PyPI - nldcsc-elastic-rules - Versions diffs - 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl - Mend

nldcsc-elastic-rules 0.0.8py3-none-any.whl → 0.0.16py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (123) hide show

nldcsc_elastic_rules/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml ADDED Viewed

@@ -0,0 +1,172 @@
+[metadata]
+creation_date = "2025/12/04"
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
+maturity = "production"
+updated_date = "2025/12/04"
+[rule]
+author = ["Elastic"]
+description = """
+Detects when GenAI processes perform encoding or chunking (base64, gzip, tar, zip) followed by outbound network
+activity. This sequence indicates data preparation for exfiltration. Attackers encode or compress sensitive data before
+transmission to obfuscate contents and evade detection. Legitimate GenAI workflows rarely encode data before network
+communications.
+"""
+from = "now-9m"
+index = [
+    "logs-endpoint.events.process-*",
+    "logs-endpoint.events.network-*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "GenAI Process Performing Encoding/Chunking Prior to Network Activity"
+note = """## Triage and analysis
+### Investigating GenAI Process Performing Encoding/Chunking Prior to Network Activity
+GenAI processes performing encoding or chunking operations followed by network activity is highly suspicious. This behavior indicates data preparation for exfiltration via GenAI prompts or agents, which is a strong indicator of malicious activity.
+### Possible investigation steps
+- Review the GenAI process that performed the encoding to identify which tool is running and verify if it's an expected/authorized tool.
+- Examine the encoding/chunking command line arguments to understand what data is being processed.
+- Review the network connection details to identify the destination and determine if it's expected.
+- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.
+- Review the data that was encoded to determine if it contains sensitive information.
+- Determine whether the encoding was initiated by a GenAI agent or automation loop rather than a user action.
+- Check whether the encoded data size or entropy suggests credential files, browser data, SSH keys, or cloud tokens.
+- Validate that the GenAI tool is installed from a trusted source and has not been modified.
+### False positive analysis
+- Legitimate data processing workflows that use GenAI tools may trigger this rule if they encode data before transmission.
+- Some local developer workflows may encode files before uploading training data or embeddings; confirm whether the host is a model-development workstation.
+### Response and remediation
+- Terminate the GenAI process and any spawned encoding/network processes to stop the malicious activity.
+- Review and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool.
+- Investigate the encoded data and network destination to determine the scope of potential data exfiltration.
+"""
+references = [
+    "https://atlas.mitre.org/techniques/AML.T0086",
+    "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks",
+    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
+]
+risk_score = 47
+rule_id = "c3d4e5f6-a7b8-9012-cdef-123456789abc"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: macOS",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Exfiltration",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: SentinelOne",
+    "Resources: Investigation Guide",
+    "Domain: LLM",
+    "Mitre Atlas: T0086",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+sequence by process.entity_id with maxspan=30s
+  // Encoding/compression followed by network activity
+  [process where event.type == "start"
+     and event.type == "start"
+     // Encoding/chunking tools
+     and (
+       // Native encoding tools
+       process.name in ("base64", "gzip", "tar", "zip", "split", "7z", "7za", "7zr") or
+       // PowerShell encoding
+       (process.name in ("powershell.exe", "pwsh.exe") and
+        process.command_line like~ ("*Compress-Archive*", "*[Convert]::ToBase64String*")) or
+       // Python encoding
+       (process.name like~ "python*" and
+        process.command_line like~ ("*base64*", "*gzip*", "*zlib*", "*tarfile*", "*zipfile*")) or
+       // Node.js encoding
+       (process.name in ("node.exe", "node") and
+        process.command_line like~ ("*Buffer.from*", "*zlib*", "*gzip*") and
+        not process.command_line like~ ("*mcp*start*", "*mcp-server*", "*npm exec*mcp*"))
+     )
+     // GenAI parent process
+     and (
+       process.parent.name in (
+         "ollama.exe", "ollama", "Ollama",
+         "textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
+         "lmstudio.exe", "lmstudio", "LM Studio",
+         "claude.exe", "claude", "Claude",
+         "cursor.exe", "cursor", "Cursor", "Cursor Helper", "Cursor Helper (Plugin)",
+         "copilot.exe", "copilot", "Copilot",
+         "codex.exe", "codex",
+         "Jan", "jan.exe", "jan", "Jan Helper",
+         "gpt4all.exe", "gpt4all", "GPT4All",
+         "gemini-cli.exe", "gemini-cli",
+         "genaiscript.exe", "genaiscript",
+         "grok.exe", "grok",
+         "qwen.exe", "qwen",
+         "koboldcpp.exe", "koboldcpp", "KoboldCpp",
+         "llama-server", "llama-cli"
+       ) or
+       // Node/Deno with GenAI frameworks
+       (process.parent.name in ("node.exe", "node", "deno.exe", "deno") and
+        process.parent.command_line like~ (
+          "*ollama*", "*mcp-server*", "*@modelcontextprotocol*", "*langchain*", "*autogpt*",
+          "*babyagi*", "*agentgpt*", "*crewai*", "*semantic-kernel*", "*llama-index*",
+          "*haystack*", "*openai*", "*anthropic*", "*cohere*", "*mistral*"
+        )) or
+       // Python with GenAI frameworks
+       (process.parent.name like~ "python*" and
+        process.parent.command_line like~ (
+          "*ollama*", "*mcp-server*", "*langchain*", "*autogpt*", "*babyagi*",
+          "*agentgpt*", "*crewai*", "*semantic-kernel*", "*llama-index*", "*haystack*",
+          "*openai*", "*anthropic*", "*cohere*", "*mistral*"
+        ))
+     )
+  ] by process.entity_id
+  // Outbound network connection (non-local)
+  [network where event.type == "start"
+     and event.action == "connection_attempted"
+     and destination.ip != null
+     and not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
+                       "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+                       "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
+                       "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
+                       "FF00::/8")
+  ] by process.entity_id
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

