nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/apm/apm_405_response_method_not_allowed.toml

@@ -0,0 +1,69 @@
+[metadata]
+creation_date = "2020/02/18"
+integration = ["apm"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+A request to a web application returned a 405 response, which indicates the web application declined to process the
+request because the HTTP method is not allowed for the resource.
+"""
+false_positives = [
+    """
+    Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers
+    of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate
+    suspicious or malicious activity.
+    """,
+]
+index = ["apm-*-transaction*", "traces-apm*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Web Application Suspicious Activity: Unauthorized Method"
+references = ["https://en.wikipedia.org/wiki/HTTP_405"]
+risk_score = 47
+rule_id = "75ee75d8-c180-481c-ba88-ee50129a6aef"
+severity = "medium"
+tags = ["Data Source: APM", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+http.response.status_code:405
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Web Application Suspicious Activity: Unauthorized Method
+
+Web applications often restrict HTTP methods to protect resources, allowing only specific actions like GET or POST. Adversaries may exploit misconfigurations by attempting unauthorized methods, potentially revealing vulnerabilities or sensitive data. The detection rule identifies such attempts by flagging HTTP 405 responses, indicating a method is not permitted, thus highlighting potential misuse or probing activities.
+
+### Possible investigation steps
+
+- Review the web server logs to identify the source IP address associated with the HTTP 405 response to determine if the request originated from a known or suspicious source.
+- Analyze the request headers and payload associated with the 405 response to understand what unauthorized method was attempted and if there are any patterns or anomalies.
+- Check the application configuration to verify which HTTP methods are allowed for the resource in question and assess if there are any misconfigurations that could be exploited.
+- Investigate if there are multiple 405 responses from the same source IP or user agent, which could indicate probing or automated scanning activity.
+- Correlate the 405 response events with other security alerts or logs to identify any related suspicious activities or potential attack vectors.
+
+### False positive analysis
+
+- Routine API calls using unsupported methods may trigger 405 responses. Review API documentation to ensure correct methods are used and adjust monitoring to exclude these known patterns.
+- Automated tools or scripts might inadvertently use incorrect HTTP methods, leading to false positives. Identify and update these tools to use appropriate methods, or whitelist their IP addresses if they are known and trusted.
+- Web crawlers or bots might attempt unsupported methods as part of their scanning process. Configure your monitoring system to recognize and exclude these benign activities based on user-agent strings or IP ranges.
+- Development and testing environments often experiment with various HTTP methods, resulting in 405 responses. Implement rules to exclude these environments from production monitoring to reduce noise.
+- Legacy systems or applications might not support certain HTTP methods, causing frequent 405 errors. Document these systems and create exceptions in your monitoring to prevent unnecessary alerts.
+
+### Response and remediation
+
+- Immediately review the web server and application logs to identify the source IP address and user agent associated with the 405 response. Block the IP address if it is determined to be malicious or part of a known attack pattern.
+- Conduct a security assessment of the web application's configuration to ensure that only necessary HTTP methods are enabled for each resource. Disable any methods that are not required for the application's functionality.
+- Implement or update web application firewall (WAF) rules to block unauthorized HTTP methods and monitor for repeated attempts from the same source.
+- Notify the security operations team to monitor for any additional suspicious activity from the identified source or similar patterns, and escalate to incident response if further malicious activity is detected.
+- Review and update the application's security policies and access controls to ensure they align with best practices and prevent unauthorized method usage.
+- Conduct a vulnerability assessment of the web application to identify and remediate any potential security weaknesses that could be exploited by unauthorized HTTP methods.
+- Document the incident, including the response actions taken, and update the incident response plan to improve future detection and response capabilities for similar threats."""
+

