Exploit - Detected - Elastic Endgame
Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/02/18"
maturity = "production"
promotion = true
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the
rule.reference column for additional information.
"""
from = "now-15m"
index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Exploit - Detected - Elastic Endgame"
risk_score = 73
rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
setup = """## Setup

This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "high"
tags = [
    "Data Source: Elastic Endgame",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Privilege Escalation",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
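The following is an added example, not code from the Elastic detection-rules repository. It evaluates the rule's KQL predicate over a handful of constructed Endgame-style documents (the sample documents are not real telemetry) and applies the per-run alert cap described in the Setup section, where the effective limit is the lower of the rule's own `max_signals` and the Kibana-wide `xpack.alerting.rules.run.alerts.max`. The matching assumes the queried fields are keyword fields (exact match, array values match when any element equals the literal); the default value of 1000 used for the Kibana setting is an assumption, since the page only states that 1000 is the per-rule default.

```python
"""Run the 'Exploit - Detected - Elastic Endgame' query predicate over sample documents.

Added example, not part of the Elastic detection-rules repository. The documents
below are constructed for illustration. Matching assumes the fields named in the
rule's query are keyword fields (exact match) and that an array value matches when
any element equals the literal, which is how KQL evaluates keyword arrays.
"""
from typing import Any

RULE_MAX_SIGNALS = 10000            # max_signals from the rule file
# Assumed default of xpack.alerting.rules.run.alerts.max (the page only says this
# Kibana-wide setting supersedes the rule's own cap).
KIBANA_MAX_ALERTS_DEFAULT = 1000


def get_field(doc: dict, path: str) -> Any:
    """Resolve 'a.b.c' either as a flat dotted key or by walking nested dicts."""
    if path in doc:
        return doc[path]
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def field_is(doc: dict, path: str, literal: str) -> bool:
    """KQL 'field:literal' on a keyword field (any element of an array may match)."""
    value = get_field(doc, path)
    if isinstance(value, list):
        return literal in value
    return value == literal


def matches_exploit_detected(doc: dict) -> bool:
    """event.kind:alert and event.module:endgame and endgame.metadata.type:detection
    and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)"""
    return (
        field_is(doc, "event.kind", "alert")
        and field_is(doc, "event.module", "endgame")
        and field_is(doc, "endgame.metadata.type", "detection")
        and (
            field_is(doc, "event.action", "exploit_event")
            or field_is(doc, "endgame.event_subtype_full", "exploit_event")
        )
    )


def effective_max_alerts(rule_max: int, kibana_max: int) -> int:
    """Per-run cap: the rule's max_signals unless the Kibana-wide setting is lower."""
    return min(rule_max, kibana_max)


def run_rule(docs, rule_max=RULE_MAX_SIGNALS, kibana_max=KIBANA_MAX_ALERTS_DEFAULT):
    """Return the documents that become alerts on one run, after applying the cap."""
    hits = [d for d in docs if matches_exploit_detected(d)]
    return hits[: effective_max_alerts(rule_max, kibana_max)]


# Constructed sample documents (not real Endgame telemetry).
SAMPLE_DOCS = [
    {   # matches via event.action
        "event": {"kind": "alert", "module": "endgame", "action": "exploit_event"},
        "endgame": {"metadata": {"type": "detection"}},
    },
    {   # matches via endgame.event_subtype_full only, stored with flat dotted keys
        "event.kind": "alert", "event.module": "endgame",
        "endgame.metadata.type": "detection",
        "endgame.event_subtype_full": "exploit_event",
    },
    {   # prevention rather than detection: covered by the sibling 'Prevented' rule
        "event": {"kind": "alert", "module": "endgame", "action": "exploit_event"},
        "endgame": {"metadata": {"type": "prevention"}},
    },
    {   # plain telemetry event, not an alert
        "event": {"kind": "event", "module": "endgame", "action": "exploit_event"},
        "endgame": {"metadata": {"type": "detection"}},
    },
    {   # a different Endgame detection type
        "event": {"kind": "alert", "module": "endgame", "action": "cred_theft_event"},
        "endgame": {"metadata": {"type": "detection"}},
    },
]


if __name__ == "__main__":
    for i, doc in enumerate(SAMPLE_DOCS):
        print(i, matches_exploit_detected(doc))
    print("alerts this run:", len(run_rule(SAMPLE_DOCS)))
    # 1500 matching documents: the rule allows 10000, but a Kibana cap of 1000 wins.
    flood = [SAMPLE_DOCS[0]] * 1500
    print("capped:", len(run_rule(flood)), "uncapped:", len(run_rule(flood, kibana_max=20000)))
```

The second sample document is the case to keep in mind when tuning: older Endgame events may carry only `endgame.event_subtype_full`, which is why the query keeps that disjunct alongside `event.action`. The flood case shows why the Setup note matters: with the Kibana-wide setting at its default, the rule's `max_signals = 10000` never takes effect and alerts beyond the first 1000 in a run are dropped.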
Related rules
- Exploit - Prevented - Elastic Endgame
- BPF filter applied using TC
- Binary Executed from Shared Memory Directory
- Credential Manipulation - Detected - Elastic Endgame
- Credential Manipulation - Prevented - Elastic Endgame