nldcsc_elastic_rules/rules/cross-platform/defense_evasion_potential_http_downgrade_attack.toml ADDED Viewed

@@ -0,0 +1,98 @@
+[metadata]
+creation_date = "2025/11/27"
+integration = ["nginx", "apache", "apache_tomcat"]
+maturity = "production"
+updated_date = "2025/12/08"
+[rule]
+author = ["Elastic"]
+description = """
+Through the new_terms rule type, this rule detects potential HTTP downgrade attacks by identifying
+HTTP traffic that uses a different HTTP version than the one typically used in the environment. An
+HTTP downgrade attack occurs when an attacker forces a connection via an older HTTP version,
+resulting in potentially less secure communication. For example, an attacker might downgrade a
+connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in
+the older protocol versions.
+"""
+from = "now-9m"
+index = [
+        "logs-nginx.access-*",
+        "logs-apache.access-*",
+        "logs-apache_tomcat.access-*",
+]
+language = "kuery"
+license = "Elastic License v2"
+name = "Potential HTTP Downgrade Attack"
+note = """## Triage and analysis
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+### Investigating Potential HTTP Downgrade Attack
+This detection surfaces HTTP traffic negotiating a protocol version that deviates from your baseline, a sign of downgrade attempts that strip protections and enable evasion or exploit paths in older behaviors. An attacker deliberately breaks HTTP/2 negotiation so the server falls back to HTTP/1.1, then probes with crafted headers and chunked bodies to attempt request smuggling or cache bypass against web services.
+### Possible investigation steps
+- Correlate with TLS termination or load balancer logs to verify ALPN or Upgrade negotiation (server advertising h2) and whether the same client/IP previously used h2 with the same SNI/Host, distinguishing forced downgrade from capability mismatch.
+- Review the downgraded requests for exploitation indicators such as simultaneous Content-Length and Transfer-Encoding headers, duplicated or mixed-case headers, unusual methods (TRACE or PRI), or inconsistent chunked encoding suggesting smuggling attempts.
+- Examine surrounding response patterns for increased 400/421/426/431/505, backend 5xx, connection resets, or latency spikes that coincide with these requests and indicate error-driven fallback or probing.
+- Check for recent config changes or incidents on CDNs/WAFs/load balancers and web servers (e.g., http2 enablement, ALPN lists, h2/h2c settings) that could have disabled HTTP/2 and caused benign fallbacks.
+- Cluster events by source IP/User-Agent/ASN and targeted host to identify campaign activity across services and pivot the sources through threat intelligence or reputation feeds.
+### False positive analysis
+- Recent Nginx/Apache/Tomcat configuration changes that disable HTTP/2/h2c or alter TLS/ALPN on specific virtual hosts can legitimately force clients to fall back to HTTP/1.1, surfacing as a downgrade event in access logs.
+- Newly onboarded internal services or scripts that only support HTTP/1.0/1.1 and begin hitting an endpoint for the first time can introduce a first-seen older http.version relative to an HTTP/2 baseline without malicious intent.
+### Response and remediation
+- Immediately block or challenge source IPs/ASNs repeatedly forcing HTTP/1.1 to hosts that previously negotiated HTTP/2 via ALPN, and enable WAF rules to drop “Upgrade: h2c” attempts, requests with both Content-Length and Transfer-Encoding, or duplicated/mixed-case headers.
+- Remove downgrade paths by requiring TLS+ALPN “h2” on 443 (e.g., Nginx listen 443 ssl http2; Apache Protocols h2 http/1.1), disabling cleartext h2c and HTTP/1.0 on public endpoints, and ensuring intermediaries do not strip ALPN or rewrite headers.
+- Redeploy corrected configs and validate end-to-end HTTP/2 with curl --http2 and browser devtools, then confirm normal 2xx/3xx rates and elimination of 421/426/431/505 responses and backend 5xx spikes around previously downgraded traffic.
+- Escalate to Incident Response if downgraded requests show smuggling patterns (simultaneous Content-Length and Transfer-Encoding, mixed-case duplicates, TRACE/PRI methods), hit sensitive paths (/admin, /login, /actuator), or trigger cache anomalies like cross-user content.
+- Harden parsing and caching by normalizing headers at the edge, enforcing a single Content-Length, disabling TRACE, setting strict client_header_buffer_size and large_client_header_buffers, and configuring proxies/backends to reject conflicting CL/TE or ambiguous chunked bodies.
+"""
+risk_score = 21
+rule_id = "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e"
+severity = "low"
+tags = [
+    "Domain: Web",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Nginx",
+    "Data Source: Apache",
+    "Data Source: Apache Tomcat",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+http.version:*
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.010"
+name = "Downgrade Attack"
+reference = "https://attack.mitre.org/techniques/T1562/010/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["http.version", "agent.id"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"

