoIt3ExecuteScript*..*\", \"*&cls&cls&cls&cls&cls&*\",\n        \"*&#*;&#*;&#*;&#*;*\", \"* &&s^eT*\", \"*& ChrW(*\", \"*&explorer /root*\", \"*start __ & __\\\\*\", \"*findstr /V /L *forfiles*\",\n        \"*=wscri& set *\", \"*http*!COmpUternaME!*\", \"*start *.pdf * start /min cmd.exe /c *\\\\\\\\*\", \"*pip install*System.Net.WebClient*\",\n        \"*Invoke-WebReques*Start-Process*\", \"*-command (Invoke-webrequest*\", \"*copy /b *\\\\\\\\* ping *-n*\", \"*echo*.ToCharArray*\"\n    ) or\n\n    (process.args : \"echo\" and process.parent.name : (\"wscript.exe\", \"mshta.exe\")) or\n    \n    process.args : (\"1>?:\\\\*.vbs\", \"1>?:\\\\*.js\") or\n\n    (process.args : \"explorer.exe\" and process.args : \"type\" and process.args : \">\" and process.args : \"start\") or\n\n    (\n      process.parent.name : \"explorer.exe\" and\n      process.command_line : (\n        \"*&&S^eT *\",\n        \"*&& set *&& set *&& set *&& set *&& set *&& call*\",\n        \"**\\\\u00??\\\\u00??\\\\u00??\\\\u00??\\\\u00??\\\\u00??\\\\u00??\\\\u00??*\"\n      )\n    ) or\n\n    (process.parent.name : \"explorer.exe\" and process.args : \"copy\" and process.args : \"&&\" and process.args : \"\\\\\\\\*@*\\\\*\")\n  ) and\n\n  /* false positives */\n  not (process.args : \"%TEMP%\\\\Spiceworks\\\\*\" and process.parent.name : \"wmiprvse.exe\") and\n  not ?process.parent.executable : (\n        \"?:\\\\Perl64\\\\bin\\\\perl.exe\",\n        \"?:\\\\Program Files\\\\nodejs\\\\node.exe\",\n        \"?:\\\\Program Files\\\\HP\\\\RS\\\\pgsql\\\\bin\\\\pg_dumpall.exe\",\n        \"?:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\64 bit\\\\PRTG Server.exe\",\n        \"?:\\\\Program Files (x86)\\\\Spiceworks\\\\bin\\\\spiceworks-finder.exe\",\n        \"?:\\\\Program Files (x86)\\\\Zuercher Suite\\\\production\\\\leds\\\\leds.exe\",\n        \"?:\\\\Program Files\\\\Tripwire\\\\Agent\\\\Plugins\\\\twexec\\\\twexec.exe\",\n        \"D:\\\\Agents\\\\?\\\\_work\\\\_tasks\\\\*\\\\SonarScanner.MSBuild.exe\",\n        \"?:\\\\Program Files\\\\Microsoft VS Code\\\\Code.exe\",\n        \"?:\\\\programmiweb\\\\NetBeans-*\\\\netbeans\\\\bin\\\\netbeans64.exe\",\n        \"?:\\\\Program Files (x86)\\\\Public Safety Suite Professional\\\\production\\\\leds\\\\leds.exe\",\n        \"?:\\\\Program Files (x86)\\\\Tier2Tickets\\\\button_gui.exe\",\n        \"?:\\\\Program Files\\\\NetBeans-*\\\\netbeans\\\\bin\\\\netbeans*.exe\",\n        \"?:\\\\Program Files (x86)\\\\Public Safety Suite Professional\\\\production\\\\leds\\\\leds.exe\",\n        \"?:\\\\Program Files (x86)\\\\Tier2Tickets\\\\button_gui.exe\",\n        \"?:\\\\Program Files (x86)\\\\Helpdesk Button\\\\button_gui.exe\",\n        \"?:\\\\VTSPortable\\\\VTS\\\\jre\\\\bin\\\\javaw.exe\",\n        \"?:\\\\Program Files\\\\Bot Framework Composer\\\\Bot Framework Composer.exe\",\n        \"?:\\\\Program Files\\\\KMSYS Worldwide\\\\eQuate\\\\*\\\\SessionMgr.exe\",\n        \"?:\\\\Program Files (x86)\\\\Craneware\\\\Pricing Analyzer\\\\Craneware.Pricing.Shell.exe\",\n        \"?:\\\\Program Files (x86)\\\\jumpcloud-agent-app\\\\jumpcloud-agent-app.exe\",\n        \"?:\\\\Program Files\\\\PostgreSQL\\\\*\\\\bin\\\\pg_dumpall.exe\",\n        \"?:\\\\Program Files (x86)\\\\Vim\\\\vim*\\\\vimrun.exe\") and\n  not (\n        /* Crowdstrike doesn't populate process.parent.executable */\n        event.dataset == \"crowdstrike.fdr\" and\n        process.parent.name : (\n          \"perl.exe\", \"node.exe\", \"pg_dumpall.exe\", \"PRTG Server.exe\", \"spiceworks-finder.exe\", \"leds.exe\", \"twexec.exe\",\n          \"SonarScanner.MSBuild.exe\", \"Code.exe\", \"netbeans64.exe\", \"javaw.exe\", \"Bot Framework Composer.exe\", \"SessionMgr.exe\",\n          \"Craneware.Pricing.Shell.exe\", \"jumpcloud-agent-app.exe\", \"vimrun.exe\"\n        )\n      ) and\n  not (process.args :  \"?:\\\\Program Files\\\\Citrix\\\\Secure Access Client\\\\nsauto.exe\" and process.parent.name : \"userinit.exe\") and\n  not process.args : (\n        \"?:\\\\Program Files (x86)\\\\PCMatic\\\\PCPitstopScheduleService.exe\",\n        \"?:\\\\Program Files (x86)\\\\AllesTechnologyAgent\\\\*\",\n        \"https://auth.axis.com/oauth2/oauth-authorize*\"\n  ) and\n  not process.command_line : (\n    \"\\\"cmd\\\" /c %NETBEANS_MAVEN_COMMAND_LINE%\",\n    \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /d /s /c \\\"npm.cmd ^\\\"install^\\\" ^\\\"--no-bin-links^\\\" ^\\\"--production^\\\"\\\"\"\n  ) and\n  not (process.name : \"cmd.exe\" and process.args : \"%TEMP%\\\\Spiceworks\\\\*\" and process.args : \"http*/dataloader/persist_netstat_data\") and\n  not (process.args == \"echo\" and process.args == \"GEQ\" and process.args == \"1073741824\")\n","actions":[]}
{"id":"d8f5cc22-c3cc-4fb5-9238-8dd9c58102a6","updated_at":"2025-12-06T05:07:46.298Z","updated_by":"elastic","created_at":"2025-11-02T06:15:39.946Z","created_by":"elastic","name":"Potential PowerShell Pass-the-Hash/Relay Script","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Credential Access","Resources: Investigation Guide","Data Source: PowerShell Logs"],"interval":"5m","enabled":true,"revision":0,"description":"Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Pass-the-Hash/Relay Script\n\nPowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries exploit PowerShell to perform pass-the-hash attacks, where they use stolen hashed credentials to authenticate without knowing the actual password. The detection rule identifies scripts attempting to execute such attacks by monitoring for specific NTLM negotiation patterns and hex sequences indicative of credential relay activities, while excluding legitimate system processes.\n\n### Possible investigation steps\n\n- Review the PowerShell script block text associated with the alert to identify any suspicious patterns or hex sequences, such as \"NTLMSSPNegotiate\" or specific hex values like \"4E544C4D53535000\".\n- Check the process execution details, including the parent process and command line arguments, to determine if the script was executed by a legitimate user or process.\n- Investigate the source and destination IP addresses involved in the NTLM negotiation to identify any unusual or unauthorized network activity.\n- Examine the user account associated with the process to verify if it has been compromised or if there are any signs of unauthorized access.\n- Correlate the alert with other security events or logs, such as Windows Event Logs or network traffic logs, to gather additional context and identify potential lateral movement or further compromise.\n- Assess the file directory from which the script was executed, ensuring it is not a known safe location like \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\", which is excluded in the query.\n\n### False positive analysis\n\n- Legitimate system processes may occasionally trigger the rule if they perform operations that mimic NTLM negotiation patterns. To manage this, users can create exceptions for specific processes known to be safe by excluding their file paths or hashes.\n- Security tools or network monitoring solutions that perform NTLM authentication checks might generate false positives. Users should identify these tools and exclude their associated scripts or directories from the detection rule.\n- Automated scripts for system administration that involve NTLM authentication could be flagged. Review these scripts and, if verified as safe, add them to an exclusion list based on their directory or script block text.\n- PowerShell scripts used for legitimate penetration testing or security assessments may trigger alerts. Ensure these activities are documented and exclude the relevant scripts or directories during the testing period.\n- Regular updates or patches from Microsoft might include scripts that temporarily match the detection criteria. Monitor updates and adjust exclusions as necessary to prevent false positives from these legitimate updates.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further credential relay or unauthorized access.\n- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing malicious activities.\n- Conduct a thorough review of recent authentication logs and network traffic from the isolated system to identify any lateral movement or additional compromised accounts.\n- Reset passwords for any accounts suspected to be compromised, ensuring that new credentials are not reused or easily guessable.\n- Apply patches and updates to the affected system and any other vulnerable systems to mitigate known exploits used in pass-the-hash attacks.\n- Implement network segmentation to limit the spread of similar attacks in the future, focusing on restricting access to critical systems and sensitive data.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"951779c2-82ad-4a6c-82b8-296c1f691449","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1557","name":"Adversary-in-the-Middle","reference":"https://attack.mitre.org/techniques/T1557/"}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059/","subtechnique":[{"id":"T1059.001","name":"PowerShell","reference":"https://attack.mitre.org/techniques/T1059/001/"}]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","name":"Lateral Movement","reference":"https://attack.mitre.org/tactics/TA0008/"},"technique":[{"id":"T1550","name":"Use Alternate Authentication Material","reference":"https://attack.mitre.org/techniques/T1550/","subtechnique":[{"id":"T1550.002","name":"Pass the Hash","reference":"https://attack.mitre.org/techniques/T1550/002/"}]}]}],"to":"now","references":["https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1","https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1","https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1","https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1","https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1"],"version":107,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.category","type":"keyword","ecs":true},{"name":"file.directory","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"powershell.file.script_block_text","type":"unknown","ecs":false}],"setup":"## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n","type":"query","language":"kuery","index":["winlogbeat-*","logs-windows.powershell*"],"query":"event.category:process and host.os.type:windows and\n  powershell.file.script_block_text : (\n    (\"NTLMSSPNegotiate\" and (\"NegotiateSMB\" or \"NegotiateSMB2\")) or\n    \"4E544C4D53535000\" or\n    \"0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50\" or\n    \"0x4e,0x54,0x20,0x4c,0x4d\" or\n    \"0x53,0x4d,0x42,0x20,0x32\" or\n    \"0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38\"\n  ) and\n  not file.directory : \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\"\n","actions":[]}
{"id":"ddd98b6e-f2b7-4922-a78e-c617b5e1c7a2","updated_at":"2025-12-06T05:07:34.390Z","updated_by":"elastic","created_at":"2025-11-02T06:00:50.867Z","created_by":"elastic","name":"Suspicious ImagePath Service Creation","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Persistence","Tactic: Defense Evasion","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Sysmon","Data Source: Microsoft Defender for Endpoint","Data Source: SentinelOne","Data Source: Crowdstrike","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious ImagePath Service Creation\n\nWindows services are crucial for running background processes. Adversaries exploit this by creating or modifying services with malicious ImagePath values to gain persistence or escalate privileges. The detection rule monitors registry changes to ImagePath entries, flagging unusual patterns like command shells or named pipes, which are often used in stealthy attacks. This helps identify and mitigate potential threats early.\n\n### Possible investigation steps\n\n- Review the registry event logs to identify the specific ImagePath value that triggered the alert, focusing on entries with command shells or named pipes, such as those containing \"%COMSPEC%*\" or \"*\\\\.\\\\pipe\\\\*\".\n- Investigate the associated service name and description in the registry path \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\" to determine if it is a legitimate service or potentially malicious.\n- Check the creation or modification timestamp of the suspicious ImagePath entry to correlate with other system events or user activities around the same time.\n- Analyze the parent process and user account responsible for the registry change to assess if it aligns with expected behavior or if it indicates unauthorized access.\n- Search for related network activity or connections, especially those involving named pipes, to identify any lateral movement or data exfiltration attempts.\n- Cross-reference the alert with threat intelligence sources to determine if the ImagePath value or associated service is linked to known malware or adversary techniques.\n\n### False positive analysis\n\n- Legitimate software updates or installations may modify ImagePath values, triggering alerts. Users can create exceptions for known software update processes to reduce noise.\n- System administrators might intentionally change service configurations for maintenance or optimization. Document and exclude these planned changes to prevent false positives.\n- Some enterprise applications use named pipes for inter-process communication, which could be flagged. Identify and whitelist these applications to avoid unnecessary alerts.\n- Security tools or scripts that automate service management might alter ImagePath values. Ensure these tools are recognized and excluded from monitoring to minimize false alerts.\n- Regularly review and update the list of exceptions to ensure they align with current organizational practices and software environments.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.\n- Terminate any suspicious processes associated with the identified ImagePath values, such as those involving command shells or named pipes.\n- Remove or disable the malicious service by reverting the ImagePath registry entry to its legitimate state or deleting the service if it is not required.\n- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional threats or malware.\n- Review and restore any modified system files or configurations to their original state to ensure system integrity.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Implement enhanced monitoring and logging for similar registry changes and suspicious service creations to detect and respond to future threats promptly.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"36a8e048-d888-4f61-a8b9-0f9e2e40f317","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003/"},"technique":[{"id":"T1543","name":"Create or Modify System Process","reference":"https://attack.mitre.org/techniques/T1543/","subtechnique":[{"id":"T1543.003","name":"Windows Service","reference":"https://attack.mitre.org/techniques/T1543/003/"}]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1112","name":"Modify Registry","reference":"https://attack.mitre.org/techniques/T1112/"}]}],"to":"now","references":[],"version":313,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"registry.data.strings","type":"wildcard","ecs":true},{"name":"registry.path","type":"keyword","ecs":true},{"name":"registry.value","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["logs-endpoint.events.registry-*","endgame-*","logs-windows.sysmon_operational-*","winlogbeat-*","logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*","logs-crowdstrike.fdr*"],"query":"registry where host.os.type == \"windows\" and event.type == \"change\" and\n  registry.value : \"ImagePath\" and\n  registry.path : \"*\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\" and\n  /* add suspicious registry ImagePath values here */\n  registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n","actions":[]}
{"id":"d754bbbc-f17e-48eb-8a7a-78cae3b3de2f","updated_at":"2025-12-06T05:07:34.350Z","updated_by":"elastic","created_at":"2025-11-02T05:53:40.735Z","created_by":"elastic","name":"PowerShell Keylogging Script","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Collection","Resources: Investigation Guide","Data Source: PowerShell Logs"],"interval":"5m","enabled":true,"revision":0,"description":"Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"bd2c86a0-8b61-4457-ab38-96943984e889","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0009","name":"Collection","reference":"https://attack.mitre.org/tactics/TA0009/"},"technique":[{"id":"T1056","name":"Input Capture","reference":"https://attack.mitre.org/techniques/T1056/","subtechnique":[{"id":"T1056.001","name":"Keylogging","reference":"https://attack.mitre.org/techniques/T1056/001/"}]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059/","subtechnique":[{"id":"T1059.001","name":"PowerShell","reference":"https://attack.mitre.org/techniques/T1059/001/"}]},{"id":"T1106","name":"Native API","reference":"https://attack.mitre.org/techniques/T1106/"}]}],"to":"now","references":["https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1","https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"],"version":217,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.category","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"powershell.file.script_block_text","type":"unknown","ecs":false},{"name":"user.id","type":"keyword","ecs":true}],"setup":"## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n","type":"query","language":"kuery","index":["winlogbeat-*","logs-windows.powershell*"],"query":"event.category:process and host.os.type:windows and\n  (\n   powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n   powershell.file.script_block_text : (\n        (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n        (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\" or \"WH_MOUSE_LL\")\n   )\n   ) and not user.id : \"S-1-5-18\"\n  and not powershell.file.script_block_text : (\n    \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n  )\n","actions":[]}
{"id":"131083f4-1b51-4b7f-8bac-e6f7a794c55e","updated_at":"2025-12-06T05:07:49.351Z","updated_by":"elastic","created_at":"2025-11-02T06:15:31.537Z","created_by":"elastic","name":"Potential Invoke-Mimikatz PowerShell Script","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Credential Access","Resources: Investigation Guide","Data Source: PowerShell Logs"],"interval":"5m","enabled":true,"revision":0,"description":"Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Potential Invoke-Mimikatz PowerShell Script\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n  - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\n  - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"ac96ceb8-4399-4191-af1d-4feeac1f1f46","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1003","name":"OS Credential Dumping","reference":"https://attack.mitre.org/techniques/T1003/","subtechnique":[{"id":"T1003.001","name":"LSASS Memory","reference":"https://attack.mitre.org/techniques/T1003/001/"}]}]}],"to":"now","references":["https://attack.mitre.org/software/S0002/","https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1","https://www.elastic.co/security-labs/detect-credential-access"],"version":213,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.category","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"powershell.file.script_block_text","type":"unknown","ecs":false}],"setup":"## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n","type":"query","language":"kuery","index":["winlogbeat-*","logs-windows.powershell*"],"query":"event.category:process and host.os.type:windows and\npowershell.file.script_block_text:(\n  (DumpCreds and\n  DumpCerts) or\n  \"sekurlsa::logonpasswords\" or\n  (\"crypto::certificates\" and\n  \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n","actions":[]}