nldcsc_elastic_rules/rules/apm/apm_sqlmap_user_agent.toml

@@ -0,0 +1,70 @@
+[metadata]
+creation_date = "2020/02/18"
+integration = ["apm"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap
+1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.
+"""
+false_positives = [
+    """
+    This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security
+    scans and tests may result in these errors. If the source is not an authorized security tester, this is generally
+    suspicious or malicious activity.
+    """,
+]
+index = ["apm-*-transaction*", "traces-apm*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Web Application Suspicious Activity: sqlmap User Agent"
+references = ["http://sqlmap.org/"]
+risk_score = 47
+rule_id = "d49cc73f-7a16-4def-89ce-9fc7127d7820"
+severity = "medium"
+tags = ["Data Source: APM", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Web Application Suspicious Activity: sqlmap User Agent
+
+Sqlmap is a widely-used open-source tool designed to automate the detection and exploitation of SQL injection vulnerabilities in web applications. Adversaries may exploit sqlmap to extract sensitive data or manipulate databases. The detection rule identifies suspicious activity by monitoring for specific user agent strings associated with sqlmap, flagging potential unauthorized testing or attacks on web applications.
+
+### Possible investigation steps
+
+- Review the logs to identify the source IP address associated with the user agent string "sqlmap/1.3.11#stable (http://sqlmap.org)" to determine the origin of the suspicious activity.
+- Check for any other user agent strings or unusual activity from the same IP address to assess if there are additional signs of probing or attacks.
+- Investigate the targeted web application endpoints to understand which parts of the application were accessed and if any SQL injection attempts were successful.
+- Correlate the timestamp of the detected activity with other security logs or alerts to identify any concurrent suspicious activities or anomalies.
+- Assess the potential impact by reviewing database logs or application logs for any unauthorized data access or modifications during the time of the detected activity.
+- Consider blocking or monitoring the identified IP address to prevent further unauthorized access attempts, if deemed malicious.
+
+### False positive analysis
+
+- Development and testing environments may use sqlmap for legitimate security testing. To handle this, create exceptions for known IP addresses or user agents associated with internal security teams.
+- Automated security scanners or vulnerability assessment tools might mimic sqlmap's user agent for testing purposes. Identify and whitelist these tools to prevent unnecessary alerts.
+- Some web application firewalls or intrusion detection systems may simulate sqlmap activity to test their own detection capabilities. Coordinate with your security infrastructure team to recognize and exclude these activities.
+- Educational institutions or training environments might use sqlmap for teaching purposes. Establish a list of authorized users or networks to exclude from alerts.
+- Ensure that any third-party security service providers are recognized and their activities are documented to avoid misidentification as threats.
+
+### Response and remediation
+
+- Immediately block the IP address associated with the sqlmap user agent activity to prevent further unauthorized access attempts.
+- Review and analyze web server logs to identify any additional suspicious activity or patterns that may indicate further exploitation attempts.
+- Conduct a thorough assessment of the affected web application to identify and patch any SQL injection vulnerabilities that may have been exploited.
+- Reset credentials and enforce strong password policies for any database accounts that may have been compromised.
+- Implement web application firewall (WAF) rules to detect and block SQL injection attempts, including those using sqlmap.
+- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
+- Document the incident details and response actions taken for future reference and to enhance incident response procedures."""
+

nldcsc_elastic_rules/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

@@ -0,0 +1,102 @@
+[metadata]
+creation_date = "2023/06/19"
+integration = ["endpoint", "system"]
+maturity = "production"
+updated_date = "2025/02/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing
+payloads via a trusted webservice.
+"""
+false_positives = [
+    "Approved third-party applications that use Google Drive download URLs.",
+    "Legitimate publicly shared files from Google Drive.",
+]
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint*", "logs-system.security*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious File Downloaded from Google Drive"
+references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"]
+risk_score = 47
+rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: Windows",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Windows Security Event Logs",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where
+
+    /* common browser processes  */
+    event.action in ("exec", "fork", "start") and
+
+    process.name : ("Microsoft Edge", "chrome.exe", "Google Chrome", "google-chrome-stable",
+                    "google-chrome-beta", "google-chrome", "msedge.exe", "firefox.exe", "brave.exe",
+                    "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "firefox",
+                    "powershell.exe", "curl", "curl.exe", "wget", "wget.exe") and
+
+    /* Look for Google Drive download URL with AV flag skipping */
+    (process.command_line : "*drive.google.com*" and process.command_line : "*export=download*" and process.command_line : "*confirm=no_antivirus*")
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious File Downloaded from Google Drive
+
+Google Drive is a widely-used cloud storage service that allows users to store and share files. Adversaries may exploit its trusted nature to distribute malicious files, bypassing security measures by using download links with antivirus checks disabled. The detection rule identifies such activities by monitoring browser processes for specific Google Drive download patterns, flagging potential threats for further investigation.
+
+### Possible investigation steps
+
+- Review the process command line details to confirm the presence of the Google Drive download URL with the "export=download" and "confirm=no_antivirus" parameters, which indicate an attempt to bypass antivirus checks.
+- Identify the user account associated with the process to determine if the activity aligns with their typical behavior or if it appears suspicious.
+- Check the file downloaded from the Google Drive URL for any known malicious signatures or behaviors using a reputable antivirus or malware analysis tool.
+- Investigate the source of the download link to determine if it was shared via email, messaging, or another communication channel, and assess the legitimacy of the source.
+- Analyze network logs to identify any additional suspicious activity or connections related to the IP address or domain associated with the download.
+- Review historical data for any previous similar alerts or activities involving the same user or device to identify potential patterns or repeated attempts.
+
+### False positive analysis
+
+- Legitimate file sharing activities from Google Drive may trigger alerts if users frequently download files for business purposes. To manage this, create exceptions for specific users or departments known to use Google Drive extensively for legitimate work.
+- Automated scripts or tools that download files from Google Drive for regular data processing tasks might be flagged. Identify these scripts and whitelist their associated processes or command lines to prevent unnecessary alerts.
+- Educational institutions or research organizations often share large datasets via Google Drive, which could be mistakenly flagged. Implement exceptions for known educational or research-related Google Drive URLs to reduce false positives.
+- Internal IT or security teams may use Google Drive to distribute software updates or patches. Recognize these activities and exclude them by specifying trusted internal Google Drive links or user accounts.
+- Collaboration with external partners who use Google Drive for file sharing can lead to false positives. Establish a list of trusted partners and their associated Google Drive URLs to minimize unnecessary alerts.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further spread of potential malware or unauthorized access.
+- Quarantine the downloaded file and perform a detailed malware analysis using a sandbox environment to determine its behavior and potential impact.
+- If malware is confirmed, initiate a full system scan using updated antivirus and anti-malware tools to identify and remove any additional threats.
+- Review and analyze the process command line logs to identify any other suspicious activities or downloads that may have occurred concurrently.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
+- Implement network-level blocking of the specific Google Drive URL or domain if it is confirmed to be malicious, to prevent future access.
+- Update endpoint detection and response (EDR) systems with indicators of compromise (IOCs) identified during the analysis to enhance detection of similar threats in the future."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+