nldcsc_elastic_rules/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml ADDED Viewed

@@ -0,0 +1,172 @@
+[metadata]
+creation_date = "2025/12/02"
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
+maturity = "production"
+min_stack_version = "9.2.0"
+min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
+updated_date = "2025/12/08"
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects potential Local File Inclusion (LFI) activity on web servers by identifying HTTP GET requests that
+attempt to access sensitive local files through directory traversal techniques or known file paths. Attackers may
+exploit LFI vulnerabilities to read sensitive files, gain system information, or further compromise the server.
+"""
+from = "now-11m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Web Server Local File Inclusion Activity"
+note = """ ## Triage and analysis
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+### Investigating Web Server Local File Inclusion Activity
+This rule surfaces successful GET requests containing directory traversal or direct access to sensitive paths, signaling Local File Inclusion exploitation that can expose credentials, configuration, and process context and enable further compromise. A common attacker pattern is abusing a vulnerable parameter to fetch ../../../../etc/passwd, then pivoting to /proc/self/environ to harvest secrets and identify execution context for subsequent steps.
+### Possible investigation steps
+- Retrieve contiguous access logs around the alert to rebuild each request/response pair (URI, parameters, user agent, referer, cookies, X-Forwarded-For) and identify which parameter reflected traversal or wrapper usage and whether the response likely contained file contents.
+- Compare response sizes and content-types for the suspicious requests to normal pages and look for signatures such as "root:x:" lines, INI/XML keys, or base64 blobs that indicate disclosure of /etc/passwd, web.config/applicationhost.config, or other sensitive files.
+- Review web server and application error logs at the same timestamps for include/open stream warnings, open_basedir or allow_url_fopen messages, and stack traces to confirm the code path handling the input and any mitigations in place.
+- Pivot on the same source and timeframe to find adjacent probes (php://filter, data://, expect://, zip://, phar://, /proc/self/environ, traversal into webroots/configs) and any follow-on POSTs to upload endpoints or new script paths, signaling progression toward RCE or webshell placement.
+- Determine whether the traffic was authenticated and whether it traversed a WAF or reverse proxy by correlating cookies or session IDs and client IPs with proxy/WAF logs, noting any blocks, rule matches, or bypasses to bound scope and urgency.
+### False positive analysis
+- A site search or documentation endpoint echoing user-supplied text can include strings like ../../../../etc/passwd, windows/win.ini, or php://filter in the query string and return a normal 200 OK results page rather than performing a file include.
+- An authenticated admin feature (such as a log viewer or file browser) may legitimately accept path= or file= parameters referencing local paths like /var/log/nginx or /inetpub/logs/logfiles and return 200 when serving allowed files, producing URLs that match the rule without exploitation.
+### Response and remediation
+- Immediately block the source IP at the reverse proxy/WAF and deploy deny rules for GET requests using ../../ or ..\\..\\ traversal or wrappers (php://, expect://, data://) that fetch /etc/passwd, /proc/self/environ, wp-config.php, web.config, or applicationhost.config.
+- Configure the web server to return 403 for paths resolving to /proc, /etc, /var/log, /inetpub, applicationhost.config, and web.config and to reject wrapper schemes like php:// and expect://, then reload Nginx/Apache/IIS to apply.
+- Fix the vulnerable include logic by canonicalizing input with realpath, rejecting any .. segments or absolute paths, enforcing a whitelist of allowed files, and in PHP disabling allow_url_include/allow_url_fopen and setting open_basedir to a safe directory.
+- Rotate exposed secrets by changing database and API credentials from wp-config.php, connection strings and machine keys from web.config/applicationhost.config, and any tokens in /proc/self/environ, then invalidate active sessions and cache.
+- Escalate to incident leadership and quarantine the host if response bodies contain credential patterns (e.g., "root:x:" from /etc/passwd or XML keys from web.config), if /etc/shadow or windows/system32/config/SAM was requested, or if follow-on POSTs or new .php/.aspx files appear in the webroot.
+- Recover by verifying integrity of /var/www and /inetpub/wwwroot, scanning for webshells and unexpected includes, redeploying a known-good build or container image if tampering is found, and adding WAF normalization to double-decode URLs and 403 traversal attempts.
