elastic
diff --git a/‎docs/detections/prebuilt-rules/downloadable-packages/8-19-19/prebuilt-rule-8-19-19-connection-to-commonly-abused-web-services.asciidoc‎
Lines changed: 351 additions & 0 deletions b/‎docs/detections/prebuilt-rules/downloadable-packages/8-19-19/prebuilt-rule-8-19-19-connection-to-commonly-abused-web-services.asciidoc‎
Lines changed: 351 additions & 0 deletions
diff --git a/‎docs/detections/prebuilt-rules/downloadable-packages/8-19-19/prebuilt-rule-8-19-19-data-encrypted-via-openssl-utility.asciidoc‎
Lines changed: 94 additions & 0 deletions b/‎docs/detections/prebuilt-rules/downloadable-packages/8-19-19/prebuilt-rule-8-19-19-data-encrypted-via-openssl-utility.asciidoc‎
Lines changed: 94 additions & 0 deletions
diff --git a/‎docs/detections/prebuilt-rules/downloadable-packages/8-19-19/prebuilt-rule-8-19-19-kubernetes-secret-access-via-unusual-user-agent.asciidoc‎
Lines changed: 64 additions & 0 deletions b/‎docs/detections/prebuilt-rules/downloadable-packages/8-19-19/prebuilt-rule-8-19-19-kubernetes-secret-access-via-unusual-user-agent.asciidoc‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎docs/detections/prebuilt-rules/downloadable-packages/8-19-19/prebuilt-rule-8-19-19-m365-azure-monitor-alert-email-with-financial-or-billing-theme.asciidoc‎
Lines changed: 139 additions & 0 deletions b/‎docs/detections/prebuilt-rules/downloadable-packages/8-19-19/prebuilt-rule-8-19-19-m365-azure-monitor-alert-email-with-financial-or-billing-theme.asciidoc‎
Lines changed: 139 additions & 0 deletions
@@ -0,0 +1,94 @@
+[[prebuilt-rule-8-19-19-data-encrypted-via-openssl-utility]]
+=== Data Encrypted via OpenSSL Utility
+
+Identifies the execution of the OpenSSL utility to encrypt data. Adversaries may use OpenSSL to encrypt data to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.
+
+*Rule type*: eql
+
+*Rule indices*: 
+
+* endgame-*
+* logs-crowdstrike.fdr*
+* logs-endpoint.events.process-*
+* logs-sentinel_one_cloud_funnel.*
+* auditbeat-*
+* logs-auditd_manager.auditd-*
+* logs-system.security*
+* logs-windows.forwarded*
+* logs-windows.sysmon_operational-*
+* winlogbeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*: 
+
+* Domain: Endpoint
+* OS: Linux
+* OS: Windows
+* OS: macOS
+* Use Case: Threat Detection
+* Tactic: Defense Evasion
+* Tactic: Collection
+* Data Source: Elastic Defend
+* Data Source: Elastic Endgame
+* Data Source: Crowdstrike
+* Data Source: SentinelOne
+* Data Source: Auditd Manager
+* Data Source: Windows Security Event Logs
+* Data Source: Sysmon
+
+*Version*: 1
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+process where event.type == "start" and event.action in ("start", "exec", "executed", "exec_event", "ProcessRollup2") and
+process.name : "openssl*" and process.args : "enc" and process.args : "-in" and process.args : "-out"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Obfuscated Files or Information
+** ID: T1027
+** Reference URL: https://attack.mitre.org/techniques/T1027/
+* Sub-technique:
+** Name: Encrypted/Encoded File
+** ID: T1027.013
+** Reference URL: https://attack.mitre.org/techniques/T1027/013/
+* Tactic:
+** Name: Collection
+** ID: TA0009
+** Reference URL: https://attack.mitre.org/tactics/TA0009/
+* Technique:
+** Name: Data Staged
+** ID: T1074
+** Reference URL: https://attack.mitre.org/techniques/T1074/
+* Sub-technique:
+** Name: Local Data Staging
+** ID: T1074.001
+** Reference URL: https://attack.mitre.org/techniques/T1074/001/
@@ -0,0 +1,64 @@
+[[prebuilt-rule-8-19-19-kubernetes-secret-access-via-unusual-user-agent]]
+=== Kubernetes Secret Access via Unusual User Agent
+
+This rule detects when secrets are accessed via an unusual user agent, user name and source IP. Attackers may attempt to access secrets in a Kubernetes cluster to gain access to sensitive information after gaining access to the cluster.