{"id":"fe711532-cbdb-4415-9aa1-3ff9fbd685f9","updated_at":"2025-12-06T05:07:49.342Z","updated_by":"elastic","created_at":"2025-11-02T06:15:31.544Z","created_by":"elastic","name":"PowerShell Invoke-NinjaCopy script","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Credential Access","Data Source: PowerShell Logs","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating PowerShell Invoke-NinjaCopy script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nInvoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that were normally locked, such as `NTDS.dit` or sensitive registry locations. It does so by using the direct volume access technique, which enables attackers to bypass access control mechanisms and file system monitoring by reading the raw data directly from the disk and extracting the file by parsing the file system structures.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Check if the imported function was executed and which file it targeted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"b8386923-b02c-4b94-986a-d223d9b01f88","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1003","name":"OS Credential Dumping","reference":"https://attack.mitre.org/techniques/T1003/","subtechnique":[{"id":"T1003.002","name":"Security Account Manager","reference":"https://attack.mitre.org/techniques/T1003/002/"},{"id":"T1003.003","name":"NTDS","reference":"https://attack.mitre.org/techniques/T1003/003/"}]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059/","subtechnique":[{"id":"T1059.001","name":"PowerShell","reference":"https://attack.mitre.org/techniques/T1059/001/"}]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1006","name":"Direct Volume Access","reference":"https://attack.mitre.org/techniques/T1006/"}]}],"to":"now","references":["https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1"],"version":110,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.category","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"powershell.file.script_block_text","type":"unknown","ecs":false},{"name":"user.id","type":"keyword","ecs":true}],"setup":"","type":"query","language":"kuery","index":["winlogbeat-*","logs-windows.powershell*"],"query":"event.category:process and host.os.type:windows and\n  powershell.file.script_block_text : (\n    \"StealthReadFile\" or\n    \"StealthReadFileAddr\" or\n    \"StealthCloseFileDelegate\" or\n    \"StealthOpenFile\" or\n    \"StealthCloseFile\" or\n    \"StealthReadFile\" or\n    \"Invoke-NinjaCopy\"\n   )\n  and not user.id : \"S-1-5-18\"\n  and not powershell.file.script_block_text : (\n    \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n  )\n","actions":[]}
{"id":"42373085-c993-412b-8f08-763ae4b2acc3","updated_at":"2025-12-06T05:07:48.312Z","updated_by":"elastic","created_at":"2025-11-02T06:15:31.498Z","created_by":"elastic","name":"Group Policy Abuse for Privilege Addition","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Privilege Escalation","Data Source: Active Directory","Resources: Investigation Guide","Use Case: Active Directory Monitoring","Data Source: Windows Security Event Logs"],"interval":"5m","enabled":true,"revision":0,"description":"Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to. The user name can be found in the `winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-6m","rule_id":"b9554892-5e0e-424b-83a0-5aef95aa43bf","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1484","name":"Domain or Tenant Policy Modification","reference":"https://attack.mitre.org/techniques/T1484/","subtechnique":[{"id":"T1484.001","name":"Group Policy Modification","reference":"https://attack.mitre.org/techniques/T1484/001/"}]}]}],"to":"now","references":["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md","https://labs.f-secure.com/tools/sharpgpoabuse"],"version":214,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"system","version":"^2.0.0"},{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.code","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"winlog.event_data.AttributeLDAPDisplayName","type":"unknown","ecs":false},{"name":"winlog.event_data.AttributeValue","type":"unknown","ecs":false}],"setup":"## Setup\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n","type":"eql","language":"eql","index":["logs-system.security*","logs-windows.forwarded*","winlogbeat-*"],"query":"any where host.os.type == \"windows\" and event.code: \"5136\" and\n  winlog.event_data.AttributeLDAPDisplayName: \"gPCMachineExtensionNames\" and\n  winlog.event_data.AttributeValue: \"*827D319E-6EAC-11D2-A4EA-00C04F79F83A*\" and\n  winlog.event_data.AttributeValue: \"*803E14A0-B4FB-11D0-A0D0-00A0C90F574B*\"\n","actions":[]}
{"id":"640ab6f9-3b1d-4ee5-aecb-a6d81aaa0efb","updated_at":"2025-12-06T05:08:05.666Z","updated_by":"elastic","created_at":"2025-11-02T06:15:40.050Z","created_by":"elastic","name":"PowerShell Suspicious Payload Encoded and Compressed","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Defense Evasion","Resources: Investigation Guide","Data Source: PowerShell Logs"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n  - Analyze the script using a private sandboxed analysis system.\n  - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n    - Attempts to contact external domains and addresses.\n      - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n      - Examine the DNS cache for suspicious or anomalous entries.\n        - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n    - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n    - Examine the host services for suspicious or anomalous entries.\n      - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n      - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n      - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n  - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n  - Implement temporary network rules, procedures, and segmentation to contain the malware.\n  - Stop suspicious processes.\n  - Immediately block the identified indicators of compromise (IoCs).\n  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":["Legitimate PowerShell Scripts which makes use of compression and encoding."],"from":"now-9m","rule_id":"81fe9dc6-a2d7-4192-a2d8-eed98afc766a","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1027","name":"Obfuscated Files or Information","reference":"https://attack.mitre.org/techniques/T1027/"},{"id":"T1140","name":"Deobfuscate/Decode Files or Information","reference":"https://attack.mitre.org/techniques/T1140/"}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059/","subtechnique":[{"id":"T1059.001","name":"PowerShell","reference":"https://attack.mitre.org/techniques/T1059/001/"}]}]}],"to":"now","references":[],"version":317,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.category","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"powershell.file.script_block_text","type":"unknown","ecs":false},{"name":"user.id","type":"keyword","ecs":true}],"setup":"## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n","type":"query","language":"kuery","index":["winlogbeat-*","logs-windows.powershell*"],"query":"event.category:process and host.os.type:windows and\n  powershell.file.script_block_text : (\n    (\n      \"System.IO.Compression.DeflateStream\" or\n      \"System.IO.Compression.GzipStream\" or\n      \"IO.Compression.DeflateStream\" or\n      \"IO.Compression.GzipStream\"\n    ) and\n    FromBase64String\n  ) and\n  not user.id : \"S-1-5-18\"\n","filters":[{"meta":{"negate":true},"query":{"wildcard":{"file.path":{"case_insensitive":true,"value":"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"}}}}],"actions":[]}
{"id":"adfed774-c43f-42ff-a718-9f45c6e42107","updated_at":"2025-12-06T05:08:01.511Z","updated_by":"elastic","created_at":"2025-11-02T06:15:47.985Z","created_by":"elastic","name":"PowerShell Kerberos Ticket Request","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Credential Access","Resources: Investigation Guide","Data Source: PowerShell Logs"],"interval":"5m","enabled":true,"revision":0,"description":"Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"eb610e70-f9e6-4949-82b9-f1c5bcd37c39","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1003","name":"OS Credential Dumping","reference":"https://attack.mitre.org/techniques/T1003/"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","reference":"https://attack.mitre.org/techniques/T1558/","subtechnique":[{"id":"T1558.003","name":"Kerberoasting","reference":"https://attack.mitre.org/techniques/T1558/003/"}]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059/","subtechnique":[{"id":"T1059.001","name":"PowerShell","reference":"https://attack.mitre.org/techniques/T1059/001/"}]}]}],"to":"now","references":["https://cobalt.io/blog/kerberoast-attack-techniques","https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1"],"version":216,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.category","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"powershell.file.script_block_text","type":"unknown","ecs":false},{"name":"user.id","type":"keyword","ecs":true}],"setup":"## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n","type":"query","language":"kuery","index":["winlogbeat-*","logs-windows.powershell*"],"query":"event.category:process and host.os.type:windows and\n  powershell.file.script_block_text : (\n    KerberosRequestorSecurityToken\n  ) and not user.id : (\"S-1-5-18\" or \"S-1-5-20\") and\n  not powershell.file.script_block_text : (\n    (\"sentinelbreakpoints\" and (\"Set-PSBreakpoint\" or \"Set-HookFunctionTabs\")) or\n    (\"function global\" and \"\\\\windows\\\\sentinel\\\\4\")\n  )\n","actions":[]}
{"id":"4a7265c6-8a0f-4cdf-bfc0-3b85992b02ac","updated_at":"2025-12-06T05:07:51.421Z","updated_by":"elastic","created_at":"2025-11-02T06:15:41.601Z","created_by":"elastic","name":"Mimikatz Memssp Log File Detected","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Credential Access","Resources: Investigation Guide","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Sysmon","Data Source: SentinelOne","Data Source: Microsoft Defender for Endpoint","Data Source: Crowdstrike"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies the password log file from the default Mimikatz memssp module.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n    - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n  - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n  - Activate your incident response plan for total Active Directory compromise.\n  - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1003","name":"OS Credential Dumping","reference":"https://attack.mitre.org/techniques/T1003/"}]}],"to":"now","references":["https://www.elastic.co/security-labs/detect-credential-access"],"version":415,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"file.name","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true}],"setup":"## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n","type":"eql","language":"eql","index":["winlogbeat-*","logs-endpoint.events.file-*","logs-windows.sysmon_operational-*","endgame-*","logs-sentinel_one_cloud_funnel.*","logs-m365_defender.event-*","logs-crowdstrike.fdr*"],"query":"file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n","actions":[]}
{"id":"73d0b6d6-eaca-426b-ab39-520ed72c48ec","updated_at":"2025-12-06T05:07:50.398Z","updated_by":"elastic","created_at":"2025-11-02T06:15:31.467Z","created_by":"elastic","name":"Kirbi File Creation","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Credential Access","Data Source: Elastic Defend","Data Source: Sysmon","Data Source: SentinelOne","Data Source: Microsoft Defender for Endpoint","Data Source: Elastic Endgame","Data Source: Crowdstrike","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Kirbi File Creation\n\nKirbi files are associated with Kerberos, a network authentication protocol used in Windows environments to verify user identities. Adversaries exploit this by using tools like Mimikatz to extract Kerberos tickets, enabling unauthorized access through techniques like Pass-The-Ticket. The detection rule identifies the creation of these files, signaling potential credential dumping activities, by monitoring file creation events with a specific extension on Windows systems.\n\n### Possible investigation steps\n\n- Review the alert details to identify the specific host where the .kirbi file was created, focusing on the host.os.type field to confirm it is a Windows system.\n- Examine the file creation event logs to determine the exact timestamp of the .kirbi file creation and correlate it with other security events around the same time.\n- Investigate the user account associated with the file creation event to determine if it is a legitimate user or potentially compromised, using the event data to identify the user.\n- Check for any recent logins or authentication attempts on the affected host that may indicate unauthorized access, focusing on unusual or unexpected activity.\n- Analyze the process tree and parent processes related to the file creation event to identify any suspicious or unauthorized processes that may have led to the creation of the .kirbi file.\n- Look for additional indicators of compromise on the host, such as other suspicious file creations, modifications, or network connections, to assess the scope of the potential breach.\n- Consult threat intelligence sources or internal threat databases to determine if the detected activity matches known attack patterns or threat actor behaviors associated with Kerberos ticket dumping.\n\n### False positive analysis\n\n- Legitimate administrative tools or scripts that manage Kerberos tickets may create .kirbi files as part of their normal operations. Review the context of the file creation event to determine if it aligns with expected administrative activities.\n- Scheduled tasks or automated processes that involve Kerberos ticket management might trigger this rule. Identify and document these processes, and consider creating exceptions for known, benign activities.\n- Security software or monitoring tools that interact with Kerberos tickets for auditing or compliance purposes could generate .kirbi files. Verify the source of the file creation and whitelist trusted applications or processes.\n- Development or testing environments where Kerberos authentication is being simulated or tested may produce .kirbi files. Ensure these environments are well-documented and apply exclusions where necessary to avoid false alerts.\n\n### Response and remediation\n\n- Isolate the affected system from the network immediately to prevent further unauthorized access or lateral movement by the attacker.\n- Terminate any suspicious processes associated with Mimikatz or other credential dumping tools to halt ongoing malicious activities.\n- Conduct a thorough review of recent authentication logs and Kerberos ticket activity to identify any unauthorized access or ticket usage.\n- Reset passwords for all potentially compromised accounts, prioritizing those with elevated privileges, to mitigate the risk of further exploitation.\n- Revoke all active Kerberos tickets and force re-authentication for all users to ensure that any stolen tickets are rendered useless.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.\n- Implement enhanced monitoring and logging for Kerberos-related activities to detect and respond to similar threats more effectively in the future.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1003","name":"OS Credential Dumping","reference":"https://attack.mitre.org/techniques/T1003/"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","reference":"https://attack.mitre.org/techniques/T1558/"}]}],"to":"now","references":[],"version":314,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"file.extension","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["logs-endpoint.events.file-*","logs-windows.sysmon_operational-*","logs-sentinel_one_cloud_funnel.*","logs-m365_defender.event-*","winlogbeat-*","endgame-*","logs-crowdstrike.fdr*"],"query":"file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n","actions":[]}
{"id":"5a66a212-b06b-4d64-a364-055e09071356","updated_at":"2025-12-06T05:28:00.055Z","updated_by":"elastic","created_at":"2025-12-06T05:27:54.634Z","created_by":"elastic","name":"Process Started from Process ID (PID) File","tags":["Domain: Endpoint","OS: Linux","Use Case: Threat Detection","Tactic: Execution","Threat: BPFDoor","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Auditd Manager","Data Source: Crowdstrike","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Process Started from Process ID (PID) File\nDetection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. Here are some possible avenues of investigation:\n- Examine parent and child process relationships of the new process to determine if other processes are running.\n- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: \"SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';\"\n- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation.\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":["False-Positives (FP) should be at a minimum with this detection as PID files are meant to hold process IDs, not inherently be executables that spawn processes."],"from":"now-9m","rule_id":"3688577a-d196-11ec-90b0-f661ea17fbce","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059/"}]}],"to":"now","references":["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/","https://twitter.com/GossiTheDog/status/1522964028284411907","https://exatrack.com/public/Tricephalic_Hellkeeper.pdf","https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"],"version":114,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"auditd_manager","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.executable","type":"keyword","ecs":true},{"name":"user.id","type":"keyword","ecs":true}],"setup":"## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n","type":"eql","language":"eql","index":["auditbeat-*","endgame-*","logs-auditd_manager.auditd-*","logs-crowdstrike.fdr*","logs-endpoint.events.process*"],"query":"process where host.os.type == \"linux\" and event.type == \"start\" and user.id == \"0\" and\n  process.executable regex~ \"\"\"/var/run/\\w+\\.(pid|lock|reboot)\"\"\"\n","actions":[]}
{"id":"95ae0bd8-b5d4-4a53-b7cd-583ee4fd74bc","updated_at":"2025-12-06T05:08:14.210Z","updated_by":"elastic","created_at":"2025-11-02T06:23:39.237Z","created_by":"elastic","name":"Proxy Execution via Windows OpenSSH","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Defense Evasion","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Windows Security Event Logs","Data Source: Microsoft Defender for Endpoint","Data Source: Sysmon","Data Source: SentinelOne","Data Source: Crowdstrike","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies attempts to execute commands via proxy using the Windows OpenSSH client. This may indicate an attempt to bypass application control via trusted windows binaries.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Proxy Execution via Windows OpenSSH\n\n### Possible investigation steps\n\n- Review the ssh child processes and the parent process to identify the initial vector.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"8cd49fbc-a35a-4418-8688-133cc3a1e548","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1202","name":"Indirect Command Execution","reference":"https://attack.mitre.org/techniques/T1202/"}]}],"to":"now","references":["https://lolbas-project.github.io/lolbas/Binaries/Ssh/"],"version":1,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"system","version":"^2.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.command_line","type":"wildcard","ecs":true},{"name":"process.name","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["endgame-*","logs-crowdstrike.fdr*","logs-endpoint.events.process-*","logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*","logs-system.security*","logs-windows.forwarded*","logs-windows.sysmon_operational-*","winlogbeat-*"],"query":"process where host.os.type == \"windows\" and event.type == \"start\" and process.name : (\"ssh.exe\", \"sftp.exe\") and\n process.command_line : (\"*Command=*powershell*\", \"*schtasks*\", \"*Command=*@echo off*\", \"*Command=*http*\", \"*Command=*mshta*\",  \"*Command=*msiexec*\",\n                          \"*Command=*cmd /c*\", \"*Command=*cmd.exe*\", \"*Command=\\\"cmd /c*\", \"*LocalCommand=scp*&&*\", \"*LocalCommand=?scp*&&*\", \"*Command=*script*\")\n","actions":[]}