+"""
+risk_score = 21
+rule_id = "90e4ceab-79a5-4f8e-879b-513cac7fcad9"
+severity = "low"
+tags = [
+    "Domain: Web",
+    "Use Case: Threat Detection",
+    "Tactic: Discovery",
+    "Data Source: Nginx",
+    "Data Source: Apache",
+    "Data Source: Apache Tomcat",
+    "Data Source: IIS",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+query = '''
+from
+  logs-nginx.access-*,
+  logs-apache.access-*,
+  logs-apache_tomcat.access-*,
+  logs-iis.access-*
+| where
+    http.request.method == "GET" and
+    http.response.status_code == 200 and
+    url.original like "*=*"
+| eval Esql.url_original_url_decoded_to_lower = to_lower(URL_DECODE(url.original))
+| where
+  /* 1) Relative traversal */
+    Esql.url_original_url_decoded_to_lower like "*../../../../*" or           // Unix-style traversal
+    Esql.url_original_url_decoded_to_lower like "*..\\\\..\\\\..\\\\..*" or           // Windows-style traversal
+    // Potential security check bypassing (enforcing multiple dots and shortening the pattern)
+    Esql.url_original_url_decoded_to_lower like "*..././*" or
+    Esql.url_original_url_decoded_to_lower like "*...\\*" or
+    Esql.url_original_url_decoded_to_lower like "*....\\*" or
+  /* 2) Linux system identity / basic info */
+    Esql.url_original_url_decoded_to_lower like "*etc/passwd*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/shadow*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/hosts*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/os-release*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/issue*" or
+  /* 3) Linux /proc enumeration */
+    Esql.url_original_url_decoded_to_lower like "*proc/self/environ*" or
+    Esql.url_original_url_decoded_to_lower like "*proc/self/cmdline*" or
+    Esql.url_original_url_decoded_to_lower like "*proc/self/fd*" or
+    Esql.url_original_url_decoded_to_lower like "*proc/self/exe*" or
+  /* 4) Linux webroots, configs & logs */
+    Esql.url_original_url_decoded_to_lower like "*var/www*" or               // generic webroot
+    Esql.url_original_url_decoded_to_lower like "*wp-config.php*" or         // classic WP config
+    Esql.url_original_url_decoded_to_lower like "*etc/apache2*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/httpd*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/nginx*" or
+    Esql.url_original_url_decoded_to_lower like "*var/log/apache2*" or
+    Esql.url_original_url_decoded_to_lower like "*var/log/httpd*" or
+    Esql.url_original_url_decoded_to_lower like "*var/log/nginx*" or
+  /* 5) Windows core files / identity */
+    Esql.url_original_url_decoded_to_lower like "*windows/panther/*unattend*" or
+    Esql.url_original_url_decoded_to_lower like "*windows/debug/netsetup.log*" or
+    Esql.url_original_url_decoded_to_lower like "*windows/win.ini*" or
+    Esql.url_original_url_decoded_to_lower like "*windows/system32/drivers/etc/hosts*" or
+    Esql.url_original_url_decoded_to_lower like "*boot.ini*" or
+    Esql.url_original_url_decoded_to_lower like "*windows/system32/config/*" or
+    Esql.url_original_url_decoded_to_lower like "*windows/repair/sam*" or
+    Esql.url_original_url_decoded_to_lower like "*windows/system32/license.rtf*" or
+  /* 6) Windows IIS / .NET configs, webroots & logs */
+     Esql.url_original_url_decoded_to_lower like "*/inetpub/wwwroot*" or
+     Esql.url_original_url_decoded_to_lower like "*/inetpub/logs/logfiles*" or
+     Esql.url_original_url_decoded_to_lower like "*applicationhost.config*" or
+     Esql.url_original_url_decoded_to_lower like "*/microsoft.net/framework64/*/config/web.config*" or
+     Esql.url_original_url_decoded_to_lower like "*windows/system32/inetsrv/*" or
+  /* 7) PHP & protocol wrappers */
+     Esql.url_original_url_decoded_to_lower like "*php://*" or
+     Esql.url_original_url_decoded_to_lower like "*zip://*" or
+     Esql.url_original_url_decoded_to_lower like "*phar://*" or
+     Esql.url_original_url_decoded_to_lower like "*expect://*" or
+     Esql.url_original_url_decoded_to_lower like "*file://*" or
+     Esql.url_original_url_decoded_to_lower like "*data://text/plain;base64*"
+| keep
+    @timestamp,
+    Esql.url_original_url_decoded_to_lower,
+    source.ip,
+    agent.id,
+    host.name,
+    http.request.method,
+    http.response.status_code,
+    event.dataset,
+    data_stream.namespace
+| stats
+    Esql.event_count = count(),
+    Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower),
+    Esql.host_name_values = values(host.name),
+    Esql.agent_id_values = values(agent.id),
+    Esql.http_request_method_values = values(http.request.method),
+    Esql.http_response_status_code_values = values(http.response.status_code),
+    Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower),
+    Esql.event_dataset_values = values(event.dataset),
+    Esql.data_stream_namespace_values = values(data_stream.namespace)
+    by source.ip
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"