nldcsc_elastic_rules/rules/cross-platform/command_and_control_non_standard_ssh_port.toml

@@ -0,0 +1,106 @@
+[metadata]
+creation_date = "2022/10/18"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For
+example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the
+standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.
+"""
+false_positives = [
+    """
+    SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such
+    uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and
+    noisy in your environment, consider adding exceptions — preferably with a combination whitelisted ports for such
+    legitimate ssh activities.
+    """,
+]
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Non-Standard Port SSH connection"
+references = ["https://attack.mitre.org/techniques/T1571/"]
+risk_score = 21
+rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "OS: macOS",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+type = "eql"
+query = '''
+sequence by process.entity_id with maxspan=1m
+  [process where event.action == "exec" and process.name in ("ssh", "sshd") and not process.parent.name in (
+   "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest", "git-lfs", "expect", "Sourcetree", "ssh-copy-id",
+   "run"
+   )
+  ]
+  [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and
+   destination.port != 22 and network.transport == "tcp" and not (
+     destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
+       destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
+       "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+       "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
+       "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
+       "FF00::/8"
+     )
+   )
+  ]
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Non-Standard Port SSH connection
+
+SSH is a protocol used for secure remote access and management of systems. Typically, it operates over port 22. However, adversaries may exploit non-standard ports to evade detection and bypass network filters. The detection rule identifies unusual SSH activity by monitoring processes and network connections on ports other than 22, excluding common benign use cases, to flag potential threats.
+
+### Possible investigation steps
+
+- Review the process details, including process.entity_id and process.name, to confirm the execution of SSH or SSHD processes and identify any unusual parent processes not listed in the exclusion list.
+- Examine the network connection details, focusing on destination.port to verify the use of non-standard ports for SSH connections and assess if these ports are commonly used within the organization.
+- Analyze the destination.ip to determine if the connection is being made to an external or potentially malicious IP address, especially if it falls outside the specified CIDR ranges.
+- Investigate the context of the SSH connection attempt by checking for any recent changes in network configurations or firewall rules that might explain the use of non-standard ports.
+- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
+
+### False positive analysis
+
+- Legitimate administrative tools like rsync, git, and ansible-playbook may use SSH over non-standard ports for valid operations. Ensure these tools are included in the process.parent.name exclusion list to prevent false positives.
+- Backup and synchronization applications such as pyznap and pgbackrest might use SSH on non-standard ports. Add these applications to the exclusion list to avoid unnecessary alerts.
+- Development and deployment tools like Sourcetree and git-lfs may establish SSH connections on non-standard ports during routine operations. Verify these tools are part of the exclusion criteria to minimize false positives.
+- Custom scripts or automation tasks that use SSH on non-standard ports for internal processes should be reviewed and, if deemed safe, added to the exclusion list to reduce noise.
+- Internal network traffic to non-public IP ranges might be flagged if not properly excluded. Ensure that internal IP ranges are correctly specified in the cidrmatch exclusion to prevent false positives.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate any suspicious SSH processes identified on non-standard ports to halt potential malicious activity.
+- Conduct a thorough review of the system's SSH configuration files to identify unauthorized changes, such as modifications to the SSH port settings, and revert them to the standard configuration.
+- Reset credentials for any accounts accessed via the non-standard port to prevent further unauthorized access.
+- Implement network-level controls to block SSH traffic on non-standard ports unless explicitly required and documented for legitimate use cases.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Enhance monitoring and alerting for SSH connections on non-standard ports across the network to improve early detection of similar threats in the future."""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1571"
+name = "Non-Standard Port"
+reference = "https://attack.mitre.org/techniques/T1571/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"