{"id":"be9d149c-7789-44c7-8810-7049ef828990","updated_at":"2025-12-06T05:08:15.373Z","updated_by":"elastic","created_at":"2025-11-02T06:23:39.245Z","created_by":"elastic","name":"Potential NTLM Relay Attack against a Computer Account","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Credential Access","Data Source: Elastic Defend","Data Source: Active Directory","Use Case: Active Directory Monitoring","Data Source: Windows Security Event Logs","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host. This may indicate that an attacker has captured and relayed the server's computer account hash to execute code on behalf of the compromised system.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential NTLM Relay Attack against a Computer Account\n\n### Possible investigation steps\n\n- Compare the source.ip to the target server host.ip addresses to make sure it's indeed a remote use of the machine account.\n- Examine the source.ip activities as this is the attacker IP address used to relay.\n- Review all relevant activities such as services creation, file and process events on the target server within the same period.\n- Verify the machine account names that end with a dollar sign ($) to ensure they match the expected hostnames, and investigate any discrepancies.\n- Check the network logon types to confirm if they align with typical usage patterns for the identified machine accounts.\n- Investigate the context of the source IP addresses that do not match the host IP, looking for any signs of unauthorized access or unusual network activity.\n- Correlate the findings with other security logs and alerts to identify any patterns or additional indicators of compromise related to the potential relay attack.\n\n### False positive analysis\n\n- Machine accounts performing legitimate network logons from different IP addresses can trigger false positives. To manage this, identify and whitelist known IP addresses associated with legitimate administrative tasks or automated processes.\n- Scheduled tasks or automated scripts that use machine accounts for network operations may be flagged. Review and document these tasks, then create exceptions for their associated IP addresses and hostnames.\n- Load balancers or proxy servers that alter the source IP address of legitimate authentication requests can cause false alerts. Ensure these devices are accounted for in the network architecture and exclude their IP addresses from the rule.\n- Temporary network reconfigurations or migrations might result in machine accounts appearing to log in from unexpected hosts. During such events, temporarily adjust the rule parameters or disable the rule to prevent unnecessary alerts.\n- Regularly review and update the list of exceptions to ensure they reflect current network configurations and operational practices, minimizing the risk of overlooking genuine threats.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n    - If the involved server is a Domain Controller, coordinate the isolation of the server with infrastructure and identity teams to contain the threat while preserving service availability and forensic evidence. Prioritize this step if active compromise or attacker persistence is confirmed.- Reset the domain controller's machine account password, along with any accounts suspected to be compromised or exposed. Ensure strong, unique credentials are used and apply tiered credential hygiene where applicable.\n- Analyze recent authentication logs, event logs, and network traffic, focusing on suspicious activity and the source IPs referenced in the alert. Correlate findings to identify any lateral movement or additional compromised systems.\n- Strengthen network segmentation, especially between domain controllers, administrative workstations, and critical infrastructure. This limits the attack surface and impedes credential relay or reuse across systems.\n- Escalate the incident to the SOC or incident response team to coordinate a full investigation, containment, and recovery plan. Ensure stakeholders are kept informed throughout the response.\n- Enhance detection mechanisms by tuning alerts and deploying additional telemetry focused on credential relay patterns, anomalous authentication, and NTLM-related activity.\n- Conduct a structured post-incident review, documenting findings, identifying control gaps, and updating playbooks, configurations, or security policies to reduce the likelihood of similar incidents in the future.\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"23e5407a-b696-4433-9297-087645f2726c","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1187","name":"Forced Authentication","reference":"https://attack.mitre.org/techniques/T1187/"},{"id":"T1557","name":"Adversary-in-the-Middle","reference":"https://attack.mitre.org/techniques/T1557/","subtechnique":[{"id":"T1557.001","name":"LLMNR/NBT-NS Poisoning and SMB Relay","reference":"https://attack.mitre.org/techniques/T1557/001/"}]}]}],"to":"now","references":["https://github.com/p0dalirius/windows-coerced-authentication-methods","https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications","https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025","https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/","https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html","https://github.com/CICADA8-Research/RemoteKrbRelay/blob/main/README.md","https://github.com/Orange-Cyberdefense/ocd-mindmaps/blob/main/excalimap/mindmap/ad/authenticated.md"],"version":1,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"system","version":"^2.0.0"},{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.code","type":"keyword","ecs":true},{"name":"file.name","type":"keyword","ecs":true},{"name":"host.ip","type":"ip","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"source.ip","type":"ip","ecs":true},{"name":"user.name","type":"keyword","ecs":true},{"name":"winlog.computer_name","type":"keyword","ecs":false},{"name":"winlog.event_data.AuthenticationPackageName","type":"keyword","ecs":false},{"name":"winlog.logon.type","type":"unknown","ecs":false}],"setup":"","type":"eql","language":"eql","index":["logs-system.security*","logs-windows.forwarded*","winlogbeat-*"],"query":"sequence by winlog.computer_name, source.ip with maxspan=5s\n\n/* Filter for an event that indicates coercion against known abused named pipes using an account that is not the host */\n[file where host.os.type == \"windows\" and event.code : \"5145\" and \n    not startswith~(winlog.computer_name, substring(user.name, 0, -1)) and\n    file.name : (\n        \"Spoolss\", \"netdfs\", \"lsarpc\", \"lsass\", \"netlogon\", \"samr\", \"efsrpc\", \"FssagentRpc\",\n        \"eventlog\", \"winreg\", \"srvsvc\", \"dnsserver\", \"dhcpserver\", \"WinsPipe\"\n    )]\n\n/* Detects a logon attempt using the NTLM protocol resulting from the coercion coming from the same IP address */\n[authentication where host.os.type == \"windows\" and event.code in (\"4624\", \"4625\") and\n    endswith~(user.name, \"$\") and winlog.logon.type : \"network\" and\n    winlog.event_data.AuthenticationPackageName : \"NTLM\" and\n\n    /* Filter for a machine account that matches the hostname */\n    startswith~(winlog.computer_name, substring(user.name, 0, -1)) and\n\n    /* Verify if the Source IP belongs to the host */\n    not endswith(string(source.ip), string(host.ip)) and\n    source.ip != null and source.ip != \"::1\" and source.ip != \"127.0.0.1\"]\n","actions":[]}
{"id":"83a1763d-73e7-442f-ab86-a15dfafda3a0","updated_at":"2025-12-06T05:08:19.466Z","updated_by":"elastic","created_at":"2025-11-02T06:31:56.055Z","created_by":"elastic","name":"Persistence via Scheduled Job Creation","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Persistence","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Sysmon","Data Source: SentinelOne","Data Source: Microsoft Defender for Endpoint","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.","risk_score":47,"severity":"medium","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Persistence via Scheduled Job Creation\n\nScheduled jobs in Windows environments allow tasks to be automated by executing scripts or programs at specified times. Adversaries exploit this feature to maintain persistence by scheduling malicious code execution. The detection rule identifies suspicious job creation by monitoring specific file paths and extensions, excluding known legitimate processes, to flag potential abuse while minimizing false positives.\n\n### Possible investigation steps\n\n- Review the file path and extension to confirm the presence of a scheduled job in the \"?:\\Windows\\Tasks\\\" directory with a \".job\" extension, which is indicative of a scheduled task.\n- Examine the process executable path to determine if the job creation is associated with any known legitimate processes, such as CCleaner or ManageEngine, which are excluded in the detection rule.\n- Investigate the origin of the process that created the scheduled job by checking the process execution history and command line arguments to identify any potentially malicious behavior.\n- Analyze the scheduled job's content and associated scripts or programs to identify any suspicious or unauthorized code that may indicate malicious intent.\n- Correlate the event with other security logs and alerts from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint to gather additional context and identify any related malicious activity.\n- Assess the risk and impact of the scheduled job by determining if it aligns with known adversary tactics, techniques, and procedures (TTPs) related to persistence, as outlined in the MITRE ATT&CK framework.\n\n### False positive analysis\n\n- Scheduled jobs created by CCleaner for crash reporting can trigger false positives. Exclude the path \"?:\\Windows\\Tasks\\CCleanerCrashReporting.job\" when the process executable is \"?:\\Program Files\\CCleaner\\CCleaner64.exe\".\n- ManageEngine UEMS Agent and DesktopCentral Agent may create scheduled jobs for updates, leading to false positives. Exclude the path \"?:\\Windows\\Tasks\\DCAgentUpdater.job\" when the process executable is \"?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentregister.exe\" or \"?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcagentregister.exe\".\n- Regularly review and update exclusion lists to ensure they reflect the current environment and legitimate software behavior.\n- Consider implementing a whitelist of known legitimate processes and paths to further reduce false positives while maintaining effective threat detection.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further execution of potentially malicious scheduled jobs and limit lateral movement.\n- Terminate any suspicious processes associated with the identified scheduled job, using tools like Task Manager or PowerShell, to halt any ongoing malicious activity.\n- Delete the suspicious scheduled job file from the system to prevent future execution. This can be done using the Task Scheduler or command-line tools.\n- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) solutions to identify and remove any additional malicious files or remnants.\n- Review and audit other scheduled tasks on the system to ensure no additional unauthorized or suspicious jobs are present.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected.\n- Implement enhanced monitoring and alerting for scheduled job creation activities across the network to detect similar threats in the future, leveraging the specific query fields used in the detection rule.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":["Legitimate scheduled jobs may be created during installation of new software."],"from":"now-9m","rule_id":"1327384f-00f3-44d5-9a8c-2373ba071e92","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003/"},"technique":[{"id":"T1053","name":"Scheduled Task/Job","reference":"https://attack.mitre.org/techniques/T1053/","subtechnique":[{"id":"T1053.005","name":"Scheduled Task","reference":"https://attack.mitre.org/techniques/T1053/005/"}]}]}],"to":"now","references":[],"version":414,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"m365_defender","version":"^3.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"file.extension","type":"keyword","ecs":true},{"name":"file.path","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.executable","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["winlogbeat-*","logs-endpoint.events.file-*","logs-windows.sysmon_operational-*","endgame-*","logs-sentinel_one_cloud_funnel.*","logs-m365_defender.event-*"],"query":"file where host.os.type == \"windows\" and event.type != \"deletion\" and\n  file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\" and\n  not (\n    (\n      process.executable : \"?:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\" and\n      file.path : \"?:\\\\Windows\\\\Tasks\\\\CCleanerCrashReporting.job\"\n    ) or\n    (\n      process.executable : (\n        \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\dcagentregister.exe\",\n        \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcagentregister.exe\"\n      ) and\n      file.path : \"?:\\\\Windows\\\\Tasks\\\\DCAgentUpdater.job\"\n    )\n  )\n","actions":[]}
{"id":"5151e53b-faa6-4eb8-9fa3-a2459798be42","updated_at":"2025-12-06T05:08:19.473Z","updated_by":"elastic","created_at":"2025-11-02T06:23:39.040Z","created_by":"elastic","name":"Potential Machine Account Relay Attack via SMB","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Credential Access","Data Source: Elastic Defend","Data Source: Active Directory","Use Case: Active Directory Monitoring","Data Source: Windows Security Event Logs","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":1,"description":"Identifies potential relay attacks against a machine account by identifying network share access events coming from a remote source.ip but using the target server computer account. This may indicate a successful SMB relay attack.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Potential Machine Account Relay Attack via SMB\n\n### Possible investigation steps\n- Compare the source.ip to the target server host.ip addresses to make sure it's indeed a remote use of the machine account.\n- Examine the source.ip activities as this is the attacker IP address used to relay.\n- Review all relevant activities such as services creation, file and process events on the target server within the same period.\n- Verify the machine account names that end with a dollar sign ($) to ensure they match the expected hostnames, and investigate any discrepancies.\n- Check the network logon types to confirm if they align with typical usage patterns for the identified machine accounts.\n- Investigate the context of the source IP addresses that do not match the host IP, looking for any signs of unauthorized access or unusual network activity.\n- Correlate the findings with other security logs and alerts to identify any patterns or additional indicators of compromise related to the potential relay attack.\n\n### False positive analysis\n\n- Machine accounts performing legitimate network logons from different IP addresses can trigger false positives. To manage this, identify and whitelist known IP addresses associated with legitimate administrative tasks or automated processes.\n- Scheduled tasks or automated scripts that use machine accounts for network operations may be flagged. Review and document these tasks, then create exceptions for their associated IP addresses and hostnames.\n- Load balancers or proxy servers that alter the source IP address of legitimate authentication requests can cause false alerts. Ensure these devices are accounted for in the network architecture and exclude their IP addresses from the rule.\n- Temporary network reconfigurations or migrations might result in machine accounts appearing to log in from unexpected hosts. During such events, temporarily adjust the rule parameters or disable the rule to prevent unnecessary alerts.\n- Regularly review and update the list of exceptions to ensure they reflect current network configurations and operational practices, minimizing the risk of overlooking genuine threats.\n\n### Response and remediation\n\n- Coordinate isolation of the affected domain controller with infrastructure and identity teams to contain the threat while preserving service availability and forensic evidence. Prioritize this step if active compromise or attacker persistence is confirmed.\n- Reset the domain controller's machine account password, along with any accounts suspected to be compromised or exposed. Ensure strong, unique credentials are used and apply tiered credential hygiene where applicable.\n- Analyze recent authentication logs, event logs, and network traffic, focusing on suspicious activity and the source IPs referenced in the alert. Correlate findings to identify any lateral movement or additional compromised systems.\n- Strengthen network segmentation, especially between domain controllers, administrative workstations, and critical infrastructure. This limits the attack surface and impedes credential relay or reuse across systems.\n- Escalate the incident to the SOC or incident response team to coordinate a full investigation, containment, and recovery plan. Ensure stakeholders are kept informed throughout the response.\n- Enhance detection mechanisms by tuning alerts and deploying additional telemetry focused on credential relay patterns, anomalous authentication, and NTLM-related activity.\n- Conduct a structured post-incident review, documenting findings, identifying control gaps, and updating playbooks, configurations, or security policies to reduce the likelihood of similar incidents in the future.\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"d84a11c0-eb12-4e7d-8a0a-718e38351e29","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1187","name":"Forced Authentication","reference":"https://attack.mitre.org/techniques/T1187/"},{"id":"T1557","name":"Adversary-in-the-Middle","reference":"https://attack.mitre.org/techniques/T1557/","subtechnique":[{"id":"T1557.001","name":"LLMNR/NBT-NS Poisoning and SMB Relay","reference":"https://attack.mitre.org/techniques/T1557/001/"}]}]}],"to":"now","references":["https://github.com/p0dalirius/windows-coerced-authentication-methods","https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications","https://attack.mitre.org/techniques/T1187/"],"version":2,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"system","version":"^2.0.0"},{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.code","type":"keyword","ecs":true},{"name":"host.ip","type":"ip","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"source.ip","type":"ip","ecs":true},{"name":"user.name","type":"keyword","ecs":true},{"name":"winlog.computer_name","type":"keyword","ecs":false}],"setup":"","type":"eql","language":"eql","index":["logs-system.security*","logs-windows.forwarded*","winlogbeat-*"],"query":"file where host.os.type == \"windows\" and event.code == \"5145\" and endswith(user.name, \"$\") and\n\n /* compare computername with user.name and make sure they match */\n startswith~(winlog.computer_name, substring(user.name, 0, -1)) and\n\n /* exclude local access */\n not endswith(string(source.ip), string(host.ip)) and\n source.ip != \"::\" and source.ip != null and source.ip != \"::1\" and source.ip != \"127.0.0.1\"\n","actions":[]}