nldcsc_elastic_rules/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml ADDED Viewed

@@ -0,0 +1,133 @@
+[metadata]
+creation_date = "2025/12/02"
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
+maturity = "production"
+min_stack_version = "9.2.0"
+min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
+updated_date = "2025/12/08"
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects potential Remote File Inclusion (RFI) activity on web servers by identifying HTTP GET requests that
+attempt to access sensitive remote files through directory traversal techniques or known file paths. Attackers may
+exploit RFI vulnerabilities to read sensitive files, gain system information, or further compromise the server.
+"""
+from = "now-11m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Web Server Potential Remote File Inclusion Activity"
+note = """## Triage and analysis
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+### Investigating Web Server Potential Remote File Inclusion Activity
+This rule identifies successful GET requests that pass a remote URL or raw IP in a parameter, signaling Remote File Inclusion attempts that coerce the app to fetch external content or reveal local files. RFI matters because it enables discovery, leaks sensitive data, and can bootstrap code retrieval for persistence or command-and-control. Example behavior: probing an include endpoint with /index.php?page=http://203.0.113.10/drop.txt to verify remote fetch and execution via a vulnerable loader.
+### Possible investigation steps
+- Decode the full request URL and parameters, identify the endpoint and parameter names, and confirm with application owners whether passing remote URLs is expected behavior for that route.
+- Correlate the event time with outbound connections from the web server to the referenced domain or IP using egress firewall, proxy, DNS, or NetFlow logs to verify whether a fetch occurred.
+- Review adjacent web access entries from the same source IP and user agent to detect scanning behavior, varied include parameters, wrapper strings (php://, data://, file://), or local file probes that indicate exploitation attempts.
+- Check the referenced remote domain or IP with threat intelligence, and if needed, safely retrieve it in an isolated environment to examine content, redirects, and headers for droppers or callbacks.
+- Look for post-inclusion artifacts by checking webroot and temp directories for newly created or modified files, suspicious script writes, and unusual access patterns, and inspect server or application configuration for risky URL include settings.
+### False positive analysis
+- Applications that legitimately accept full URLs in query parameters for link previews, content proxies, image fetching, or feed importers (e.g., url= or src=) will return 200 and match *=http(s)://*, appearing as RFI despite expected behavior.
+- Administrative or diagnostic endpoints that allow users to supply IP addresses or URI schemes (ftp://, smb://, file://) to test connectivity or preview resources (e.g., target=192.168.1.10) can return 200 and trigger this rule even though no inclusion vulnerability is present.
+### Response and remediation
+- Immediately block offending source IPs and request patterns at the WAF/reverse proxy (e.g., GETs where page=, url=, or src= contains http://, https://, ftp://, smb://, or file://) and temporarily disable the affected include/loader endpoints until fixed.