nldcsc_elastic_rules/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml

@@ -0,0 +1,76 @@
+[metadata]
+creation_date = "2025/11/18"
+integration = ["endpoint", "panw"]
+maturity = "production"
+updated_date = "2025/11/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify
+the source process performing the network activity.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-panw.panos-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "PANW and Elastic Defend - Command and Control Correlation"
+references = [
+    "https://attack.mitre.org/tactics/TA0011/",
+    "https://www.elastic.co/docs/reference/integrations/panw",
+    "https://www.elastic.co/docs/reference/integrations/endpoint"
+]
+risk_score = 47
+rule_id = "da4f56b8-9bc5-4003-a46c-d23616fbc691"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: Windows",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Defend",
+    "Data Source: PAN-OS",
+    "Resources: Investigation Guide",
+]
+type = "eql"
+query = '''
+sequence by source.port, source.ip, destination.ip with maxspan=1m
+ [network where event.module == "panw" and event.action == "c2_communication"]
+ [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
+'''
+note = """## Triage and analysis
+
+### Investigating PANW and Elastic Defend - Command and Control Correlation
+
+### Possible investigation steps
+
+- Investigate in the Timeline feature the two events matching this correlation (PANW and Elastic Defend).
+- Review the process details like command_line, privileges, global relevance and reputation.
+- Assess the destination.ip reputation and global relevance.
+- Review the parent process execution details like command_line, global relevance and reputation.
+- Examine all network connection details performed by the process during last 48h.
+- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
+
+### False positive analysis
+
+- Trusted system or third party processes performing network activity that looks like beaconing.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate the suspicious processes and all associated children and parents.
+- Implement network-level controls to block traffic to the destination.ip.
+- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
+- Reset credentials for any accounts associated with the source machine.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+"""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"

nldcsc_elastic_rules/rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml

@@ -0,0 +1,85 @@
+[metadata]
+creation_date = "2025/11/17"
+integration = ["endpoint", "fortinet_fortigate"]
+maturity = "production"
+updated_date = "2025/11/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection correlates FortiGate's application control SOCKS events with Elastic Defend network event to identify the
+source process performing SOCKS traffic. Adversaries may use a connection proxy to direct network traffic between systems
+or act as an intermediary for network communications to a command and control server to avoid direct connections to their
+infrastructure.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-fortinet_fortigate.log-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "SOCKS Traffic from an Unusual Process"
+references = [
+    "https://attack.mitre.org/techniques/T1090/",
+    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
+    "https://www.elastic.co/docs/reference/integrations/endpoint"
+]
+risk_score = 47
+rule_id = "6926b708-7964-425f-bed8-6e006379df08"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: Windows",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Defend",
+    "Data Source: Fortinet",
+    "Resources: Investigation Guide",
+]
+type = "eql"
+query = '''
+sequence by source.port, source.ip, destination.ip with maxspan=1m
+ [network where event.dataset == "fortinet_fortigate.log" and event.action == "signature" and network.application in ("SOCKS4", "SOCKS5")]
+ [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
+'''
+note = """## Triage and analysis
+
+### Investigating SOCKS Traffic from an Unusual Process
+
+### Possible investigation steps
+
+- Review the process details like command_line, privileges, global relevance and reputation.
+- Review the parent process execution details like command_line, global relevance and reputation.
+- Examine all network connection details performed by the process during last 48h.
+- Examine all localhost network connections performed by the same process to verify if there is any port forwarding with another process on the same machine.
+- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
+
+### False positive analysis
+
+- Browser proxy extensions and Add-ons.
+- Development and deployment tools.
+- Third party trusted tools using SOCKS for network communication.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate the suspicious processes and all associated children and parents.
+- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
+- Reset credentials for any accounts associated with the source machine.
+- Implement network-level controls to block traffic via SOCKS unless authorized.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+"""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"