{"id":"a7a1efec-1eeb-4614-bbf3-1591778659b4","updated_at":"2025-12-06T05:08:16.424Z","updated_by":"elastic","created_at":"2025-11-02T06:31:56.049Z","created_by":"elastic","name":"Incoming Execution via WinRM Remote Shell","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Lateral Movement","Data Source: Elastic Defend","Data Source: Sysmon","Resources: Investigation Guide","Data Source: SentinelOne"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.","risk_score":47,"severity":"medium","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Incoming Execution via WinRM Remote Shell\n\nWindows Remote Management (WinRM) is a protocol that allows for remote management and execution of commands on Windows machines. While beneficial for legitimate administrative tasks, adversaries can exploit WinRM for lateral movement by executing commands remotely. The detection rule identifies suspicious activity by monitoring network traffic on specific ports and processes initiated by WinRM, flagging potential unauthorized remote executions.\n\n### Possible investigation steps\n\n- Review the network traffic logs to confirm the presence of incoming connections on ports 5985 or 5986, which are used by WinRM, and verify if these connections are expected or authorized.\n- Identify the source IP address of the incoming connection and determine if it belongs to a known and trusted network or device. Investigate any unfamiliar or suspicious IP addresses.\n- Examine the process tree for the process initiated by winrshost.exe to identify any unusual or unauthorized processes that were started as a result of the remote execution.\n- Check the user account associated with the WinRM session to ensure it is legitimate and has not been compromised. Look for any signs of unauthorized access or privilege escalation.\n- Correlate the event with other security logs, such as authentication logs, to identify any related suspicious activities or patterns that might indicate lateral movement or a broader attack campaign.\n- Investigate the timeline of events to determine if there are any other related alerts or activities occurring around the same time that could provide additional context or evidence of malicious intent.\n\n### False positive analysis\n\n- Legitimate administrative tasks using WinRM can trigger alerts. Regularly review and whitelist known administrative IP addresses or users to reduce false positives.\n- Automated scripts or management tools that use WinRM for routine tasks may be flagged. Identify these scripts and create exceptions for their specific process names or execution paths.\n- Monitoring tools that check system health via WinRM might be misidentified as threats. Exclude these tools by specifying their source IPs or process names in the detection rule.\n- Scheduled tasks that utilize WinRM for updates or maintenance can cause alerts. Document these tasks and adjust the rule to ignore their specific execution patterns.\n- Internal security scans or compliance checks using WinRM should be accounted for. Coordinate with security teams to recognize these activities and exclude them from triggering alerts.\n\n### Response and remediation\n\n- Isolate the affected host immediately from the network to prevent further lateral movement and potential data exfiltration.\n- Terminate any suspicious processes associated with WinRM, particularly those not originating from legitimate administrative tools or known good sources.\n- Review and revoke any unauthorized access credentials or accounts that may have been used to initiate the WinRM session.\n- Conduct a thorough examination of the affected host for any additional signs of compromise, such as unauthorized software installations or changes to system configurations.\n- Restore the affected system from a known good backup if any malicious activity or unauthorized changes are confirmed.\n- Implement network segmentation to limit the ability of threats to move laterally across the network, focusing on restricting access to critical systems.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.","license":"Elastic License v2","output_index":"","author":["Elastic"],"false_positives":["WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."],"from":"now-9m","rule_id":"1cd01db9-be24-4bef-8e7c-e923f0ff78ab","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","name":"Lateral Movement","reference":"https://attack.mitre.org/tactics/TA0008/"},"technique":[{"id":"T1021","name":"Remote Services","reference":"https://attack.mitre.org/techniques/T1021/","subtechnique":[{"id":"T1021.006","name":"Windows Remote Management","reference":"https://attack.mitre.org/techniques/T1021/006/"}]}]}],"to":"now","references":[],"version":213,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"}],"required_fields":[{"name":"destination.port","type":"long","ecs":true},{"name":"event.type","type":"keyword","ecs":true},{"name":"host.id","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"network.direction","type":"keyword","ecs":true},{"name":"process.executable","type":"keyword","ecs":true},{"name":"process.parent.name","type":"keyword","ecs":true},{"name":"process.pid","type":"long","ecs":true},{"name":"source.ip","type":"ip","ecs":true}],"setup":"","type":"eql","language":"eql","index":["winlogbeat-*","logs-endpoint.events.process-*","logs-endpoint.events.network-*","logs-windows.sysmon_operational-*","logs-sentinel_one_cloud_funnel.*"],"query":"sequence by host.id with maxspan=30s\n   [network where host.os.type == \"windows\" and process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n    destination.port in (5985, 5986) and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n   [process where host.os.type == \"windows\" and\n    event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n","actions":[]}
{"id":"e09ffbdf-b3d2-46a6-b3ad-2967b5dcf788","updated_at":"2025-12-06T05:08:12.187Z","updated_by":"elastic","created_at":"2025-11-02T06:23:39.227Z","created_by":"elastic","name":"Potential Kerberos Relay Attack against a Computer Account","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Credential Access","Data Source: Elastic Defend","Data Source: Active Directory","Use Case: Active Directory Monitoring","Data Source: Windows Security Event Logs","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host. This may indicate that an attacker has captured and relayed the server's computer account hash to execute code on behalf of the compromised system.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Kerberos Relay Attack against a Computer Account\n\n### Possible investigation steps\n\n- Compare the source.ip to the target server host.ip addresses to make sure it's indeed a remote use of the machine account.\n- Examine the source.ip activities as this is the attacker IP address used to relay.\n- Review all relevant activities such as services creation, file and process events on the target server within the same period.\n- Verify the machine account names that end with a dollar sign ($) to ensure they match the expected hostnames, and investigate any discrepancies.\n- Check the network logon types to confirm if they align with typical usage patterns for the identified machine accounts.\n- Investigate the context of the source IP addresses that do not match the host IP, looking for any signs of unauthorized access or unusual network activity.\n- Correlate the findings with other security logs and alerts to identify any patterns or additional indicators of compromise related to the potential relay attack.\n\n### False positive analysis\n\n- Machine accounts performing legitimate network logons from different IP addresses can trigger false positives. To manage this, identify and whitelist known IP addresses associated with legitimate administrative tasks or automated processes.\n- Scheduled tasks or automated scripts that use machine accounts for network operations may be flagged. Review and document these tasks, then create exceptions for their associated IP addresses and hostnames.\n- Load balancers or proxy servers that alter the source IP address of legitimate authentication requests can cause false alerts. Ensure these devices are accounted for in the network architecture and exclude their IP addresses from the rule.\n- Temporary network reconfigurations or migrations might result in machine accounts appearing to log in from unexpected hosts. During such events, temporarily adjust the rule parameters or disable the rule to prevent unnecessary alerts.\n- Regularly review and update the list of exceptions to ensure they reflect current network configurations and operational practices, minimizing the risk of overlooking genuine threats.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n    - If the involved server is a Domain Controller, coordinate the isolation of the server with infrastructure and identity teams to contain the threat while preserving service availability and forensic evidence. Prioritize this step if active compromise or attacker persistence is confirmed.- Reset the domain controller's machine account password, along with any accounts suspected to be compromised or exposed. Ensure strong, unique credentials are used and apply tiered credential hygiene where applicable.\n- Reset the domain controller's machine account password, along with any accounts suspected to be compromised or exposed. Ensure strong, unique credentials are used and apply tiered credential hygiene where applicable.\n- Analyze recent authentication logs, event logs, and network traffic, focusing on suspicious activity and the source IPs referenced in the alert. Correlate findings to identify any lateral movement or additional compromised systems.\n- Strengthen network segmentation, especially between domain controllers, administrative workstations, and critical infrastructure. This limits the attack surface and impedes credential relay or reuse across systems.\n- Escalate the incident to the SOC or incident response team to coordinate a full investigation, containment, and recovery plan. Ensure stakeholders are kept informed throughout the response.\n- Enhance detection mechanisms by tuning alerts and deploying additional telemetry focused on credential relay patterns, anomalous authentication, and NTLM-related activity.\n- Conduct a structured post-incident review, documenting findings, identifying control gaps, and updating playbooks, configurations, or security policies to reduce the likelihood of similar incidents in the future.\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"2d58f67c-156e-480a-a6eb-a698fd8197ff","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1187","name":"Forced Authentication","reference":"https://attack.mitre.org/techniques/T1187/"},{"id":"T1557","name":"Adversary-in-the-Middle","reference":"https://attack.mitre.org/techniques/T1557/","subtechnique":[{"id":"T1557.001","name":"LLMNR/NBT-NS Poisoning and SMB Relay","reference":"https://attack.mitre.org/techniques/T1557/001/"}]}]}],"to":"now","references":["https://github.com/p0dalirius/windows-coerced-authentication-methods","https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications","https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025","https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/","https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html","https://github.com/CICADA8-Research/RemoteKrbRelay/blob/main/README.md","https://github.com/Orange-Cyberdefense/ocd-mindmaps/blob/main/excalimap/mindmap/ad/authenticated.md"],"version":1,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"system","version":"^2.0.0"},{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.code","type":"keyword","ecs":true},{"name":"file.name","type":"keyword","ecs":true},{"name":"host.ip","type":"ip","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"source.ip","type":"ip","ecs":true},{"name":"user.name","type":"keyword","ecs":true},{"name":"winlog.computer_name","type":"keyword","ecs":false},{"name":"winlog.event_data.AuthenticationPackageName","type":"keyword","ecs":false},{"name":"winlog.logon.type","type":"unknown","ecs":false}],"setup":"","type":"eql","language":"eql","index":["logs-system.security*","logs-windows.forwarded*","winlogbeat-*"],"query":"sequence by winlog.computer_name, source.ip with maxspan=5s\n\n/* Filter for an event that indicates coercion against known abused named pipes using an account that is not the host */\n[file where host.os.type == \"windows\" and event.code : \"5145\" and \n    not startswith~(winlog.computer_name, substring(user.name, 0, -1)) and\n    file.name : (\n        \"Spoolss\", \"netdfs\", \"lsarpc\", \"lsass\", \"netlogon\", \"samr\", \"efsrpc\", \"FssagentRpc\",\n        \"eventlog\", \"winreg\", \"srvsvc\", \"dnsserver\", \"dhcpserver\", \"WinsPipe\"\n    )]\n\n/* Detects a logon attempt using the Kerberos protocol resulting from the coercion coming from the same IP address */\n[authentication where host.os.type == \"windows\" and event.code in (\"4624\", \"4625\") and\n    endswith~(user.name, \"$\") and winlog.logon.type : \"network\" and\n    winlog.event_data.AuthenticationPackageName : \"Kerberos\" and\n\n    /* Filter for a machine account that matches the hostname */\n    startswith~(winlog.computer_name, substring(user.name, 0, -1)) and\n\n    /* Verify if the Source IP belongs to the host */\n    not endswith(string(source.ip), string(host.ip)) and\n    source.ip != null and source.ip != \"::1\" and source.ip != \"127.0.0.1\"]\n","actions":[]}
{"id":"f04e1f58-a168-418b-9f7e-2f819945415a","updated_at":"2025-12-06T05:08:12.180Z","updated_by":"elastic","created_at":"2025-11-02T06:23:39.079Z","created_by":"elastic","name":"Potential Remote Install via MsiExec","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Defense Evasion","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Windows Security Event Logs","Data Source: Microsoft Defender for Endpoint","Data Source: Sysmon","Data Source: SentinelOne","Data Source: Crowdstrike","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies attempts to install a file from a remote server using MsiExec. Adversaries may abuse Windows Installers for initial access and delivery of malware.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Remote Install via MsiExec\n\nMsiExec is a Windows utility for installing, maintaining, and removing software. Adversaries exploit it to execute malicious payloads by disguising them as legitimate installations. The detection rule identifies suspicious child processes spawned by MsiExec that initiate network activity, which is atypical for standard installations. By focusing on unusual executable paths and network connections, the rule helps uncover potential misuse indicative of malware delivery or initial access attempts.\n\n### Possible investigation steps\n\n- Review the process tree to identify the parent and child processes of the suspicious MsiExec activity, focusing on the process.entity_id and process.parent.name fields to understand the execution flow.\n- Examine the process.executable path to determine if it deviates from typical installation paths, as specified in the query, to assess the likelihood of malicious activity.\n- Analyze the network or DNS activity associated with the process by reviewing the event.category field for network or dns events, and correlate these with the process.name to identify any unusual or unauthorized connections.\n- Check the process.args for any unusual or suspicious command-line arguments that might indicate an attempt to execute malicious payloads or scripts.\n- Investigate the host's recent activity and security logs to identify any other indicators of compromise or related suspicious behavior, leveraging data sources like Elastic Defend, Sysmon, or SentinelOne as mentioned in the rule's tags.\n- Assess the risk and impact of the detected activity by considering the context of the alert, such as the host's role in the network and any potential data exposure or system compromise.\n\n### False positive analysis\n\n- Legitimate software installations or updates may trigger the rule if they involve network activity. Users can create exceptions for known software update processes that are verified as safe.\n- Custom enterprise applications that use MsiExec for deployment and require network access might be flagged. Identify these applications and exclude their specific executable paths from the rule.\n- Automated deployment tools that utilize MsiExec and perform network operations could be misidentified. Review these tools and whitelist their processes to prevent false alerts.\n- Security software or system management tools that leverage MsiExec for legitimate purposes may cause false positives. Confirm these tools' activities and add them to an exclusion list if necessary.\n- Regularly review and update the exclusion list to ensure it reflects the current environment and any new legitimate software that may interact with MsiExec.\n\n### Response and remediation\n\n- Isolate the affected system from the network immediately to prevent further malicious activity and lateral movement.\n- Terminate the suspicious child process spawned by MsiExec to halt any ongoing malicious operations.\n- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious payloads or remnants.\n- Review and analyze the process execution and network activity logs to identify any additional indicators of compromise (IOCs) and assess the scope of the intrusion.\n- Reset credentials and review access permissions for any accounts that may have been compromised or used during the attack.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Implement enhanced monitoring and detection rules to identify similar threats in the future, focusing on unusual MsiExec activity and network connections.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"c9847fe9-3bed-4e6b-b319-f9956d6dd02a","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1218","name":"System Binary Proxy Execution","reference":"https://attack.mitre.org/techniques/T1218/","subtechnique":[{"id":"T1218.007","name":"Msiexec","reference":"https://attack.mitre.org/techniques/T1218/007/"}]}]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"system","version":"^2.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.command_line","type":"wildcard","ecs":true},{"name":"process.name","type":"keyword","ecs":true},{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["endgame-*","logs-crowdstrike.fdr*","logs-endpoint.events.process-*","logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*","logs-system.security*","logs-windows.forwarded*","logs-windows.sysmon_operational-*","winlogbeat-*"],"query":"process where host.os.type == \"windows\" and event.type == \"start\" and\n  process.name : \"msiexec.exe\" and process.args : (\"-i\", \"/i\") and process.command_line : \"*http*\" and\n  process.args : (\"/qn\", \"-qn\", \"-q\", \"/q\", \"/quiet\") and\n  process.parent.name : (\"sihost.exe\", \"explorer.exe\", \"cmd.exe\", \"wscript.exe\", \"mshta.exe\", \"powershell.exe\", \"wmiprvse.exe\", \"pcalua.exe\", \"forfiles.exe\", \"conhost.exe\") and\n  not process.command_line : (\"*--set-server=*\", \"*UPGRADEADD=*\" , \"*--url=*\",\n                              \"*USESERVERCONFIG=*\", \"*RCTENTERPRISESERVER=*\", \"*app.ninjarmm.com*\", \"*zoom.us/client*\",\n                              \"*SUPPORTSERVERSTSURI=*\", \"*START_URL=*\", \"*AUTOCONFIG=*\", \"*awscli.amazonaws.com*\")\n","actions":[]}