+- Restrict outbound connections from the web server to the domains and IPs referenced in the requests and quarantine the host if 200 OK responses align with remote downloads or wrapper usage such as php://, data://, file://.
+- Collect forensic images, then remove newly created or modified scripts in webroot and temp directories (e.g., /var/www, uploads, /tmp), delete unauthorized .htaccess/web.config entries, clear caches, and terminate suspicious processes running under the web server account.
+- Redeploy the application from a known-good build, restore clean configuration files, rotate credentials exposed by local file probes (e.g., config.php, .env), invalidate sessions, and verify functionality before returning the service to production.
+- Harden by disabling risky features and enforcing strict input controls: set PHP allow_url_include=Off and allow_url_fopen=Off, apply open_basedir restrictions, implement scheme/domain allowlists for any include/load functionality, and sanitize and normalize user-supplied parameters.
+- Escalate to incident response and preserve disk and memory images if remote content was fetched and executed, a webshell or unknown script is found in the webroot, or the same actor generates successful 200 RFI-style requests across multiple hosts.
+- Enhance monitoring for RFI attempts by tuning WAF rules to alert on suspicious include parameters, enabling detailed web server logging, and setting up alerts for anomalous outbound connections from web servers.
+"""
+risk_score = 21
+rule_id = "45d099b4-a12e-4913-951c-0129f73efb41"
+severity = "low"
+tags = [
+    "Domain: Web",
+    "Use Case: Threat Detection",
+    "Tactic: Discovery",
+    "Tactic: Command and Control",
+    "Data Source: Nginx",
+    "Data Source: Apache",
+    "Data Source: Apache Tomcat",
+    "Data Source: IIS",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+query = '''
+from
+  logs-nginx.access-*,
+  logs-apache.access-*,
+  logs-apache_tomcat.access-*,
+  logs-iis.access-*
+| where
+    http.request.method == "GET" and
+    http.response.status_code == 200 and
+    url.original like "*=*"
+| eval Esql.url_original_url_decoded_to_lower = to_lower(URL_DECODE(url.original))
+| where
+    Esql.url_original_url_decoded_to_lower like "*=http://*" or
+    Esql.url_original_url_decoded_to_lower like "*=https://*" or
+    Esql.url_original_url_decoded_to_lower like "*=ftp://*" or
+    Esql.url_original_url_decoded_to_lower like "*=smb://*" or
+    Esql.url_original_url_decoded_to_lower like "*=file://*" or
+    Esql.url_original_url_decoded_to_lower rlike """.*=.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*"""
+| keep
+    @timestamp,
+    Esql.url_original_url_decoded_to_lower,
+    source.ip,
+    agent.id,
+    host.name,
+    http.request.method,
+    http.response.status_code,
+    event.dataset,
+    data_stream.namespace
+| stats
+    Esql.event_count = count(),
+    Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower),
+    Esql.host_name_values = values(host.name),
+    Esql.agent_id_values = values(agent.id),
+    Esql.http_request_method_values = values(http.request.method),
+    Esql.http_response_status_code_values = values(http.response.status_code),
+    Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower),
+    Esql.event_dataset_values = values(event.dataset),
+    Esql.data_stream_namespace_values = values(data_stream.namespace)
+    by source.ip
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"

nldcsc-elastic-rules 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl

nldcsc-elastic-rules 0.0.8py3-none-any.whl → 0.0.16py3-none-any.whl