+
+*Rule type*: new_terms
+
+*Rule indices*: 
+
+* logs-kubernetes.audit_logs-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*: 
+
+* Data Source: Kubernetes
+* Domain: Kubernetes
+* Domain: Cloud
+* Use Case: Threat Detection
+* Tactic: Credential Access
+
+*Version*: 1
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:"kubernetes.audit_logs" and kubernetes.audit.objectRef.resource:"secrets" and
+kubernetes.audit.verb:("get" or "list") and user_agent.original:(* and not (*kubernetes/$Format))
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Unsecured Credentials
+** ID: T1552
+** Reference URL: https://attack.mitre.org/techniques/T1552/
+* Sub-technique:
+** Name: Container API
+** ID: T1552.007
+** Reference URL: https://attack.mitre.org/techniques/T1552/007/
@@ -0,0 +1,139 @@
+[[prebuilt-rule-8-19-19-m365-azure-monitor-alert-email-with-financial-or-billing-theme]]
+=== M365 Azure Monitor Alert Email with Financial or Billing Theme
+
+Detects Azure Monitor alert notification emails with financial or billing themed subject lines delivered to organization users. Adversaries abuse Azure Monitor alert rules to deliver callback phishing emails from Microsoft's legitimate azure-noreply@microsoft.com address. Because the emails originate from Microsoft's own infrastructure, they pass SPF, DKIM, and DMARC checks, bypassing email security filters and increasing victim trust. The attacker embeds a fraudulent billing or security lure in the alert rule description, which is rendered in the notification email body. Observed subject patterns include invoice numbers, payment references, and order confirmations.
+
+*Rule type*: esql
+
+*Rule indices*: None
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://www.bleepingcomputer.com/news/security/microsoft-azure-monitor-alerts-abused-in-callback-phishing-campaigns/
+
+*Tags*: 
+
+* Domain: Cloud
+* Domain: Email
+* Data Source: Microsoft 365
+* Data Source: Microsoft Exchange Online Message Trace
+* Use Case: Threat Detection
+* Tactic: Initial Access
+* Resources: Investigation Guide
+
+*Version*: 1
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating M365 Azure Monitor Alert Email with Financial or Billing Theme*
+
+
+Azure Monitor alert rules can be abused by adversaries to deliver callback phishing emails from Microsoft's legitimate `azure-noreply@microsoft.com` address. The attacker creates a metric or activity log alert in their own Azure tenant with a phishing lure embedded in the description field, then adds victim email addresses to an action group. When the alert fires, Microsoft sends the notification email — complete with the embedded lure — directly to the victims.
+
+
+*Possible investigation steps*
+
+
+- Review the `email.subject` field to determine if the alert name matches known phishing patterns (e.g., `INV-`, `Payment Reference`, `order-`, `Funds Received`).
+- Check the `email.to.address` field to identify which users received the email and whether they are high-value targets.
+- Search for additional emails from `azure-noreply@microsoft.com` to the same recipient within a short time window. The attack typically sends both a "Fired" and "Resolved" notification, doubling phishing impressions.
+- Look for an earlier "You're now in the X action group" notification email, which arrives before the phishing alert — this confirms the user was added to an external Azure Monitor action group.
+- Check email message headers for the originating Azure subscription and resource group, which are embedded in the alert details.
+- Contact the recipient to determine if they interacted with the email or called the phone number in the lure.
+- If the victim called the number, initiate incident response for potential credential theft, payment fraud, or remote access tool installation.
+
+
+*False positive analysis*
+
+
+- Legitimate Azure Monitor alerts with financial naming (e.g., a cost alert named "Invoice threshold exceeded") may match. Verify the alert originates from a known internal Azure subscription by examining the email body or message headers.
+- Internal teams that name alert rules with billing-related terms for cost management should be documented as exceptions.
+
+
+*Response and remediation*
+
+
+- If the email is confirmed as phishing, block the sender pattern and alert name in your email security gateway.
+- Quarantine or delete the phishing emails from affected mailboxes.
+- If the victim called the phone number, treat as a compromised account: reset credentials, revoke sessions, and audit for unauthorized access.
+- Report the Azure subscription ID from the email headers to Microsoft abuse team for takedown.
+- Consider implementing a mail flow rule to flag or quarantine Azure Monitor notification emails that contain phone numbers or financial language in the body.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+from logs-microsoft_exchange_online_message_trace.* metadata _id, _version, _index
+
+// Filter for Azure Monitor notification emails with financial/billing themed subjects
+| where event.dataset == "microsoft_exchange_online_message_trace.log"
+    and email.from.address == "azure-noreply@microsoft.com"
+    and event.outcome in ("success", "unknown")
+    and email.subject like "*Azure Monitor alert*"
+    and (
+        email.subject like "*INV-*"
+        or email.subject like "*invoice*"
+        or email.subject like "*payment*"
+        or email.subject like "*order-*"
+        or email.subject like "*purchase*"
+        or email.subject like "*funds*"
+        or email.subject like "*receipt*"
+        or email.subject like "*billing*"
+        or email.subject like "*transaction*"
+        or email.subject like "*refund*"
+        or email.subject like "*charge*"
+        or email.subject like "*subscription*"
+        or email.subject like "*renewal*"
+        or email.subject like "*overdue*"
+        or email.subject like "*past due*"
+        or email.subject like "*amount due*"
+        or email.subject like "*wire transfer*"
+        or email.subject like "*bank account*"
+        or email.subject like "*credit card*"
+        or email.subject like "*financial*"
+        or email.subject like "*remittance*"
+    )
+
+| keep *
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Phishing
+** ID: T1566
+** Reference URL: https://attack.mitre.org/techniques/T1566/
+* Sub-technique:
+** Name: Spearphishing via Service
+** ID: T1566.003
+** Reference URL: https://attack.mitre.org/techniques/T1566/003/