{"id":"dab5ca3b-15cb-445b-90a0-cca03c83a9ac","updated_at":"2025-12-06T05:08:17.454Z","updated_by":"elastic","created_at":"2025-11-02T06:31:56.033Z","created_by":"elastic","name":"PowerShell Kerberos Ticket Dump","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Credential Access","Data Source: PowerShell Logs","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which potentially indicates an attacker's attempt to acquire credentials for lateral movement.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Dump\n\nKerberos is an authentication protocol that relies on tickets to grant access to network resources. Adversaries may abuse this protocol to acquire credentials for lateral movement within a network.\n\nThis rule indicates the use of scripts that contain code capable of dumping Kerberos tickets, which can indicate potential PowerShell abuse for credential theft.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Identify the account involved and contact the owner to confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate other potentially compromised accounts and hosts. Review login events (like 4624) for suspicious events involving the subject and target accounts.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of file path and user ID conditions.\n\n### Related Rules\n\n- PowerShell Kerberos Ticket Request - eb610e70-f9e6-4949-82b9-f1c5bcd37c39\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n  - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable or limit involved accounts during the investigation and response.\n- If the triage identified malware, search the environment for additional compromised hosts.\n  - Implement temporary network rules, procedures, and segmentation to contain the malware.\n  - Stop suspicious processes.\n  - Immediately block the identified indicators of compromise (IoCs).\n  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"fddff193-48a3-484d-8d35-90bb3d323a56","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1003","name":"OS Credential Dumping","reference":"https://attack.mitre.org/techniques/T1003/"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","reference":"https://attack.mitre.org/techniques/T1558/"}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059/","subtechnique":[{"id":"T1059.001","name":"PowerShell","reference":"https://attack.mitre.org/techniques/T1059/001/"}]}]}],"to":"now","references":["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"],"version":110,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.category","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"powershell.file.script_block_text","type":"unknown","ecs":false}],"setup":"## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n","type":"query","language":"kuery","index":["winlogbeat-*","logs-windows.powershell*"],"query":"event.category:process and host.os.type:windows and\n  powershell.file.script_block_text : (\n    \"LsaCallAuthenticationPackage\" and\n    (\n      \"KerbRetrieveEncodedTicketMessage\" or\n      \"KerbQueryTicketCacheMessage\" or\n      \"KerbQueryTicketCacheExMessage\" or\n      \"KerbQueryTicketCacheEx2Message\" or\n      \"KerbRetrieveTicketMessage\" or\n      \"KerbDecryptDataMessage\"\n    )\n  )\n","actions":[]}
{"id":"89260769-db80-44e9-8176-eb1fbb837951","updated_at":"2025-12-06T06:02:42.883Z","updated_by":"elastic","created_at":"2025-12-06T05:51:15.683Z","created_by":"elastic","name":"Pam Library File Tampering","tags":[],"interval":"1m","enabled":true,"revision":1,"description":"A file has either been created or changed in pam. Check for any suspicious unofficial modules, such as pam_user.so, or for any backdoors in pam_unix.so. The library files are in /lib/x86_64-linux-gnu/security/","risk_score":99,"severity":"critical","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-80s","rule_id":"936d5b53-fb52-4c11-a0df-5910abdeb980","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003/"},"technique":[{"id":"T1556","name":"Modify Authentication Process","reference":"https://attack.mitre.org/techniques/T1556/","subtechnique":[]}]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["auditbeat-*"],"query":"event.module:\"file_integrity\" and event.type: (\"change\" or \"create\") and file.path: \"/lib/x86_64-linux-gnu/security/*\"","filters":[],"actions":[]}
{"id":"70d6d70c-3612-4e99-a5f0-cef5deee0550","updated_at":"2025-11-02T05:43:15.431Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.431Z","created_by":"elastic","name":"A Pam File was Modified","tags":["OS: Linux"],"interval":"1m","enabled":true,"revision":0,"description":"Someone modified a pam file and potentially placed a backdoor","risk_score":75,"severity":"high","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-80s","rule_id":"7d64bc86-68e8-45a9-8ae4-e7b0f78fa2ef","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"eql","language":"eql","index":["auditbeat-*"],"query":"file where event.type == \"change\" and file.path like \"/etc/pam.*\" and event.module == \"file_integrity\"","filters":[],"actions":[]}
{"id":"8e70bfbc-5632-47e2-b772-5c430689fbe5","updated_at":"2025-11-02T05:43:15.426Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.426Z","created_by":"elastic","name":"Potential Rootkit in Use","tags":["OS: Linux"],"interval":"1m","enabled":true,"revision":0,"description":"Someone ran \"kill\" with an invalid signal. This is commonly used to elevate privileges to root","risk_score":75,"severity":"high","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-80s","rule_id":"7725d03d-0d73-49f6-a424-d98d84217c64","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1014","name":"Rootkit","reference":"https://attack.mitre.org/techniques/T1014/","subtechnique":[]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1068","name":"Exploitation for Privilege Escalation","reference":"https://attack.mitre.org/techniques/T1068/","subtechnique":[]}]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"eql","language":"eql","index":["auditbeat-*"],"query":"process where tags == \"signals\" and not auditd.data.a1 in (\"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\", \"a\", \"b\", \"c\", \"d\", \"e\", \"f\", \"10\", \"11\", \"12\", \"13\", \"14\", \"15\", \"16\", \"17\", \"18\", \"19\", \"1a\", \"1b\", \"1c\", \"1d\", \"1e\", \"1f\", \"20\")","filters":[],"actions":[]}
{"id":"cba25811-e462-434d-8df0-76fd315470a7","updated_at":"2025-12-06T05:08:20.492Z","updated_by":"elastic","created_at":"2025-11-02T06:15:38.178Z","created_by":"elastic","name":"Service Creation via Local Kerberos Authentication","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Privilege Escalation","Tactic: Credential Access","Use Case: Active Directory Monitoring","Data Source: Active Directory","Data Source: Windows Security Event Logs","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":1,"description":"Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Service Creation via Local Kerberos Authentication\n\nKerberos is a network authentication protocol designed to provide strong authentication for client/server applications. In Windows environments, it is often used for secure identity verification. Adversaries may exploit Kerberos by relaying authentication tickets locally to escalate privileges, potentially creating services with elevated rights. The detection rule identifies suspicious local logons using Kerberos, followed by service creation, indicating possible misuse. By monitoring specific logon events and service installations, it helps detect unauthorized privilege escalation attempts.\n\n### Possible investigation steps\n\n- Review the event logs for the specific LogonId identified in the alert to gather details about the logon session, including the user account involved and the time of the logon event.\n- Examine the source IP address and port from the logon event to confirm it matches the localhost (127.0.0.1 or ::1) and determine if this aligns with expected behavior for the user or system.\n- Investigate the service creation event (event ID 4697) associated with the same LogonId to identify the service name, executable path, and any related command-line arguments to assess if it is legitimate or potentially malicious.\n- Check for any recent changes or anomalies in the system or user account, such as modifications to user privileges, group memberships, or recent software installations, that could indicate unauthorized activity.\n- Correlate the findings with other security alerts or logs from the same timeframe to identify any patterns or additional indicators of compromise that may suggest a broader attack or compromise.\n\n### False positive analysis\n\n- Routine administrative tasks may trigger the rule if administrators frequently log in locally using Kerberos and create services as part of their duties. To manage this, create exceptions for known administrative accounts or specific service creation activities that are part of regular maintenance.\n- Automated scripts or software updates that use Kerberos authentication and subsequently install or update services can also generate false positives. Identify these scripts or update processes and exclude their associated logon IDs from the rule.\n- Security software or monitoring tools that perform regular checks and use Kerberos for authentication might inadvertently trigger the rule. Review the behavior of these tools and whitelist their activities if they are verified as non-threatening.\n- In environments where localhost is used for testing or development purposes, developers might log in using Kerberos and create services. Consider excluding specific development machines or user accounts from the rule to prevent unnecessary alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or privilege escalation.\n- Terminate any suspicious services created during the incident to halt potential malicious activities.\n- Conduct a thorough review of the affected system's event logs, focusing on the specific LogonId and service creation events to identify the scope of the compromise.\n- Reset the credentials of the compromised user account and any other accounts that may have been accessed using the relayed Kerberos tickets.\n- Apply patches and updates to the affected system and any other systems in the network to address known vulnerabilities that could be exploited in similar attacks.\n- Implement network segmentation to limit the ability of attackers to move laterally within the network, reducing the risk of privilege escalation.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.","license":"Elastic License v2","output_index":"","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"e4e31051-ee01-4307-a6ee-b21b186958f4","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1543","name":"Create or Modify System Process","reference":"https://attack.mitre.org/techniques/T1543/","subtechnique":[{"id":"T1543.003","name":"Windows Service","reference":"https://attack.mitre.org/techniques/T1543/003/"}]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1558","name":"Steal or Forge Kerberos Tickets","reference":"https://attack.mitre.org/techniques/T1558/"}]}],"to":"now","references":["https://github.com/Dec0ne/KrbRelayUp","https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html","https://github.com/cube0x0/KrbRelay","https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82"],"version":212,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"system","version":"^2.0.0"},{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.action","type":"keyword","ecs":true},{"name":"event.outcome","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.pid","type":"long","ecs":true},{"name":"source.ip","type":"ip","ecs":true},{"name":"winlog.computer_name","type":"keyword","ecs":false},{"name":"winlog.event_data.AuthenticationPackageName","type":"keyword","ecs":false},{"name":"winlog.event_data.ElevatedToken","type":"unknown","ecs":false},{"name":"winlog.event_data.SubjectLogonId","type":"keyword","ecs":false},{"name":"winlog.event_data.TargetLogonId","type":"keyword","ecs":false},{"name":"winlog.logon.type","type":"unknown","ecs":false}],"setup":"","type":"eql","language":"eql","index":["logs-system.security*","logs-windows.forwarded*","winlogbeat-*"],"query":"sequence by winlog.computer_name with maxspan=5m\n [authentication where host.os.type == \"windows\" and\n\n  /* event 4624 need to be logged */\n  event.action == \"logged-in\" and event.outcome == \"success\" and winlog.event_data.ElevatedToken == \"%%1843\" and process.pid == 0 and \n\n  /* authenticate locally using relayed kerberos Ticket */\n  winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\")] by winlog.event_data.TargetLogonId\n\n  [any where host.os.type == \"windows\" and\n   /* event 4697 need to be logged */\n   event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n","actions":[]}
{"id":"0ee96211-121f-4245-aefe-685144882163","updated_at":"2025-12-06T06:01:30.269Z","updated_by":"elastic","created_at":"2025-12-06T06:01:30.269Z","created_by":"elastic","name":"SSH Files Modified Root's Home Directory","tags":[],"interval":"1m","enabled":true,"revision":0,"description":"The contents of the directory /root/.ssh have changed. This could mean that ssh keys were dropped in the root directory","risk_score":73,"severity":"high","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-80s","rule_id":"62c83835-b068-4c46-b2d9-43b8585ed767","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003/"},"technique":[{"id":"T1078","name":"Valid Accounts","reference":"https://attack.mitre.org/techniques/T1078/","subtechnique":[]}]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["auditbeat-*"],"query":"tags:\"rootkey\"","filters":[],"actions":[]}
{"id":"d5cf5934-3553-4501-bb81-735b6518df4a","updated_at":"2025-11-02T05:43:15.438Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.438Z","created_by":"elastic","name":"User Account Was Unlocked","tags":["OS: Linux"],"interval":"1m","enabled":true,"revision":0,"description":"A user account was unlocked and can be used again","risk_score":50,"severity":"medium","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-80s","rule_id":"bf5d1b38-6545-4019-a7ad-0d8c1bac30e0","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003/"},"technique":[{"id":"T1078","name":"Valid Accounts","reference":"https://attack.mitre.org/techniques/T1078/","subtechnique":[{"id":"T1078.003","name":"Local Accounts","reference":"https://attack.mitre.org/techniques/T1078/003/"}]}]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["auditbeat-*"],"query":"process.name:\"usermod\" and process.args:(\"--unlock\" or \"-U\")","filters":[],"actions":[]}
{"id":"9d83f053-f827-4a75-8156-e43cbbcbaabe","updated_at":"2025-12-06T05:08:22.637Z","updated_by":"elastic","created_at":"2025-11-02T06:15:38.940Z","created_by":"elastic","name":"Potential Shadow Credentials added to AD Object","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Credential Access","Data Source: Active Directory","Resources: Investigation Guide","Use Case: Active Directory Monitoring","Data Source: Windows Security Event Logs"],"interval":"5m","enabled":true,"revision":1,"description":"Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n  - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n    - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n  - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n  - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":["Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions."],"from":"now-9m","rule_id":"79f97b31-480e-4e63-a7f4-ede42bf2c6de","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1556","name":"Modify Authentication Process","reference":"https://attack.mitre.org/techniques/T1556/"}]}],"to":"now","references":["https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab","https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials","https://github.com/OTRF/Set-AuditRule","https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/"],"version":217,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"system","version":"^2.0.0"},{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.code","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"winlog.event_data.AttributeLDAPDisplayName","type":"unknown","ecs":false},{"name":"winlog.event_data.AttributeValue","type":"unknown","ecs":false},{"name":"winlog.event_data.SubjectUserName","type":"keyword","ecs":false}],"setup":"## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```\n","type":"query","language":"kuery","index":["winlogbeat-*","logs-system.security*","logs-windows.forwarded*"],"query":"event.code:\"5136\" and host.os.type:\"windows\" and winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and\n  winlog.event_data.AttributeValue :B\\:828* and\n  not winlog.event_data.SubjectUserName: MSOL_*\n","actions":[]}
{"id":"f7a389c3-83f1-400d-b4b4-0f4f686ff2ce","updated_at":"2025-12-06T05:08:08.897Z","updated_by":"elastic","created_at":"2025-11-02T06:15:41.134Z","created_by":"elastic","name":"Unusual Child Process of dns.exe","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Lateral Movement","Resources: Investigation Guide","Data Source: Elastic Endgame","Use Case: Vulnerability","Data Source: Elastic Defend","Data Source: Windows Security Event Logs","Data Source: Microsoft Defender for Endpoint","Data Source: Sysmon","Data Source: SentinelOne","Data Source: Crowdstrike"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n  - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n  - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n  - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":["Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."],"from":"now-9m","rule_id":"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","name":"Lateral Movement","reference":"https://attack.mitre.org/tactics/TA0008/"},"technique":[{"id":"T1210","name":"Exploitation of Remote Services","reference":"https://attack.mitre.org/techniques/T1210/"}]}],"to":"now","references":["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/","https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/","https://github.com/maxpl0it/CVE-2020-1350-DoS","https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"],"version":317,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"system","version":"^2.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.executable","type":"keyword","ecs":true},{"name":"process.parent.executable","type":"keyword","ecs":true},{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["endgame-*","logs-crowdstrike.fdr*","logs-endpoint.events.process-*","logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*","logs-system.security*","logs-windows.forwarded*","logs-windows.sysmon_operational-*","winlogbeat-*"],"query":"process where host.os.type == \"windows\" and event.type == \"start\" and\n  process.parent.name : \"dns.exe\" and\n  not process.executable : (\n    \"?:\\\\Windows\\\\System32\\\\conhost.exe\",\n\n    /* Crowdstrike specific exclusion as it uses NT Object paths */\n    \"\\\\Device\\\\HarddiskVolume*\\\\Windows\\\\System32\\\\conhost.exe\",\n    \"\\\\Device\\\\HarddiskVolume*\\\\Program Files\\\\ReasonLabs\\\\*\"\n  ) and\n  not ?process.parent.executable : \"?:\\\\Program Files\\\\ReasonLabs\\\\DNS\\\\ui\\\\DNS.exe\"\n","actions":[]}
