PyPI - nldcsc-elastic-rules - Versions diffs - 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl - Mend

nldcsc-elastic-rules 0.0.8py3-none-any.whl → 0.0.16py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (123) hide show

nldcsc_elastic_rules/rules/ml/ml_high_count_network_events.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2021/04/05"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/18"
 [rule]
 anomaly_threshold = 75
@@ -110,3 +110,55 @@ Machine learning models analyze network traffic patterns to identify anomalies,
 - Review and update network access controls and permissions to ensure only authorized users and devices have access to sensitive data and systems.
 - Implement enhanced monitoring and alerting for similar traffic patterns to improve early detection and response to future incidents."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat.technique]]
+id = "T1046"
+name = "Network Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1046/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
+[[rule.threat.technique]]
+id = "T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat.technique]]
+id = "T1498"
+name = "Network Denial of Service"
+reference = "https://attack.mitre.org/techniques/T1498/"

nldcsc_elastic_rules/rules/ml/ml_linux_anomalous_network_activity.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2025/01/17"
+updated_date = "2025/11/18"
 [rule]
 anomaly_threshold = 50
@@ -92,3 +92,58 @@ tags = [
 ]
 type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"

nldcsc_elastic_rules/rules/ml/ml_linux_anomalous_network_port_activity.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/18"
 [rule]
 anomaly_threshold = 50
@@ -118,3 +118,42 @@ In Linux environments, network ports facilitate communication between applicatio
 - Implement network segmentation to limit the exposure of critical systems to potential threats and reduce the risk of lateral movement.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique]]
+id = "T1571"
+name = "Non-Standard Port"
+reference = "https://attack.mitre.org/techniques/T1571/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"

nldcsc_elastic_rules/rules/ml/ml_low_count_events_for_a_host_name.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/18"
+updated_date = "2025/11/18"
 [rule]
 anomaly_threshold = 75
@@ -91,3 +91,29 @@ Host-based traffic monitoring is crucial for identifying anomalies in network ac
 - Restore any affected services from known good backups if service failure is confirmed as the cause.
 - Monitor network traffic for any signs of unusual activity or attempts to exploit the situation further.
 - Escalate the incident to the security operations team for a deeper forensic analysis and to determine if additional hosts are affected."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat.technique]]
+id = "T1499"
+name = "Endpoint Denial of Service"
+reference = "https://attack.mitre.org/techniques/T1499/"

nldcsc_elastic_rules/rules/ml/ml_packetbeat_rare_server_domain.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/18"
 [rule]
 anomaly_threshold = 50
@@ -118,3 +118,65 @@ Machine learning models analyze network traffic to identify atypical domain name
 - Implement network-level blocking of the identified unusual domain across the organization to prevent future access attempts.
 - Update threat intelligence feeds and detection systems with indicators of compromise (IOCs) related to the unusual domain to enhance future detection capabilities."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"

nldcsc_elastic_rules/rules/ml/ml_rare_destination_country.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2021/04/05"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/18"
 [rule]
 anomaly_threshold = 75
@@ -115,3 +115,70 @@ Machine learning models analyze network logs to identify traffic to uncommon des
 - Restore the affected system from a clean backup if necessary, ensuring that all security patches and updates are applied.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+[[rule.threat.technique]]
+id = "T1048"
+name = "Exfiltration Over Alternative Protocol"
+reference = "https://attack.mitre.org/techniques/T1048/"

nldcsc_elastic_rules/rules/ml/ml_spike_in_traffic_to_a_country.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2021/04/05"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/18"
 [rule]
 anomaly_threshold = 75
@@ -115,3 +115,55 @@ severity = "low"
 tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat.technique]]
+id = "T1046"
+name = "Network Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1046/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
+[[rule.threat.technique]]
+id = "T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"

nldcsc_elastic_rules/rules/ml/ml_windows_anomalous_network_activity.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/18"
 [rule]
 anomaly_threshold = 50
@@ -89,3 +89,58 @@ tags = [
 ]
 type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"

nldcsc_elastic_rules/rules/network/initial_access_react_server_components_rce_attempt.toml ADDED Viewed