nldcsc_elastic_rules/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml

@@ -0,0 +1,116 @@
+[metadata]
+creation_date = "2020/12/21"
+integration = ["endpoint", "windows", "system"]
+maturity = "production"
+updated_date = "2025/03/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt
+to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain
+access web applications or Internet services as an authenticated user without needing credentials.
+"""
+false_positives = ["Developers performing browsers plugin or extension debugging."]
+from = "now-9m"
+index = [
+    "auditbeat-*",
+    "logs-endpoint.events.*",
+    "logs-system.security*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+]
+language = "eql"
+license = "Elastic License v2"
+max_signals = 33
+name = "Potential Cookies Theft via Browser Debugging"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Cookies Theft via Browser Debugging
+
+Chromium-based browsers support debugging features that allow developers to inspect and modify web applications. Adversaries can exploit these features to access session cookies, enabling unauthorized access to web services. The detection rule identifies suspicious browser processes using debugging arguments, which may indicate cookie theft attempts, by monitoring specific process names and arguments across different operating systems.
+
+### Possible investigation steps
+
+- Review the process details to confirm the presence of suspicious debugging arguments such as "--remote-debugging-port=*", "--remote-debugging-targets=*", or "--remote-debugging-pipe=*". Check if these arguments were used in conjunction with "--user-data-dir=*" and ensure "--remote-debugging-port=0" is not present.
+- Identify the user account associated with the suspicious browser process to determine if it aligns with expected behavior or if it might be compromised.
+- Investigate the source IP address and network activity associated with the process to identify any unusual or unauthorized access patterns.
+- Check for any recent changes or anomalies in the user's account activity, such as unexpected logins or access to sensitive applications.
+- Correlate the event with other security alerts or logs to identify if this activity is part of a broader attack pattern or campaign.
+- If possible, capture and analyze the network traffic associated with the process to detect any data exfiltration attempts or communication with known malicious IP addresses.
+
+### False positive analysis
+
+- Development and testing activities may trigger the rule when developers use debugging features for legitimate purposes. To manage this, create exceptions for known developer machines or user accounts frequently involved in web application development.
+- Automated testing frameworks that utilize browser debugging for testing web applications can also cause false positives. Identify and exclude processes initiated by these frameworks by specifying their unique process names or user accounts.
+- Browser extensions or tools that rely on debugging ports for functionality might be flagged. Review and whitelist these extensions or tools if they are verified as safe and necessary for business operations.
+- Remote support or troubleshooting sessions using debugging features can be mistaken for suspicious activity. Implement a policy to log and review such sessions, allowing exceptions for recognized support tools or personnel.
+- Continuous integration/continuous deployment (CI/CD) pipelines that involve browser automation may inadvertently match the rule criteria. Exclude these processes by identifying and filtering based on the CI/CD system's user accounts or process identifiers.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate any suspicious browser processes identified with debugging arguments to stop potential cookie theft in progress.
+- Conduct a thorough review of access logs for the affected web applications or services to identify any unauthorized access attempts using stolen cookies.
+- Invalidate all active sessions for the affected user accounts and force a re-authentication to ensure that any stolen session cookies are rendered useless.
+- Implement stricter browser security policies, such as disabling remote debugging features in production environments, to prevent similar exploitation in the future.
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised.
+- Enhance monitoring and alerting for similar suspicious browser activities by refining detection rules and incorporating additional threat intelligence."""
+references = [
+    "https://github.com/defaultnamehere/cookie_crimes",
+    "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+    "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md",
+    "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e",
+]
+risk_score = 47
+rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: Windows",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Sysmon",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started", "info") and
+  process.name in (
+             "Microsoft Edge",
+             "chrome.exe",
+             "Google Chrome",
+             "google-chrome-stable",
+             "google-chrome-beta",
+             "google-chrome",
+             "msedge.exe") and
+   process.args : ("--remote-debugging-port=*",
+                   "--remote-debugging-targets=*",
+                   "--remote-debugging-pipe=*") and
+   process.args : "--user-data-dir=*" and not process.args:"--remote-debugging-port=0"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1539"
+name = "Steal Web Session Cookie"
+reference = "https://attack.mitre.org/techniques/T1539/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+