{"id":"3bb65ce7-03cf-43a7-9fb6-470a1d84b916","updated_at":"2025-12-06T05:08:04.589Z","updated_by":"elastic","created_at":"2025-11-02T06:15:40.071Z","created_by":"elastic","name":"Interactive Logon by an Unusual Process","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Privilege Escalation","Data Source: Windows Security Event Logs","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new token to escalate privileges and bypass access controls.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Interactive Logon by an Unusual Process\n\nInteractive logons in Windows environments typically involve standard processes like winlogon.exe. Adversaries may exploit alternate processes to create tokens, escalating privileges and bypassing controls. This detection rule identifies anomalies by flagging logons via non-standard executables, focusing on mismatched user SIDs and unusual process paths, thus highlighting potential privilege escalation attempts.\n\n### Possible investigation steps\n\n- Review the process executable path to determine if it is a known or expected application for interactive logons. Investigate any unfamiliar or suspicious paths.\n- Examine the SubjectUserSid and TargetUserSid to identify the users involved in the logon attempt. Check for any discrepancies or unusual patterns in user activity.\n- Analyze the event logs around the time of the alert to identify any related or preceding events that might indicate how the unusual process was initiated.\n- Investigate the system for any signs of compromise, such as unexpected changes in system files, unauthorized software installations, or other indicators of malicious activity.\n- Check for any recent privilege escalation attempts or access token manipulations that might correlate with the alert, using the MITRE ATT&CK framework references for guidance.\n\n### False positive analysis\n\n- Legitimate administrative tools or scripts may trigger this rule if they use non-standard executables for logon processes. To manage this, identify and whitelist these known tools by adding their executable paths to the exception list.\n- Custom applications developed in-house that require interactive logon might be flagged. Review these applications and, if verified as safe, exclude their executable paths from the detection rule.\n- Automated tasks or services that use alternate credentials for legitimate purposes can cause false positives. Analyze these tasks and, if they are part of regular operations, adjust the rule to exclude their specific user SIDs or executable paths.\n- Security software or monitoring tools that perform logon actions for scanning or auditing purposes may be incorrectly flagged. Confirm their legitimacy and add them to the exception list to prevent unnecessary alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.\n- Terminate any suspicious processes identified as executing from non-standard paths that are not part of the legitimate Windows system processes.\n- Revoke any tokens or credentials associated with the anomalous logon session to prevent further misuse.\n- Conduct a thorough review of user accounts involved, focusing on any unauthorized privilege escalations or changes in permissions, and reset passwords as necessary.\n- Analyze the system for any signs of persistence mechanisms or additional malware, and remove any identified threats.\n- Restore the system from a known good backup if any unauthorized changes or malware are detected that cannot be easily remediated.\n- Report the incident to the appropriate internal security team or management for further investigation and potential escalation to law enforcement if necessary.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"61766ef9-48a5-4247-ad74-3349de7eb2ad","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1134","name":"Access Token Manipulation","reference":"https://attack.mitre.org/techniques/T1134/","subtechnique":[{"id":"T1134.002","name":"Create Process with Token","reference":"https://attack.mitre.org/techniques/T1134/002/"},{"id":"T1134.003","name":"Make and Impersonate Token","reference":"https://attack.mitre.org/techniques/T1134/003/"}]}]}],"to":"now","references":["https://attack.mitre.org/techniques/T1134/002/"],"version":108,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"system","version":"^2.0.0"},{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.executable","type":"keyword","ecs":true},{"name":"winlog.event_data.LogonProcessName","type":"keyword","ecs":false},{"name":"winlog.event_data.SubjectUserSid","type":"keyword","ecs":false},{"name":"winlog.event_data.TargetUserSid","type":"keyword","ecs":false},{"name":"winlog.logon.type","type":"unknown","ecs":false}],"setup":"## Setup\n\nAudit event 4624 is needed to trigger this rule.\n","type":"eql","language":"eql","index":["logs-system.security*","logs-windows.forwarded*","winlogbeat-*"],"query":"authentication where\n host.os.type : \"windows\" and winlog.event_data.LogonProcessName : \"Advapi*\" and\n winlog.logon.type == \"Interactive\" and winlog.event_data.SubjectUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and\n winlog.event_data.TargetUserSid : (\"S-1-5-21*\", \"S-1-12-*\")  and process.executable : \"C:\\\\*\" and\n not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and\n not process.executable :\n            (\"?:\\\\Windows\\\\System32\\\\winlogon.exe\",\n             \"?:\\\\Windows\\\\System32\\\\wininit.exe\",\n             \"?:\\\\Program Files\\\\*.exe\",\n             \"?:\\\\Program Files (x86)\\\\*.exe\",\n             \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n             \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n             \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n","actions":[]}
{"id":"7deb6cba-90ab-4c7f-ae46-df1a0314fabb","updated_at":"2025-12-06T05:08:11.096Z","updated_by":"elastic","created_at":"2025-11-02T06:23:39.031Z","created_by":"elastic","name":"Suspicious Microsoft HTML Application Child Process","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Defense Evasion","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Windows Security Event Logs","Data Source: Microsoft Defender for Endpoint","Data Source: Sysmon","Data Source: SentinelOne","Data Source: Crowdstrike","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies Mshta.exe spawning a suspicious child process. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious Microsoft HTML Application Child Process\n\nMshta.exe is a legitimate Windows utility used to execute Microsoft HTML Application (HTA) files. Adversaries exploit it to run malicious scripts, leveraging its trusted status to bypass security measures. The detection rule identifies suspicious network activity by Mshta.exe, excluding known benign processes, to flag potential threats. This approach helps in identifying unauthorized network connections indicative of malicious intent.\n\n### Possible investigation steps\n\n- Review the process tree to understand the parent-child relationship of mshta.exe, focusing on any unusual or unexpected parent processes that are not excluded by the rule, such as Microsoft.ConfigurationManagement.exe or known benign executables.\n- Analyze the command-line arguments used by mshta.exe to identify any suspicious or unexpected scripts being executed, especially those not matching the excluded ADSelfService_Enroll.hta.\n- Examine the network connections initiated by mshta.exe, including destination IP addresses, domains, and ports, to identify any connections to known malicious or suspicious endpoints.\n- Check for any related alerts or logs from the same host around the time of the mshta.exe activity to identify potential lateral movement or additional malicious behavior.\n- Investigate the user account associated with the mshta.exe process to determine if it has been compromised or is exhibiting unusual activity patterns.\n\n### False positive analysis\n\n- Mshta.exe may be triggered by legitimate software updates or installations, such as those from Microsoft Configuration Management. To handle this, add exceptions for processes with parent names like Microsoft.ConfigurationManagement.exe.\n- Certain applications like Amazon Assistant and TeamViewer may use Mshta.exe for legitimate purposes. Exclude these by specifying their executable paths, such as C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe and C:\\TeamViewer\\TeamViewer.exe.\n- Custom scripts or internal tools that utilize HTA files for automation might cause false positives. Identify these scripts and exclude them by their specific arguments, such as ADSelfService_Enroll.hta.\n- Regularly review and update the list of exceptions to ensure that only verified benign activities are excluded, minimizing the risk of overlooking genuine threats.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate the mshta.exe process if it is confirmed to be making unauthorized network connections.\n- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious scripts or files.\n- Review and analyze the process tree and network connections associated with mshta.exe to identify any additional compromised processes or systems.\n- Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated.\n- Implement application whitelisting to prevent unauthorized execution of mshta.exe and similar system binaries.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"48e60a73-08e8-42aa-8f51-4ed92c64dbea","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1218","name":"System Binary Proxy Execution","reference":"https://attack.mitre.org/techniques/T1218/","subtechnique":[{"id":"T1218.005","name":"Mshta","reference":"https://attack.mitre.org/techniques/T1218/005/"}]}]}],"to":"now","references":["https://lolbas-project.github.io/lolbas/Binaries/Mshta/"],"version":1,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"system","version":"^2.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.executable","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true},{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["endgame-*","logs-crowdstrike.fdr*","logs-endpoint.events.process-*","logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*","logs-system.security*","logs-windows.forwarded*","logs-windows.sysmon_operational-*","winlogbeat-*"],"query":"process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"mshta.exe\" and\n (\n  process.name : (\"cmd.exe\", \"powershell.exe\", \"certutil.exe\", \"bitsadmin.exe\", \"curl.exe\", \"msiexec.exe\", \"schtasks.exe\", \"reg.exe\", \"wscript.exe\", \"rundll32.exe\") or\n  process.executable : (\"C:\\\\Users\\\\*\\\\*.exe\", \"\\\\Device\\\\HarddiskVolume*\\\\Users\\\\*\\\\*.exe\")\n  )\n","actions":[]}
{"id":"e4b06b08-1011-4ac8-92a0-8b71fb4ee625","updated_at":"2025-12-06T05:08:07.867Z","updated_by":"elastic","created_at":"2025-11-02T06:15:40.960Z","created_by":"elastic","name":"Potential Local NTLM Relay via HTTP","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Credential Access","Tactic: Defense Evasion","Data Source: Elastic Endgame","Data Source: Elastic Defend","Data Source: Windows Security Event Logs","Data Source: Microsoft Defender for Endpoint","Data Source: Sysmon","Data Source: SentinelOne","Data Source: Crowdstrike","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Local NTLM Relay via HTTP\n\nNTLM, a suite of Microsoft security protocols, is often targeted by adversaries for credential theft. Attackers may exploit the Windows Printer Spooler service to coerce NTLM authentication over HTTP, potentially elevating privileges. The detection rule identifies suspicious rundll32.exe executions invoking WebDAV client DLLs with specific arguments, signaling attempts to access named pipes via HTTP, indicative of NTLM relay attacks.\n\n### Possible investigation steps\n\n- Review the process execution details for rundll32.exe, focusing on the specific arguments related to davclnt.dll and DavSetCookie, to confirm the presence of suspicious WebDAV client activity.\n- Investigate the network connections initiated by the rundll32.exe process to identify any HTTP requests targeting named pipes, such as those containing \"/print/pipe/\", \"/pipe/spoolss\", or \"/pipe/srvsvc\".\n- Check the system's event logs for any related authentication attempts or failures around the time of the alert to identify potential NTLM relay activity.\n- Analyze the history of the Windows Printer Spooler service on the affected host to determine if it has been recently manipulated or exploited.\n- Correlate the alert with other security events or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns.\n- Assess the user account associated with the NTLM authentication attempt to determine if it has been compromised or is being used in an unauthorized manner.\n\n### False positive analysis\n\n- Legitimate administrative tasks using rundll32.exe with WebDAV client DLLs may trigger the rule. Review the context of the execution, such as the user account and the timing, to determine if it aligns with expected administrative activities.\n- Automated software deployment or update processes might use similar rundll32.exe calls. Verify if the process is part of a scheduled or known deployment task and consider excluding these specific processes from the rule.\n- Some third-party applications may use WebDAV for legitimate purposes, which could mimic the behavior detected by the rule. Identify these applications and create exceptions for their known processes to prevent false alerts.\n- System maintenance scripts or tools that interact with network resources via HTTP might inadvertently match the rule's criteria. Ensure these scripts are documented and exclude them if they are verified as non-threatening.\n- Regularly review and update the exclusion list to accommodate changes in legitimate software behavior, ensuring that only verified false positives are excluded to maintain the rule's effectiveness.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.\n- Terminate any suspicious rundll32.exe processes identified in the alert to stop ongoing malicious activity.\n- Conduct a thorough review of the affected system's event logs and network traffic to identify any additional indicators of compromise or related malicious activity.\n- Reset credentials for any accounts that may have been exposed or compromised during the attack to prevent unauthorized access.\n- Apply the latest security patches and updates to the Windows Printer Spooler service and related components to mitigate known vulnerabilities.\n- Implement network segmentation to limit the exposure of critical services and reduce the risk of similar attacks in the future.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"4682fd2c-cfae-47ed-a543-9bed37657aa6","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1212","name":"Exploitation for Credential Access","reference":"https://attack.mitre.org/techniques/T1212/"}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1218","name":"System Binary Proxy Execution","reference":"https://attack.mitre.org/techniques/T1218/","subtechnique":[{"id":"T1218.011","name":"Rundll32","reference":"https://attack.mitre.org/techniques/T1218/011/"}]}]}],"to":"now","references":["https://github.com/med0x2e/NTLMRelay2Self","https://github.com/topotam/PetitPotam","https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py"],"version":315,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"windows","version":"^3.0.0"},{"package":"system","version":"^2.0.0"},{"package":"m365_defender","version":"^3.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true}],"setup":"","type":"eql","language":"eql","index":["endgame-*","logs-crowdstrike.fdr*","logs-endpoint.events.process-*","logs-m365_defender.event-*","logs-sentinel_one_cloud_funnel.*","logs-system.security*","logs-windows.forwarded*","logs-windows.sysmon_operational-*","winlogbeat-*"],"query":"process where host.os.type == \"windows\" and event.type == \"start\" and\n  process.name : \"rundll32.exe\" and\n\n  /* Rundll32 WbeDav Client  */\n  process.args : (\"?:\\\\Windows\\\\System32\\\\davclnt.dll,DavSetCookie\", \"?:\\\\Windows\\\\SysWOW64\\\\davclnt.dll,DavSetCookie\") and\n\n  /* Access to named pipe via http */\n  process.args : (\"http*/print/pipe/*\", \"http*/pipe/spoolss\", \"http*/pipe/srvsvc\")\n","actions":[]}
{"id":"0d0a6cb5-8a6b-4e47-a29f-a04694a55a85","updated_at":"2025-11-02T05:43:15.410Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.410Z","created_by":"elastic","name":"Process was created","tags":["OS: Windows"],"interval":"1m","enabled":true,"revision":0,"description":"A new process was created","risk_score":25,"severity":"low","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-80s","rule_id":"b1725732-896a-4381-81ac-c06fc80bc6f7","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1204","name":"User Execution","reference":"https://attack.mitre.org/techniques/T1204/","subtechnique":[{"id":"T1204.002","name":"Malicious File","reference":"https://attack.mitre.org/techniques/T1204/002/"}]}]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["winlogbeat-*"],"query":"event.code:\"1\" and winlog.provider_name: \"Microsoft-Windows-Sysmon\"","filters":[],"actions":[]}
{"id":"e8073204-7c6e-4e86-81c0-8e2deef4f84e","updated_at":"2025-11-02T05:43:15.428Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.428Z","created_by":"elastic","name":"New User Added","tags":["OS: Linux"],"interval":"1m","enabled":true,"revision":0,"description":"A new user was added","risk_score":75,"severity":"high","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"investigation_fields":{"field_names":["user.target.name","user.audit.name","user.name"]},"author":[],"false_positives":[],"from":"now-80s","rule_id":"32951f6f-c258-4f80-99d1-6d6871ffee6b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003/"},"technique":[{"id":"T1078","name":"Valid Accounts","reference":"https://attack.mitre.org/techniques/T1078/","subtechnique":[{"id":"T1078.003","name":"Local Accounts","reference":"https://attack.mitre.org/techniques/T1078/003/"}]}]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["auditbeat-*"],"query":"auditd.message_type:\"add_user\" and event.outcome :\"success\" ","filters":[],"actions":[]}
{"id":"1d0fa984-83ae-4190-a8cb-c1d4c4c3b6ad","updated_at":"2025-11-02T05:43:15.443Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.443Z","created_by":"elastic","name":"A Command Was Run With Sudo","tags":["OS: Linux"],"interval":"1m","enabled":true,"revision":0,"description":"Someone ran a command with elevated privileges using sudo","risk_score":50,"severity":"medium","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-80s","rule_id":"1f186a65-a746-4bec-8eae-b74a8ef6bca3","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1548","name":"Abuse Elevation Control Mechanism","reference":"https://attack.mitre.org/techniques/T1548/","subtechnique":[{"id":"T1548.003","name":"Sudo and Sudo Caching","reference":"https://attack.mitre.org/techniques/T1548/003/"}]}]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["auditbeat-*"],"query":"event.category:\"process\" and process.name:\"sudo\" and event.outcome:\"success\" and tags:\"priv_esc\"","filters":[],"actions":[]}