@@ -0,0 +1,123 @@
+[metadata]
+creation_date = "2025/12/04"
+integration = ["network_traffic"]
+maturity = "production"
+updated_date = "2025/12/05"
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in
+React Server Components (RSC) Flight protocol. The vulnerability allows attackers to execute arbitrary code on the
+server by sending specially crafted deserialization payloads that exploit prototype chain traversal to access the
+Function constructor. This rule focuses on high-fidelity indicators of active exploitation including successful command
+execution responses and prototype pollution attack patterns.
+"""
+from = "now-9m"
+index = ["logs-network_traffic.http*"]
+language = "eql"
+license = "Elastic License v2"
+name = "React2Shell (CVE-2025-55182) Exploitation Attempt"
+note = """## Triage and analysis
+### Investigating React2Shell (CVE-2025-55182) Exploitation Attempt
+This rule detects exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in React's Flight protocol used by Next.js and other RSC implementations. The vulnerability stems from insecure prototype chain traversal in the Flight deserializer, allowing attackers to access `__proto__`, `constructor`, and ultimately the `Function` constructor to execute arbitrary code.
+### Possible investigation steps
+- Examine the full HTTP request body to identify the specific attack payload and command being executed.
+- Check the response body for `E{"digest":"..."}` patterns which contain command output from successful exploitation.
+- Identify the target application and verify if it runs vulnerable React (< 19.1.0) or Next.js (< 15.3.2) versions.
+- Review the source IP for other reconnaissance or exploitation attempts against web applications.
+- Check for the `Next-Action` header which is required for the exploit to work.
+- Correlate with process execution logs to identify if child processes (e.g., shell commands) were spawned by the Node.js process.
+### False positive analysis
+- Legitimate React Server Components traffic will NOT contain `__proto__`, `constructor:constructor`, or code execution patterns.
+- Security scanning tools like react2shell-scanner may trigger this rule during authorized penetration testing.
+- The combination of prototype pollution patterns with RSC-specific syntax is highly indicative of malicious activity.
+### Response and remediation
+- Immediately update affected applications: React >= 19.1.0, Next.js >= 15.3.2.
+- Block the source IP at the WAF/reverse proxy if exploitation is confirmed.
+- If HTTP 500 or 303 responses with `digest` output were observed, assume successful code execution and investigate for compromise.
+- Review server logs for evidence of command execution (file creation, network connections, process spawning).
+- Implement WAF rules to block requests containing `__proto__` or `constructor:constructor` in POST bodies.
+"""
+references = [
+    "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182",
+    "https://github.com/assetnote/react2shell-scanner",
+    "https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/",
+    "https://github.com/msanft/CVE-2025-55182",
+]
+risk_score = 73
+rule_id = "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f"
+severity = "high"
+tags = [
+    "Domain: Network",
+    "Domain: Application",
+    "Domain: Web",
+    "Use Case: Threat Detection",
+    "Use Case: Vulnerability",
+    "Tactic: Initial Access",
+    "Tactic: Execution",
+    "Data Source: Network Packet Capture",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+network where http.request.method == "POST" and
+(
+    // Successful CVE-2025-55182 RCE - command output in digest
+    (
+        http.response.status_code in (500, 303) and
+        http.response.body.content like~ "*E{\"digest\"*" and
+        http.request.body.content regex~ """.*\$[0-9]+:[a-zA-Z_0-9]+:[a-zA-Z_0-9]+.*"""
+    ) or
+    // Prototype pollution attempts in RSC Flight data (never legitimate)
+    (
+        http.request.body.content regex~ """.*\$[0-9]+:[a-zA-Z_0-9]+:[a-zA-Z_0-9]+.*""" and
+        (
+            http.request.body.content like~ "*__proto__*" or
+            http.request.body.content like~ "*prototype*"
+        )
+    )
+)
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"

nldcsc_elastic_rules/rules/promotions/external_alerts.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2020/07/08"
 maturity = "production"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2025/12/08"
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)
+(event.kind:alert or data_stream.dataset:wiz.defend) and not event.module:(endgame or endpoint or cloud_defend)
 '''
 note = """## Triage and analysis

nldcsc_elastic_rules/rules/windows/command_and_control_common_webservices.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/11/04"
+updated_date = "2025/12/01"
 [transform]
 [[transform.investigate]]
@@ -291,8 +291,9 @@ network where host.os.type == "windows" and
        dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com")
       ) or
-      (process.code_signature.subject_name : "Python Software Foundation" and process.code_signature.trusted == true and
-       dns.question.name : "files.pythonhosted.org") or
+      (process.code_signature.subject_name : ("Python Software Foundation", "Anaconda, Inc.") and
+       process.code_signature.trusted == true and dns.question.name : "files.pythonhosted.org"
+      ) or
       /* Zoom */
       (process.name : "Zoom.exe" and (process.code_signature.subject_name : "Zoom Video Communications, Inc." and

nldcsc-elastic-rules 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl

nldcsc-elastic-rules 0.0.8py3-none-any.whl → 0.0.16py3-none-any.whl