{"id":"92d70166-b23c-4376-b9f6-50adb0d73eb4","updated_at":"2025-12-06T05:08:23.721Z","updated_by":"elastic","created_at":"2025-11-02T05:55:59.736Z","created_by":"elastic","name":"Potential Privileged Escalation via SamAccountName Spoofing","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Persistence","Tactic: Privilege Escalation","Use Case: Active Directory Monitoring","Data Source: Active Directory","Use Case: Vulnerability","Data Source: Windows Security Event Logs","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":1,"description":"Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Privileged Escalation via SamAccountName Spoofing\n\nIn Active Directory environments, the samAccountName attribute is crucial for identifying user and computer accounts. Adversaries may exploit vulnerabilities like CVE-2021-42278 to spoof this attribute, potentially elevating privileges by renaming computer accounts to mimic domain controllers. The detection rule identifies suspicious renaming events, where a machine account is altered to resemble a user account, signaling possible privilege escalation attempts.\n\n### Possible investigation steps\n\n- Review the event logs to confirm the occurrence of a \"renamed-user-account\" action, focusing on entries where the OldTargetUserName ends with a \"$\" and the NewTargetUserName does not, indicating a potential spoofing attempt.\n- Identify the source of the rename event by examining the event logs for the user or system that initiated the change, and determine if it aligns with expected administrative activity.\n- Check the history of the NewTargetUserName to see if it has been used in any recent authentication attempts or privileged operations, which could indicate malicious intent.\n- Investigate the associated IP address and hostname from which the rename action was performed to determine if it is a known and trusted source within the network.\n- Correlate the event with other security alerts or logs to identify any patterns or additional suspicious activities that might suggest a broader attack campaign.\n- Assess the potential impact by determining if the renamed account has been granted elevated privileges or access to sensitive resources since the rename event occurred.\n\n### False positive analysis\n\n- Routine administrative tasks involving legitimate renaming of computer accounts can trigger false positives. To manage this, create exceptions for known administrative activities by excluding specific administrator accounts or service accounts from the detection rule.\n- Automated processes or scripts that rename computer accounts as part of regular maintenance or deployment procedures may also cause false alerts. Identify these processes and exclude their associated accounts or event patterns from the rule.\n- Temporary renaming of computer accounts for troubleshooting or testing purposes can be mistaken for suspicious activity. Document and exclude these temporary changes by maintaining a list of authorized personnel and their activities.\n- Changes made by trusted third-party software or management tools that interact with Active Directory should be reviewed and, if deemed safe, excluded from triggering alerts by specifying the tool's account or signature in the rule exceptions.\n\n### Response and remediation\n\n- Immediately isolate the affected machine from the network to prevent further unauthorized access or lateral movement within the domain.\n- Revert any unauthorized changes to the samAccountName attribute by renaming the affected computer account back to its original name.\n- Conduct a thorough review of recent changes in Active Directory, focusing on user and computer account modifications, to identify any other potentially compromised accounts.\n- Reset passwords for the affected machine account and any other accounts that may have been accessed or modified during the incident.\n- Apply the latest security patches and updates to all domain controllers and critical systems to mitigate vulnerabilities like CVE-2021-42278.\n- Enhance monitoring and logging for Active Directory events, specifically focusing on account renaming activities, to detect similar threats in the future.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"bdcf646b-08d4-492c-870a-6c04e3700034","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1068","name":"Exploitation for Privilege Escalation","reference":"https://attack.mitre.org/techniques/T1068/"},{"id":"T1078","name":"Valid Accounts","reference":"https://attack.mitre.org/techniques/T1078/","subtechnique":[{"id":"T1078.002","name":"Domain Accounts","reference":"https://attack.mitre.org/techniques/T1078/002/"}]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003/"},"technique":[{"id":"T1098","name":"Account Manipulation","reference":"https://attack.mitre.org/techniques/T1098/"}]}],"to":"now","references":["https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e","https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/","https://github.com/cube0x0/noPac","https://twitter.com/exploitph/status/1469157138928914432","https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"],"version":214,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"system","version":"^2.0.0"},{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.action","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"winlog.event_data.NewTargetUserName","type":"unknown","ecs":false},{"name":"winlog.event_data.OldTargetUserName","type":"unknown","ecs":false}],"setup":"","type":"eql","language":"eql","index":["logs-system.security*","logs-windows.forwarded*","winlogbeat-*"],"query":"iam where host.os.type == \"windows\" and event.action == \"renamed-user-account\" and\n  /* machine account name renamed to user like account name */\n  winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n","actions":[]}
{"id":"57ba6d75-b864-4bdf-843c-a9aa8957cbaf","updated_at":"2025-12-06T05:08:25.804Z","updated_by":"elastic","created_at":"2025-11-02T06:15:38.389Z","created_by":"elastic","name":"KRBTGT Delegation Backdoor","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Persistence","Use Case: Active Directory Monitoring","Data Source: Active Directory","Data Source: Windows Security Event Logs","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":1,"description":"Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating KRBTGT Delegation Backdoor\n\nIn Active Directory, the KRBTGT account is crucial for Kerberos ticket granting. Adversaries may exploit this by altering the msDS-AllowedToDelegateTo attribute, enabling unauthorized ticket requests and persistent domain access. The detection rule identifies such modifications by monitoring specific event actions and codes, flagging high-risk changes to the KRBTGT delegation settings.\n\n### Possible investigation steps\n\n- Review the event logs for the specific event code 4738 to identify the user account that was modified and verify if the msDS-AllowedToDelegateTo attribute includes the KRBTGT service.\n- Investigate the user account that performed the modification by checking their recent activities and login history to determine if the action was authorized or suspicious.\n- Examine the timeline of the modification event to correlate it with any other unusual activities or alerts in the network around the same time.\n- Check for any other modifications to sensitive attributes or accounts in Active Directory that might indicate a broader compromise.\n- Assess the potential impact on the domain by evaluating the access level and permissions of the modified account and any associated systems or services.\n- Consult with the IT security team to determine if there are any known maintenance activities or changes that could explain the modification, ensuring it was not a legitimate administrative action.\n\n### False positive analysis\n\n- Routine administrative tasks involving legitimate changes to the msDS-AllowedToDelegateTo attribute for service accounts may trigger alerts. Review the context of the change and verify with the IT team if it aligns with scheduled maintenance or updates.\n- Automated scripts or tools used for Active Directory management might modify delegation settings as part of their operations. Identify these scripts and exclude their activity from triggering alerts by creating exceptions based on the script's signature or the account used.\n- Changes made by trusted third-party applications that require delegation for functionality can be mistaken for malicious activity. Document these applications and adjust the detection rule to exclude their known and expected behavior.\n- Regular audits or compliance checks that involve modifications to delegation settings should be accounted for. Coordinate with audit teams to schedule these activities and temporarily adjust monitoring rules to prevent false positives during these periods.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or ticket requests using the KRBTGT account.\n- Revert any unauthorized changes to the msDS-AllowedToDelegateTo attribute for the KRBTGT account by restoring it to its previous state using a known good backup or manually resetting the attribute.\n- Reset the KRBTGT account password twice to invalidate any existing Kerberos tickets that may have been issued using the compromised delegation settings.\n- Conduct a thorough review of recent changes to user accounts and delegation settings in Active Directory to identify any other potential unauthorized modifications.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the compromise.\n- Implement enhanced monitoring for changes to critical accounts and attributes in Active Directory, focusing on the KRBTGT account and similar high-value targets.\n- Review and update access controls and delegation permissions to ensure that only authorized personnel have the ability to modify sensitive attributes like msDS-AllowedToDelegateTo.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"e052c845-48d0-4f46-8a13-7d0aba05df82","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003/"},"technique":[{"id":"T1098","name":"Account Manipulation","reference":"https://attack.mitre.org/techniques/T1098/"}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006/"},"technique":[{"id":"T1558","name":"Steal or Forge Kerberos Tickets","reference":"https://attack.mitre.org/techniques/T1558/"}]}],"to":"now","references":["https://skyblue.team/posts/delegate-krbtgt","https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"],"version":213,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"system","version":"^2.0.0"},{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.code","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"winlog.event_data.AllowedToDelegateTo","type":"unknown","ecs":false}],"setup":"## Setup\n\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```\n","type":"eql","language":"eql","index":["logs-system.security*","logs-windows.forwarded*","winlogbeat-*"],"query":"iam where host.os.type == \"windows\" and event.code == \"4738\" and winlog.event_data.AllowedToDelegateTo : \"*krbtgt*\"\n","actions":[]}
{"id":"b43dca45-4c95-4da7-a88f-6864946148cc","updated_at":"2025-12-06T05:08:26.900Z","updated_by":"elastic","created_at":"2025-11-02T06:15:36.738Z","created_by":"elastic","name":"Remote Computer Account DnsHostName Update","tags":["Domain: Endpoint","OS: Windows","Use Case: Threat Detection","Tactic: Privilege Escalation","Use Case: Active Directory Monitoring","Data Source: Active Directory","Use Case: Vulnerability","Data Source: Windows Security Event Logs","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":1,"description":"Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Remote Computer Account DnsHostName Update\n\nIn Active Directory environments, the DnsHostName attribute links computer accounts to their DNS names, crucial for network communication. Adversaries may exploit this by altering a non-domain controller's DnsHostName to mimic a domain controller, potentially exploiting vulnerabilities like CVE-2022-26923 for privilege escalation. The detection rule identifies suspicious changes by monitoring for remote updates to this attribute, especially when the new hostname resembles a domain controller's, flagging potential exploitation attempts.\n\n### Possible investigation steps\n\n- Review the event logs to confirm the occurrence of the \"changed-computer-account\" action, focusing on the user.id fields (\"S-1-5-21-*\", \"S-1-12-1-*\") to identify the user who initiated the change.\n- Verify the new DnsHostName value against the list of legitimate domain controller DNS hostnames to assess if it matches any known domain controllers.\n- Check the winlog.event_data.TargetUserName to ensure that the DnsHostName does not start with the computer name that was changed, which could indicate a false positive.\n- Investigate the account associated with the user.id to determine if it has a history of suspicious activity or if it has been compromised.\n- Examine recent changes or activities on the affected computer account to identify any unauthorized access or configuration changes.\n- Correlate this event with other security alerts or logs to identify potential patterns or coordinated activities that might indicate a broader attack.\n\n### False positive analysis\n\n- Routine maintenance or updates to computer accounts may trigger the rule if the DnsHostName is temporarily set to a domain controller-like name. To manage this, create exceptions for known maintenance periods or specific administrative accounts performing these updates.\n- Automated scripts or tools that update computer account attributes might inadvertently match the rule's conditions. Identify and exclude these scripts or tools by their user IDs or specific patterns in their operations.\n- Legitimate changes in network architecture, such as the promotion of a server to a domain controller, could be flagged. Ensure that such changes are documented and create exceptions for the involved accounts or systems during the transition period.\n- Temporary testing environments where non-domain controllers are configured with domain controller-like hostnames for testing purposes can cause false positives. Exclude these environments by their specific hostnames or network segments.\n- Regularly review and update the list of known domain controller hostnames to ensure that legitimate changes in the network are not mistakenly flagged as suspicious.\n\n### Response and remediation\n\n- Immediately isolate the affected computer from the network to prevent further unauthorized changes or potential exploitation.\n- Verify the legitimacy of the DnsHostName change by cross-referencing with known domain controller hostnames and authorized change requests.\n- Revert any unauthorized changes to the DnsHostName attribute to its original state to restore proper network communication and prevent misuse.\n- Conduct a thorough review of recent account activities and permissions for the user account involved in the change to identify any unauthorized access or privilege escalation attempts.\n- Escalate the incident to the security operations team for further investigation and to assess potential exploitation of CVE-2022-26923 or other vulnerabilities.\n- Implement additional monitoring on the affected system and similar systems to detect any further suspicious activities or attempts to exploit vulnerabilities.\n- Review and update access controls and permissions for computer accounts in Active Directory to ensure only authorized personnel can make changes to critical attributes like DnsHostName.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"6bed021a-0afb-461c-acbe-ffdb9574d3f3","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1068","name":"Exploitation for Privilege Escalation","reference":"https://attack.mitre.org/techniques/T1068/"},{"id":"T1078","name":"Valid Accounts","reference":"https://attack.mitre.org/techniques/T1078/","subtechnique":[{"id":"T1078.002","name":"Domain Accounts","reference":"https://attack.mitre.org/techniques/T1078/002/"}]}]}],"to":"now","references":["https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4","https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923"],"version":213,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"system","version":"^2.0.0"},{"package":"windows","version":"^3.0.0"}],"required_fields":[{"name":"event.action","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"user.id","type":"keyword","ecs":true},{"name":"winlog.event_data.DnsHostName","type":"unknown","ecs":false},{"name":"winlog.event_data.TargetUserName","type":"keyword","ecs":false}],"setup":"","type":"eql","language":"eql","index":["logs-system.security*","logs-windows.forwarded*","winlogbeat-*"],"query":"iam where host.os.type == \"windows\" and event.action == \"changed-computer-account\" and\n    user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n    /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\n    winlog.event_data.DnsHostName : \"??*\" and\n\n    /* exclude FPs where DnsHostName starts with the ComputerName that was changed */\n    not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\n","actions":[]}
{"id":"4ae25842-174a-4c0b-a2b8-b4b2d371caa7","updated_at":"2025-12-06T05:28:25.826Z","updated_by":"elastic","created_at":"2025-12-06T05:28:17.901Z","created_by":"elastic","name":"EggShell Backdoor Execution","tags":["Domain: Endpoint","OS: Linux","OS: macOS","Use Case: Threat Detection","Tactic: Execution","Data Source: Elastic Defend","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating EggShell Backdoor Execution\n\nEggShell is a post-exploitation tool used on macOS and Linux systems, allowing adversaries to execute commands and scripts remotely. It leverages command and scripting interpreters to gain control over compromised systems. Attackers exploit this by executing malicious payloads, maintaining persistence, and exfiltrating data. The detection rule identifies suspicious process activities, specifically targeting the execution patterns and arguments associated with EggShell, to alert analysts of potential backdoor usage.\n\n### Possible investigation steps\n\n- Review the alert details to confirm the presence of the process name 'espl' and check if the process arguments start with 'eyJkZWJ1ZyI6', which indicates potential EggShell activity.\n- Investigate the parent process of 'espl' to understand how it was initiated and identify any associated suspicious activities or processes.\n- Examine the user account under which the 'espl' process was executed to determine if it aligns with expected behavior or if it indicates a compromised account.\n- Check for any network connections or data exfiltration attempts associated with the 'espl' process to assess if data has been sent to an external source.\n- Review system logs and other security alerts around the time of the 'espl' process execution to identify any correlated events or anomalies.\n- Assess the persistence mechanisms on the affected system to determine if the EggShell backdoor has established any means to survive reboots or user logouts.\n\n### False positive analysis\n\n- Legitimate administrative scripts or tools that use similar command patterns to EggShell may trigger false positives. Review the process arguments and context to determine if the activity is expected and authorized.\n- Development or testing environments where EggShell or similar tools are used for legitimate purposes can cause alerts. Implement exceptions for these environments by excluding specific user accounts or process paths.\n- Automated scripts or monitoring tools that mimic EggShell's execution patterns might be flagged. Identify these scripts and create exceptions based on their unique identifiers or execution context.\n- Regularly update the detection rule to refine the criteria based on observed false positives, ensuring that legitimate activities are not continuously flagged.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further command execution and data exfiltration.\n- Terminate any suspicious processes associated with the EggShell backdoor, specifically those matching the process name 'espl' and arguments starting with 'eyJkZWJ1ZyI6'.\n- Conduct a thorough examination of the system to identify any additional malicious payloads or persistence mechanisms that may have been deployed by the attacker.\n- Remove any unauthorized user accounts or access credentials that may have been created or compromised during the exploitation.\n- Restore the system from a known good backup to ensure all traces of the backdoor and any associated malware are eradicated.\n- Update and patch all software and systems to close any vulnerabilities that may have been exploited by the attacker.\n- Enhance monitoring and detection capabilities to identify similar threats in the future, focusing on command and scripting interpreter activities as outlined in MITRE ATT&CK technique T1059.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"41824afb-d68c-4d0e-bfee-474dac1fa56e","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059/","subtechnique":[{"id":"T1059.006","name":"Python","reference":"https://attack.mitre.org/techniques/T1059/006/"}]}]}],"to":"now","references":["https://github.com/neoneggplant/EggShell"],"version":106,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"}],"required_fields":[{"name":"event.category","type":"keyword","ecs":true},{"name":"event.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true}],"setup":"","type":"query","language":"kuery","index":["auditbeat-*","logs-endpoint.events.*"],"query":"event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6*\n","actions":[]}
{"id":"aaa1dedf-7d62-4ad7-9975-4d5dbca4ccda","updated_at":"2025-11-02T05:43:15.433Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.433Z","created_by":"elastic","name":"A User's Password Was Changed","tags":["OS: Linux"],"interval":"1m","enabled":true,"revision":0,"description":"A user's password was changed. Make sure it was changed by the team","risk_score":50,"severity":"medium","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-80s","rule_id":"9a7ebeef-9a2d-494f-adf6-8c82b9fbb83f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003/"},"technique":[{"id":"T1078","name":"Valid Accounts","reference":"https://attack.mitre.org/techniques/T1078/","subtechnique":[{"id":"T1078.003","name":"Local Accounts","reference":"https://attack.mitre.org/techniques/T1078/003/"}]}]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["auditbeat-*"],"query":"event.action:\"changed-password\" and event.outcome:\"success\"","filters":[],"actions":[]}
{"id":"77b993d4-0152-4f9a-bdb5-7eee954da169","updated_at":"2025-12-06T05:33:24.923Z","updated_by":"elastic","created_at":"2025-12-06T05:33:19.064Z","created_by":"elastic","name":"Sudo Heap-Based Buffer Overflow Attempt","tags":["Domain: Endpoint","OS: Linux","OS: macOS","Use Case: Threat Detection","Tactic: Privilege Escalation","Use Case: Vulnerability","Data Source: Elastic Defend","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Sudo Heap-Based Buffer Overflow Attempt\n\nSudo is a critical utility in Unix-like systems, allowing users to execute commands with elevated privileges. A heap-based buffer overflow in Sudo (CVE-2021-3156) can be exploited by attackers to gain root access. Adversaries may craft specific command-line arguments to trigger this vulnerability. The detection rule identifies suspicious Sudo or Sudoedit invocations with particular argument patterns, signaling potential exploitation attempts.\n\n### Possible investigation steps\n\n- Review the alert details to confirm the presence of suspicious Sudo or Sudoedit invocations with the specific argument patterns: process.args containing a backslash followed by either \"-i\" or \"-s\".\n- Examine the process execution context by gathering additional details such as the user account associated with the process, the parent process, and the command line used.\n- Check the system logs for any other unusual or unauthorized activities around the time of the alert to identify potential lateral movement or further exploitation attempts.\n- Investigate the history of the user account involved to determine if there have been any previous suspicious activities or privilege escalation attempts.\n- Assess the system for any signs of compromise or unauthorized changes, such as new user accounts, modified files, or unexpected network connections.\n- Verify the current version of Sudo installed on the system to determine if it is vulnerable to CVE-2021-3156 and consider applying patches or updates if necessary.\n\n### False positive analysis\n\n- Routine administrative tasks using sudo or sudoedit with interactive or shell options may trigger the rule. Review the context of these commands and consider excluding specific user accounts or scripts that are known to perform legitimate administrative functions.\n- Automated scripts or cron jobs that use sudo with the -i or -s options for legitimate purposes can be flagged. Identify these scripts and add them to an exception list to prevent unnecessary alerts.\n- Development or testing environments where users frequently test commands with elevated privileges might generate false positives. Implement a separate monitoring policy for these environments or exclude known test accounts.\n- Security tools or monitoring solutions that simulate attacks for testing purposes may inadvertently trigger the rule. Ensure these tools are recognized and excluded from triggering alerts by adding them to an exception list.\n- Users with legitimate reasons to frequently switch to root using sudo -i or sudo -s should be identified, and their activities should be monitored separately to avoid false positives.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the attacker.\n- Terminate any suspicious sudo or sudoedit processes identified by the detection rule to halt ongoing exploitation attempts.\n- Apply the latest security patches and updates to the Sudo utility on all affected systems to remediate the vulnerability (CVE-2021-3156).\n- Conduct a thorough review of system logs and process execution history to identify any unauthorized access or privilege escalation activities.\n- Reset passwords for all user accounts on the affected system, especially those with elevated privileges, to mitigate potential credential compromise.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the scope of the breach.\n- Implement enhanced monitoring and alerting for sudo and sudoedit command executions across the network to detect similar exploitation attempts in the future.","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":["This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive."],"from":"now-9m","rule_id":"f37f3054-d40b-49ac-aa9b-a786c74c58b8","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1068","name":"Exploitation for Privilege Escalation","reference":"https://attack.mitre.org/techniques/T1068/"}]}],"to":"now","references":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156","https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit","https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw","https://www.sudo.ws/alerts/unescape_overflow.html"],"version":107,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"}],"required_fields":[{"name":"event.category","type":"keyword","ecs":true},{"name":"event.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true}],"setup":"","type":"threshold","language":"kuery","index":["auditbeat-*","logs-endpoint.events.*"],"query":"event.category:process and event.type:start and\n  process.name:(sudo or sudoedit) and\n  process.args:(*\\\\ and (\"-i\" or \"-s\"))\n","threshold":{"field":["host.hostname"],"value":100},"actions":[]}
{"id":"5175eee0-e4af-4dc3-bda9-2632752efa51","updated_at":"2025-12-06T05:34:00.856Z","updated_by":"elastic","created_at":"2025-12-06T05:33:55.746Z","created_by":"elastic","name":"Potential CVE-2025-32463 Nsswitch File Creation","tags":["Domain: Endpoint","OS: Linux","Use Case: Threat Detection","Tactic: Privilege Escalation","Data Source: Elastic Defend","Data Source: SentinelOne","Data Source: Crowdstrike","Data Source: Elastic Endgame","Data Source: Auditd Manager","Use Case: Vulnerability","Resources: Investigation Guide"],"interval":"5m","enabled":true,"revision":0,"description":"Detects suspicious creation of the nsswitch.conf file, outside of the regular /etc/nsswitch.conf path, consistent with attempts to exploit CVE-2025-32463 (the \"sudo chroot\" privilege escalation), where an attacker tricks sudo into using attacker-controlled NSS files or libraries to gain root.","risk_score":73,"severity":"high","note":"## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential CVE-2025-32463 Nsswitch File Creation\n\nThis rule flags creation of an nsswitch.conf file outside the standard /etc location by a shell, an early sign of staging a fake root to coerce sudo's chroot path and hijack NSS resolution (CVE-2025-32463). A common pattern is writing /tmp/chroot/etc/nsswitch.conf, placing or pointing to a malicious NSS module, then running sudo chroot into that directory so name lookups load attacker-controlled code and escalate to root.\n\n### Possible investigation steps\n\n- Correlate the event with any sudo or chroot executions within ±10 minutes that reference the same directory prefix (e.g., /tmp/chroot), capturing full command line, user, TTY, working directory, and exit codes.\n- Inspect the created nsswitch.conf for nonstandard services or module names and enumerate any libnss_*.so* under lib*/ or usr/lib*/ within that prefix, recording owner, hashes, and timestamps.\n- List all contemporaneous file writes under the same prefix (etc, lib*, bin, sbin) to determine whether a chroot rootfs is being assembled and attribute it to a toolchain such as tar, rsync, debootstrap, or custom scripts via process ancestry.\n- Search file access telemetry to see whether privileged processes subsequently read that specific nsswitch.conf or loaded libnss_* from the same path, which would indicate the chroot was exercised.\n- Verify sudo and glibc versions and patch status for CVE-2025-32463 and collect the initiating user’s session context (SSH source, TTY, shell history) to assess exploitability and scope.\n\n### False positive analysis\n\n- An administrator legitimately staging a temporary chroot or test root filesystem may use a shell to create /tmp/*/etc/nsswitch.conf while populating configs, matching the rule even though no privilege escalation is intended.\n- OS installation, recovery, or backup-restore workflows run from a shell can populate a mounted target like /mnt/newroot/etc/nsswitch.conf, creating the file outside /etc as part of maintenance and triggering the alert.\n\n### Response and remediation\n\n- Terminate any sudo or chroot processes referencing the created path (e.g., /tmp/chroot/etc/nsswitch.conf), lock the initiating user’s sudo access, and quarantine the parent directory with root-only permissions.\n- Remove the staged nsswitch.conf and any libnss_*.so* or ld.so.* artifacts under lib*/ or usr/lib*/ within that prefix after collecting copies, hashes, and timestamps for evidence.\n- Restore and verify /etc/nsswitch.conf on the host with correct content and root:root 0644, purge temporary chroot roots under /tmp, /var/tmp, or /mnt, and restart nscd or systemd-resolved to flush cached name-service data.\n- Escalate to incident response if sudo chroot was executed against the same directory, if root processes loaded libnss_* from that path, or if nsswitch.conf appears outside /etc on multiple hosts within a short window.\n- Apply vendor fixes for CVE-2025-32463 to sudo and glibc, disallow chroot in sudoers and enforce env_reset, noexec, and secure_path, and mount /tmp and /var/tmp with noexec,nosuid,nodev to prevent libraries being sourced from user-writable paths.\n- Add controls to block execution from user-created chroot trees by policy (AppArmor or SELinux) and create alerts on creation of */etc/nsswitch.conf or libnss_* writes under non-system paths, with auto-isolation for directories under /tmp or a user’s home.\n","license":"Elastic License v2","output_index":"","timestamp_override":"event.ingested","author":["Elastic"],"false_positives":[],"from":"now-9m","rule_id":"163a8f2f-c8a0-4b7e-9c4a-1184310eb7f3","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1068","name":"Exploitation for Privilege Escalation","reference":"https://attack.mitre.org/techniques/T1068/"}]}],"to":"now","references":["https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot","https://github.com/kh4sh3i/CVE-2025-32463"],"version":1,"exceptions_list":[],"immutable":true,"rule_source":{"type":"external","is_customized":false},"related_integrations":[{"package":"endpoint","version":"^8.2.0"},{"package":"auditd_manager","version":"^1.0.0"},{"package":"sentinel_one_cloud_funnel","version":"^1.0.0"},{"package":"crowdstrike","version":"^2.0.0"}],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"file.path","type":"keyword","ecs":true},{"name":"host.os.type","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true}],"setup":"## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n","type":"eql","language":"eql","index":["logs-endpoint.events.file*","logs-sentinel_one_cloud_funnel.*","endgame-*","auditbeat-*","logs-auditd_manager.auditd-*","logs-crowdstrike.fdr*"],"query":"file where host.os.type == \"linux\" and event.type == \"creation\" and file.path like \"/*/etc/nsswitch.conf\" and\nprocess.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and\nnot (\n  process.name == \"dash\" and file.path like (\"/var/tmp/mkinitramfs_*\", \"/tmp/tmp.*/mkinitramfs_*\")\n)\n","actions":[]}
{"id":"325a25f2-6f48-4d28-ba44-e4d30b36978e","updated_at":"2025-11-02T05:43:15.421Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.421Z","created_by":"elastic","name":"User Attempted to Logon","tags":["OS: Windows"],"interval":"1m","enabled":true,"revision":0,"description":"A user attempted to logon remotely. Check if they succeeded or failed","risk_score":75,"severity":"high","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-80s","rule_id":"032bfc38-0120-459d-bd4c-a93a1a89dae9","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","name":"Initial Access","reference":"https://attack.mitre.org/tactics/TA0001/"},"technique":[{"id":"T1078","name":"Valid Accounts","reference":"https://attack.mitre.org/techniques/T1078/","subtechnique":[]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003/"},"technique":[{"id":"T1078","name":"Valid Accounts","reference":"https://attack.mitre.org/techniques/T1078/","subtechnique":[]}]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["winlogbeat-*"],"query":"(event.code: (\"4624\" or \"4625\") and winlog.event_data.LogonType: (\"3\" or \"10\")) or event.code: \"4778\"","filters":[],"actions":[]}
{"id":"0135bca6-3ca4-468a-ba5a-8ce687fbdbde","updated_at":"2025-11-02T05:43:15.436Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.436Z","created_by":"elastic","name":"A User Switched Users","tags":["OS: Linux"],"interval":"1m","enabled":true,"revision":0,"description":"Someone logged in as another user","risk_score":50,"severity":"medium","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-80s","rule_id":"7ced2cfb-41c8-4209-9f61-bf228d3da043","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0004","name":"Privilege Escalation","reference":"https://attack.mitre.org/tactics/TA0004/"},"technique":[{"id":"T1078","name":"Valid Accounts","reference":"https://attack.mitre.org/techniques/T1078/","subtechnique":[{"id":"T1078.003","name":"Local Accounts","reference":"https://attack.mitre.org/techniques/T1078/003/"}]}]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["auditbeat-*"],"query":"process.name:\"su\" and event.outcome:\"success\" and tags:\"priv_esc\"","filters":[],"actions":[]}
{"id":"9f3ca112-6f9b-4af6-a8d2-deb24bda5cae","updated_at":"2025-11-02T05:43:15.416Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.416Z","created_by":"elastic","name":"Process was Stopped or Killed","tags":["OS: Linux"],"interval":"1m","enabled":true,"revision":0,"description":"A process was sent a signal to stop or kill it. Could mean that a service was stopped/restarted. The process ID can be found at field auditd.data.a0 and the signal at auditd.data.a1. They are converted to hexadecimal, so simply convert back to an integer to get the values.\n\nSignals:\n3 - SIGQUIT\n6 - SIGABRT\n9 - SIGKILL\nf - SIGTERM\n13 - SIGSTOP","risk_score":25,"severity":"low","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-21m","rule_id":"04ef05f3-127e-422f-ae5b-1dac07ec9ef5","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["auditbeat-*"],"query":"tags:\"signals\" and auditd.data.a1: (\"3\" or \"6\" or \"9\" or \"f\" or \"13\")","filters":[],"actions":[]}
{"id":"69bbfdc5-a05d-433f-a6f5-e816e97078ce","updated_at":"2025-11-02T05:43:15.440Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.440Z","created_by":"elastic","name":"New Kernel Module Loaded","tags":["OS: Linux"],"interval":"1m","enabled":true,"revision":0,"description":"A potentially malicious new kernel module was loaded. Could be a sign of a rootkit being installed","risk_score":50,"severity":"medium","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-80s","rule_id":"728f2680-911d-4738-b957-e03081e72cc9","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005/"},"technique":[{"id":"T1014","name":"Rootkit","reference":"https://attack.mitre.org/techniques/T1014/","subtechnique":[]}]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["auditbeat-*"],"query":"tags:\"modules\" and event.action:\"loaded-kernel-module\" ","filters":[],"actions":[]}
{"id":"1f9f6f7b-fc1b-45ad-8b0e-a624e8b7423e","updated_at":"2025-11-02T05:43:15.418Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.418Z","created_by":"elastic","name":"User Login","tags":["login","OS: Linux"],"interval":"30s","enabled":true,"revision":0,"description":"A user successfully logged onto the machine","risk_score":25,"severity":"low","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"investigation_fields":{"field_names":["agent.hostname","user.name","source.ip"]},"author":[],"false_positives":[],"from":"now-40s","rule_id":"89d47860-c00d-441c-8f26-261ef9fed287","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","name":"Initial Access","reference":"https://attack.mitre.org/tactics/TA0001/"},"technique":[{"id":"T1078","name":"Valid Accounts","reference":"https://attack.mitre.org/techniques/T1078/","subtechnique":[]}]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["auditbeat-*"],"query":"auditd.data.op:\"login\" and event.outcome:\"success\" ","filters":[],"actions":[]}
{"id":"8eea8190-694a-4b5c-a4a0-25e14ceac2e1","updated_at":"2025-11-02T05:43:15.448Z","updated_by":"elastic","created_at":"2025-11-02T05:43:15.448Z","created_by":"elastic","name":"Configuration File Was Modified","tags":["OS: Linux"],"interval":"1m","enabled":true,"revision":0,"description":"A configuration file was modified. Can safely ignore if this was done to harden the service","risk_score":65,"severity":"high","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-80s","rule_id":"102e99f1-1337-496b-80e4-7e7da3a2b0e3","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["auditbeat-*"],"query":"event.module:\"file_integrity\" and event.type:\"change\" and file.extension: (\"conf\" or \"cfg\" or \"yml\" or \"yaml\" or \"cnf\" or \"cf\" or \"ini\")","filters":[],"actions":[]}
{"id":"dab9a44d-e184-42a2-962d-3608a2ba9145","updated_at":"2025-12-06T06:11:05.966Z","updated_by":"elastic","created_at":"2025-12-06T06:11:05.966Z","created_by":"elastic","name":"Systemd Service Enabled or Modified","tags":[],"interval":"1m","enabled":true,"revision":0,"description":"A file with the extension service or timer was created or modified in /etc/systemd. This implies that a new service was created or enabled. If it is a timer, check for the service file in /lib/systemd if it does not exist in /etc/systemd","risk_score":73,"severity":"high","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-80s","rule_id":"bfd5579f-0dcb-48bb-a70f-18cae4b42f07","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1569","name":"System Services","reference":"https://attack.mitre.org/techniques/T1569/","subtechnique":[]}]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["auditbeat-*"],"query":"event.module:\"file_integrity\" and file.path:\"/etc/systemd/*\" and event.type:(\"creation\" or \"change\") and file.extension: (\"service\" or \"timer\")","filters":[],"actions":[]}
{"id":"24be7d59-cc51-4d7a-ade6-12026eb8e64b","updated_at":"2025-12-06T06:17:56.024Z","updated_by":"elastic","created_at":"2025-12-06T06:17:56.024Z","created_by":"elastic","name":"Potential Attacker Reconnaissance","tags":[],"interval":"1m","enabled":true,"revision":0,"description":"One of the recon binaries was ran (hostname, whoami, id, etc.). Could mean that an attacker has gained shell access. Follow their audit trail in the logs","risk_score":47,"severity":"medium","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-80s","rule_id":"3a3bf168-9648-4fff-a45a-23dfe8e8af14","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0043","name":"Reconnaissance","reference":"https://attack.mitre.org/tactics/TA0043/"},"technique":[{"id":"T1592","name":"Gather Victim Host Information","reference":"https://attack.mitre.org/techniques/T1592/","subtechnique":[]}]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["auditbeat-*"],"query":"tags:\"recon\"","filters":[],"actions":[]}
{"id":"ae0dfefb-57fd-434d-955b-6af6dbeb1cdf","updated_at":"2025-12-06T06:14:50.641Z","updated_by":"elastic","created_at":"2025-12-06T06:14:50.641Z","created_by":"elastic","name":"Sudoers File Was Modified","tags":[],"interval":"1m","enabled":true,"revision":0,"description":"Either /etc/sudoers was modified or a file in /etc/sudoers.d was. Check the configurations to see if any misconfigurations were placed there","risk_score":73,"severity":"high","license":"","output_index":"","meta":{"kibana_siem_app_url":"http://192.168.1.90:5601/app/security"},"author":[],"false_positives":[],"from":"now-80s","rule_id":"6cb3515a-727f-4be2-becc-e78c493c02ed","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003/"},"technique":[{"id":"T1556","name":"Modify Authentication Process","reference":"https://attack.mitre.org/techniques/T1556/","subtechnique":[]}]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["auditbeat-*"],"query":"tags:\"actions\"","filters":[],"actions":[]}
{"exported_count":77,"exported_rules_count":77,"missing_rules":[],"missing_rules_count":0,"exported_exception_list_count":0,"exported_exception_list_item_count":0,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0,"exported_action_connector_count":0,"missing_action_connection_count":0,"missing_action_connections":[],"excluded_action_connection_count":0,"excluded_action_connections":[]}